Posted by michael from the does-renter's-insurance-cover-this dept.
sagman writes "Russ at NTBugtraq is proposing fines for those whose computers allow the propagation of viruses, worms, etc., knowingly or unknowingly... Russ is taking a poll on his site. Russ states in an email that he wrote this up at the request of a US Senator staffer..."
A couple of problems
by aridhol · Score: 5, Interesting
First, I think this will lead to ISPs only allowing "approved" OSs on their networks, in order to prevent themselves from getting fined. Unfortunately, the approved list will probably contain the worst offenders.
Second:
ISPs must receive freedom from liability for dropping the identified traffic. False detections are the fault of the "Independent Authority", who should also be free from liability.
Sorry we blocked your critical data, but you can't do anything about it.
-- I can't say that I don't give a fuck. I've just run out of fuck to give.
Lawsuits abound
by chia_monkey · Score: 3, Interesting
I just see lawsuits left and right with this one. On one hand, you've got Ma and Pa Kettle who know how to turn on their computer, check their email, and play solitaire. All of a sudden they're notified they owe $2.4 billion because their computer was used to take down sixteen major corporations. Do they get to sue the ISP for not filtering? Or do they get to sue the virus programmer if they're caught? Or hell, do I get to sue them because maybe they infected me and my computer infected the corner store. Sure my fine was only $50, but maybe I'll sue them $250,000 for pain and suffering (hey, this is America, we do that). Scary...
--
"He uses statistics as a drunken man uses lampposts...for support rather than illumination." - Andrew Lang
Problem with this...
by chrisgeleven · Score: 3, Interesting
people aren't licensed/educated properly to use the internet. So how will they know that they have to update virus definitions and patch their systems? By e-mail notifications? When I used to work for a local ISP doing tech support, most people only checked their ISP e-mail once a month for their monthly statements, they instead had hotmail accounts for their regular e-mail. We would have to call customers non-stop to remind them to check their ISP e-mail for their bill. Now we would have to call them for their weekly virus breakout?
The key is some type of mandatory education before you can advocate fines. My grandmother doesn't know a thing about antivirus protection, she just expects it to work. My grandmother doesn't know a thing about Windows Update, because she assumes the computer is safe.
So what can I do? There are no easy answers, but I guarantee fines are the last resort since none of the other options have been tried at a large scale.
Fine the O/S vendors instead
by Dark+Coder · Score: 5, Interesting
The operating system vendors should face the music.
If the U.S. Federal government mandates automobile recall because of some faulty protection system, exceeding expected normal operation or rusted-thru "firewall", then the same should apply toward operating systems; be it Microsoft, Linux or Unix-based.
Re:Denial of Money attack?
by isomeme · Score: 4, Interesting
There was a science fiction story many years ago (circa 1980, IIRC) in Analog (again IIRC) which predicted widespread networked home computers, and the threat of hostile programs spreading among them. In the story, the US government mandated installation of (what we would call) antivirus software, developed and provided by the government. An attorney successfully gets the program thrown out on Constitutional grounds, showing that it violates the Third Amendment, since a program guarding against national security threats is effectively a "soldier".
-- When all you have is a hammer, everything looks like a skull.
Re:Denial of Money attack?
by njchick · Score: 3, Interesting
It would push users to ISPs that do filtering for them for a few bucks a month. Also home firewalls would become more popular. That's it. It's easy to convey an idea to the end users if it's about their money.
A legally sanctioned DOS attack...
by Darlok · Score: 3, Interesting
For the love of... I think the last paragraph of this article contains the most telling statement: "...make every effort to assist in bringing about a change in the way the Internet is managed..."
The first point is that the Internet is NOT managed, at least in the sense I believe Russ is advocating it should be. Not to go all scary-conservative here, but this is just like the discussion over banning guns -- if you get rid of all the handguns in people's closets, then only the criminals will have them. If you legislate enforceable fines for doing, effectively, nothing, then you force out the majority of people who are scared of incurring any liability, and put a powerful weapon in the hands of those who would cause trouble.
Example:
Gee, I don't like Bob. Bob gets his connection through UUNet. His Windows IIS has never been patched, so next time he goes on vacation I'm going to write a worm that exploits MS00-078. Now, I'm going to turn him in to the "Identification Authority" and hope that while he's gone, he racks up enormous fines. Meanwhile, UUNet has to block port 80 for, effectively, every customer on its network if my worm has managed to infect even one other vulnerable machine.
Suddenly, script kiddies have the ability to embargo the entire net by taking advantage of bugs that happen to listen on well-known ports. I would point out today's earlier Slashdot article. Should all of our ISPs be blocking SSH traffic now?
You can't legislate against stupidity. Nor can you make perfect software. Nor can you expect to fine neophytes into becoming security experts. Even trying would simply place incredible power in the hands of the software vendors, and then huge segments of the computing world become subject to destruction from one malformed "patch", or even worse, when someone finds a way to exploit the update mechanisms.
This is the worst possible sort of power transference. Because people can not, will not, or in some cases _should_ not independently deal with their own technology issues, you empower central entities with an enormous amount of control over individual users. Novice users will relinquish that control, or be forced to pay some ridiculous sum of money in fines. In the end, chances are you end up with even worse problems than you started with.
-- Notice: Your mouse has been moved. Windows will now restart so this change can take effect.