Posted by
michael
on from the does-renter's-insurance-cover-this dept.
sagman writes "Russ at NTBugtraq is proposing fines for those whose computers allow the propagation of viruses, worms, etc., knowingly or unknowingly... Russ is taking a poll on his site. Russ states in an email that he wrote this up at the request of a US Senator staffer..."
Danger, Will Robinson! Danger!
by
inertia187
·
· Score: 5, Funny
I can just see the virus protection software making changes to their notifications to keep track of attacks that could cost people money and list it in a tally window: "You've saved $764 in internet fines this year because you used Morton AntiVirus 2005! Want to upgrade to the Pro version?"
The Pro version will include an insurance plan in case you go on vacation for a week and leave your XP box on and a new exploit surfaces while you're gone.
-- A programmer is a machine for converting coffee into code.
Denial of Money attack?
by
soren42
·
· Score: 5, Insightful
The problem with this system is that it opens people who already aren't that skilled at running a computer to a new kind of attack. Imagine someone spoofing your IP and broadcasting worm packets, running up your fines.
ISPs probably would have too much volume to deal with to investigate every packet, so it becomes easier to pay the fine than fight the system.
There's got to be a better solution than this.
--
"Adventure? Excitement? A Jedi craves not these things."
Re:Denial of Money attack?
by
eln
·
· Score: 5, Insightful
Yes, this would effectively push >90% of today's Internet users off the network. While some people might think this is a good thing, I doubt the many thousands of people that would lose their jobs in an already down economy would agree.
The only way to do something like this is to make virus scanning software compulsory, which opens up an entirely new can of worms relating to privacy rights, freedoms related to what one can do with one's own property, and implementation of such a thing without a.) forcing every American to spend money on virus scanning software or b.) jacking up everyone's tax rates. This doesn't even take into account what sort of staggering class action lawsuit would result if a destructive virus was not picked up by the now-required scanning software.
All in all, this is a kneejerk reaction of the worst kind.
Re:Denial of Money attack?
by
soren42
·
· Score: 2, Interesting
You make an excellent point, but that is still a real risk on a system similar to my home system. I use Time Warner's RoadRunner Cable Modem service, and have hundreds of people on my subnet.
In fact, a good percentage of attacks in general against my systems have been from "local" machines.
Besides, what better way to get back at that neighbor that pissed you off - run up their fines!
--
"Adventure? Excitement? A Jedi craves not these things."
Re:Denial of Money attack?
by
isomeme
·
· Score: 4, Interesting
There was a science fiction story many years ago (circa 1980, IIRC) in Analog (again IIRC) which predicted widespread networked home computers, and the threat of hostile programs spreading among them. In the story, the US government mandated installation of (what we would call) antivirus software, developed and provided by the government. An attorney successfully gets the program thrown out on Constitutional grounds, showing that it violates the Third Amendment, since a program guarding against national security threats is effectively a "soldier".
-- When all you have is a hammer, everything looks like a skull.
Re:Denial of Money attack?
by
njchick
·
· Score: 3, Interesting
It would push users to ISPs that do filtering for them for a few bucks a month. Also home firewalls would become more popular. That's it. It's easy to convey an idea to the end users if it's about their money.
Re:Denial of Money attack?
by
Tackhead
·
· Score: 2, Insightful
> Since part of the plan is for ISPs to monitor outbound traffic, that would only become a real issue of someone on your same subnet, that was served by the same gateway router, spoofed your address. Otherwise it would be real easy to say, "check the outbound logs on the router at xxx.xxx.xxx.1." Then it would pretty obvious that those packets originated on a different subnet and not from your machine, since the logs on your servicing gateway would be clean.
Spoken like a man who hasn't seen the ping-flooding that's been going non-stop since Welchia came out. Your/16's a mess, dude. But then, so is mine.
Re:Denial of Money attack?
by
tomhudson
·
· Score: 4, Insightful
Sorry, buy my bullshit-o-meter went of the scale here. The article is a troll (so is the original proposal). One of the indicators is
"Russ states in an email that he wrote this up at the request of a US Senator staffer...
That can mean pretty much anything, and is pretty lame, as is the proposal itself (yes, I did RTFA).
The other indicator is the article itself. It completely misses 2 things that have to happen:
educated users, and better operating systems.
Another quote:
According to a recent TruSecure Corporation survey, 34% of networks of 100 computers or more were affected, and the average cost per computer was US$477.00.
Do you really believe these numbers on the average cost? So why isn't it ever mentioned in SEC filings? Why aren't they investing in training end-users to use more secure systems. Why aren't they getting rid of Outlook Express?
Ok, rant off.
Re:Denial of Money attack?
by
ryanvm
·
· Score: 4, Insightful
The only way to do something like this is to make virus scanning software compulsory, which opens up an entirely new can of worms
Virus scanning software is complete bullshit. Explain to me how I have NEVER been aflicted with a computer virus, yet I also do not run antivirus software. (And yes, I'm running Windows:)
Smart users don't need antivirus software. Keep your machine patched and don't open executable attachments. Problem solved. Furthermore, the most dangerous viruses spread faster than the virus definitions anyway.
Re:Denial of Money attack?
by
tomhudson
·
· Score: 2, Funny
Of course he should switch his box. Look at the bottom of the page at the article:
An error occurred on the server when processing the URL. Please contact the system administrator.
But what do you expect from an NT advice site?
Re:Denial of Money attack?
by
RevMike
·
· Score: 2, Interesting
The only way to do something like this is to make virus scanning software compulsory, which opens up an entirely new can of worms relating to privacy rights, freedoms related to what one can do with one's own property, and implementation of such a thing without a.) forcing every American to spend money on virus scanning software or b.) jacking up everyone's tax rates.
You're right that it would be difficult for the government to require that individuals install anti-virus software and the like. However, the US Federal Government is empowered by the interstate commerce clause to regulate the ISPs. One could write a law that requires that ISPs act in good faith to secure their network. An ISP could then require anti-virus software, firewall software, etc. as part of their terms of service.
I would imagine that an ISP might periodically run that new version of nmap on each of the IP addresses that have been handed out to clients. If a service with known security holes is discovered, and email is sent to the owner and a restrictive filter is put on that IP until it is patched. That should reduce the incidence of worms.
The ISP would also route all outbound SMTP packets through its own mail server.
Antivirus software there would look for email attachments containing viruses. This would take a nice bite out of viruses. <tinfoilhat>This also provides a convenient place for the government to monitor your email.</tinfoilhat>
I'm not sure, yet, what the best approach to trojans is.
Re:Denial of Money attack?
by
tomhudson
·
· Score: 4, Funny
Couldn't have said it better myself! And of course,
after the article quotes some pulled-out-of-the-ass statistics from a "TruSecure Corporation Survey", look how the whole thing is signed:
Russ Cooper -
Surgeon General of TruSecure Corporation/NTBugtraq Editor
right above this:
An error occurred on the server when processing the URL. Please contact the system administrator.
Has he been practicing do-it-(to)-yourself lobotomies again?
Re:Denial of Money attack?
by
linkjunkie
·
· Score: 2, Insightful
And you can tell me that they don't apply to you, I'll just reply "no, not these particular ones..."
Look around, this isn't the only list! NOTHING should be compulsory, but no AV on a windows box, have you never heard of a worm?
No way in hell this would fly.
by
grub
·
· Score: 5, Insightful
"..whose computers allow the propagation of viruses, worms, etc., knowingly or unknowingly.."
Rather than fining the people (victims?) of poorly written software and OSes, why not have a
class-action suit against the corporations that make the worms & viruses possible in the first place?
Most people are up in arms when the RIAA goes after the wallet of individuals who knowingly download their
Evil MP3s whereas the bulk of users that get these infections just don't know any better.
Fining lusers won't give them clues, education will.
-- Trolling is a art,
Re:No way in hell this would fly.
by
McAddress
·
· Score: 5, Insightful
forget a lawsuit. fine the maker of the software for each copy of an OS or other piece of software that propogates a bug. After all, the OS belongs to MS. I only have a license.
Re:No way in hell this would fly.
by
Kraegar
·
· Score: 3, Insightful
So who do we file a class action suit against when a flaw like this is turned in to a worm?
I'm no Microsoft fan, but neither am I of the belief that all Open Source software (or Mac software, or *nix software) is perfect. Pull off your blinders, and realize that the solution rests not just in the hands of some major corporation, but also in the hands of anyone who chooses to place their computer on the 'net.
The blame lies in both courts.
Re:No way in hell this would fly.
by
eln
·
· Score: 5, Insightful
Sounds great for Microsoft, but in a market where successfully introducing a new competing OS is already near impossible, such a policy would push any fledgling OS company instantly into bankruptcy the minute a minor security flaw is detected in their software. Microsoft is probably the only software company in the US right now that could begin to absorb the costs of such a policy, leaving it the only company standing.
You think Microsoft owning 90% of the market is bad, wait until they own 100%.
Re:No way in hell this would fly.
by
Kaa
·
· Score: 2, Insightful
Rather than fining the people (victims?) of poorly written software and OSes, why not have a class-action suit against the corporations that make the worms & viruses possible in the first place?
A wonderful idea.
You understand, of course, that such corporations as RedHat, SuSE, etc. will be among those sued..?
And there is really no reason to limit this to corporations only. A buffer overflow in some Linux code? Look into the source for the copyright notice and sue the hell out of the poor schmuck who wrote it!
Yeah, as I've said, a great idea.
--
Kaa
Kaa's Law: In any sufficiently large group of people most are idiots.
Fines won't cut it...
by
TopShelf
·
· Score: 4, Funny
What he proposes is way too strict. Right now, I run through a firewall and proxy, keep my system up to date, etc. Is it my fault if someone hacks into my computer and uses it? No. I've done everything possible to make my computer secure, short of spending thousands of dollars on corporate-level firewalls, etc., or disconnecting it from the internet completely. No computer is 100% hackproof.
Is it my fault if someone hacks into my computer and uses it?
Apparently, judging from the editorial. It's like someone rear-ending you and you are responsible because you didn't move out of the way soon enough. Also read the following quote:
The fines would be used by ISPs to support the significant efforts required to continually block identified attack traffic.
What a nice way to encourage ISPs to scan their own [users'] network for vulnerabilities and inject them with viruses to increase their revenues.
Where would the money go?
by
Jason1729
·
· Score: 2, Insightful
If someone's negligence allows their computer to participate in a DoS, why should they have to pay money to a 3rd party regulatory body or government?
A couple of problems
by
aridhol
·
· Score: 5, Interesting
First, I think this will lead to ISPs only allowing "approved" OSs on their networks, in order to prevent themselves from getting fined. Unfortunately, the approved list will probably contain the worst offenders.
Second:
ISPs must receive freedom from liability for dropping the identified traffic. False detections are the fault of the "Independent Authority", who should also be free from liability.
Sorry we blocked your critical data, but you can't do anything about it.
-- I can't say that I don't give a fuck. I've just run out of fuck to give.
Whoa, now, wait a minute....
by
sixteenraisins
·
· Score: 2, Insightful
In order for some entity to levy a fine, there must first be some sort of law broken. As far as I know, there are no laws requiring virus protection or mandatory software/OS updates.
Are we really willing to consider allowing our computers' software, configurations, etc. to be dictated to us by the government? After all, isn't one of the selling points of "free" software having a choice in which OS/programs we use?
I don't want to be told by anybody that I must/must not download any updates to any software I choose to use (unless that particular program's EULA requires it). And I don't think I'm the only one.
William
-- When you're not looking, this sig is in Latin.
But users don't own the OS
by
RichMan
·
· Score: 4, Insightful
For the majority of enduser systems out there the user does not own the software on the system. Microsoft owns the software and has all rights to modify and control the software.
Is the enduser responsible or the actual owner of the software?
first virus fines, what next..
by
InShadows
·
· Score: 2, Funny
a fine for slashdotting a site into oblivion?
Lawsuits abound
by
chia_monkey
·
· Score: 3, Interesting
I just see lawsuits left and right with this one. On one hand, you've got Ma and Pa Kettle who know how to turn on their computer, check their email, and play solitaire. All of a suddent they're notified they owe $2.4 billion because their computer was used to take down sixteen major corporations. Do they get to sue the ISP for not filtering? Or do they get to sue the virus programmer if they're caught? Or hell, do I get to sue them because maybe they infected me and my computer infected the corner store. Sure my fine was only $50, but maybe I'll sue them $250,000 for pain and suffering (hey, this is America, we do that). Scary...
--
"He uses statistics as a drunken man uses lampposts...for support rather than illumination." - Andrew Lang
Russ posted this to NTBugTraq:
by
Medieval
·
· Score: 3, Informative
I was recently quoted in a WashingtonPost.com article saying I was in favor of fines against people who emit viruses or worms (not just originate, but infectees who perpetuate attacks.) There wasn't any meat in that article describing my proposal, so it comes off sounding kind of cold. I've had this proposal for quite some time, after being asked by a U.S. Senator staffer once to write something up to identify what's lacking in the U.S. National CyberSecurity Strategy document.
I've tried to explain it as clearly as I can, and have included a poll to take your feedback on whether you think the idea would be valuable to you. I'd appreciate it if you'd give it a read and take the poll.
I hereby acknowledge that the poll is hosted on my little T1, so you may well experience bandwidth-related fun. At least you only have to click two buttons to take the vote.
Feel free to repost this request to other lists.
Cheers,
Russ - NTBugtraq Editor
Why don't we just remove them for a period of time
by
AxelTorvalds
·
· Score: 2, Insightful
Instead of trying to get money out of them (look at all the young pirates bitching about being sued for a few grand, they don't have money) why don't we just cut their link for a period of time, say 8 days? It's short enough that you can deal but long enough to really piss you off so you had better make sure you don't let that stuff happen.
There are "attractive nuisance" laws. Be careful what you wish for.
-- MORTAR COMBAT!
Problem with this...
by
chrisgeleven
·
· Score: 3, Interesting
people aren't licensed/educated properly to use the internet. So how will they know that they have to update virus definitions and patch their systems? By e-mail notifications? When I used to work for a local ISP doing tech support, most people only checked their ISP e-mail once a month for their monthly statements, they instead had hotmail accounts for their regular e-mail. We would have to call customers non-stop to remind them to check their ISP e-mail for their bill. Now we would have to call them for their weekly virus breakout?
The key is some type of manditory education before you can advocate fines. My grandmother doesn't know a thing about antivirus protection, she just expects it to work. My grandmother doesn't know a thing about Windows Update, because she assumes the computer is safe.
So what can I do? There is no easy answers, but I guarentee fines are the last resort since none of the other options have been tried at a large scale.
Fine the O/S vendors instead
by
Dark+Coder
·
· Score: 5, Interesting
The operating system vendors should face the music.
If the U.S. Federal government mandates automobile recall because of some faulty protection system, exceeding exepected normal operation or rusted-thru "firewall", then the same should apply toward operating systems; be that may Microsoft, Linux or Unix-based.
Re:What about Microsoft?
by
brkello
·
· Score: 3, Insightful
Give me a break. What about Microsoft? Any computer on a network is vulnerable, even Linux boxes, why don't we fine Red Hat? Who should we go after when there is a crime? Maybe the criminal who wrote the freaking virus. I guarantee you, any OS that is the most used is going to be hacked...often. You don't fine grandma, nor do you fine the OS company, you find the hackers/script kiddies/etc, and you fine and jail them. Ignorant indeed.
-- Support a great indie game: http://www.abaddon360.com
Another impartial proposal (not)
by
Rosco+P.+Coltrane
·
· Score: 5, Informative
Russ at NTBugtraq is proposing fines for those whose computers allow the propagation of viruses, worms, etc., knowingly or unknowingly...
As I read the BugTraq article I was wondering who was going to provide the "approved" software to monitor all this bad traffic and keep up with the fines, etc. "The organization responsible for providing ISPs with the accurate identification information (possibly TruSecure Corporation, or maybe the new US-CERT) would determine the point at which fines will be imposed." Who else will have access to the information? Looks like a perfect opportunity for Russ's company to make a fortune implementing the mother of all Big Brothers.
fine the commerical software company
by
YouOverThere
·
· Score: 2, Interesting
Seems to be when an
car company creates a damaging defect, it isn't the driver who has to pay a fine.
Why should joe user, have to pay for the latest RPC hole?
I have to say although the article lost me from about the first line I loved this:
We aren't trying to penalize everyone for not being up-to-date or security savvy, but the level of attacks which continue to occur daily after any en-masse attack is enormous.
Uhhh yes you are...
Correct me if I'm wrong, but arn't fines a 'penality'?
Sorry, but flat out this is elitism. These people don't get how great the knowledge gap is from the average user, to anyone who might know what bugtraq is...
Think about it for 1 clock cycle.
Simply make the fine a percentage of the amount of revenue made on that product. That should put the onus back on the software company that leashed the security horror that is out there. Meanwhile, free software is protected.
Re:Danger, Will Robinson! Danger!
by
SuperBanana
·
· Score: 5, Funny
The Pro version will include an insurance plan in case you go on vacation for a week and leave your XP box on and a new exploit surfaces while you're gone.
Vacation? I don't leave my win2k box on when I go to WORK, lest a new exploit surrface before I get home:-)
So this bill would give a financial reward...
by
WolfWithoutAClause
·
· Score: 3, Insightful
...to the government for me getting subverted by a worm/virus?
Wouldn't it be better to give the government an incentive to help solve the problem rather than give them an incentive to get some obscure, amoral, and deeply secret government department to release new and more virulent attacks so as to up their income?
Sure, they probably wouldn't, officially; but why take the risk that some individual in the government would be in a position to benefit from this kind of thing?
These kinds of theoretical problems always sound impossible, but I'm nearly always surprised to find out how often they really do crop up in practice.
--
-WolfWithoutAClause
"Gravity is only a theory, not a fact!"
Impossible to avoid
by
One+Louder
·
· Score: 5, Insightful
Unfortunately, at this point it's nearly impossible for a new user to keep from getting infected.
Let's say Joe Consumer is interested in a computer - he goes down to MicroCompuCenterUSA and buys a spanking new Windows XP-based machine, plugs in the cable modem, turns it on.
*WHAMMO*
He's infected before he even gets a chance to get the latest updates, assuming he even know that's something he's supposed to do.
My sister-in-law when through this exact scenario just recently. She got nailed by Blaster within a few minutes of powering up the machine for the first time. She has no idea what a firewall is, and would certainly wonder why she would need one with a brand-new computer.
This proposal is a little like buying a new car and having the wheels fall off as you drive off the lot, then being fined for causing an accident.
Not comfortable with this.
by
0xA
·
· Score: 2, Insightful
I had this conversation last month:
Boss: I thought I told you to put that RPC patch an all our client's servers.
Me: I did.
Boss: How come these guys have Blaster then?
Me: I dunno.
Now imgaine having that conversation starting out with:
Boss: On of our clients is being fined for worm traffic...
As much as I realize that people failing to update is one of the largest enablers of these worms, I know it is possible to do everything you are suppsed to and still get nailed. Firewalled (externally) and patched but I'm still cleaning it up. I don't think I deserve a fine for that.
So Why Would I Stay On The 'Net?
by
istartedi
·
· Score: 2, Interesting
I'd have to go back to calling brokers on the phone, and writing checks, licking stamps, and sending things through the mail. I'd have to sign up at the library if there was something that I had to get from the 'net. That's assuming the library can stand the liability. If they can't, I'd probably be limited to the library's proprietary DBs on their local LAN.
In other words, if you want to kill the 'net, just turn my PC into a slot machine that has unlimited negative payout odds.
This sounds like another example of "letting the terrorists win". It would turn the 'net into a "fascist police state".
Oh... unless there is an OS that is gauranteed secure through every revision, which we all know there can't be.
Now, if they capped the fine it might be reasonable. What would I do? Buy expensive AV software? No. I'd buy insurance against the fine and continue to exercise good practices (e.g., not using OE for mail, not downloading crap software that runs in my taskbar, etc.) Does anybody sell "virus" insurance?
-- For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
Is he vaccinated against all possible illnesses, including the latest strain of the common cold? No? Well, he was clearly negligent, and has resulted in you being off work for at least a week, when you could have worked 42 hours plus 126 hours overtime at triple rate, and may well have receied a promotion and a 1000% pay rise as a result of doing al that extra time, so he owes you roughly 100 times your week's salary, plus a little extra for pain and suffering.
You'll need representation. Here's my card. Right now I'm suing the driver of an ambulance that reversed over me as I was chasing it.
Seems a Bit Elitist
by
druske
·
· Score: 3, Insightful
Okay, the Slashdot crowd is probably quite a bit more tech-savvy than our old pal Bubba, clicking away at every link that arrives in his inbox and updating his software only when he buys a new machine with it.
But I'm not sure penalizing Bubba is the right answer. Maybe Bubba is ignorant; on the other hand, he might have a legitimate mental handicap. How much responsibility should someone with Alzheimer's disease or a learning disability carry? What about someone who's simply too old or too young to grasp security issues? Where should the line be drawn, and how could we charge according to ability? And how much would it cost to administer such a program?
This suggestion is badly flawed at multiple levels.
First and foremost, Russ Cooper's is suggesting that ISP's should be fined if they fail to block attacks that propagate across their networks. This proposal violates the basic end-to-end architectural principles on which the Internet was founded. Intelligence should be localized at the end node, supported by a "stupid" network infrastructure whose function is restricted to routing packets from point to point. "Smart" networks don't scale and they cost enormous amounts of money. Most individuals who are pushing these models are more concerned with supporting a business model rather than a viable technology. Consider what is necessary for Cooper's suggestion to work: Each ISP needs to preserve state on all the TCP connections emanating from a host to ensure that the host is not starting some kind of attack.
It might be possible to create a similar model assigning all liability to the computer owner: Joe Smith's decision to run an insecure system presents a potential threat to some class of computer users. Hence, this action could be considered to be actionable. Here once again, we have a logical fallacy: Suppose that Joe's computer is vulnerable to the XYZ worm. Joe's computer is compromised and used to launch the XYZ worm at other PCs on the Internet. However, the major group of people that are put at risk by Joe's vulnerability is the set of users who share this same vulnerability. In short, the class action lawsuit would be directed against the plaintiffs.
It is certainly possible to argue that compromised systems can be used to inconvenience Internet users in other ways. Case 1: A PC could be used as a Zombie in a distributed denial of service attack. Case 2: A PC could be used as a part of a SPAM generation network. Here, the "cost" of the attack is proportional to the amount of traffic being generated by the host. In theory, if you want to establish a linkage between fines and the cost of a system being compromised, the fine should be proportional to the amount of traffic being generated. I would argue that this would be better accomplished through a tarriffing system in which monthy access charges were proportional to traffic volume.
Ultimately, Cooper's proposal would require some kind of licensing system for operating systems. This is an incredibly ugly thought.
Capitalism at it's best?
by
baneblackblade
·
· Score: 2, Insightful
If this does pass (which I sincerely hope it doesn't), what's to stop the guy who collects the fines from writing a virus, snail-mailing it to his buddy in Finland for distribution so his computer isn't picked up by the "scanning software" over in the US and then kicking back to watch the money come in? What is the money going to be used for anyway? I doubt that it would be put to any sort of use in preventing further fines or attacks.
A legally sanctioned DOS attack...
by
Darlok
·
· Score: 3, Interesting
For the love of... I think the last paragraph of this article contains the most telling statement: "...make every effort to assist in bringing about a change in the way the Internet is managed..."
The first point is that the Internet is NOT managed, at least in the sense I believe Russ is advocating it should be. Not to go all scary-conservative here, but this is just like the discussion over banning guns -- if you get rid of all the handguns in people's closets, then only the criminals will have them. If you legislate enforceable fines for doing, effectively, nothing, then you force out the majority of people who are scared of incurring any liability, and put a powerful weapon in the hands of those who would cause trouble.
Example:
Gee, I don't like Bob. Bob gets his connection through UUNet. His Windows IIS has never been patched, so next time he goes on vacation I'm going to write a worm that exploits MS00-078. Now, I'm going to turn him in to the "Identification Authority" and hope that while he's gone, he racks up enormous fines. Meanwhile, UUNet has to block port 80 for, effectively, every customer on its network if my worm has managed to infect even one other vulnerable machine.
Suddenly, script kiddies have the ability to embargo the entire net by taking advantage of bugs that happen to listen on well-known ports. I would point out today's earlier Slashdot article. Should all of our ISPs be blocking SSH traffic now?
You can't legislate against stupidity. Nor can you make perfect software. Nor can you expect to fine neophytes into becoming security experts. Even trying would simply place incredible power in the hands of the software vendors, and then huge segments of the computing world become subject to destruction from one malformed "patch", or even worse, when someone finds a way to exploit the update mechanisms.
This is the worst possible sort of power transference. Because people can not, will not, or in some cases _should_ not independently deal with their own technology issues, you empower central entities with an enormous amount of control over individual users. Novice users will relinquish that control, or be forced to pay some ridiculous sum of money in fines. In the end, chances are you end up with even worse problems than you started with.
-- Notice: Your mouse has been moved. Windows will now restart so this change can take effect.
Grandma: "What is this fine in the mail? What is a firewall? Why am I being fined? Is is the gremlins in my computer again?"
Not to mention underfunded organizations like Libraries and schools that may not be completely up to speed. This is a stupid idea. I put this up on the shelf with that idea to destroy people's computers for "piracy".
I find it amazing that people are so amazed that no one patches their computers. Think of your grandparents. What do they know about firewalls and TCP/IP and man-in-the-middle attacks? My mother has a VAGUE understanding of updating software and that it's important, but she doesn't know why. If you don't know why you are doing something, it's hard to continue doing it; and they are bound to miss something important along the way.
Someone had a good idea on another thread. ISP's should be the firewall for the little guy, and if you are in the know, you just opt-out. I work for SBC tech support. They decided to block port 135 due to all the MSBlast+derivatives activity. I think it's only temporary, but it is a good solution. No one really has any reason to be using port 135 over the net anyway. Locally, yes, internet no. You should be using a VPN if it is that important to you.
-- -- Having a Creationist Museum is like having an Atheist place of worship
Fines for companies
by
Decameron81
·
· Score: 2, Interesting
What about hunting down those guys that actually released the virus?
This sounds as stupid to me as a fine for people that let thieves into their houses.
Decameron
-- diegoT
Re:Denial of Sense attack?
by
Bearpaw
·
· Score: 2, Insightful
Sorry, buy my bullshit-o-meter went of the scale here.
My bullshit-o-meter goes off the scale whenever anyone sets up a "poll" like this. The results of such a poll wouldn't mean anything, even if the question was sensible. But he doesn't even ask a real question; he wants to know whether people agree or disagree with the "information". If he doesn't know whether or not the information he presents is correct, he should find out. If he knows it's correct, why does he care what other people think about it?
If he'd like feedback on his suggestions, he should say so.
Sorry. In irritates me when people call this sort of thing a "poll", and it makes me less inclined to take them seriously.
All how you view it
by
mindstrm
·
· Score: 2, Insightful
Let's face it. We've survived these worms pretty well. Some minor inconveniences. Sure, some people paid some money.. but it was spread around. We've survived lots of worms, and viruses, and other disasters... each time we learn a lesson, systems are hardened a bit. Pundits bitch about how security isn't getting any better, but if you look at the number of new hosts on the net in the last 10 years, it's surprising how FEW big problems there have been. The Interent is so far, successful.
Fines for people? No way. ISPs need to be responsible, peopel need to be responsible.. and that's about it. I'm not in favor of licenses, fines, or any other scheme for keeping the net "safe". It will just create beurocracy.
What I AM in favor of is making the pricing reflect costs. If your computer uses a ton of baniwidth because of some worm, you SHOULD pay for it. The fact that you didn't know is irrelevant... your computer used it.. it's your responsibility (though not necessarily your fault). Of course, ISPs will not go to this length.. customers won't like the pricing model.. its' better to charge based on average usage, and then kick off the "abusers".
The net has done well so far. Let's keep it open, and let it grow.. and if some organisation really misbehaves, we jus't wont play with them more.
To his credit, the guy is asking for feedback. This is what I sent him:
Your proposed "Internet Penalties Plan" is flawed in several aspects.
First, the concept of penalizing the victim of a crime, in this case the user of poorly written software, is morally and economically wrong beyond words. Have you ever taken a moment to read the EULAs to most software you install and run every day? The software industry dodges responsibility for its actions like no other industry ever could. If auto manufacturers forced consumers to sell away their rights in the event of neglect or incompetence on the part of the manufacturer, they'd be faced with several class action law suits. Yet when a analogous situation happens with software companies, we blame the customer? Perhaps it is the customer's fault . . . for letting the industry get away with such crimes. Ultimately, the poor design of software is too blame, specifically on the technical and user levels. Technical flaws allow the exploits to exist in the first place. Flaws at the user level keep the masses largely and, in most cases, inescapably ignorant of the problem and of any means to fix it. If software companies were held responsible for their actions, there'd be better software, and with better software we wouldn't be having this conversation.
Secondly, even if what you propose weren't horribly immoral, it would still be technically impractical. You'd like to levy fines against people who unknowingly contribute to malicious computer attack. How do you propose on identifying those "responsible"? IP addresses, MAC addresses, and other means of computer identification can and will always be forged. Now, instead of crippling a company's network, all an attacker has to do is trick "the system" into thinking the company is the unknowing accomplice in another attack, thus incurring financial and legal woes for that company. Any proposal too trusting of technology will inevitably be reduced to yet another tool by those who would initiate such malicious attacks. Of course, there's also the issue of logistics, in that it would be virtually impossible to successfully levy all fines imposed since a large portion of these "unknowing" conspirators would lie outside the jurisdiction of the United States.
Overall, while I understand your logic, I believe you to be on the wrong track. Your proposal is fundamentally flawed and ultimately counterproductive.
Sincerely,
Re:But is it Microsoft's fault?
by
Fermier+de+Pomme+de
·
· Score: 2, Insightful
Why is it that the users are blamed for all of this.
If someone wants to have a box on their desk that lets them chat w/friends, read mail, check the weather, etc. why does that person have to understand open ports, trojans, viruses, firewalls, etc?
Something smells funny then again programmers are great for forgetting that someone actually has to use the stuff that they write. I'll give you a hint - when you blame a user for repeatedly falling into the same trap you are missing the real problem: the software doesn't meet the user's needs.
Why should someone either be forced to become an MCSE or RHCE to maintain their system? Why should someone be forced to outsource their system maintenence to a 3rd party? Why do we even need virus scanners for email? Who the hell needs macros and scripting in a freaking email client? Why can't the box the user's desk just do the things the company advertises without taking out infrastructure and attacking other machines?
Because software is created/tested in a half-assed way.
Don't think so? Why do buffer overrun attacks still happen today? Is this something an end user should be responsible for? To take the car analogy above further this would be like selling someone a car with brakes that fail every 2-3 weeks. This is now the owner's fault? WTF?
Windows Update, and Up2Date are 2 examples of offerings that make it possilbe for non-tech users to stay patched. The industry is (somewhat slowly) moving to address the problem of unpatched systems.
Corporations do feel the heat from the ever increasing number of attacks and you can bet that some of the larger customers are giving MS an earful w/regards to what a virus attack does to their TCO. Microsoft is in turn reacting to this, though the lack of competition on the desktop is probably slowing progress here.
Market forces seem to be taking care of this issue gradually. I hope that things can be improved without lameass legislation put together by a group of people that make luddites look like early-adopters. The scary thing is that large corporations are whispering in ears saying things like: "Don't hold us liable, it will be bad for the economy". Is there anyone that is letting our elected officials know what a screw-job it would be to blame end users for problems whose technical solutions are beyond their understanding?
Re:Danger, Will Robinson! Danger!
by
kilgore_47
·
· Score: 4, Insightful
Riight, lets punish the ignorant victims for their ignorance... 'Cause fining the richest man in the world, or his company that is the cause of most of the problems, why.. that... that would be crazy!
*shakes head*
This is a horrible idea for oh so many reasons. The first that comes to mind is that government mandates about ISP logging and packet blocking are a bad thing. Once a national infrastructure is in place that allows a government sponsored program to declare certain packets or application signatures "bad", what's to stop them from adding more things than just viruses? It would be trivial, technically, to write a 'virus definition' for p2p traffic. It would be almost as trivial, and only a bit more expensive, to get this done on a political level (a certain senator from disney would probably love to help out). When the DMCA crowd is done adding their firewall rules, maybe the Patriot Act fan club will want to throw in a few too... What it comes down to is that the U.S. government cannot be allowed to regulate the internet in this manner.
Which also brings up another point; being US-only, this system is pretty worthless for stopping attacks. To be effective, the law would need to require extensive "border" filtering at sites with international peers. See point above about why this is really bad. Fortunately, this whole proposition is such preposterous crazytalk that I don't think it actually has much of any chance at happening.
I think a better idea would be to implement new regulations surrounding software warranties. I don't know how exactly it should be done, but I do know that (a) if a company's ReallyExpensiveProduct routinely breaks and causes large financial damages for it's users, the company should be somehow held liable, and they shouldn't be able to get out of it with a clause in an EULA. But at the same time, (b) independent programmers who are giving their software away need to be able to do it without taking on liability, or they won't be able to do it at all, and we won't have Free software. The No Warranty clause of the GPL is a very important one. It would be great if paying for software meant you had more guarantee that it was going to work... it's really a bit bizarre that today the software you can get for free works better than the software that costs money. Perhaps a sliding scale price based warranty would help with that.
-- ___ The way to see by faith is to shut the eye of reason. --Ben Franklin
Slashdot Mirror
I can just see the virus protection software making changes to their notifications to keep track of attacks that could cost people money and list it in a tally window: "You've saved $764 in internet fines this year because you used Morton AntiVirus 2005! Want to upgrade to the Pro version?"
The Pro version will include an insurance plan in case you go on vacation for a week and leave your XP box on and a new exploit surfaces while you're gone.
A programmer is a machine for converting coffee into code.
The problem with this system is that it opens people who already aren't that skilled at running a computer to a new kind of attack. Imagine someone spoofing your IP and broadcasting worm packets, running up your fines.
ISPs probably would have too much volume to deal with to investigate every packet, so it becomes easier to pay the fine than fight the system.
There's got to be a better solution than this.
"Adventure? Excitement? A Jedi craves not these things."
"..whose computers allow the propagation of viruses, worms, etc., knowingly or unknowingly
Rather than fining the people (victims?) of poorly written software and OSes, why not have a class-action suit against the corporations that make the worms & viruses possible in the first place? Most people are up in arms when the RIAA goes after the wallet of individuals who knowingly download their Evil MP3s whereas the bulk of users that get these infections just don't know any better.
Fining lusers won't give them clues, education will.
Trolling is a art,
I'd much prefer bounties.
Stop by my site where I write about ERP systems & more
Make all the laws you want. Enforcement will always be the issue that causes less-than-satisfactory results.
Same for spam, parasiteware, etc.
oh, btw.. Almost First Post!
do() || do_not();
Great,
Just what I need, my grandma getting hit with fines because she wants email to talk to the grandkids.
I maintain several win and linux computers and I certainly don't have the time to lurk security mailing lists to stay ahead of every friggin' exploit.
BOO! TERRO
What about foriegn computers that propogate this problem?
--fetch daddy's blue fright wig, i must be handsome when i release my rage
does this mean that we could fine the Microsoft Corporation ... ONE... HUNDRED... BILLION DOLLARS???
muuwaahahahahahahaha!!!
My Sig Beat up your Honor Roll Sig
What he proposes is way too strict. Right now, I run through a firewall and proxy, keep my system up to date, etc. Is it my fault if someone hacks into my computer and uses it? No. I've done everything possible to make my computer secure, short of spending thousands of dollars on corporate-level firewalls, etc., or disconnecting it from the internet completely. No computer is 100% hackproof.
If someone's negligence allows their computer to participate in a DoS, why should they have to pay money to a 3rd party regulatory body or government?
Jason
ProrQuotes
Second:
Sorry we blocked your critical data, but you can't do anything about it.I can't say that I don't give a fuck. I've just run out of fuck to give.
In order for some entity to levy a fine, there must first be some sort of law broken. As far as I know, there are no laws requiring virus protection or mandatory software/OS updates.
Are we really willing to consider allowing our computers' software, configurations, etc. to be dictated to us by the government? After all, isn't one of the selling points of "free" software having a choice in which OS/programs we use?
I don't want to be told by anybody that I must/must not download any updates to any software I choose to use (unless that particular program's EULA requires it). And I don't think I'm the only one.
William
When you're not looking, this sig is in Latin.
For the majority of enduser systems out there the user does not own the software on the system. Microsoft owns the software and has all rights to modify and control the software.
Is the enduser responsible or the actual owner of the software?
a fine for slashdotting a site into oblivion?
I just see lawsuits left and right with this one. On one hand, you've got Ma and Pa Kettle who know how to turn on their computer, check their email, and play solitaire. All of a suddent they're notified they owe $2.4 billion because their computer was used to take down sixteen major corporations. Do they get to sue the ISP for not filtering? Or do they get to sue the virus programmer if they're caught? Or hell, do I get to sue them because maybe they infected me and my computer infected the corner store. Sure my fine was only $50, but maybe I'll sue them $250,000 for pain and suffering (hey, this is America, we do that). Scary...
"He uses statistics as a drunken man uses lampposts...for support rather than illumination." - Andrew Lang
The included URL, for reference.
I was recently quoted in a WashingtonPost.com article saying I was in favor of fines against people who emit viruses or worms (not just originate, but infectees who perpetuate attacks.) There wasn't any meat in that article describing my proposal, so it comes off sounding kind of cold. I've had this proposal for quite some time, after being asked by a U.S. Senator staffer once to write something up to identify what's lacking in the U.S. National CyberSecurity Strategy document.
I've tried to explain it as clearly as I can, and have included a poll to take your feedback on whether you think the idea would be valuable to you. I'd appreciate it if you'd give it a read and take the poll.
I hereby acknowledge that the poll is hosted on my little T1, so you may well experience bandwidth-related fun. At least you only have to click two buttons to take the vote.
Feel free to repost this request to other lists.
Cheers,Russ - NTBugtraq Editor
Instead of trying to get money out of them (look at all the young pirates bitching about being sued for a few grand, they don't have money) why don't we just cut their link for a period of time, say 8 days? It's short enough that you can deal but long enough to really piss you off so you had better make sure you don't let that stuff happen.
There are "attractive nuisance" laws. Be careful what you wish for.
MORTAR COMBAT!
people aren't licensed/educated properly to use the internet. So how will they know that they have to update virus definitions and patch their systems? By e-mail notifications? When I used to work for a local ISP doing tech support, most people only checked their ISP e-mail once a month for their monthly statements, they instead had hotmail accounts for their regular e-mail. We would have to call customers non-stop to remind them to check their ISP e-mail for their bill. Now we would have to call them for their weekly virus breakout?
The key is some type of manditory education before you can advocate fines. My grandmother doesn't know a thing about antivirus protection, she just expects it to work. My grandmother doesn't know a thing about Windows Update, because she assumes the computer is safe.
So what can I do? There is no easy answers, but I guarentee fines are the last resort since none of the other options have been tried at a large scale.
The operating system vendors should face the music.
If the U.S. Federal government mandates automobile recall because of some faulty protection system, exceeding exepected normal operation or rusted-thru "firewall", then the same should apply toward operating systems; be that may Microsoft, Linux or Unix-based.
Give me a break. What about Microsoft? Any computer on a network is vulnerable, even Linux boxes, why don't we fine Red Hat? Who should we go after when there is a crime? Maybe the criminal who wrote the freaking virus. I guarantee you, any OS that is the most used is going to be hacked...often. You don't fine grandma, nor do you fine the OS company, you find the hackers/script kiddies/etc, and you fine and jail them. Ignorant indeed.
Support a great indie game: http://www.abaddon360.com
Russ at NTBugtraq is proposing fines for those whose computers allow the propagation of viruses, worms, etc., knowingly or unknowingly...
...
- Russ Cooper is editor at NTBugTraq
- NTBugTraq is a division of TruSecure Corporation
- Russ Cooper is chief scientist at TruSecure Corporation
- TruSecure Corporation sells security solutions and services.
In other news, the Haagen Das corporation is pushing a proposal to hasten global warming
Another fine impartial article brought to you by Slashdot.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Why should joe user, have to pay for the latest RPC hole?
I have to say although the article lost me from about the first line I loved this :
We aren't trying to penalize everyone for not being up-to-date or security savvy, but the level of attacks which continue to occur daily after any en-masse attack is enormous.
Uhhh yes you are...
Correct me if I'm wrong, but arn't fines a 'penality'? Sorry, but flat out this is elitism. These people don't get how great the knowledge gap is from the average user, to anyone who might know what bugtraq is...
Think about it for 1 clock cycle.
Simply make the fine a percentage of the amount of revenue made on that product. That should put the onus back on the software company that leashed the security horror that is out there. Meanwhile, free software is protected.
Vacation? I don't leave my win2k box on when I go to WORK, lest a new exploit surrface before I get home :-)
Please help metamoderate.
Wouldn't it be better to give the government an incentive to help solve the problem rather than give them an incentive to get some obscure, amoral, and deeply secret government department to release new and more virulent attacks so as to up their income?
Sure, they probably wouldn't, officially; but why take the risk that some individual in the government would be in a position to benefit from this kind of thing?
These kinds of theoretical problems always sound impossible, but I'm nearly always surprised to find out how often they really do crop up in practice.
-WolfWithoutAClause
"Gravity is only a theory, not a fact!"Let's say Joe Consumer is interested in a computer - he goes down to MicroCompuCenterUSA and buys a spanking new Windows XP-based machine, plugs in the cable modem, turns it on.
*WHAMMO*
He's infected before he even gets a chance to get the latest updates, assuming he even know that's something he's supposed to do.
My sister-in-law when through this exact scenario just recently. She got nailed by Blaster within a few minutes of powering up the machine for the first time. She has no idea what a firewall is, and would certainly wonder why she would need one with a brand-new computer.
This proposal is a little like buying a new car and having the wheels fall off as you drive off the lot, then being fined for causing an accident.
Boss: I thought I told you to put that RPC patch an all our client's servers.
Me: I did.
Boss: How come these guys have Blaster then?
Me: I dunno.
Now imgaine having that conversation starting out with:
Boss: On of our clients is being fined for worm traffic...
As much as I realize that people failing to update is one of the largest enablers of these worms, I know it is possible to do everything you are suppsed to and still get nailed. Firewalled (externally) and patched but I'm still cleaning it up. I don't think I deserve a fine for that.
I'd have to go back to calling brokers on the phone, and writing checks, licking stamps, and sending things through the mail. I'd have to sign up at the library if there was something that I had to get from the 'net. That's assuming the library can stand the liability. If they can't, I'd probably be limited to the library's proprietary DBs on their local LAN.
In other words, if you want to kill the 'net, just turn my PC into a slot machine that has unlimited negative payout odds.
This sounds like another example of "letting the terrorists win". It would turn the 'net into a "fascist police state".
Oh... unless there is an OS that is gauranteed secure through every revision, which we all know there can't be.
Now, if they capped the fine it might be reasonable. What would I do? Buy expensive AV software? No. I'd buy insurance against the fine and continue to exercise good practices (e.g., not using OE for mail, not downloading crap software that runs in my taskbar, etc.) Does anybody sell "virus" insurance?
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
Yes!
Is he vaccinated against all possible illnesses, including the latest strain of the common cold? No? Well, he was clearly negligent, and has resulted in you being off work for at least a week, when you could have worked 42 hours plus 126 hours overtime at triple rate, and may well have receied a promotion and a 1000% pay rise as a result of doing al that extra time, so he owes you roughly 100 times your week's salary, plus a little extra for pain and suffering.
You'll need representation. Here's my card. Right now I'm suing the driver of an ambulance that reversed over me as I was chasing it.
Okay, the Slashdot crowd is probably quite a bit more tech-savvy than our old pal Bubba, clicking away at every link that arrives in his inbox and updating his software only when he buys a new machine with it.
But I'm not sure penalizing Bubba is the right answer. Maybe Bubba is ignorant; on the other hand, he might have a legitimate mental handicap. How much responsibility should someone with Alzheimer's disease or a learning disability carry? What about someone who's simply too old or too young to grasp security issues? Where should the line be drawn, and how could we charge according to ability? And how much would it cost to administer such a program?
This suggestion is badly flawed at multiple levels.
First and foremost, Russ Cooper's is suggesting that ISP's should be fined if they fail to block attacks that propagate across their networks. This proposal violates the basic end-to-end architectural principles on which the Internet was founded. Intelligence should be localized at the end node, supported by a "stupid" network infrastructure whose function is restricted to routing packets from point to point. "Smart" networks don't scale and they cost enormous amounts of money. Most individuals who are pushing these models are more concerned with supporting a business model rather than a viable technology. Consider what is necessary for Cooper's suggestion to work: Each ISP needs to preserve state on all the TCP connections emanating from a host to ensure that the host is not starting some kind of attack.
It might be possible to create a similar model assigning all liability to the computer owner: Joe Smith's decision to run an insecure system presents a potential threat to some class of computer users. Hence, this action could be considered to be actionable. Here once again, we have a logical fallacy: Suppose that Joe's computer is vulnerable to the XYZ worm. Joe's computer is compromised and used to launch the XYZ worm at other PCs on the Internet. However, the major group of people that are put at risk by Joe's vulnerability is the set of users who share this same vulnerability. In short, the class action lawsuit would be directed against the plaintiffs.
It is certainly possible to argue that compromised systems can be used to inconvenience Internet users in other ways. Case 1: A PC could be used as a Zombie in a distributed denial of service attack. Case 2: A PC could be used as a part of a SPAM generation network. Here, the "cost" of the attack is proportional to the amount of traffic being generated by the host. In theory, if you want to establish a linkage between fines and the cost of a system being compromised, the fine should be proportional to the amount of traffic being generated. I would argue that this would be better accomplished through a tarriffing system in which monthy access charges were proportional to traffic volume.
Ultimately, Cooper's proposal would require some kind of licensing system for operating systems. This is an incredibly ugly thought.
If this does pass (which I sincerely hope it doesn't), what's to stop the guy who collects the fines from writing a virus, snail-mailing it to his buddy in Finland for distribution so his computer isn't picked up by the "scanning software" over in the US and then kicking back to watch the money come in? What is the money going to be used for anyway? I doubt that it would be put to any sort of use in preventing further fines or attacks.
For the love of... I think the last paragraph of this article contains the most telling statement: "...make every effort to assist in bringing about a change in the way the Internet is managed..."
The first point is that the Internet is NOT managed, at least in the sense I believe Russ is advocating it should be. Not to go all scary-conservative here, but this is just like the discussion over banning guns -- if you get rid of all the handguns in people's closets, then only the criminals will have them. If you legislate enforceable fines for doing, effectively, nothing, then you force out the majority of people who are scared of incurring any liability, and put a powerful weapon in the hands of those who would cause trouble.
Example:
Gee, I don't like Bob. Bob gets his connection through UUNet. His Windows IIS has never been patched, so next time he goes on vacation I'm going to write a worm that exploits MS00-078. Now, I'm going to turn him in to the "Identification Authority" and hope that while he's gone, he racks up enormous fines. Meanwhile, UUNet has to block port 80 for, effectively, every customer on its network if my worm has managed to infect even one other vulnerable machine.
Suddenly, script kiddies have the ability to embargo the entire net by taking advantage of bugs that happen to listen on well-known ports. I would point out today's earlier Slashdot article. Should all of our ISPs be blocking SSH traffic now?
You can't legislate against stupidity. Nor can you make perfect software. Nor can you expect to fine neophytes into becoming security experts. Even trying would simply place incredible power in the hands of the software vendors, and then huge segments of the computing world become subject to destruction from one malformed "patch", or even worse, when someone finds a way to exploit the update mechanisms.
This is the worst possible sort of power transference. Because people can not, will not, or in some cases _should_ not independently deal with their own technology issues, you empower central entities with an enormous amount of control over individual users. Novice users will relinquish that control, or be forced to pay some ridiculous sum of money in fines. In the end, chances are you end up with even worse problems than you started with.
Notice: Your mouse has been moved. Windows will now restart so this change can take effect.
Grandma: "What is this fine in the mail? What is a firewall? Why am I being fined? Is is the gremlins in my computer again?"
Not to mention underfunded organizations like Libraries and schools that may not be completely up to speed. This is a stupid idea. I put this up on the shelf with that idea to destroy people's computers for "piracy".
I find it amazing that people are so amazed that no one patches their computers. Think of your grandparents. What do they know about firewalls and TCP/IP and man-in-the-middle attacks? My mother has a VAGUE understanding of updating software and that it's important, but she doesn't know why. If you don't know why you are doing something, it's hard to continue doing it; and they are bound to miss something important along the way.
Someone had a good idea on another thread. ISP's should be the firewall for the little guy, and if you are in the know, you just opt-out. I work for SBC tech support. They decided to block port 135 due to all the MSBlast+derivatives activity. I think it's only temporary, but it is a good solution. No one really has any reason to be using port 135 over the net anyway. Locally, yes, internet no. You should be using a VPN if it is that important to you.
-- Having a Creationist Museum is like having an Atheist place of worship
What about hunting down those guys that actually released the virus?
This sounds as stupid to me as a fine for people that let thieves into their houses.
Decameron
diegoT
My bullshit-o-meter goes off the scale whenever anyone sets up a "poll" like this. The results of such a poll wouldn't mean anything, even if the question was sensible. But he doesn't even ask a real question; he wants to know whether people agree or disagree with the "information". If he doesn't know whether or not the information he presents is correct, he should find out. If he knows it's correct, why does he care what other people think about it?
If he'd like feedback on his suggestions, he should say so.
Sorry. In irritates me when people call this sort of thing a "poll", and it makes me less inclined to take them seriously.
Let's face it. We've survived these worms pretty well. Some minor inconveniences. Sure, some people paid some money.. but it was spread around. We've survived lots of worms, and viruses, and other disasters... each time we learn a lesson, systems are hardened a bit. Pundits bitch about how security isn't getting any better, but if you look at the number of new hosts on the net in the last 10 years, it's surprising how FEW big problems there have been. The Interent is so far, successful.
Fines for people? No way. ISPs need to be responsible, peopel need to be responsible.. and that's about it.
I'm not in favor of licenses, fines, or any other scheme for keeping the net "safe". It will just create beurocracy.
What I AM in favor of is making the pricing reflect costs. If your computer uses a ton of baniwidth because of some worm, you SHOULD pay for it. The fact that you didn't know is irrelevant... your computer used it.. it's your responsibility (though not necessarily your fault).
Of course, ISPs will not go to this length.. customers won't like the pricing model.. its' better to charge based on average usage, and then kick off the "abusers".
The net has done well so far. Let's keep it open, and let it grow.. and if some organisation really misbehaves, we jus't wont play with them more.
To his credit, the guy is asking for feedback. This is what I sent him:
Your proposed "Internet Penalties Plan" is flawed in several aspects.
First, the concept of penalizing the victim of a crime, in this case the user of poorly written software, is morally and economically wrong beyond words. Have you ever taken a moment to read the EULAs to most software you install and run every day? The software industry dodges responsibility for its actions like no other industry ever could. If auto manufacturers forced consumers to sell away their rights in the event of neglect or incompetence on the part of the manufacturer, they'd be faced with several class action law suits. Yet when a analogous situation happens with software companies, we blame the customer? Perhaps it is the customer's fault . . . for letting the industry get away with such crimes. Ultimately, the poor design of software is too blame, specifically on the technical and user levels. Technical flaws allow the exploits to exist in the first place. Flaws at the user level keep the masses largely and, in most cases, inescapably ignorant of the problem and of any means to fix it. If software companies were held responsible for their actions, there'd be better software, and with better software we wouldn't be having this conversation.
Secondly, even if what you propose weren't horribly immoral, it would still be technically impractical. You'd like to levy fines against people who unknowingly contribute to malicious computer attack. How do you propose on identifying those "responsible"? IP addresses, MAC addresses, and other means of computer identification can and will always be forged. Now, instead of crippling a company's network, all an attacker has to do is trick "the system" into thinking the company is the unknowing accomplice in another attack, thus incurring financial and legal woes for that company. Any proposal too trusting of technology will inevitably be reduced to yet another tool by those who would initiate such malicious attacks. Of course, there's also the issue of logistics, in that it would be virtually impossible to successfully levy all fines imposed since a large portion of these "unknowing" conspirators would lie outside the jurisdiction of the United States.
Overall, while I understand your logic, I believe you to be on the wrong track. Your proposal is fundamentally flawed and ultimately counterproductive.
Sincerely,
If someone wants to have a box on their desk that lets them chat w/friends, read mail, check the weather, etc. why does that person have to understand open ports, trojans, viruses, firewalls, etc?
Something smells funny then again programmers are great for forgetting that someone actually has to use the stuff that they write. I'll give you a hint - when you blame a user for repeatedly falling into the same trap you are missing the real problem: the software doesn't meet the user's needs.
Why should someone either be forced to become an MCSE or RHCE to maintain their system? Why should someone be forced to outsource their system maintenence to a 3rd party? Why do we even need virus scanners for email? Who the hell needs macros and scripting in a freaking email client? Why can't the box the user's desk just do the things the company advertises without taking out infrastructure and attacking other machines?
Because software is created/tested in a half-assed way.
Don't think so? Why do buffer overrun attacks still happen today? Is this something an end user should be responsible for? To take the car analogy above further this would be like selling someone a car with brakes that fail every 2-3 weeks. This is now the owner's fault? WTF?
Windows Update, and Up2Date are 2 examples of offerings that make it possilbe for non-tech users to stay patched. The industry is (somewhat slowly) moving to address the problem of unpatched systems.
Corporations do feel the heat from the ever increasing number of attacks and you can bet that some of the larger customers are giving MS an earful w/regards to what a virus attack does to their TCO. Microsoft is in turn reacting to this, though the lack of competition on the desktop is probably slowing progress here.
Market forces seem to be taking care of this issue gradually. I hope that things can be improved without lameass legislation put together by a group of people that make luddites look like early-adopters. The scary thing is that large corporations are whispering in ears saying things like: "Don't hold us liable, it will be bad for the economy". Is there anyone that is letting our elected officials know what a screw-job it would be to blame end users for problems whose technical solutions are beyond their understanding?
Riight, lets punish the ignorant victims for their ignorance... 'Cause fining the richest man in the world, or his company that is the cause of most of the problems, why.. that... that would be crazy!
*shakes head*
This is a horrible idea for oh so many reasons. The first that comes to mind is that government mandates about ISP logging and packet blocking are a bad thing. Once a national infrastructure is in place that allows a government sponsored program to declare certain packets or application signatures "bad", what's to stop them from adding more things than just viruses? It would be trivial, technically, to write a 'virus definition' for p2p traffic. It would be almost as trivial, and only a bit more expensive, to get this done on a political level (a certain senator from disney would probably love to help out). When the DMCA crowd is done adding their firewall rules, maybe the Patriot Act fan club will want to throw in a few too... What it comes down to is that the U.S. government cannot be allowed to regulate the internet in this manner.
Which also brings up another point; being US-only, this system is pretty worthless for stopping attacks. To be effective, the law would need to require extensive "border" filtering at sites with international peers. See point above about why this is really bad. Fortunately, this whole proposition is such preposterous crazytalk that I don't think it actually has much of any chance at happening.
I think a better idea would be to implement new regulations surrounding software warranties. I don't know how exactly it should be done, but I do know that (a) if a company's ReallyExpensiveProduct routinely breaks and causes large financial damages for it's users, the company should be somehow held liable, and they shouldn't be able to get out of it with a clause in an EULA. But at the same time, (b) independent programmers who are giving their software away need to be able to do it without taking on liability, or they won't be able to do it at all, and we won't have Free software. The No Warranty clause of the GPL is a very important one. It would be great if paying for software meant you had more guarantee that it was going to work... it's really a bit bizarre that today the software you can get for free works better than the software that costs money. Perhaps a sliding scale price based warranty would help with that.
___
The way to see by faith is to shut the eye of reason. --Ben Franklin