Posted by
michael
on from the does-renter's-insurance-cover-this dept.
sagman writes "Russ at NTBugtraq is proposing fines for those whose computers allow the propagation of viruses, worms, etc., knowingly or unknowingly... Russ is taking a poll on his site. Russ states in an email that he wrote this up at the request of a US Senator staffer..."
Danger, Will Robinson! Danger!
by
inertia187
·
· Score: 5, Funny
I can just see the virus protection software making changes to their notifications to keep track of attacks that could cost people money and list it in a tally window: "You've saved $764 in internet fines this year because you used Morton AntiVirus 2005! Want to upgrade to the Pro version?"
The Pro version will include an insurance plan in case you go on vacation for a week and leave your XP box on and a new exploit surfaces while you're gone.
-- A programmer is a machine for converting coffee into code.
Denial of Money attack?
by
soren42
·
· Score: 5, Insightful
The problem with this system is that it opens people who already aren't that skilled at running a computer to a new kind of attack. Imagine someone spoofing your IP and broadcasting worm packets, running up your fines.
ISPs probably would have too much volume to deal with to investigate every packet, so it becomes easier to pay the fine than fight the system.
There's got to be a better solution than this.
--
"Adventure? Excitement? A Jedi craves not these things."
Re:Denial of Money attack?
by
eln
·
· Score: 5, Insightful
Yes, this would effectively push >90% of today's Internet users off the network. While some people might think this is a good thing, I doubt the many thousands of people that would lose their jobs in an already down economy would agree.
The only way to do something like this is to make virus scanning software compulsory, which opens up an entirely new can of worms relating to privacy rights, freedoms related to what one can do with one's own property, and implementation of such a thing without a.) forcing every American to spend money on virus scanning software or b.) jacking up everyone's tax rates. This doesn't even take into account what sort of staggering class action lawsuit would result if a destructive virus was not picked up by the now-required scanning software.
All in all, this is a kneejerk reaction of the worst kind.
Re:Denial of Money attack?
by
isomeme
·
· Score: 4, Interesting
There was a science fiction story many years ago (circa 1980, IIRC) in Analog (again IIRC) which predicted widespread networked home computers, and the threat of hostile programs spreading among them. In the story, the US government mandated installation of (what we would call) antivirus software, developed and provided by the government. An attorney successfully gets the program thrown out on Constitutional grounds, showing that it violates the Third Amendment, since a program guarding against national security threats is effectively a "soldier".
-- When all you have is a hammer, everything looks like a skull.
Re:Denial of Money attack?
by
njchick
·
· Score: 3, Interesting
It would push users to ISPs that do filtering for them for a few bucks a month. Also home firewalls would become more popular. That's it. It's easy to convey an idea to the end users if it's about their money.
Re:Denial of Money attack?
by
tomhudson
·
· Score: 4, Insightful
Sorry, buy my bullshit-o-meter went of the scale here. The article is a troll (so is the original proposal). One of the indicators is
"Russ states in an email that he wrote this up at the request of a US Senator staffer...
That can mean pretty much anything, and is pretty lame, as is the proposal itself (yes, I did RTFA).
The other indicator is the article itself. It completely misses 2 things that have to happen:
educated users, and better operating systems.
Another quote:
According to a recent TruSecure Corporation survey, 34% of networks of 100 computers or more were affected, and the average cost per computer was US$477.00.
Do you really believe these numbers on the average cost? So why isn't it ever mentioned in SEC filings? Why aren't they investing in training end-users to use more secure systems. Why aren't they getting rid of Outlook Express?
Ok, rant off.
Re:Denial of Money attack?
by
ryanvm
·
· Score: 4, Insightful
The only way to do something like this is to make virus scanning software compulsory, which opens up an entirely new can of worms
Virus scanning software is complete bullshit. Explain to me how I have NEVER been aflicted with a computer virus, yet I also do not run antivirus software. (And yes, I'm running Windows:)
Smart users don't need antivirus software. Keep your machine patched and don't open executable attachments. Problem solved. Furthermore, the most dangerous viruses spread faster than the virus definitions anyway.
Re:Denial of Money attack?
by
tomhudson
·
· Score: 4, Funny
Couldn't have said it better myself! And of course,
after the article quotes some pulled-out-of-the-ass statistics from a "TruSecure Corporation Survey", look how the whole thing is signed:
Russ Cooper -
Surgeon General of TruSecure Corporation/NTBugtraq Editor
right above this:
An error occurred on the server when processing the URL. Please contact the system administrator.
Has he been practicing do-it-(to)-yourself lobotomies again?
No way in hell this would fly.
by
grub
·
· Score: 5, Insightful
"..whose computers allow the propagation of viruses, worms, etc., knowingly or unknowingly.."
Rather than fining the people (victims?) of poorly written software and OSes, why not have a
class-action suit against the corporations that make the worms & viruses possible in the first place?
Most people are up in arms when the RIAA goes after the wallet of individuals who knowingly download their
Evil MP3s whereas the bulk of users that get these infections just don't know any better.
Fining lusers won't give them clues, education will.
-- Trolling is a art,
Re:No way in hell this would fly.
by
McAddress
·
· Score: 5, Insightful
forget a lawsuit. fine the maker of the software for each copy of an OS or other piece of software that propogates a bug. After all, the OS belongs to MS. I only have a license.
Re:No way in hell this would fly.
by
Kraegar
·
· Score: 3, Insightful
So who do we file a class action suit against when a flaw like this is turned in to a worm?
I'm no Microsoft fan, but neither am I of the belief that all Open Source software (or Mac software, or *nix software) is perfect. Pull off your blinders, and realize that the solution rests not just in the hands of some major corporation, but also in the hands of anyone who chooses to place their computer on the 'net.
The blame lies in both courts.
Re:No way in hell this would fly.
by
eln
·
· Score: 5, Insightful
Sounds great for Microsoft, but in a market where successfully introducing a new competing OS is already near impossible, such a policy would push any fledgling OS company instantly into bankruptcy the minute a minor security flaw is detected in their software. Microsoft is probably the only software company in the US right now that could begin to absorb the costs of such a policy, leaving it the only company standing.
You think Microsoft owning 90% of the market is bad, wait until they own 100%.
Fines won't cut it...
by
TopShelf
·
· Score: 4, Funny
What he proposes is way too strict. Right now, I run through a firewall and proxy, keep my system up to date, etc. Is it my fault if someone hacks into my computer and uses it? No. I've done everything possible to make my computer secure, short of spending thousands of dollars on corporate-level firewalls, etc., or disconnecting it from the internet completely. No computer is 100% hackproof.
Is it my fault if someone hacks into my computer and uses it?
Apparently, judging from the editorial. It's like someone rear-ending you and you are responsible because you didn't move out of the way soon enough. Also read the following quote:
The fines would be used by ISPs to support the significant efforts required to continually block identified attack traffic.
What a nice way to encourage ISPs to scan their own [users'] network for vulnerabilities and inject them with viruses to increase their revenues.
A couple of problems
by
aridhol
·
· Score: 5, Interesting
First, I think this will lead to ISPs only allowing "approved" OSs on their networks, in order to prevent themselves from getting fined. Unfortunately, the approved list will probably contain the worst offenders.
Second:
ISPs must receive freedom from liability for dropping the identified traffic. False detections are the fault of the "Independent Authority", who should also be free from liability.
Sorry we blocked your critical data, but you can't do anything about it.
-- I can't say that I don't give a fuck. I've just run out of fuck to give.
But users don't own the OS
by
RichMan
·
· Score: 4, Insightful
For the majority of enduser systems out there the user does not own the software on the system. Microsoft owns the software and has all rights to modify and control the software.
Is the enduser responsible or the actual owner of the software?
Lawsuits abound
by
chia_monkey
·
· Score: 3, Interesting
I just see lawsuits left and right with this one. On one hand, you've got Ma and Pa Kettle who know how to turn on their computer, check their email, and play solitaire. All of a suddent they're notified they owe $2.4 billion because their computer was used to take down sixteen major corporations. Do they get to sue the ISP for not filtering? Or do they get to sue the virus programmer if they're caught? Or hell, do I get to sue them because maybe they infected me and my computer infected the corner store. Sure my fine was only $50, but maybe I'll sue them $250,000 for pain and suffering (hey, this is America, we do that). Scary...
--
"He uses statistics as a drunken man uses lampposts...for support rather than illumination." - Andrew Lang
Russ posted this to NTBugTraq:
by
Medieval
·
· Score: 3, Informative
I was recently quoted in a WashingtonPost.com article saying I was in favor of fines against people who emit viruses or worms (not just originate, but infectees who perpetuate attacks.) There wasn't any meat in that article describing my proposal, so it comes off sounding kind of cold. I've had this proposal for quite some time, after being asked by a U.S. Senator staffer once to write something up to identify what's lacking in the U.S. National CyberSecurity Strategy document.
I've tried to explain it as clearly as I can, and have included a poll to take your feedback on whether you think the idea would be valuable to you. I'd appreciate it if you'd give it a read and take the poll.
I hereby acknowledge that the poll is hosted on my little T1, so you may well experience bandwidth-related fun. At least you only have to click two buttons to take the vote.
Feel free to repost this request to other lists.
Cheers,
Russ - NTBugtraq Editor
Problem with this...
by
chrisgeleven
·
· Score: 3, Interesting
people aren't licensed/educated properly to use the internet. So how will they know that they have to update virus definitions and patch their systems? By e-mail notifications? When I used to work for a local ISP doing tech support, most people only checked their ISP e-mail once a month for their monthly statements, they instead had hotmail accounts for their regular e-mail. We would have to call customers non-stop to remind them to check their ISP e-mail for their bill. Now we would have to call them for their weekly virus breakout?
The key is some type of manditory education before you can advocate fines. My grandmother doesn't know a thing about antivirus protection, she just expects it to work. My grandmother doesn't know a thing about Windows Update, because she assumes the computer is safe.
So what can I do? There is no easy answers, but I guarentee fines are the last resort since none of the other options have been tried at a large scale.
Fine the O/S vendors instead
by
Dark+Coder
·
· Score: 5, Interesting
The operating system vendors should face the music.
If the U.S. Federal government mandates automobile recall because of some faulty protection system, exceeding exepected normal operation or rusted-thru "firewall", then the same should apply toward operating systems; be that may Microsoft, Linux or Unix-based.
Re:What about Microsoft?
by
brkello
·
· Score: 3, Insightful
Give me a break. What about Microsoft? Any computer on a network is vulnerable, even Linux boxes, why don't we fine Red Hat? Who should we go after when there is a crime? Maybe the criminal who wrote the freaking virus. I guarantee you, any OS that is the most used is going to be hacked...often. You don't fine grandma, nor do you fine the OS company, you find the hackers/script kiddies/etc, and you fine and jail them. Ignorant indeed.
-- Support a great indie game: http://www.abaddon360.com
Another impartial proposal (not)
by
Rosco+P.+Coltrane
·
· Score: 5, Informative
Russ at NTBugtraq is proposing fines for those whose computers allow the propagation of viruses, worms, etc., knowingly or unknowingly...
In other news, the Haagen Das corporation is pushing a proposal to hasten global warming...
Another fine impartial article brought to you by Slashdot.
-- "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Re:Danger, Will Robinson! Danger!
by
SuperBanana
·
· Score: 5, Funny
The Pro version will include an insurance plan in case you go on vacation for a week and leave your XP box on and a new exploit surfaces while you're gone.
Vacation? I don't leave my win2k box on when I go to WORK, lest a new exploit surrface before I get home:-)
So this bill would give a financial reward...
by
WolfWithoutAClause
·
· Score: 3, Insightful
...to the government for me getting subverted by a worm/virus?
Wouldn't it be better to give the government an incentive to help solve the problem rather than give them an incentive to get some obscure, amoral, and deeply secret government department to release new and more virulent attacks so as to up their income?
Sure, they probably wouldn't, officially; but why take the risk that some individual in the government would be in a position to benefit from this kind of thing?
These kinds of theoretical problems always sound impossible, but I'm nearly always surprised to find out how often they really do crop up in practice.
--
-WolfWithoutAClause
"Gravity is only a theory, not a fact!"
Impossible to avoid
by
One+Louder
·
· Score: 5, Insightful
Unfortunately, at this point it's nearly impossible for a new user to keep from getting infected.
Let's say Joe Consumer is interested in a computer - he goes down to MicroCompuCenterUSA and buys a spanking new Windows XP-based machine, plugs in the cable modem, turns it on.
*WHAMMO*
He's infected before he even gets a chance to get the latest updates, assuming he even know that's something he's supposed to do.
My sister-in-law when through this exact scenario just recently. She got nailed by Blaster within a few minutes of powering up the machine for the first time. She has no idea what a firewall is, and would certainly wonder why she would need one with a brand-new computer.
This proposal is a little like buying a new car and having the wheels fall off as you drive off the lot, then being fined for causing an accident.
Seems a Bit Elitist
by
druske
·
· Score: 3, Insightful
Okay, the Slashdot crowd is probably quite a bit more tech-savvy than our old pal Bubba, clicking away at every link that arrives in his inbox and updating his software only when he buys a new machine with it.
But I'm not sure penalizing Bubba is the right answer. Maybe Bubba is ignorant; on the other hand, he might have a legitimate mental handicap. How much responsibility should someone with Alzheimer's disease or a learning disability carry? What about someone who's simply too old or too young to grasp security issues? Where should the line be drawn, and how could we charge according to ability? And how much would it cost to administer such a program?
A legally sanctioned DOS attack...
by
Darlok
·
· Score: 3, Interesting
For the love of... I think the last paragraph of this article contains the most telling statement: "...make every effort to assist in bringing about a change in the way the Internet is managed..."
The first point is that the Internet is NOT managed, at least in the sense I believe Russ is advocating it should be. Not to go all scary-conservative here, but this is just like the discussion over banning guns -- if you get rid of all the handguns in people's closets, then only the criminals will have them. If you legislate enforceable fines for doing, effectively, nothing, then you force out the majority of people who are scared of incurring any liability, and put a powerful weapon in the hands of those who would cause trouble.
Example:
Gee, I don't like Bob. Bob gets his connection through UUNet. His Windows IIS has never been patched, so next time he goes on vacation I'm going to write a worm that exploits MS00-078. Now, I'm going to turn him in to the "Identification Authority" and hope that while he's gone, he racks up enormous fines. Meanwhile, UUNet has to block port 80 for, effectively, every customer on its network if my worm has managed to infect even one other vulnerable machine.
Suddenly, script kiddies have the ability to embargo the entire net by taking advantage of bugs that happen to listen on well-known ports. I would point out today's earlier Slashdot article. Should all of our ISPs be blocking SSH traffic now?
You can't legislate against stupidity. Nor can you make perfect software. Nor can you expect to fine neophytes into becoming security experts. Even trying would simply place incredible power in the hands of the software vendors, and then huge segments of the computing world become subject to destruction from one malformed "patch", or even worse, when someone finds a way to exploit the update mechanisms.
This is the worst possible sort of power transference. Because people can not, will not, or in some cases _should_ not independently deal with their own technology issues, you empower central entities with an enormous amount of control over individual users. Novice users will relinquish that control, or be forced to pay some ridiculous sum of money in fines. In the end, chances are you end up with even worse problems than you started with.
-- Notice: Your mouse has been moved. Windows will now restart so this change can take effect.
Grandma: "What is this fine in the mail? What is a firewall? Why am I being fined? Is is the gremlins in my computer again?"
Not to mention underfunded organizations like Libraries and schools that may not be completely up to speed. This is a stupid idea. I put this up on the shelf with that idea to destroy people's computers for "piracy".
I find it amazing that people are so amazed that no one patches their computers. Think of your grandparents. What do they know about firewalls and TCP/IP and man-in-the-middle attacks? My mother has a VAGUE understanding of updating software and that it's important, but she doesn't know why. If you don't know why you are doing something, it's hard to continue doing it; and they are bound to miss something important along the way.
Someone had a good idea on another thread. ISP's should be the firewall for the little guy, and if you are in the know, you just opt-out. I work for SBC tech support. They decided to block port 135 due to all the MSBlast+derivatives activity. I think it's only temporary, but it is a good solution. No one really has any reason to be using port 135 over the net anyway. Locally, yes, internet no. You should be using a VPN if it is that important to you.
-- -- Having a Creationist Museum is like having an Atheist place of worship
Re:Danger, Will Robinson! Danger!
by
kilgore_47
·
· Score: 4, Insightful
Riight, lets punish the ignorant victims for their ignorance... 'Cause fining the richest man in the world, or his company that is the cause of most of the problems, why.. that... that would be crazy!
*shakes head*
This is a horrible idea for oh so many reasons. The first that comes to mind is that government mandates about ISP logging and packet blocking are a bad thing. Once a national infrastructure is in place that allows a government sponsored program to declare certain packets or application signatures "bad", what's to stop them from adding more things than just viruses? It would be trivial, technically, to write a 'virus definition' for p2p traffic. It would be almost as trivial, and only a bit more expensive, to get this done on a political level (a certain senator from disney would probably love to help out). When the DMCA crowd is done adding their firewall rules, maybe the Patriot Act fan club will want to throw in a few too... What it comes down to is that the U.S. government cannot be allowed to regulate the internet in this manner.
Which also brings up another point; being US-only, this system is pretty worthless for stopping attacks. To be effective, the law would need to require extensive "border" filtering at sites with international peers. See point above about why this is really bad. Fortunately, this whole proposition is such preposterous crazytalk that I don't think it actually has much of any chance at happening.
I think a better idea would be to implement new regulations surrounding software warranties. I don't know how exactly it should be done, but I do know that (a) if a company's ReallyExpensiveProduct routinely breaks and causes large financial damages for it's users, the company should be somehow held liable, and they shouldn't be able to get out of it with a clause in an EULA. But at the same time, (b) independent programmers who are giving their software away need to be able to do it without taking on liability, or they won't be able to do it at all, and we won't have Free software. The No Warranty clause of the GPL is a very important one. It would be great if paying for software meant you had more guarantee that it was going to work... it's really a bit bizarre that today the software you can get for free works better than the software that costs money. Perhaps a sliding scale price based warranty would help with that.
-- ___ The way to see by faith is to shut the eye of reason. --Ben Franklin
Slashdot Mirror
I can just see the virus protection software making changes to their notifications to keep track of attacks that could cost people money and list it in a tally window: "You've saved $764 in internet fines this year because you used Morton AntiVirus 2005! Want to upgrade to the Pro version?"
The Pro version will include an insurance plan in case you go on vacation for a week and leave your XP box on and a new exploit surfaces while you're gone.
A programmer is a machine for converting coffee into code.
The problem with this system is that it opens people who already aren't that skilled at running a computer to a new kind of attack. Imagine someone spoofing your IP and broadcasting worm packets, running up your fines.
ISPs probably would have too much volume to deal with to investigate every packet, so it becomes easier to pay the fine than fight the system.
There's got to be a better solution than this.
"Adventure? Excitement? A Jedi craves not these things."
"..whose computers allow the propagation of viruses, worms, etc., knowingly or unknowingly
Rather than fining the people (victims?) of poorly written software and OSes, why not have a class-action suit against the corporations that make the worms & viruses possible in the first place? Most people are up in arms when the RIAA goes after the wallet of individuals who knowingly download their Evil MP3s whereas the bulk of users that get these infections just don't know any better.
Fining lusers won't give them clues, education will.
Trolling is a art,
I'd much prefer bounties.
Stop by my site where I write about ERP systems & more
Great,
Just what I need, my grandma getting hit with fines because she wants email to talk to the grandkids.
What about foriegn computers that propogate this problem?
--fetch daddy's blue fright wig, i must be handsome when i release my rage
What he proposes is way too strict. Right now, I run through a firewall and proxy, keep my system up to date, etc. Is it my fault if someone hacks into my computer and uses it? No. I've done everything possible to make my computer secure, short of spending thousands of dollars on corporate-level firewalls, etc., or disconnecting it from the internet completely. No computer is 100% hackproof.
Second:
Sorry we blocked your critical data, but you can't do anything about it.I can't say that I don't give a fuck. I've just run out of fuck to give.
For the majority of enduser systems out there the user does not own the software on the system. Microsoft owns the software and has all rights to modify and control the software.
Is the enduser responsible or the actual owner of the software?
I just see lawsuits left and right with this one. On one hand, you've got Ma and Pa Kettle who know how to turn on their computer, check their email, and play solitaire. All of a suddent they're notified they owe $2.4 billion because their computer was used to take down sixteen major corporations. Do they get to sue the ISP for not filtering? Or do they get to sue the virus programmer if they're caught? Or hell, do I get to sue them because maybe they infected me and my computer infected the corner store. Sure my fine was only $50, but maybe I'll sue them $250,000 for pain and suffering (hey, this is America, we do that). Scary...
"He uses statistics as a drunken man uses lampposts...for support rather than illumination." - Andrew Lang
The included URL, for reference.
I was recently quoted in a WashingtonPost.com article saying I was in favor of fines against people who emit viruses or worms (not just originate, but infectees who perpetuate attacks.) There wasn't any meat in that article describing my proposal, so it comes off sounding kind of cold. I've had this proposal for quite some time, after being asked by a U.S. Senator staffer once to write something up to identify what's lacking in the U.S. National CyberSecurity Strategy document.
I've tried to explain it as clearly as I can, and have included a poll to take your feedback on whether you think the idea would be valuable to you. I'd appreciate it if you'd give it a read and take the poll.
I hereby acknowledge that the poll is hosted on my little T1, so you may well experience bandwidth-related fun. At least you only have to click two buttons to take the vote.
Feel free to repost this request to other lists.
Cheers,Russ - NTBugtraq Editor
people aren't licensed/educated properly to use the internet. So how will they know that they have to update virus definitions and patch their systems? By e-mail notifications? When I used to work for a local ISP doing tech support, most people only checked their ISP e-mail once a month for their monthly statements, they instead had hotmail accounts for their regular e-mail. We would have to call customers non-stop to remind them to check their ISP e-mail for their bill. Now we would have to call them for their weekly virus breakout?
The key is some type of manditory education before you can advocate fines. My grandmother doesn't know a thing about antivirus protection, she just expects it to work. My grandmother doesn't know a thing about Windows Update, because she assumes the computer is safe.
So what can I do? There is no easy answers, but I guarentee fines are the last resort since none of the other options have been tried at a large scale.
The operating system vendors should face the music.
If the U.S. Federal government mandates automobile recall because of some faulty protection system, exceeding exepected normal operation or rusted-thru "firewall", then the same should apply toward operating systems; be that may Microsoft, Linux or Unix-based.
Give me a break. What about Microsoft? Any computer on a network is vulnerable, even Linux boxes, why don't we fine Red Hat? Who should we go after when there is a crime? Maybe the criminal who wrote the freaking virus. I guarantee you, any OS that is the most used is going to be hacked...often. You don't fine grandma, nor do you fine the OS company, you find the hackers/script kiddies/etc, and you fine and jail them. Ignorant indeed.
Support a great indie game: http://www.abaddon360.com
Russ at NTBugtraq is proposing fines for those whose computers allow the propagation of viruses, worms, etc., knowingly or unknowingly...
...
- Russ Cooper is editor at NTBugTraq
- NTBugTraq is a division of TruSecure Corporation
- Russ Cooper is chief scientist at TruSecure Corporation
- TruSecure Corporation sells security solutions and services.
In other news, the Haagen Das corporation is pushing a proposal to hasten global warming
Another fine impartial article brought to you by Slashdot.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Vacation? I don't leave my win2k box on when I go to WORK, lest a new exploit surrface before I get home :-)
Please help metamoderate.
Wouldn't it be better to give the government an incentive to help solve the problem rather than give them an incentive to get some obscure, amoral, and deeply secret government department to release new and more virulent attacks so as to up their income?
Sure, they probably wouldn't, officially; but why take the risk that some individual in the government would be in a position to benefit from this kind of thing?
These kinds of theoretical problems always sound impossible, but I'm nearly always surprised to find out how often they really do crop up in practice.
-WolfWithoutAClause
"Gravity is only a theory, not a fact!"Let's say Joe Consumer is interested in a computer - he goes down to MicroCompuCenterUSA and buys a spanking new Windows XP-based machine, plugs in the cable modem, turns it on.
*WHAMMO*
He's infected before he even gets a chance to get the latest updates, assuming he even know that's something he's supposed to do.
My sister-in-law when through this exact scenario just recently. She got nailed by Blaster within a few minutes of powering up the machine for the first time. She has no idea what a firewall is, and would certainly wonder why she would need one with a brand-new computer.
This proposal is a little like buying a new car and having the wheels fall off as you drive off the lot, then being fined for causing an accident.
Okay, the Slashdot crowd is probably quite a bit more tech-savvy than our old pal Bubba, clicking away at every link that arrives in his inbox and updating his software only when he buys a new machine with it.
But I'm not sure penalizing Bubba is the right answer. Maybe Bubba is ignorant; on the other hand, he might have a legitimate mental handicap. How much responsibility should someone with Alzheimer's disease or a learning disability carry? What about someone who's simply too old or too young to grasp security issues? Where should the line be drawn, and how could we charge according to ability? And how much would it cost to administer such a program?
For the love of... I think the last paragraph of this article contains the most telling statement: "...make every effort to assist in bringing about a change in the way the Internet is managed..."
The first point is that the Internet is NOT managed, at least in the sense I believe Russ is advocating it should be. Not to go all scary-conservative here, but this is just like the discussion over banning guns -- if you get rid of all the handguns in people's closets, then only the criminals will have them. If you legislate enforceable fines for doing, effectively, nothing, then you force out the majority of people who are scared of incurring any liability, and put a powerful weapon in the hands of those who would cause trouble.
Example:
Gee, I don't like Bob. Bob gets his connection through UUNet. His Windows IIS has never been patched, so next time he goes on vacation I'm going to write a worm that exploits MS00-078. Now, I'm going to turn him in to the "Identification Authority" and hope that while he's gone, he racks up enormous fines. Meanwhile, UUNet has to block port 80 for, effectively, every customer on its network if my worm has managed to infect even one other vulnerable machine.
Suddenly, script kiddies have the ability to embargo the entire net by taking advantage of bugs that happen to listen on well-known ports. I would point out today's earlier Slashdot article. Should all of our ISPs be blocking SSH traffic now?
You can't legislate against stupidity. Nor can you make perfect software. Nor can you expect to fine neophytes into becoming security experts. Even trying would simply place incredible power in the hands of the software vendors, and then huge segments of the computing world become subject to destruction from one malformed "patch", or even worse, when someone finds a way to exploit the update mechanisms.
This is the worst possible sort of power transference. Because people can not, will not, or in some cases _should_ not independently deal with their own technology issues, you empower central entities with an enormous amount of control over individual users. Novice users will relinquish that control, or be forced to pay some ridiculous sum of money in fines. In the end, chances are you end up with even worse problems than you started with.
Notice: Your mouse has been moved. Windows will now restart so this change can take effect.
Grandma: "What is this fine in the mail? What is a firewall? Why am I being fined? Is is the gremlins in my computer again?"
Not to mention underfunded organizations like Libraries and schools that may not be completely up to speed. This is a stupid idea. I put this up on the shelf with that idea to destroy people's computers for "piracy".
I find it amazing that people are so amazed that no one patches their computers. Think of your grandparents. What do they know about firewalls and TCP/IP and man-in-the-middle attacks? My mother has a VAGUE understanding of updating software and that it's important, but she doesn't know why. If you don't know why you are doing something, it's hard to continue doing it; and they are bound to miss something important along the way.
Someone had a good idea on another thread. ISP's should be the firewall for the little guy, and if you are in the know, you just opt-out. I work for SBC tech support. They decided to block port 135 due to all the MSBlast+derivatives activity. I think it's only temporary, but it is a good solution. No one really has any reason to be using port 135 over the net anyway. Locally, yes, internet no. You should be using a VPN if it is that important to you.
-- Having a Creationist Museum is like having an Atheist place of worship
Riight, lets punish the ignorant victims for their ignorance... 'Cause fining the richest man in the world, or his company that is the cause of most of the problems, why.. that... that would be crazy!
*shakes head*
This is a horrible idea for oh so many reasons. The first that comes to mind is that government mandates about ISP logging and packet blocking are a bad thing. Once a national infrastructure is in place that allows a government sponsored program to declare certain packets or application signatures "bad", what's to stop them from adding more things than just viruses? It would be trivial, technically, to write a 'virus definition' for p2p traffic. It would be almost as trivial, and only a bit more expensive, to get this done on a political level (a certain senator from disney would probably love to help out). When the DMCA crowd is done adding their firewall rules, maybe the Patriot Act fan club will want to throw in a few too... What it comes down to is that the U.S. government cannot be allowed to regulate the internet in this manner.
Which also brings up another point; being US-only, this system is pretty worthless for stopping attacks. To be effective, the law would need to require extensive "border" filtering at sites with international peers. See point above about why this is really bad. Fortunately, this whole proposition is such preposterous crazytalk that I don't think it actually has much of any chance at happening.
I think a better idea would be to implement new regulations surrounding software warranties. I don't know how exactly it should be done, but I do know that (a) if a company's ReallyExpensiveProduct routinely breaks and causes large financial damages for it's users, the company should be somehow held liable, and they shouldn't be able to get out of it with a clause in an EULA. But at the same time, (b) independent programmers who are giving their software away need to be able to do it without taking on liability, or they won't be able to do it at all, and we won't have Free software. The No Warranty clause of the GPL is a very important one. It would be great if paying for software meant you had more guarantee that it was going to work... it's really a bit bizarre that today the software you can get for free works better than the software that costs money. Perhaps a sliding scale price based warranty would help with that.
___
The way to see by faith is to shut the eye of reason. --Ben Franklin