Slashdot Mirror


Russ Cooper's Internet Penalties Plan

sagman writes "Russ at NTBugtraq is proposing fines for those whose computers allow the propagation of viruses, worms, etc., knowingly or unknowingly... Russ is taking a poll on his site. Russ states in an email that he wrote this up at the request of a US Senator staffer..."

23 of 435 comments

  1. Danger, Will Robinson! Danger! by inertia187 · · Score: 5, Funny

    I can just see the virus protection software making changes to their notifications to keep track of attacks that could cost people money and list it in a tally window: "You've saved $764 in internet fines this year because you used Morton AntiVirus 2005! Want to upgrade to the Pro version?"

    The Pro version will include an insurance plan in case you go on vacation for a week and leave your XP box on and a new exploit surfaces while you're gone.

    --
    A programmer is a machine for converting coffee into code.
  2. Denial of Money attack? by soren42 · · Score: 5, Insightful

    The problem with this system is that it opens people who already aren't that skilled at running a computer to a new kind of attack. Imagine someone spoofing your IP and broadcasting worm packets, running up your fines.

    ISPs probably would have too much volume to deal with to investigate every packet, so it becomes easier to pay the fine than fight the system.

    There's got to be a better solution than this.

    --

    "Adventure? Excitement? A Jedi craves not these things."
    1. Re:Denial of Money attack? by eln · · Score: 5, Insightful

      Yes, this would effectively push >90% of today's Internet users off the network. While some people might think this is a good thing, I doubt the many thousands of people that would lose their jobs in an already down economy would agree.

      The only way to do something like this is to make virus scanning software compulsory, which opens up an entirely new can of worms relating to privacy rights, freedoms related to what one can do with one's own property, and implementation of such a thing without a.) forcing every American to spend money on virus scanning software or b.) jacking up everyone's tax rates. This doesn't even take into account what sort of staggering class action lawsuit would result if a destructive virus was not picked up by the now-required scanning software.

      All in all, this is a kneejerk reaction of the worst kind.

    2. Re:Denial of Money attack? by isomeme · · Score: 4, Interesting

      There was a science fiction story many years ago (circa 1980, IIRC) in Analog (again IIRC) which predicted widespread networked home computers, and the threat of hostile programs spreading among them. In the story, the US government mandated installation of (what we would call) antivirus software, developed and provided by the government. An attorney successfully gets the program thrown out on Constitutional grounds, showing that it violates the Third Amendment, since a program guarding against national security threats is effectively a "soldier".

      --
      When all you have is a hammer, everything looks like a skull.
    3. Re:Denial of Money attack? by tomhudson · · Score: 4, Insightful
      Sorry, but my bullshit-o-meter went off the scale here. The article is a troll (so is the original proposal). One of the indicators is
      "Russ states in an email that he wrote this up at the request of a US Senator staffer..."
      That can mean pretty much anything, and is pretty lame, as is the proposal itself (yes, I did RTFA).

      The other indicator is the article itself. It completely misses 2 things that have to happen: educated users, and better operating systems.

      Another quote:

      According to a recent TruSecure Corporation survey, 34% of networks of 100 computers or more were affected, and the average cost per computer was US$477.00.
      Do you really believe these numbers on the average cost? So why isn't it ever mentioned in SEC filings? Why aren't they investing in training end-users to use more secure systems? Why aren't they getting rid of Outlook Express?

      Ok, rant off.

    4. Re:Denial of Money attack? by ryanvm · · Score: 4, Insightful

      The only way to do something like this is to make virus scanning software compulsory, which opens up an entirely new can of worms

      Virus scanning software is complete bullshit. Explain to me how I have NEVER been afflicted with a computer virus, yet I also do not run antivirus software. (And yes, I'm running Windows :)

      Smart users don't need antivirus software. Keep your machine patched and don't open executable attachments. Problem solved. Furthermore, the most dangerous viruses spread faster than the virus definitions anyway.

    5. Re:Denial of Money attack? by tomhudson · · Score: 4, Funny
      Couldn't have said it better myself! And of course, after the article quotes some pulled-out-of-the-ass statistics from a "TruSecure Corporation Survey", look how the whole thing is signed:
      Russ Cooper - Surgeon General of TruSecure Corporation/NTBugtraq Editor
      right above this:
      An error occurred on the server when processing the URL. Please contact the system administrator.
      Has he been practicing do-it-(to)-yourself lobotomies again?
  3. No way in hell this would fly. by grub · · Score: 5, Insightful


    "..whose computers allow the propagation of viruses, worms, etc., knowingly or unknowingly .."

    Rather than fining the people (victims?) of poorly written software and OSes, why not have a class-action suit against the corporations that make the worms & viruses possible in the first place? Most people are up in arms when the RIAA goes after the wallet of individuals who knowingly download their Evil MP3s whereas the bulk of users that get these infections just don't know any better.

    Fining lusers won't give them clues, education will.

    --
    Trolling is a art,
    1. Re:No way in hell this would fly. by McAddress · · Score: 5, Insightful

      Forget a lawsuit. Fine the maker of the software for each copy of an OS or other piece of software that propagates a bug. After all, the OS belongs to MS. I only have a license.

    2. Re:No way in hell this would fly. by eln · · Score: 5, Insightful

      Sounds great for Microsoft, but in a market where successfully introducing a new competing OS is already near impossible, such a policy would push any fledgling OS company instantly into bankruptcy the minute a minor security flaw is detected in their software. Microsoft is probably the only software company in the US right now that could begin to absorb the costs of such a policy, leaving it the only company standing.

      You think Microsoft owning 90% of the market is bad, wait until they own 100%.

  4. Fines won't cut it... by TopShelf · · Score: 4, Funny

    I'd much prefer bounties.

    --
    Stop by my site where I write about ERP systems & more
  5. Great by Anonymous Coward · · Score: 4, Insightful

    Great,

    Just what I need, my grandma getting hit with fines because she wants email to talk to the grandkids.

  6. Soo by Jacer · · Score: 4, Insightful

    What about foreign computers that propagate this problem?

    --
    --fetch daddy's blue fright wig, i must be handsome when i release my rage
  7. Too strict by Tyrdium · · Score: 5, Insightful

    What he proposes is way too strict. Right now, I run through a firewall and proxy, keep my system up to date, etc. Is it my fault if someone hacks into my computer and uses it? No. I've done everything possible to make my computer secure, short of spending thousands of dollars on corporate-level firewalls, etc., or disconnecting it from the internet completely. No computer is 100% hackproof.

    1. Re:Too strict by zurab · · Score: 4, Insightful
      Is it my fault if someone hacks into my computer and uses it?


      Apparently, judging from the editorial. It's like someone rear-ending you and you are responsible because you didn't move out of the way soon enough. Also read the following quote:

      The fines would be used by ISPs to support the significant efforts required to continually block identified attack traffic.

      What a nice way to encourage ISPs to scan their own [users'] network for vulnerabilities and inject them with viruses to increase their revenues.
  8. A couple of problems by aridhol · · Score: 5, Interesting
    First, I think this will lead to ISPs only allowing "approved" OSs on their networks, in order to prevent themselves from getting fined. Unfortunately, the approved list will probably contain the worst offenders.

    Second:

    ISPs must receive freedom from liability for dropping the identified traffic. False detections are the fault of the "Independent Authority", who should also be free from liability.
    Sorry we blocked your critical data, but you can't do anything about it.
    --
    I can't say that I don't give a fuck. I've just run out of fuck to give.
  9. But users don't own the OS by RichMan · · Score: 4, Insightful

    For the majority of enduser systems out there the user does not own the software on the system. Microsoft owns the software and has all rights to modify and control the software.

    Is the enduser responsible or the actual owner of the software?

  10. Fine the O/S vendors instead by Dark+Coder · · Score: 5, Interesting

    The operating system vendors should face the music.

    If the U.S. Federal government mandates automobile recall because of some faulty protection system, exceeding expected normal operation or rusted-thru "firewall", then the same should apply toward operating systems; be it Microsoft, Linux or Unix-based.

  11. Another impartial proposal (not) by Rosco+P.+Coltrane · · Score: 5, Informative

    Russ at NTBugtraq is proposing fines for those whose computers allow the propagation of viruses, worms, etc., knowingly or unknowingly...

    - Russ Cooper is editor at NTBugTraq
    - NTBugTraq is a division of TruSecure Corporation
    - Russ Cooper is chief scientist at TruSecure Corporation
    - TruSecure Corporation sells security solutions and services.

    In other news, the Häagen-Dazs corporation is pushing a proposal to hasten global warming ...

    Another fine impartial article brought to you by Slashdot.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  12. Re:Danger, Will Robinson! Danger! by SuperBanana · · Score: 5, Funny
    The Pro version will include an insurance plan in case you go on vacation for a week and leave your XP box on and a new exploit surfaces while you're gone.

    Vacation? I don't leave my win2k box on when I go to WORK, lest a new exploit surface before I get home :-)

  13. Impossible to avoid by One+Louder · · Score: 5, Insightful
    Unfortunately, at this point it's nearly impossible for a new user to keep from getting infected.

    Let's say Joe Consumer is interested in a computer - he goes down to MicroCompuCenterUSA and buys a spanking new Windows XP-based machine, plugs in the cable modem, turns it on.

    *WHAMMO*

    He's infected before he even gets a chance to get the latest updates, assuming he even knows that's something he's supposed to do.

    My sister-in-law went through this exact scenario just recently. She got nailed by Blaster within a few minutes of powering up the machine for the first time. She has no idea what a firewall is, and would certainly wonder why she would need one with a brand-new computer.

    This proposal is a little like buying a new car and having the wheels fall off as you drive off the lot, then being fined for causing an accident.

  14. BAD idea by acidrain69 · · Score: 4, Insightful

    Grandma: "What is this fine in the mail? What is a firewall? Why am I being fined? Is it the gremlins in my computer again?"

    Not to mention underfunded organizations like Libraries and schools that may not be completely up to speed. This is a stupid idea. I put this up on the shelf with that idea to destroy people's computers for "piracy".

    I find it amazing that people are so amazed that no one patches their computers. Think of your grandparents. What do they know about firewalls and TCP/IP and man-in-the-middle attacks? My mother has a VAGUE understanding of updating software and that it's important, but she doesn't know why. If you don't know why you are doing something, it's hard to continue doing it; and they are bound to miss something important along the way.

    Someone had a good idea on another thread. ISPs should be the firewall for the little guy, and if you are in the know, you just opt-out. I work for SBC tech support. They decided to block port 135 due to all the MSBlast+derivatives activity. I think it's only temporary, but it is a good solution. No one really has any reason to be using port 135 over the net anyway. Locally, yes, internet no. You should be using a VPN if it is that important to you.

    --
    -- Having a Creationist Museum is like having an Atheist place of worship
  15. Re:Danger, Will Robinson! Danger! by kilgore_47 · · Score: 4, Insightful

    Riight, let's punish the ignorant victims for their ignorance... 'Cause fining the richest man in the world, or his company that is the cause of most of the problems, why.. that... that would be crazy!

    *shakes head*

    This is a horrible idea for oh so many reasons. The first that comes to mind is that government mandates about ISP logging and packet blocking are a bad thing. Once a national infrastructure is in place that allows a government sponsored program to declare certain packets or application signatures "bad", what's to stop them from adding more things than just viruses? It would be trivial, technically, to write a 'virus definition' for p2p traffic. It would be almost as trivial, and only a bit more expensive, to get this done on a political level (a certain senator from disney would probably love to help out). When the DMCA crowd is done adding their firewall rules, maybe the Patriot Act fan club will want to throw in a few too... What it comes down to is that the U.S. government cannot be allowed to regulate the internet in this manner.

    Which also brings up another point; being US-only, this system is pretty worthless for stopping attacks. To be effective, the law would need to require extensive "border" filtering at sites with international peers. See point above about why this is really bad. Fortunately, this whole proposition is such preposterous crazytalk that I don't think it actually has much of any chance at happening.

    I think a better idea would be to implement new regulations surrounding software warranties. I don't know how exactly it should be done, but I do know that (a) if a company's ReallyExpensiveProduct routinely breaks and causes large financial damages for its users, the company should be somehow held liable, and they shouldn't be able to get out of it with a clause in an EULA. But at the same time, (b) independent programmers who are giving their software away need to be able to do it without taking on liability, or they won't be able to do it at all, and we won't have Free software. The No Warranty clause of the GPL is a very important one. It would be great if paying for software meant you had more guarantee that it was going to work... it's really a bit bizarre that today the software you can get for free works better than the software that costs money. Perhaps a sliding scale price based warranty would help with that.

    --
    ___
    The way to see by faith is to shut the eye of reason. --Ben Franklin