1427195
story
sagman writes
"Russ at NTBugtraq is proposing fines for those whose computers allow the propagation of viruses, worms, etc., knowingly or unknowingly... Russ is taking a poll on his site. Russ states in an email that he wrote this up at the request of a US Senator staffer..."
Danger, Will Robinson! Danger! (Score:5, Funny)
The Pro version will include an insurance plan in case you go on vacation for a week and leave your XP box on and a new exploit surfaces while you're gone.
Re:Danger, Will Robinson! Danger! (Score:2)
Re:Danger, Will Robinson! Danger! (Score:5, Insightful)
*shakes head*
This is a horrible idea for oh so many reasons. The first that comes to mind is that government mandates about ISP logging and packet blocking are a bad thing. Once a national infrastructure is in place that allows a government sponsored program to declare certain packets or application signatures "bad", what's to stop them from adding more things than just viruses? It would be trivial, technically, to write a 'virus definition' for p2p traffic. It would be almost as trivial, and only a bit more expensive, to get this done on a political level (a certain senator from disney [senate.gov] would probably love to help out). When the DMCA crowd is done adding their firewall rules, maybe the Patriot Act fan club will want to throw in a few too... What it comes down to is that the U.S. government cannot be allowed to regulate the internet in this manner.
Which also brings up another point; being US-only, this system is pretty worthless for stopping attacks. To be effective, the law would need to require extensive "border" filtering at sites with international peers. See point above about why this is really bad. Fortunately, this whole proposition is such preposterous crazytalk that I don't think it actually has much of any chance at happening.
I think a better idea would be to implement new regulations surrounding software warranties. I don't know how exactly it should be done, but I do know that (a) if a company's ReallyExpensiveProduct routinely breaks and causes large financial damages for it's users, the company should be somehow held liable, and they shouldn't be able to get out of it with a clause in an EULA. But at the same time, (b) independent programmers who are giving their software away need to be able to do it without taking on liability, or they won't be able to do it at all, and we won't have Free software. The No Warranty clause of the GPL is a very important one. It would be great if paying for software meant you had more guarantee that it was going to work... it's really a bit bizarre that today the software you can get for free works better than the software that costs money. Perhaps a sliding scale price based warranty would help with that.
Re:Danger, Will Robinson! Danger! (Score:5, Funny)
Vacation? I don't leave my win2k box on when I go to WORK, lest a new exploit surrface before I get home :-)
Denial of Money attack? (Score:5, Insightful)
ISPs probably would have too much volume to deal with to investigate every packet, so it becomes easier to pay the fine than fight the system.
There's got to be a better solution than this.
Re:Denial of Money attack? (Score:5, Insightful)
The only way to do something like this is to make virus scanning software compulsory, which opens up an entirely new can of worms relating to privacy rights, freedoms related to what one can do with one's own property, and implementation of such a thing without a.) forcing every American to spend money on virus scanning software or b.) jacking up everyone's tax rates. This doesn't even take into account what sort of staggering class action lawsuit would result if a destructive virus was not picked up by the now-required scanning software.
All in all, this is a kneejerk reaction of the worst kind.
Re:Denial of Money attack? (Score:5, Interesting)
Re:Denial of Money attack? (Score:4, Interesting)
Re:Denial of Money attack? (Score:5, Insightful)
Virus scanning software is complete bullshit. Explain to me how I have NEVER been aflicted with a computer virus, yet I also do not run antivirus software. (And yes, I'm running Windows
Smart users don't need antivirus software. Keep your machine patched and don't open executable attachments. Problem solved. Furthermore, the most dangerous viruses spread faster than the virus definitions anyway.
Re:Denial of Money attack? (Score:3, Interesting)
You're right that it would be difficult for the government to require that individuals install anti-virus software and the like. However,
Re:Denial of Money attack? (Score:5, Insightful)
The other indicator is the article itself. It completely misses 2 things that have to happen: educated users, and better operating systems.
Another quote:
Do you really believe these numbers on the average cost? So why isn't it ever mentioned in SEC filings? Why aren't they investing in training end-users to use more secure systems. Why aren't they getting rid of Outlook Express?Ok, rant off.
Re:Denial of Sense attack? (Score:3, Insightful)
My bullshit-o-meter goes off the scale whenever anyone sets up a "poll" like this. The results of such a poll wouldn't mean anything, even if the question was sensible. But he doesn't even ask a real question; he wants to know whether people agree or disagree with the "information". If he doesn't know whether or not the information he presents is correct, he should find out. If he knows it's correct, why does he care what other people think about
Re:Denial of Money attack? (Score:5, Funny)
Re:Denial of Money attack? (Score:3, Funny)
Re:Denial of Money attack? (Score:2)
The problem with this system is that it opens people who already aren't that skilled at running a computer to a new kind of attack. Imagine someone spoofing your IP and broadcasting worm packets, running up your fines.
Since part of the plan is for ISPs to monitor outbound traffic, that would only become a real issue of someone on your same subnet, that was served by the same gateway router, spoofed your address. Otherwise it would be real easy to say, "check the outbound logs on the router at xxx.xxx.x
Re:Denial of Money attack? (Score:2, Interesting)
In fact, a good percentage of attacks in general against my systems have been from "local" machines.
Besides, what better way to get back at that neighbor that pissed you off - run up their fines!
Re:Denial of Money attack? (Score:3, Insightful)
Spoken like a man who hasn't seen th
No way in hell this would fly. (Score:5, Insightful)
"..whose computers allow the propagation of viruses, worms, etc., knowingly or unknowingly
Rather than fining the people (victims?) of poorly written software and OSes, why not have a class-action suit against the corporations that make the worms & viruses possible in the first place? Most people are up in arms when the RIAA goes after the wallet of individuals who knowingly download their Evil MP3s whereas the bulk of users that get these infections just don't know any better.
Fining lusers won't give them clues, education will.
Re:No way in hell this would fly. (Score:5, Insightful)
Re:No way in hell this would fly. (Score:5, Insightful)
You think Microsoft owning 90% of the market is bad, wait until they own 100%.
Re:No way in hell this would fly. (Score:4, Insightful)
I'm no Microsoft fan, but neither am I of the belief that all Open Source software (or Mac software, or *nix software) is perfect. Pull off your blinders, and realize that the solution rests not just in the hands of some major corporation, but also in the hands of anyone who chooses to place their computer on the 'net.
The blame lies in both courts.
Re:No way in hell this would fly. (Score:3, Insightful)
A wonderful idea.
You understand, of course, that such corporations as RedHat, SuSE, etc. will be among those sued..?
And there is really no reason to limit this to corporations only. A buffer overflow in some Linux code? Look into the source for the copyright notice and sue the hell out of the poor schmuck who
Re:No way in hell this would fly. (Score:2)
Fines won't cut it... (Score:5, Funny)
Enforcement (Score:2, Insightful)
Same for spam, parasiteware, etc.
oh, btw.. Almost First Post!
Great (Score:4, Insightful)
Just what I need, my grandma getting hit with fines because she wants email to talk to the grandkids.
Draconian measures (Score:2, Interesting)
I maintain several win and linux computers and I certainly don't have the time to lurk security mailing lists to stay ahead of every friggin' exploit.
Re:Draconian measures (Score:2)
No. But crippling your local broadband segment because of a virus for which a patch exists does count as a good enough reason.
I certainly don't have the time to lurk security mailing lists to stay ahead of every friggin' exploit.
Then, put simply, you do not do your job (assuming security on those boxes does fall under your responsibility). Doing a quick check on the major exploits discovered on any given day takes about 5 min
Soo (Score:5, Insightful)
TCO (Score:2)
Of course the Microsoft lobby will make sure that it never happens, and if it did then a group of virus writers would convene in a well hidden room in Redmond . . .
Soo... (Score:2, Funny)
muuwaahahahahahahaha!!!
Re:Soo... (Score:2, Funny)
Man with the eye patch clears his throat and whispers:
"Dr Evil, one hundred billion dollars isn't much money for Microsoft these days, Bill Gate ALONE makes
Too strict (Score:5, Insightful)
Re:Too strict (Score:5, Insightful)
Apparently, judging from the editorial. It's like someone rear-ending you and you are responsible because you didn't move out of the way soon enough. Also read the following quote:
The fines would be used by ISPs to support the significant efforts required to continually block identified attack traffic.
What a nice way to encourage ISPs to scan their own [users'] network for vulnerabilities and inject them with viruses to increase their revenues.
What about Microsoft? (Score:2, Insightful)
Re:What about Microsoft? (Score:4, Insightful)
Gimme a break, what about the assholes... (Score:2)
Where would the money go? (Score:3, Insightful)
Jason
ProrQuotes [profquotes.com]
Ha Ha (Score:2)
Glad not the live in the US. How the fcuk do they expect to police and enforce that in Asia and the rest of the world.
I am all in favor of fining software makers, that may get them to at least beta test there work before its shipped.
Fcuk? (Score:2)
While I find this perfume [fcuk.com] intriguing, I didn't realize it was already so popular as to be invoked as a profanity. Is it some kind of god where you live?
A couple of problems (Score:5, Interesting)
Second:
Sorry we blocked your critical data, but you can't do anything about it.Whoa, now, wait a minute.... (Score:2, Insightful)
Are we really willing to consider allowing our computers' software, configurations, etc. to be dictated to us by the government? After all, isn't one of the selling points of "free" software having a choice in which OS/programs we use?
I don't want to be told by anybody that I must/must not download any updates to any softwar
Re:Whoa, now, wait a minute.... (Score:2)
"Turing. You are under arrest."
William Gibson, Neuromancer
Consumer of the product to be responsible for... (Score:2)
But users don't own the OS (Score:5, Insightful)
Is the enduser responsible or the actual owner of the software?
Dumb idea (Score:2)
Re:Dumb idea (Score:2)
And these dumb users would have an easier time patching Linux? Come on. Any computer on a network is vulnerable, even ones that are patched and maintained. The problem is not in the OS (though every effort should be put in to security both before and after a product is released), but with the people who are breaking the law: the virus writers and the people who initially unleash them. They
first virus fines, what next.. (Score:2, Funny)
Lawsuits abound (Score:4, Interesting)
Apologies from the Cooper Family (Score:2)
I personally blame my parents, they smoked pot in college, and being older than me, he managed to inhale. Luckily I was raised in a less dirty-hippy fashion.
But, again, my apologies.
Russ posted this to NTBugTraq: (Score:4, Informative)
The included URL [ntbugtraq.com], for reference.
I was recently quoted in a WashingtonPost.com article saying I was in favor of fines against people who emit viruses or worms (not just originate, but infectees who perpetuate attacks.) There wasn't any meat in that article describing my proposal, so it comes off sounding kind of cold. I've had this proposal for quite some time, after being asked by a U.S. Senator staffer once to write something up to identify what's lacking in the U.S. National CyberSecurity Strategy document.
I've tried to explain it as clearly as I can, and have included a poll to take your feedback on whether you think the idea would be valuable to you. I'd appreciate it if you'd give it a read and take the poll.
I hereby acknowledge that the poll is hosted on my little T1, so you may well experience bandwidth-related fun. At least you only have to click two buttons to take the vote.
Feel free to repost this request to other lists.
Cheers,Russ - NTBugtraq Editor
Why don't we just remove them for a period of time (Score:3, Insightful)
Re:Why don't we just remove them for a period of t (Score:2)
Just like a politician (Score:2)
Problem with this... (Score:4, Interesting)
The key is some type of manditory education before you can advocate fines. My grandmother doesn't know a thing about antivirus protection, she just expects it to work. My grandmother doesn't know a thing about Windows Update, because she assumes the computer is safe.
So what can I do? There is no easy answers, but I guarentee fines are the last resort since none of the other options have been tried at a large scale.
Fine the O/S vendors instead (Score:5, Interesting)
If the U.S. Federal government mandates automobile recall because of some faulty protection system, exceeding exepected normal operation or rusted-thru "firewall", then the same should apply toward operating systems; be that may Microsoft, Linux or Unix-based.
Hierarchal Denial of Service (Score:2)
So I can see how when a bill comes in from Nigeria to some random department's web server at a university in Myanmar that the threat of fine will have a profound impact, NOT!
The penalty that is understood is loss of network service.
Successively, pestilant host owners should be notified and given a decent interval to fix their problem.
If not, then the ISP is notified and given a decent interval to get the owner to clean up his act or to disconnect service.
Likewise, up the chain, to the largest ISPs, who
We're on our way... (Score:2)
Take computers used, software used, servers used, general topo of network, speed of pipes (together) and competancy of admin. The conglomeration is the "Computer and Network Insurance (CANI)".
I wonder how much would be charged for a competant unix admin, on heavilly firewalled subnet of mac and windows (seperated, of course) boxen, with Linux servers, and a T-3. --- Probably not as much as Winders with MCSE.
Question (Score:2)
Re:Question (Score:2)
What the hell is happening to America?
Back in the good old days you'd just beat the living shit out of him.
If the RIAA can do it. (Score:2)
Re:If the RIAA can do it. (Score:2)
A plan with no drawbacks, I feel.
Another impartial proposal (not) (Score:5, Informative)
- Russ Cooper is editor at NTBugTraq
- NTBugTraq is a division of TruSecure Corporation [trusecure.com]
- Russ Cooper is chief scientist at TruSecure Corporation [trusecure.com]
- TruSecure Corporation [trusecure.com] sells security solutions and services [trusecure.com].
In other news, the Haagen Das corporation is pushing a proposal to hasten global warming
Another fine impartial article brought to you by Slashdot.
Re:Another impartial proposal (not) (Score:2)
This seems like just a ploy to get some publicity for TruSecure. I don't think any rational person would expect this to fly.
Re:Another impartial proposal (not) (Score:2)
Reverse Psychology (Score:2)
fine the commerical software company (Score:2, Interesting)
Why should joe user, have to pay for the latest RPC hole?
I have to say although the article lost me from about the first line I loved this :
We aren't trying to penalize everyone for not being up-to-date or security savvy, but the level of attacks which continue to occur daily after any en-masse attack is enormous.
Uhhh yes you are...
Correct me if I'm wrong, but arn't fines a 'penality'? Sorry, but flat
License the user (Score:2)
Both ideas have some dumb, expensive slow-moving govt body out there... WRONG.
Your money or your life, it still doesn't matter (Score:2)
I skimmed the article earlier today and I didn't see it address the education aspect of the problem. If the corporate and education networks are vulnerable, how can you expect joe schmoe to know what to do in a timely fashion? Windows XP and Red Hat have auto update options, but there is a certain level of trust (or ignorance) you need to
He has no clue... (Score:2)
Unless he can provide an answer to someone that will make them 100% compliante and immune then his idea is as idiotic as the others.
Fines for proven abusers? Yeah, I'll take that.
fine the little guy being abused? nope.
Fine isp's , corperations, and known asshats.
My Letter to Russ (Score:2)
If you are willing to personally verify that each person with a computer is aware of the threat, your plan sounds fine. By 'verify' I mean contact through some means other than via computer and receive a response from said user. Essentially, one would have to telephone each computer user in order to do this.
Without such explicit notice, users would not necessarily know that their computer could be commiting a 'crime'. In fact, as the populace becomes more computer literate and th
Add THAT to your TCO figures and smoke it! (Score:2)
This would open up a whole new realm for "Microsoft Haters" but perhaps it would result in Microsoft's patches having a much faster response time as well. But imagine being fined even $5 for your software being unpatched or something...
There are thousands of other problems that could result. Microsoft would cheer this thing even though it'd gi
Fining virus spreaders (Score:2)
I've also pondered whether this would be a valid approach or not. Virus stories in the media tend to portray the people who are actually spreading the viruses as innocent victims, with only the original author being the "bad guy". But the "bad guy" wouldn't have been able to do any damage unless people opened virus attachments, ran unpatched systems, and other no-no's.
Also, this type of approach is not unprecedented... if I fail to maintain my car and it spews pollution into the air, the fines are poten
This sounds like a scene from demolition man... (Score:2)
I say do it (Score:2)
Stupid idea (Score:2)
Bad Idea (Score:2)
Conti
So this bill would give a financial reward... (Score:4, Insightful)
Wouldn't it be better to give the government an incentive to help solve the problem rather than give them an incentive to get some obscure, amoral, and deeply secret government department to release new and more virulent attacks so as to up their income?
Sure, they probably wouldn't, officially; but why take the risk that some individual in the government would be in a position to benefit from this kind of thing?
These kinds of theoretical problems always sound impossible, but I'm nearly always surprised to find out how often they really do crop up in practice.
Impossible to avoid (Score:5, Insightful)
Let's say Joe Consumer is interested in a computer - he goes down to MicroCompuCenterUSA and buys a spanking new Windows XP-based machine, plugs in the cable modem, turns it on.
*WHAMMO*
He's infected before he even gets a chance to get the latest updates, assuming he even know that's something he's supposed to do.
My sister-in-law when through this exact scenario just recently. She got nailed by Blaster within a few minutes of powering up the machine for the first time. She has no idea what a firewall is, and would certainly wonder why she would need one with a brand-new computer.
This proposal is a little like buying a new car and having the wheels fall off as you drive off the lot, then being fined for causing an accident.
What tha ... (Score:2)
Not comfortable with this. (Score:3, Insightful)
Boss: I thought I told you to put that RPC patch an all our client's servers.
Me: I did.
Boss: How come these guys have Blaster then?
Me: I dunno.
Now imgaine having that conversation starting out with:
Boss: On of our clients is being fined for worm traffic...
As much as I realize that people failing to update is one of the largest enablers of these worms, I know it is possible to do everything you are suppsed to and still get nailed. Firewalled (externally) and patched but I'm still cleaning it up. I don't think I deserve a fine for that.
smoking crack? (Score:2)
What DOES need to happen is for the more "grey" forms of cracking to be eliminated..i.e. Gator and such. Programs that install without user intervention and don't leave an entry in add/remove programs are viruses...same thing. Also, ISPs need to be able to handle updating users on their own...this would allow them to require/force patches before you ever get access to the internet. AOL [yes, a realy bad
Punish OS creator not users! (Score:2)
Make scanners free or there will be.... trouble. (Score:2)
McCrafty Scanpro 2004, $399 for a 1 year subscription, or $39.99 a month.
Or you can go with Ed Norton Antivirus Live SuperCop mark VI - the Revenge for $399 for a 1 year subscription.
You need to buy one of them, which one is it? What's that you say? These cost more than your OS and you can't afford it? Sucks to be you... Maybe you should go back to BBSs then.
If the gov
Lol (Score:2)
No doubt he'll change his mind when his site gets assimilated by the next big worm.
Sounds like Pork, taxes and. . . (Score:2)
Yummy, where do I sign up?
KFG
I bet anything (Score:2)
Not feasible (Score:2)
Let the market decide (Score:2)
Or what about.... (Score:2)
I did not RTFA (Score:2)
Any attempt to hold individual (ignorant) users liable for allowing their machines to propogate viruses, worms, spam will be a complete waste of government money, and it won't cause people to behave any differently.
Unable to see the article, but, I have concerns (Score:2)
Conceivably we could fine sites running exploitable servers for which patches exist, and say, have existed for two weeks or more.
Howev
So Why Would I Stay On The 'Net? (Score:3, Interesting)
I'd have to go back to calling brokers on the phone, and writing checks, licking stamps, and sending things through the mail. I'd have to sign up at the library if there was something that I had to get from the 'net. That's assuming the library can stand the liability. If they can't, I'd probably be limited to the library's proprietary DBs on their local LAN.
In other words, if you want to kill the 'net, just turn my PC into a slot machine that has unlimited negative payout odds.
This sounds like another example of "letting the terrorists win". It would turn the 'net into a "fascist police state".
Oh... unless there is an OS that is gauranteed secure through every revision, which we all know there can't be.
Now, if they capped the fine it might be reasonable. What would I do? Buy expensive AV software? No. I'd buy insurance against the fine and continue to exercise good practices (e.g., not using OE for mail, not downloading crap software that runs in my taskbar, etc.) Does anybody sell "virus" insurance?
Seems a Bit Elitist (Score:4, Insightful)
But I'm not sure penalizing Bubba is the right answer. Maybe Bubba is ignorant; on the other hand, he might have a legitimate mental handicap. How much responsibility should someone with Alzheimer's disease or a learning disability carry? What about someone who's simply too old or too young to grasp security issues? Where should the line be drawn, and how could we charge according to ability? And how much would it cost to administer such a program?
A legally sanctioned DOS attack... (Score:3, Interesting)
The first point is that the Internet is NOT managed, at least in the sense I believe Russ is advocating it should be. Not to go all scary-conservative here, but this is just like the discussion over banning guns -- if you get rid of all the handguns in people's closets, then only the criminals will have them. If you legislate enforceable fines for doing, effectively, nothing, then you force out the majority of people who are scared of incurring any liability, and put a powerful weapon in the hands of those who would cause trouble.
Example:
Gee, I don't like Bob. Bob gets his connection through UUNet. His Windows IIS has never been patched, so next time he goes on vacation I'm going to write a worm that exploits MS00-078 [microsoft.com]. Now, I'm going to turn him in to the "Identification Authority" and hope that while he's gone, he racks up enormous fines. Meanwhile, UUNet has to block port 80 for, effectively, every customer on its network if my worm has managed to infect even one other vulnerable machine.
Suddenly, script kiddies have the ability to embargo the entire net by taking advantage of bugs that happen to listen on well-known ports. I would point out today's earlier Slashdot article [slashdot.org]. Should all of our ISPs be blocking SSH traffic now?
You can't legislate against stupidity. Nor can you make perfect software. Nor can you expect to fine neophytes into becoming security experts. Even trying would simply place incredible power in the hands of the software vendors, and then huge segments of the computing world become subject to destruction from one malformed "patch", or even worse, when someone finds a way to exploit the update mechanisms.
This is the worst possible sort of power transference. Because people can not, will not, or in some cases _should_ not independently deal with their own technology issues, you empower central entities with an enormous amount of control over individual users. Novice users will relinquish that control, or be forced to pay some ridiculous sum of money in fines. In the end, chances are you end up with even worse problems than you started with.
BAD idea (Score:5, Insightful)
Not to mention underfunded organizations like Libraries and schools that may not be completely up to speed. This is a stupid idea. I put this up on the shelf with that idea to destroy people's computers for "piracy".
I find it amazing that people are so amazed that no one patches their computers. Think of your grandparents. What do they know about firewalls and TCP/IP and man-in-the-middle attacks? My mother has a VAGUE understanding of updating software and that it's important, but she doesn't know why. If you don't know why you are doing something, it's hard to continue doing it; and they are bound to miss something important along the way.
Someone had a good idea on another thread. ISP's should be the firewall for the little guy, and if you are in the know, you just opt-out. I work for SBC tech support. They decided to block port 135 due to all the MSBlast+derivatives activity. I think it's only temporary, but it is a good solution. No one really has any reason to be using port 135 over the net anyway. Locally, yes, internet no. You should be using a VPN if it is that important to you.
Re:In relatedly fascial news... (Score:3, Insightful)
Re:Make the OS pay (Score:2)
Re:hmmm (Score:2)
Jason
ProfQuotes [profquotes.com]
Re:Good plan... (Score:2)