A Need for Greater Cybersecurity
otterit writes "A story in the Washington Post discusses how chief executives of U.S. corporations and their boards of directors should assume direct responsibility for securing their computer networks from worms, viruses and other attacks, an industry task force working with the federal government said."
Deciding how important the Net is to your business (Score:5, Interesting)
Restricting the internet to a single machine (or battery of machines) that only sent and received external email and forwarded it on to the internal network seems like the absolute maximum internet connection necessary for most businesses.
Surely employees don't have to surf the web at work?
Re:Deciding how important the Net is to your busin (Score:5, Funny)
Think about the slashdot. Think!
Re:Deciding how important the Net is to your busin (Score:2)
Re:Deciding how important the Net is to your busin (Score:2, Insightful)
Re:Deciding how important the Net is to your busin (Score:2)
Re:Deciding how important the Net is to your busin (Score:5, Insightful)
For the last 8 years, I would not have been able to do any of the work I've been paid to do if I didn't have timely access to the web. It's to the point that I now wonder how I was able to get any work done 15-25 years ago!!! Granted, not all work **REQUIRES** it, but if you start discriminating between functions at work, you will get more disgruntling than good work done; it has come to the point that web access is nothing less than telephone access.
However, granting internet access to employees doesn't mean that the barest minimum security and/or monitoring should not be deployed. In fact, it would be quite foolish to grant unrestricted/unmonitored internet access to employees.
Re:Deciding how important the Net is to your busin (Score:3, Insightful)
The management heads who like to crack the whip need to make a choice: if they take sadistic joy in cracking the whip then they're either go
Re:Deciding how important the Net is to your busin (Score:2)
How then will we pore through picture after picture of celebrity assess then?
Re:Deciding how important the Net is to your busin (Score:3, Insightful)
Internet access at a computer today is something that is taken for granted; it is assumed when you sit at a computer that you will be able to get online, especially at your office. I liken restricting internet access to the removal of Solitaire from office PCs. Sure, your empl
Re:Deciding how important the Net is to your busin (Score:5, Insightful)
How can they keep a network secure if their own users are working against them by installing crap on their PCs like Kazaa or whatever else they think looks fun? They can't really protect a network if the people inside the network are the problem.
Re:Deciding how important the Net is to your busin (Score:3, Insightful)
Saying that IT cannot protect machines from their users is saying IT doesn't have a clue about security. Fortunately thi
Re:Deciding how important the Net is to your busin (Score:5, Insightful)
No, they don't need to surf at work. However, being a BOFH and cutting off internet access to the employees doesn't do much for employee morale.
Sooner or later all your good employees will leave, and you'll be stuck with disgruntled employees who don't have the skills to get another job (and are underqualified for the one they have), or recent grads who have no other choice but will leave as fast as they can. You'll lose money in training and recruiting costs.
Draconian measures might save money in the short run, but keeping employees happy does much more for employee retention.
Re:Deciding how important the Net is to your busin (Score:5, Insightful)
Quick anecdote: I used to work for a large company that made web authoring tools. At some point we had to ask ourselves whether we still wanted NFR versions of our rather expensive software available to every employee on the intranet. Was it absolutely necessary for the receptionist to install an HTML editing environment? Creating HTML was not part of his job.
Our decision was that if our receptionist takes an interest in our own products and wants to play with them, that's a Good Thing[tm Martha Stewart] and should be encouraged. It'll make him more interested in the company and a more committed employee; we might find out that he's actually a decent designer and can contribute more to the company in our web design group. Did the NFR products get 'pilfered' every once in a while? Sure. But I'll bet you that 95%+ of the pilfering that was going on with them was to people who wouldn't have purchased them anyway -- but now were using them, and talking about them (mostly positively, we hoped
I work now for a company that doesn't allow general internet access for 90%+ of its employees. I think disallowing general internet access is symptomatic of a certain sort of relationship the company wishes to maintain with its employees and is indicative of how it thinks of them -- and it's not indicative of a particularly high level of trust in, or care for, the employees.
Left to my own devices, I'd rather put in a robust anti-virus and anti-malicious-code system coupled with employee education and discipline for people who break the minimal rules and then let the employees loose. Will some of them surf during work hours and damage their productivity? Indubitably. I still think that the overall benefit in employee morale and easy access to information is going to be worth the occasional loss from someone who can't control his surfing.
Re:Deciding how important the Net is to your busin (Score:5, Funny)
Restricting telephone calls to a single secretary (or secretarial pool) that only make and receive calls and forwarded messages on to the internal workforce seems like the absolute maximum telephone usage necessary for most businesses.
Surely employees don't have to make calls (especially personal) while at work?
Re:Deciding how important the Net is to your busin (Score:2, Interesting)
Sure, and every computer system works magically out of the box? What if that "enroll in a health care plan here" site doesn't work correctly? What if I need tech support to come down and install a local administrator account on my machine? My staff assistant isn't necessarily the person that I would want to have to talk directly to our help desk on my behalf.
Re:Deciding how important the Net is to your busin (Score:3, Interesting)
Re:Deciding how important the Net is to your busin (Score:2, Funny)
Re:Deciding how important the Net is to your busin (Score:2, Insightful)
I am an embedded systems firmware engineer at a small (~20 employees) company. In addition, I manage the network here, maintain the workstations and purchase/setup any new computers required. I am going to state unequivocally that I simply could not do my job(s) without Internet access.
Whether it is finding, downloading and installing the latest drivers for a new or existing system, researching new microcontrollers for new product development, chasing d
Re:Deciding how important the Net is to your busin (Score:2)
If you stop employees from using telephones, they'll use mobile phones or use VoIP.
Restrict all forms of communication, and you won't keep/recruit the best staff.
In a research environment, having access to the Internet is essential. Not only is accessing IEEE, ACM portals useful in accessing papers, but a Google search can also root out other papers, and check to see where the commercial an
Breaking news! (Score:5, Funny)
(as opposed to relying on magical network security elves that secure your network while you sleep and provide freshly made footwear in the morning)
Re:Breaking news! (Score:2, Funny)
Do they come with the Magical Server Pixie Dust?
I have it ... (Score:2, Interesting)
Seriously, yes, corporations *do* need to take better care of their systems, but I'd hazard a from-the-hip guess that the biggest problem these days as far as worm spreading is concerned is home machines and those in lesser "net developed" countries. In other words, ISPs need to become a little more responsible, and go about figuring out how/who/when to block certain ports from leaving their domain (like, say, 25).
Re:Breaking news! (Score:2, Funny)
This is very effective: after three or four wedgies, people learn NOT to do some st00pid stuff with Internet Exploder...
Re:Breaking news! (Score:5, Funny)
Re:Breaking news! (Score:2)
Wait. This isn't another dig at "offshoring" is it?
magical network security elves (Score:2)
-kgj
Open source (Score:3, Interesting)
So they will finally migrate to open source technology?
The German government IT security agency BSI published a nice migration guide. I would like to see that on the other side of the Atlantic.
Re: (Score:3, Insightful)
What? (Score:5, Insightful)
Re:What? (Score:5, Insightful)
Heck, a lot of companies don't even have a comprehensive software inventory.
Downstream Liability (Score:3, Informative)
This paper [cert.org] addresses some of the issues you mentioned.
ObDisclaimer: I am one of the authors (though no longer at CERT) and express some opinions in the paper re: patching schedules and general due care in this area.
Re:Downstream Liability (Score:2)
OCTAVE (Score:2)
For those of you wondering about OCTAVE: it is the Operationally Critical Threat, Asset, and Vulnerability Evaluation [cert.org]. (It's not really about survivability as such.)
Please understand that what follows is my opinion only.
OCTAVE is interesting: it involves getting input from all levels of the organization to determine what is important to whom and why. This is a pretty effective way to figure out a) what would happen/be affected if $RESOURCE became unavailable, and b) how to best protect $RESOURCE. H
Re:What? (Pardon?) (Score:3, Insightful)
Shipping an OS with ports open is not a prudent security decision.
Shipping an OS with ports open with no way to close them save installing an extra piece of software called a "firewall" is infuriating.
An attitude of security through obscurity from a software firm whose software products run on 90% of all desktop computers is naive.
Using an environment that allows the programmer to make an error that allows a hostile data packet to co
Assigning fault (Score:4, Informative)
Yesbut.
It is still the software company's fault that the bug existed in the first place. If the client company doesn't dare install patches because previous patches have crashed the production systems, that's the software company's fault. If the software company's salespeople showed a TCO study that didn't include monitoring for patches, building a regression lab to test patches before deploying them, rolling out patches, and doing this weekly or monthly, then the salespeople misled the client company.
If your car blows up because you got a recall notice six months ago and you ignored it, your fault. If your car gets three recall notices a week, there's something wrong at the manufacturer.
Re:What? (Score:3, Interesting)
That's the first thing I thought of too. However, how often are security efforts stonewalled by braindead executive types who say "I want security", then later chastise the people who bring it to them for the effect it has on convenience? I'm currently engaged in that exact battle. They said "we want a security system to secure our documents", and when I rolled it out with some basic requirements: you must change your password every thirty days, passwords must be a mix of letters and numbers, and passwords
Re:What? (Score:2)
For large software sites there can be a disconnect between security fantasy and security reality. On the wall of my cubicle is a Dilbert cartoon and a memo from IT. The subject of both is password policy. The reason they are on my wall is the new security policy of IT and the fictional one proposed by the IT person in the Dilbert cartoon are ident
Weed Them Out (Score:5, Insightful)
those that don't... (Score:2, Insightful)
Sarbanes-Oxley (Score:5, Interesting)
Re:Sarbanes-Oxley (Score:3, Funny)
I'm having trouble finding that document. Every time I think I've located it I get a 404 response.
Re:Sarbanes-Oxley (Score:2)
They are the ones who trump the security team at my company. We had a nice small tight set of controls until the executives started chipping away at them.
"But Mr. CEO needs to receive these passworded zip files by e-mail"
"Mr. VP needs access to port xxx through the firewall."
Or the best one:
"We need Mr. Executive VP to have pcAnywhere through the fire
Sarbanes-Oxley (they don't understand) CFO vs CTO (Score:4, Informative)
Being in the IT Security field I thought that this would be a big boom for my career but I have not seen it yet. 404 clearly states that someone has to be responsible for reporting on the security readiness of the company. I don't see how the audits I have performed meet this requirement. Do the 20+ page audits that I produce make the CFO think he can report on security readiness? I don't think so, because security is something that changes on a day to day basis. Plus I would bet that the CFO is an end user of some of those systems (badge reader, workstation, email, intranet, etc.) and that this would prohibit him from being in that role. If I had the resources I would start a company and outsource the security audit and reporting responsibility. The major expense would be advertising / education of the corporations on the need for such a service.
Anyways, I could go on all day but in summary most corporations have no idea that they need this and the ones that do know don't understand it.
Nick Powers
Re:Sarbanes-Oxley (Score:2)
If you think that an employee has any rights to privacy within a corporation that he/she works in then you're fooling yourself. Assume that everyone can see and hear everything you are doing once you pull your car into the parking l
Whoa Thar, Pard! (Score:5, Funny)
So ironic (Score:4, Informative)
That's not to say that IT security and virii aren't devastating. Just that putting clueless buzzword-directive-issuers in charge, instead of those who understand the implications and directly deal with customers, doesn't solve anything.
Not likely (Score:5, Interesting)
Re:Not likely (Score:2)
In the good old US of A you are no longer responsible for your actions. You were forced to do it, tricked into doing it, didn't know better, or to you it was ok. Any which way, we have lawyers that manipulate everyone to freedom.
Duh... (Score:3)
Move along /., nothing new to see here...
Re:Duh... (Score:2, Funny)
Taken to the extreme... (Score:5, Funny)
Re:Taken to the extreme... (Score:4, Insightful)
Re:Taken to the extreme... (Score:2, Insightful)
Re:Taken to the extreme... (Score:2)
Servers (especially mail/ftp/file servers, but not so much database/app servers) are a good spot to catch viruses that got past the anti-virus software that is installed on the users' desktops. Especially since users have a bad habit of disabling or just simply breaking their anti-virus software.
A good ad
This is what Sarbanes Oxley's all about. (Score:3, Funny)
Re:This is what Sarbanes Oxley's all about. (Score:2)
True, but unlike Y2K, this one has no expiry date. Each change to the IT infrastructure of a company is going to mean that the CEO/CFO that is now accountable due to Sarbannes-Oxley is going to be sticking their neck a little further out. Sooner or later that person is going to want (and probably get) another audit to cover their ass. Assuming they haven't already factored this into the business strategy of course; security tests on odd-numbered years, PAT te
Cybersecurity? (Score:5, Insightful)
The internal network can also be destroyed by a simple click on an email attachment. The real issue here is educating people about computers, and expecting a certain level of competency. Too many employees are using something they don't understand; it would be like giving company cars to people who don't know how to remove the keys from the ignition and lock the doors.
suggestion (Score:3, Interesting)
I realize lots of spam comes from overseas, but a lot also comes from aol.com, rr.com, comcast.net, etc.
Or we could just make commercial software vendors responsible for the quality of their software.
Re:suggestion (Score:3, Interesting)
Many of the major ISPs won't receive email from an IP that is from residential cable/dsl service. Most of this is already being blocked. I know from personal experience that comcast is already blocking port 25 in some areas.
"Or we could just make commercial software vendors responsible for the quality of their software."
Just commercial. What about
Re:suggestion (Score:2)
Oh, and discounting asymmetric routing tricks, good luck establishing an outbound port 25 connection from inside the aol.com network.
-roy
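The port 25 egress blocking that several posters above describe (ISPs dropping outbound SMTP from residential pools so infected home machines cannot spray mail at the rest of the Internet) is easy to model. The following is an added example, not code from the thread or from any ISP: it evaluates a constructed set of flows against that policy and flags residential hosts whose blocked attempts fan out to many destinations, the signal a support desk would act on. All addresses, ranges and the relay address are constructed RFC 1918 / documentation-range values, not real provider data.

```python
# Added example: toy ISP egress filter for outbound TCP/25 plus a fan-out
# detector. Addresses and ranges are constructed, not real ISP allocations.
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

RESIDENTIAL_POOLS = [ipaddress.ip_network("10.20.0.0/16")]   # constructed dynamic pool
ISP_RELAYS = {ipaddress.ip_address("10.0.0.25")}             # constructed customer relay


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def egress_verdict(flow):
    """Return 'allow' or 'drop' for one outbound flow under the port-25 policy."""
    if flow.proto != "tcp" or flow.dport != 25:
        return "allow"                      # only SMTP on port 25 is filtered
    src = ipaddress.ip_address(flow.src)
    if not any(src in pool for pool in RESIDENTIAL_POOLS):
        return "allow"                      # static/business customers are not affected
    if ipaddress.ip_address(flow.dst) in ISP_RELAYS:
        return "allow"                      # the legitimate path: submit via the ISP relay
    return "drop"                           # direct-to-MX from a residential host


def flag_fanout(flows, threshold=10):
    """Residential hosts whose dropped port-25 attempts reached at least
    `threshold` distinct destinations: a worm/spambot signal, not a mail user."""
    dropped_dsts = defaultdict(set)
    for f in flows:
        if egress_verdict(f) == "drop":
            dropped_dsts[f.src].add(f.dst)
    return sorted(src for src, dsts in dropped_dsts.items() if len(dsts) >= threshold)


# Constructed traffic: one customer mailing through the relay and browsing,
# one infected host spraying SMTP at 30 external hosts, one business-range host.
SAMPLE_FLOWS = (
    [Flow("10.20.1.10", "10.0.0.25", 25), Flow("10.20.1.10", "192.0.2.80", 443)]
    + [Flow("10.20.7.77", f"203.0.113.{i}", 25) for i in range(1, 31)]
    + [Flow("10.30.5.5", "203.0.113.99", 25)]
)

if __name__ == "__main__":
    dropped = sum(1 for f in SAMPLE_FLOWS if egress_verdict(f) == "drop")
    print(f"dropped {dropped} of {len(SAMPLE_FLOWS)} flows")
    print("suspected infected hosts:", flag_fanout(SAMPLE_FLOWS))
```

The design choice worth noting is the relay exception: the policy blocks a destination port from a source range, not SMTP as such, so customers keep sending mail through the provider's own relay while a compromised host loses its ability to talk to arbitrary mail exchangers.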
responsibility (Score:3, Interesting)
In other words, Homeland security and the FBI blew all their money on booze, cigarettes, and hookers, so now someone else must pay to take care of problems like internet insecurity before they become problems.
But is it really that simple? Can all security threats be stopped before they start, or should the government be held accountable for part of it? Seems to me like they are trying to lay some responsibility on the big corporations (not a horribly bad thing) but the reasons behind this are not good. I think their attention is focused in the wrong places. Their attitude is that creating colored alert systems and making duct tape warnings is of more importance than securing the global internet infrastructure.
I guess keeping people focused on the T word (Terrorism) is key to keeping them from realizing that the executive branch really sucks right now.
Re:responsibility (Score:3, Interesting)
So, are you saying that Homeland Security or the FBI should come in and handle security on their network? Isn't it up to a private company to handle its own security? Or should the US put up one big firewall around the nation and block us off from the rest of the world and manage security that way. Kind of like an old castle moat for cyberspace.
Re:responsibility (Score:2)
No, I'm saying that they need to spend more money going after the writers of the internet worms. They give these threats little attention, but I would wager that the associated costs of network downtime and lost productivity have cost the average company far more time and money than any terrorism. I am not one to blindly believe the ant
Re:responsibility (Score:2)
Terrorists go around killing people. Internet worms are an inconvenience and cost money. There is a big difference.
Re:responsibility (Score:2)
Where are you getting from the government that they want to scan every email??? They can't, don't want to do that. Maybe with a court order like a wire tap but that's about it.
"If Ford produced a car that when it got into an accident, took control away from the driver for the next few months and continuously drove into other cars they would probably be held responsible."
Ford in this case didn't
Great but your data is leaving the country (Score:5, Interesting)
Blame the users (Score:5, Insightful)
2. Watch while a global industry in wormware develops to take advantage of this
3. Blame the users for not preventing it.
Excellent strategy, which will help enormously. While we're at it, let's stick a large label on new PCs saying "Warning: this PC is likely to be infected within 5 minutes of connecting to the Internet, but that's your fault."
Why... why are companies allowed to sell software that has known defects? Surely it's technically possible to ensure that every installation of Windows XP leaves the shop with all necessary patches?
not quite (Score:2, Interesting)
They probably couldn't find every possible flaw and patch it before it leaves Redmond, not due to technical reasons, but because at some point they must keep income flowing in (please no flames here).
A 100% bugless windows would probably take a very long time (increase cost, increased consumer price), this is not necessarily a bad thing, but may drive the price of the Windows compu
Re:not quite (Score:2)
No arguments here, but I don't think that's what the OP meant. I read it as "why can't PC manufacturers and retailers ensure that no PC is shipped until all the latest (security) patches have been applied?"
Seriously - if you buy a new PC off the shelf from a store, what's to stop them from plugging it in and patching it? Not only would it help to reduce problems in the short term, it would demonstrate that it worked! Fro
Re:Blame the users (Score:3, Insightful)
If it's that easy, why don't you get back to us once you've got it complete.
This is not meant to be a Troll, but think about the question and think about politics, bureaucracy, red tape, etc. Oh, and you might want to start your own biz too, that helps put things in perspective.
The Government is Stupid (Score:5, Insightful)
The problem solution isn't the lack of CEO involvement, it's the lack of clout technology officers have. People seem to ignore the advice of technology advisers of all sorts. If a system administrator says something is insecure, one would think the people who hired them would listen, but they don't.
This is brilliantly demonstrated by electronic voting. Almost all security experts say it is a bad idea. Almost all technology websites trash the idea. When all the experts in a field say not to do it, the politicians still think it's a good idea. Thus, they are truly fools, for they do not know that they are fools.
One of the main flaws to all this: they used representatives from technology companies. Did they never consider talking to security experts? Despite recent changes, the American higher education system has some of the best research institutes in the world, and amazingly enough, there are experts at those institutes! Even better, those experts are relatively unbiased! Oh, the possibilities!
Strangely enough, that's not the problem. The problem is that there are too many governmental enablers. The government gives all sorts of help to companies who suffer losses from cybersecurity, so they have no motivation to secure themselves. What idiocy.
I guess that, in general, I would have to say most of these problems are caused by governmental stupidity and corporate vileness, but there is still hope for the future, as there are proposals to force businesses to have regular cyber-security audits, as well as other measures.
Re:The Government is Stupid (Score:2, Insightful)
He's not charging enough. (Score:2)
If the janitor[1] comes up to you and says "The front door isn't secure, we need to put a lock on it." He gets ignored. He's only a janitor, gets paid peanuts, what could he possibly know.
If he puts on a suit and becomes a $200/hour security consultant and charges $15,000 for a security audit coming to the conclusion that, damn those doors should really have locks on them, he will be listened to. That advice is worth $15,000 after all... Isn't it...
[1] And yes, this *is* how systems administrators
Re:The Government is Stupid (Score:2)
People seem to ignore the advice of technology advisers of all sorts. If a system administrator says something is insecure, one would think the people who hired them would listen, but they don't. This is brilliantly demonstrated by electronic voting. Almost all security experts say it is a bad idea. Almost all technology websites trash the idea. When all the experts in a field say not to do it, the politicians still think it's a good idea. Thus, they are truly fools, for they do not know that they are foo
Why do worms propagate in the first place... (Score:5, Insightful)
You can (try) to patch all your services and stay ahead of vulnerabilities, but in a very large organization unpatched machines can fall through the cracks, and in a small organization there may not be enough skilled staff to keep everything patched.
User edjimukation (sic) is all well and good, but unfortunately there will always be a population of Darl's who will willfully ignore best practices and try to do stupid things with viruses and whatnot.
IMHO there are solutions to at least some of the more stupid problems with security. I think the best ones are through least privilege enforcement with Mandatory Access Controls (see SELinux as one very good commercially available example; I also like Domain & Type Enforcement for Linux too!) With MAC systems root is no longer a god, and you have a much richer ability to limit what users can do with things like email attachments. Worms can also be contained much better since you define a policy of what a server is supposed to do instead of trying to pattern match every possible type of malware (an impossible job in the long run).
So why is this rambling post not entirely OT? Well, a bigger organization like a corporation will have a greater incentive and a greater ability to start experimenting with MAC systems that are both secure and usable in an office environment. Bigger companies have more resources to work with software vendors to iron out bugs and kinks in the system, and then the refined products can start to filter down to consumer grade products, where security is usually almost non-existent. It is a slow process, but we desperately need better methods and technologies than the standard issue patch & pray employed in today's networks.
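The point the post above makes, that under type enforcement "root is no longer a god" and a server is confined to what its policy says it does, can be shown with a small evaluator. This is an added example, not code from the thread and not SELinux or DTE policy syntax: the labels, domains and allow rules are constructed for illustration. A compromised mail daemon running as uid 0 passes every discretionary check, yet the MAC layer still denies it the execute on a file it staged in /tmp and the write to its own configuration, because neither permission was granted to the `mail_t` domain.

```python
# Added example: toy type-enforcement evaluator in the spirit of SELinux/DTE.
# Labels, domains and rules are constructed for illustration only.

# Constructed file labels: path prefix -> type (longest prefix wins).
FILE_LABELS = {
    "/var/spool/mail": "mail_spool_t",
    "/etc/postfix": "mail_conf_t",
    "/tmp": "tmp_t",
    "/home": "user_home_t",
    "/usr/bin": "bin_t",
}

# Constructed allow rules: (domain, type) -> permissions. Default-deny:
# anything not listed is refused, whatever the process uid happens to be.
ALLOW = {}


def allow(domain, ftype, *perms):
    ALLOW.setdefault((domain, ftype), set()).update(perms)


allow("mail_t", "mail_spool_t", "read", "write", "create")
allow("mail_t", "mail_conf_t", "read")                 # config is read-only to the daemon
allow("mail_t", "tmp_t", "read", "write", "create")    # it may stage files in /tmp...
allow("mail_t", "bin_t", "execute")                    # ...but may only execute system binaries
allow("user_t", "user_home_t", "read", "write", "create")
allow("user_t", "tmp_t", "read", "write", "create")
allow("user_t", "bin_t", "execute")


def label_of(path):
    """Longest-prefix match of a path against the constructed label table."""
    best = ""
    for prefix in FILE_LABELS:
        if (path == prefix or path.startswith(prefix + "/")) and len(prefix) > len(best):
            best = prefix
    return FILE_LABELS.get(best, "unlabeled_t")


def dac_allows(uid, perm, path):
    """Simplified discretionary check (hypothetical): root may do anything,
    everyone else may only read. Stands in for classic Unix mode bits."""
    return uid == 0 or perm == "read"


def mac_allows(domain, perm, path):
    """Type-enforcement check: depends on the process domain, never on uid."""
    return perm in ALLOW.get((domain, label_of(path)), set())


def evaluate(uid, domain, actions):
    """Run a sequence of (perm, path) actions through both layers; an action
    is allowed only if DAC and MAC both agree, as on a real MAC-enabled system."""
    verdicts = []
    for perm, path in actions:
        ok = dac_allows(uid, perm, path) and mac_allows(domain, perm, path)
        verdicts.append((perm, path, "allow" if ok else "deny"))
    return verdicts


# Constructed scenario: a mail daemon (running as root) that a worm has taken
# over tries to drop a payload, run it, and rewrite its own configuration.
WORM_SEQUENCE = [
    ("read", "/var/spool/mail/alice"),
    ("create", "/tmp/payload"),
    ("execute", "/tmp/payload"),
    ("write", "/etc/postfix/main.cf"),
]

if __name__ == "__main__":
    for perm, path, verdict in evaluate(0, "mail_t", WORM_SEQUENCE):
        print(f"{verdict:5} {perm:8} {path}")
```

The contrast to signature-based antivirus is that nothing here inspects the payload: the policy states what a mail server legitimately does, and the "run what you just wrote to /tmp" step fails on any worm, known or not.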
Re:Why do worms propagate in the first place... (Score:2, Informative)
Security is mayhem (Score:5, Interesting)
If the CEOs spend the required money hiring people to take on the responsibility of securing a network then why is it the CEO's fault?
If the people being hired are not competent, but played the 'I know what I'm doing' role then it is still their fault.
The only time I see it as acceptable that the CEO gets the blame is when the CEO him/herself directly contributes to the lack of security or employee laxness.
The article, imho, is hinting that if a company was to go down due to security problems then it's the CEO who gets the blame if, and when, they are led to believe their networks are (or were in this case) secure/d by an (incompetent) tech-support guy.
I say it truthfully AND before I become flamebait: I have the utmost confidence for *most* IT people, it's usually the users who contribute to the problem not IT departments, but I truly do, in this case, feel sorry for the CEO (with their huge paychecks and massive perks) when they get the blame for something that they did honestly have a go at fixing/preventing.
Worms/Virii are designed to be destructive and disruptive and there is little to no way that most users will ever learn that they need to be more cautious about security without having their credit card details exposed by a black-hat or their personal PC brought to a halt by the world's least advanced virus - because the user hadn't patched their virus scanner.
It's a case of once bitten twice afraid - and if it's kept that way by the community, as long as it doesn't affect me, then I'm all for it - I just hate cleaning up after one has hit.
New rule for virii - release a strain to the public and release a quick-repair tool at the same time to slashdot!
Re:Security is mayhem (Score:3, Interesting)
It makes perfect sense to hold them responsible for the decisions of their underlings if their hiring decisions prove unfortuitous. You'd have a hard time convincing me to feel bad for them if they hired some schmuck to do their internal security and then didn't bother to audit that person independently -- we expect them to do it with the accountants, so w
Call Me Crazy... (Score:5, Insightful)
Given a way to easily update applications (which virtually every useful and enterprise program has in some form) the only way the end-user should be held responsible is if they haven't stayed on top of these updates.
I can see gray areas where exploits are unknown to the software creators, however once made aware either via direct communications or one of the many vuln/exploit websites they should be required to fix the vulnerability in a timely manner.
What really gets me is that MS for example clearly knows that probably 1/2 of the Windows installs are pirated versions and they purposefully disallow the Windows Update feature on these copies. I'm willing to bet a good portion if not most of the trojaned and wormed zombie boxes out there are of this class. Perhaps if MS just sucked it up and turned on Windows Update by DEFAULT and allowed pirated versions to download AT LEAST the critical security updates the Internet would indeed be a much happier place.
BTW, I'm a predominantly Windows user most of the time, so don't just file this under 'hating'.
Re:Call Me Crazy... (Score:3, Insightful)
Re:Call Me Crazy... (Score:2)
As for supporting pirated software, yeah, it sucks. But, patch the security holes at least. Put the usability bug fixes and new features in a patch that will check for a legit version beforehand.
Re:Call Me Crazy... (Score:2, Insightful)
I seriously hope you are joking! Don't get me wrong, I hate Microshaft just as much, if not more, than the next person; however, what you are saying is that a Company that produces a commercial product should support and update that product for any and all persons that steal that product. I, and I hope most others
I don't think theft mitigates defects (Score:2)
The question is whether the theft removes all the manufacturer liability for defective products. I don't believe it does.
Let's assume that I own a 2004 Ford Exploder and Ford issues a recall for faulty master cylinders that could cause a total loss of braking ability. No
I would be happy.. (Score:2, Funny)
if executives these days were accountable for anything; seems if you wear a suit and grovel enough you can more or less do whatever you want! Just read the newspaper for examples.
We don't even have a single standard (Score:2, Interesting)
F/OSS is the _only_ way to comply (Score:2)
This is flat out impossible to achieve without Free and/or Open Source Software. For someone to assume responsibility for their software, they need to be able to proactively deal with defects.
How can this be done with closed-source software? It can't. Closed-source software (CSS) vendors assume no liability and no responsib
"Where the buck stops" v. "the man in the mirror" (Score:2, Interesting)
The real day-to-day security problem is not in the CEO's office, at least not exclusively. We've all seen or had passwords on monitors, and under keyboards. We've all seen or used a birthday, family member, or pet as a "secure" password. We've all telneted when we should have SSH'ed, or HTTP'ed when we should have HTTPS
new theory (Score:3, Funny)
They all get in trouble (Score:4, Informative)
'Because everyone here uses Microsoft and Microsoft can't get their shit straight, we're gonna have everyone here pay out more money to Microsoft'
tangible recalls and a proposal (Score:3, Interesting)
I think if it's a tangible PROFIT they want, then it's the companies duty to provide a patched TANGIBLE product. They should be required to provide a PATCHED install CD, not just skate on saying "there's a downloadable patch available".
Example in meatworld. Lst year I found out two of my small cordless drills were recalled. The company paid to mail the old drills back to them, and they sent me new drills "patched"(they were basically brand new drills of a newer "release" style), they DIDN'T just send me via snail mail or email a set of instructions on how to "fix" the drills. I WASN'T required to show where I had bought the drills,nor if I had a "license to drill with them" or anything of the sort. I shipped the b0rked drills off to them on their nickle, I got patched drills back.
I say apply the SAME rules to software on CD's that are produced and sold for a tangible profit. if they want real money, they need to provide real normal warranties. Make them be forced to take your old CD back at their expense, and have to send you a new CD with the patches, etc. Lather rinse repeat until they bingo it's a much better idea to do it *right* in the first place.
IF they were forced by law to provide a replacement of their industry-alleged "tangible" product that they tangibly "profit" from, it would cost them and wake them up. It would cause one of those "paradigm" shifts in the software world, BUT, in the long run, I would be willing to bet that software would be much more intensely audited and tested before it shipped in the future.
That and there REALLY needs to be a law that eliminates the "nothing is our fault, neener neener neener EULA" crap. If they want a tangible profit, they need to have a similar law applied to them that tangible products elsewhere are forced to conform to. It's called normal consumer product warranties.
A long time ago I could see the need for software to be given a time frame to get up to speed on development. It is a mature, sophisticated, entrenched and profitable industry now; these companies can be forced to be treated as competent adults in the marketplace if they are selling a product, no different from other industries. And there should be an actual legal time limit for products that are recallable, and it needs to be MANY years. In some cases, forever.
FORCE them to provide FREE replacement CDs on a one to one basis, no questions asked, that have all the same functionality of the original product, but have had the patches applied.
As many times as it takes.
Yes, "recalls" can be expensive to the company, THAT'S THE POINT; it has been shown in every other industry that it works, it is making for much better products in the marketplace, safer, more functional, better, and these companies are still profitable.
"Caveat emptor" is NOT the law of the land with other products, because we as a society decided that that sucked, bigtime, and passed laws about it.
The software companies want it both ways, to be treated as if all their product is a tangible when it comes to profits and income, but they want no responsibility for their "products". Seriously insecure and malfunctioning products everyplace else get recalled. You aren't forced to become your own mechanic and just told how to fix stuff, even if the part is offered.
/. Double-standard: Developers or Users (Score:3, Troll)
Developers are responsible for secure code? Or, is it the Users?
Remember legislation that might affect open source projects into being responsible for the security of their code? Remember the uproar that caused?
Or is this another friendly gray-area-it-depends-if-it's-convenient-for-my-cu
Not OT, just a different scale. (Score:5, Insightful)
The problem is not end users. The problem is not the people writing the virii. The problem is so easy to see and so vanilla that most people have such a hard time seeing something so simple.
Windows is shit. It's swiss cheese for virii. It is an all around horrible OS. I'm not thinking about far earlier versions and where they got us. That part of MS history was rather nice. But where we are... uh... going today (lol) is to hell in a handbasket.
Security is not a product, it's a process. And step 1 is to get Windoze off of your servers.
I await the fan-boys who will scream how Win2K with Service Pack 69 is perfect. Jesus help them...
Re:Not OT, just a different scale. (Score:2, Interesting)
Windows is shit.
This is so wrongheaded -- not the Windows eval, but the rest.
Yes, OS X is a great, infinitely more secure, OS. Yes, Linux is cool too.
And YES, the problem is also End Users, and Operators, and Developers, and Blackhats, and well... Us.
Windows sucks, and it deserves criticism for its security implementati
The solution, quite frankly... (Score:2, Insightful)
Please don't assume direct responsibility (Score:3, Insightful)
If you thought PHBs were bad, just wait until your CEO (or even better), board of directors, starts telling you how to secure your/their computer networks from worms, viruses and other attacks.
The system you get will be the worst melange of marketing-driven products with all the right buzzwords.
Which comes first? Security Budget or CEO Bonus? (Score:2, Funny)
part of a larger problem (Score:4, Insightful)
Our idea of addressing crime is stiffer sentences and more prisons. Reactive, not proactive.
Our idea of fighting the spam problem is to pass more laws. Reactive, not proactive.
Most corporations don't really take security seriously until they have a serious security situation (say that 3 times fast). Reactive, not proactive.
The same thing goes for users. Nobody worries about viruses or worms until the third time they have to re-install Windows. Reactive, not proactive.
I have clients who know MS Outlook is a bad program, but they're too lazy to "learn something new"; same thing with IE alternatives. They'll spend 2 minutes installing Firefox and if one web site they use doesn't come up right, then they switch back to IE and blame it on the software.
Our idea of planning seems to involve reaching our hand out to stick a CD in our hard drive which promises to be proactive for us.
It seems for the majority, our society as a whole always seeks the "solution" to a problem which offers the most instant gratification. We use as an excuse the adage "If it ain't broke, don't fix it," even when we know something is broken but it hasn't fallen on our heads yet. The new adage should be, "If it doesn't explode in OUR face, then don't fix it."
I suspect the true solution to this problem lies in reprogramming the mainstream to appreciate the value of planning ahead and the not-always-obvious cause-and-effect relationship therein.
that being said... (Score:2)
Re:I second this :) (Score:2)
Re:Sue Microsoft (Score:2)
Besides, MS's lawyers in court would put on a song and dance show about how no Microsoft system is exploited by a flaw until after the flaw is discovered and the patch released. If the computer users would just install the patches faster, there would be no problem.
It