
Russ Cooper's Internet Penalties Plan 435

sagman writes "Russ at NTBugtraq is proposing fines for those whose computers allow the propagation of viruses, worms, etc., knowingly or unknowingly... Russ is taking a poll on his site. Russ states in an email that he wrote this up at the request of a US Senator staffer..."

  • by inertia187 ( 156602 ) * on Tuesday September 16, 2003 @04:08PM (#6979436) Homepage Journal
    I can just see the virus protection software making changes to their notifications to keep track of attacks that could cost people money and list it in a tally window: "You've saved $764 in internet fines this year because you used Morton AntiVirus 2005! Want to upgrade to the Pro version?"

    The Pro version will include an insurance plan in case you go on vacation for a week and leave your XP box on and a new exploit surfaces while you're gone.
    • I don't think insurance can (or wants to) pay fines for you.
      • by kilgore_47 ( 262118 ) <kilgore_47 AT yahoo DOT com> on Wednesday September 17, 2003 @01:10AM (#6983414) Homepage Journal
        Riight, let's punish the ignorant victims for their ignorance... 'Cause fining the richest man in the world, or his company that is the cause of most of the problems, why.. that... that would be crazy!

        *shakes head*

        This is a horrible idea for oh so many reasons. The first that comes to mind is that government mandates about ISP logging and packet blocking are a bad thing. Once a national infrastructure is in place that allows a government sponsored program to declare certain packets or application signatures "bad", what's to stop them from adding more things than just viruses? It would be trivial, technically, to write a 'virus definition' for p2p traffic. It would be almost as trivial, and only a bit more expensive, to get this done on a political level (a certain senator from disney [senate.gov] would probably love to help out). When the DMCA crowd is done adding their firewall rules, maybe the Patriot Act fan club will want to throw in a few too... What it comes down to is that the U.S. government cannot be allowed to regulate the internet in this manner.

        Which also brings up another point; being US-only, this system is pretty worthless for stopping attacks. To be effective, the law would need to require extensive "border" filtering at sites with international peers. See point above about why this is really bad. Fortunately, this whole proposition is such preposterous crazytalk that I don't think it actually has much of any chance at happening.

        I think a better idea would be to implement new regulations surrounding software warranties. I don't know how exactly it should be done, but I do know that (a) if a company's ReallyExpensiveProduct routinely breaks and causes large financial damages for its users, the company should be somehow held liable, and they shouldn't be able to get out of it with a clause in an EULA. But at the same time, (b) independent programmers who are giving their software away need to be able to do it without taking on liability, or they won't be able to do it at all, and we won't have Free software. The No Warranty clause of the GPL is a very important one. It would be great if paying for software meant you had more guarantee that it was going to work... it's really a bit bizarre that today the software you can get for free works better than the software that costs money. Perhaps a sliding scale price based warranty would help with that.
    • by SuperBanana ( 662181 ) on Tuesday September 16, 2003 @04:36PM (#6979759)
      The Pro version will include an insurance plan in case you go on vacation for a week and leave your XP box on and a new exploit surfaces while you're gone.

      Vacation? I don't leave my win2k box on when I go to WORK, lest a new exploit surface before I get home :-)

  • by soren42 ( 700305 ) * <j@nospam.son-kay.com> on Tuesday September 16, 2003 @04:08PM (#6979438) Homepage Journal
    The problem with this system is that it opens people who already aren't that skilled at running a computer to a new kind of attack. Imagine someone spoofing your IP and broadcasting worm packets, running up your fines.

    ISPs probably would have too much volume to deal with to investigate every packet, so it becomes easier to pay the fine than fight the system.

    There's got to be a better solution than this.
    • by eln ( 21727 ) on Tuesday September 16, 2003 @04:17PM (#6979552)
      Yes, this would effectively push >90% of today's Internet users off the network. While some people might think this is a good thing, I doubt the many thousands of people that would lose their jobs in an already down economy would agree.

      The only way to do something like this is to make virus scanning software compulsory, which opens up an entirely new can of worms relating to privacy rights, freedoms related to what one can do with one's own property, and implementation of such a thing without a.) forcing every American to spend money on virus scanning software or b.) jacking up everyone's tax rates. This doesn't even take into account what sort of staggering class action lawsuit would result if a destructive virus was not picked up by the now-required scanning software.

      All in all, this is a kneejerk reaction of the worst kind.
      • by isomeme ( 177414 ) <cdberry@gmail.com> on Tuesday September 16, 2003 @04:36PM (#6979753) Journal
        There was a science fiction story many years ago (circa 1980, IIRC) in Analog (again IIRC) which predicted widespread networked home computers, and the threat of hostile programs spreading among them. In the story, the US government mandated installation of (what we would call) antivirus software, developed and provided by the government. An attorney successfully gets the program thrown out on Constitutional grounds, showing that it violates the Third Amendment [findlaw.com], since a program guarding against national security threats is effectively a "soldier".
      • by njchick ( 611256 ) on Tuesday September 16, 2003 @04:41PM (#6979812) Journal
        It would push users to ISPs that do filtering for them for a few bucks a month. Also home firewalls would become more popular. That's it. It's easy to convey an idea to the end users if it's about their money.
      • by ryanvm ( 247662 ) on Tuesday September 16, 2003 @04:57PM (#6979957)
        The only way to do something like this is to make virus scanning software compulsory, which opens up an entirely new can of worms

        Virus scanning software is complete bullshit. Explain to me how I have NEVER been afflicted with a computer virus, yet I also do not run antivirus software. (And yes, I'm running Windows :)

        Smart users don't need antivirus software. Keep your machine patched and don't open executable attachments. Problem solved. Furthermore, the most dangerous viruses spread faster than the virus definitions anyway.
      • The only way to do something like this is to make virus scanning software compulsory, which opens up an entirely new can of worms relating to privacy rights, freedoms related to what one can do with one's own property, and implementation of such a thing without a.) forcing every American to spend money on virus scanning software or b.) jacking up everyone's tax rates.

        You're right that it would be difficult for the government to require that individuals install anti-virus software and the like. However,

    • The problem with this system is that it opens people who already aren't that skilled at running a computer to a new kind of attack. Imagine someone spoofing your IP and broadcasting worm packets, running up your fines.

      Since part of the plan is for ISPs to monitor outbound traffic, that would only become a real issue if someone on your same subnet, that was served by the same gateway router, spoofed your address. Otherwise it would be real easy to say, "check the outbound logs on the router at xxx.xxx.x

      • You make an excellent point, but that is still a real risk on a system similar to my home system. I use Time Warner's RoadRunner Cable Modem service, and have hundreds of people on my subnet.

        In fact, a good percentage of attacks in general against my systems have been from "local" machines.

        Besides, what better way to get back at that neighbor that pissed you off - run up their fines!
      • > Since part of the plan is for ISPs to monitor outbound traffic, that would only become a real issue if someone on your same subnet, that was served by the same gateway router, spoofed your address. Otherwise it would be real easy to say, "check the outbound logs on the router at xxx.xxx.xxx.1." Then it would be pretty obvious that those packets originated on a different subnet and not from your machine, since the logs on your servicing gateway would be clean.

        Spoken like a man who hasn't seen th

  • by grub ( 11606 ) <slashdot@grub.net> on Tuesday September 16, 2003 @04:09PM (#6979448) Homepage Journal

    "..whose computers allow the propagation of viruses, worms, etc., knowingly or unknowingly .."

    Rather than fining the people (victims?) of poorly written software and OSes, why not have a class-action suit against the corporations that make the worms & viruses possible in the first place? Most people are up in arms when the RIAA goes after the wallet of individuals who knowingly download their Evil MP3s whereas the bulk of users that get these infections just don't know any better.

    Fining lusers won't give them clues, education will.
    • by McAddress ( 673660 ) on Tuesday September 16, 2003 @04:15PM (#6979520)
      Forget a lawsuit. Fine the maker of the software for each copy of an OS or other piece of software that propagates a bug. After all, the OS belongs to MS. I only have a license.
      • by eln ( 21727 ) on Tuesday September 16, 2003 @04:21PM (#6979597)
        Sounds great for Microsoft, but in a market where successfully introducing a new competing OS is already near impossible, such a policy would push any fledgling OS company instantly into bankruptcy the minute a minor security flaw is detected in their software. Microsoft is probably the only software company in the US right now that could begin to absorb the costs of such a policy, leaving it the only company standing.

        You think Microsoft owning 90% of the market is bad, wait until they own 100%.
    • by Kraegar ( 565221 ) on Tuesday September 16, 2003 @04:18PM (#6979566)
      So who do we file a class action suit against when a flaw like this [slashdot.org] is turned into a worm?

      I'm no Microsoft fan, but neither am I of the belief that all Open Source software (or Mac software, or *nix software) is perfect. Pull off your blinders, and realize that the solution rests not just in the hands of some major corporation, but also in the hands of anyone who chooses to place their computer on the 'net.

      The blame lies in both courts.

    • Rather than fining the people (victims?) of poorly written software and OSes, why not have a class-action suit against the corporations that make the worms & viruses possible in the first place?

      A wonderful idea.

      You understand, of course, that such corporations as RedHat, SuSE, etc. will be among those sued..?

      And there is really no reason to limit this to corporations only. A buffer overflow in some Linux code? Look into the source for the copyright notice and sue the hell out of the poor schmuck who
    • Yep, time to sue K & R for writing 'C', the world's crappiest language. You wouldn't see buffer overruns in a real programming language.
  • by TopShelf ( 92521 ) * on Tuesday September 16, 2003 @04:10PM (#6979452) Homepage Journal
    I'd much prefer bounties.
  • Enforcement (Score:2, Insightful)

    by devphaeton ( 695736 )
    Make all the laws you want. Enforcement will always be the issue that causes less-than-satisfactory results.

    Same for spam, parasiteware, etc.

    oh, btw.. Almost First Post!
  • Great (Score:4, Insightful)

    by Anonymous Coward on Tuesday September 16, 2003 @04:10PM (#6979459)
    Great,

    Just what I need, my grandma getting hit with fines because she wants email to talk to the grandkids.
  • Failing to install a patch is not good enough a reason to punish anyone.

    I maintain several win and linux computers and I certainly don't have the time to lurk security mailing lists to stay ahead of every friggin' exploit.

    • Failing to install a patch is not good enough a reason to punish anyone.

      No. But crippling your local broadband segment because of a virus for which a patch exists does count as a good enough reason.


      I certainly don't have the time to lurk security mailing lists to stay ahead of every friggin' exploit.

      Then, put simply, you do not do your job (assuming security on those boxes does fall under your responsibility). Doing a quick check on the major exploits discovered on any given day takes about 5 min
  • Soo (Score:5, Insightful)

    by Jacer ( 574383 ) on Tuesday September 16, 2003 @04:12PM (#6979479) Homepage
    What about foreign computers that propagate this problem?
  • Factor this in to the TCO comparisons of Windows and Linux. Companies are being hit by these worms as well.

    Of course the Microsoft lobby will make sure that it never happens, and if it did then a group of virus writers would convene in a well hidden room in Redmond . . .
  • Soo... (Score:2, Funny)

    by WhytTiger ( 595699 )
    does this mean that we could fine the Microsoft Corporation ... ONE... HUNDRED... BILLION DOLLARS???

    muuwaahahahahahahaha!!!

    • Re:Soo... (Score:2, Funny)

      by benoitg ( 302050 )
      Board of Microsoft explodes in laughter

      Man with the eye patch clears his throat and whispers:

      "Dr Evil, one hundred billion dollars isn't much money for Microsoft these days, Bill Gates ALONE makes ..."
  • Too strict (Score:5, Insightful)

    by Tyrdium ( 670229 ) on Tuesday September 16, 2003 @04:12PM (#6979493) Homepage
    What he proposes is way too strict. Right now, I run through a firewall and proxy, keep my system up to date, etc. Is it my fault if someone hacks into my computer and uses it? No. I've done everything possible to make my computer secure, short of spending thousands of dollars on corporate-level firewalls, etc., or disconnecting it from the internet completely. No computer is 100% hackproof.
    • Re:Too strict (Score:5, Insightful)

      by zurab ( 188064 ) on Tuesday September 16, 2003 @04:58PM (#6979963)
      Is it my fault if someone hacks into my computer and uses it?


      Apparently, judging from the editorial. It's like someone rear-ending you and you are responsible because you didn't move out of the way soon enough. Also read the following quote:

      The fines would be used by ISPs to support the significant efforts required to continually block identified attack traffic.

      What a nice way to encourage ISPs to scan their own [users'] network for vulnerabilities and inject them with viruses to increase their revenues.
  • What about a penalty for Microsoft for being the reason behind the viruses in the first place? You can't fine granny for not patching her computer - it's unethical and just plain ignorant.
    • by brkello ( 642429 ) on Tuesday September 16, 2003 @04:24PM (#6979627)
      Give me a break. What about Microsoft? Any computer on a network is vulnerable, even Linux boxes, why don't we fine Red Hat? Who should we go after when there is a crime? Maybe the criminal who wrote the freaking virus. I guarantee you, any OS that is the most used is going to be hacked...often. You don't fine grandma, nor do you fine the OS company, you find the hackers/script kiddies/etc, and you fine and jail them. Ignorant indeed.
    • who write the viruses and the worms in the first place, they're the ones who are responsible for any damage done.
  • by Jason1729 ( 561790 ) on Tuesday September 16, 2003 @04:13PM (#6979500)
    If someone's negligence allows their computer to participate in a DoS, why should they have to pay money to a 3rd party regulatory body or government?

    Jason
    ProfQuotes [profquotes.com]
  • /Points and laughs

    Glad not to live in the US. How the fcuk do they expect to police and enforce that in Asia and the rest of the world?

    I am all in favor of fining software makers, that may get them to at least beta test their work before it's shipped.
    • How the fcuk do they expect to ....

      While I find this perfume [fcuk.com] intriguing, I didn't realize it was already so popular as to be invoked as a profanity. Is it some kind of god where you live?
  • A couple of problems (Score:5, Interesting)

    by aridhol ( 112307 ) <ka_lac@hotmail.com> on Tuesday September 16, 2003 @04:13PM (#6979505) Homepage Journal
    First, I think this will lead to ISPs only allowing "approved" OSs on their networks, in order to prevent themselves from getting fined. Unfortunately, the approved list will probably contain the worst offenders.

    Second:

    ISPs must receive freedom from liability for dropping the identified traffic. False detections are the fault of the "Independent Authority", who should also be free from liability.
    Sorry we blocked your critical data, but you can't do anything about it.
  • In order for some entity to levy a fine, there must first be some sort of law broken. As far as I know, there are no laws requiring virus protection or mandatory software/OS updates.

    Are we really willing to consider allowing our computers' software, configurations, etc. to be dictated to us by the government? After all, isn't one of the selling points of "free" software having a choice in which OS/programs we use?

    I don't want to be told by anybody that I must/must not download any updates to any softwar
    • In order for some entity to levy a fine, there must first be some sort of law broken. As far as I know, there are no laws requiring virus protection or mandatory software/OS updates.

      "Turing. You are under arrest."

      William Gibson, Neuromancer

  • Well this is certainly not a well thought out idea. Why should a consumer of the product be responsible for the product? Computers are not pets, they're an appliance. If a computer is malfunctioning, hold the manufacturer responsible! You should start with holding MS responsible for their bugs and refuse their license which allows them to be untouchable.
  • by RichMan ( 8097 ) on Tuesday September 16, 2003 @04:15PM (#6979519)
    For the majority of enduser systems out there the user does not own the software on the system. Microsoft owns the software and has all rights to modify and control the software.

    Is the enduser responsible or the actual owner of the software?
  • This guy needs a reality check. A majority of computer users are dumb. When they get OSes like XP, they have absolutely no idea how to secure it. The problem lies in the OS and not in the user.
    • A majority of computer users are dumb. When they get OSes like XP, they have absolutely no idea how to secure it.

      And these dumb users would have an easier time patching Linux? Come on. Any computer on a network is vulnerable, even ones that are patched and maintained. The problem is not in the OS (though every effort should be put in to security both before and after a product is released), but with the people who are breaking the law: the virus writers and the people who initially unleash them. They
  • a fine for slashdotting a site into oblivion?
  • Lawsuits abound (Score:4, Interesting)

    by chia_monkey ( 593501 ) on Tuesday September 16, 2003 @04:15PM (#6979530) Journal
    I just see lawsuits left and right with this one. On one hand, you've got Ma and Pa Kettle who know how to turn on their computer, check their email, and play solitaire. All of a sudden they're notified they owe $2.4 billion because their computer was used to take down sixteen major corporations. Do they get to sue the ISP for not filtering? Or do they get to sue the virus programmer if they're caught? Or hell, do I get to sue them because maybe they infected me and my computer infected the corner store. Sure my fine was only $50, but maybe I'll sue them $250,000 for pain and suffering (hey, this is America, we do that). Scary...
  • I'm sorry, I'm sorry. Russ was just a little crabby yesterday when he came up with this idea.

    I personally blame my parents, they smoked pot in college, and being older than me, he managed to inhale. Luckily I was raised in a less dirty-hippy fashion.

    But, again, my apologies.
  • by Medieval ( 41719 ) on Tuesday September 16, 2003 @04:16PM (#6979536) Homepage

    The included URL [ntbugtraq.com], for reference.

    I was recently quoted in a WashingtonPost.com article saying I was in favor of fines against people who emit viruses or worms (not just originate, but infectees who perpetuate attacks.) There wasn't any meat in that article describing my proposal, so it comes off sounding kind of cold. I've had this proposal for quite some time, after being asked by a U.S. Senator staffer once to write something up to identify what's lacking in the U.S. National CyberSecurity Strategy document.

    I've tried to explain it as clearly as I can, and have included a poll to take your feedback on whether you think the idea would be valuable to you. I'd appreciate it if you'd give it a read and take the poll.

    I hereby acknowledge that the poll is hosted on my little T1, so you may well experience bandwidth-related fun. At least you only have to click two buttons to take the vote.

    Feel free to repost this request to other lists.

    Cheers,
    Russ - NTBugtraq Editor
  • by AxelTorvalds ( 544851 ) on Tuesday September 16, 2003 @04:16PM (#6979547)
    Instead of trying to get money out of them (look at all the young pirates bitching about being sued for a few grand, they don't have money) why don't we just cut their link for a period of time, say 8 days? It's short enough that you can deal but long enough to really piss you off so you had better make sure you don't let that stuff happen.
    • Yeah, so if your company network/servers get hit by a worm and you need the internet for your business, you must effectively close your shop for 8 days. The economical impact of the forced shutdown could very well be bigger than the damage done by the worm itself, resulting in a solution which is worse than the problem.
  • Grasping any opportunity at all (never mind if the measure will be effective, or even if it is practical) just to squeeze some more tax dollars out of their constituents.
  • Problem with this... (Score:4, Interesting)

    by chrisgeleven ( 514645 ) on Tuesday September 16, 2003 @04:17PM (#6979553) Homepage
    people aren't licensed/educated properly to use the internet. So how will they know that they have to update virus definitions and patch their systems? By e-mail notifications? When I used to work for a local ISP doing tech support, most people only checked their ISP e-mail once a month for their monthly statements, they instead had hotmail accounts for their regular e-mail. We would have to call customers non-stop to remind them to check their ISP e-mail for their bill. Now we would have to call them for their weekly virus breakout?

    The key is some type of mandatory education before you can advocate fines. My grandmother doesn't know a thing about antivirus protection, she just expects it to work. My grandmother doesn't know a thing about Windows Update, because she assumes the computer is safe.

    So what can I do? There are no easy answers, but I guarantee fines are the last resort since none of the other options have been tried at a large scale.
  • by Dark Coder ( 66759 ) on Tuesday September 16, 2003 @04:19PM (#6979570)
    The operating system vendors should face the music.

    If the U.S. Federal government mandates automobile recall because of some faulty protection system, exceeding expected normal operation or rusted-thru "firewall", then the same should apply toward operating systems; be that may Microsoft, Linux or Unix-based.
  • So I can see how when a bill comes in from Nigeria to some random department's web server at a university in Myanmar that the threat of fine will have a profound impact, NOT!

    The penalty that is understood is loss of network service.

    Successively, pestilent host owners should be notified and given a decent interval to fix their problem.

    If not, then the ISP is notified and given a decent interval to get the owner to clean up his act or to disconnect service.

    Likewise, up the chain, to the largest ISPs, who

  • To computer and network insurance.

    Take computers used, software used, servers used, general topo of network, speed of pipes (together) and competency of admin. The conglomeration is the "Computer and Network Insurance (CANI)".

    I wonder how much would be charged for a competent unix admin, on heavily firewalled subnet of mac and windows (separated, of course) boxen, with Linux servers, and a T-3. --- Probably not as much as Winders with MCSE.
  • My brother had a cold last week. I have a cold this week that I got from him. Can I sue him?
    • "My brother had a cold last week. I have a cold this week that I got from him. Can I sue him?"

      What the hell is happening to America?

      Back in the good old days you'd just beat the living shit out of him.

  • If they can fine people who don't know their kids are downloading music. Sure, let's fine virus spreaders. But how?
    • Simple. Trap the virus, release relevant patches, then after a short grace period, re-engineer the virus to snoop the user's credit card details and make a small payment into my bank account on a daily basis, causing the fine to continue until the security hole is fixed.

      A plan with no drawbacks, I feel.
  • by Rosco P. Coltrane ( 209368 ) on Tuesday September 16, 2003 @04:25PM (#6979632)
    Russ at NTBugtraq is proposing fines for those whose computers allow the propagation of viruses, worms, etc., knowingly or unknowingly...

    - Russ Cooper is editor at NTBugTraq
    - NTBugTraq is a division of TruSecure Corporation [trusecure.com]
    - Russ Cooper is chief scientist at TruSecure Corporation [trusecure.com]
    - TruSecure Corporation [trusecure.com] sells security solutions and services [trusecure.com].

    In other news, the Haagen-Dazs corporation is pushing a proposal to hasten global warming ...

    Another fine impartial article brought to you by Slashdot.

  • Is this one of those things where the government tells us not to do it, but deep down they really WANT us to do it and KNOW we will do it anyway? Like $peeding?
  • Seems to be when a car company [autosafety.org] creates a damaging defect, it isn't the driver who has to pay a fine.

    Why should joe user, have to pay for the latest RPC hole?

    I have to say although the article lost me from about the first line I loved this :

    We aren't trying to penalize everyone for not being up-to-date or security savvy, but the level of attacks which continue to occur daily after any en-masse attack is enormous.

    Uhhh yes you are...

    Correct me if I'm wrong, but aren't fines a 'penalty'? Sorry, but flat

  • Another dumb idea... License the user [cbsnews.com]
    Both ideas have some dumb, expensive slow-moving govt body out there... WRONG.
  • People continue to smoke (in the USA) even though it is heavily taxed, not to mention bad for your health (if you are genetically susceptible...), disgusting, and stinky.

    I skimmed the article earlier today and I didn't see it address the education aspect of the problem. If the corporate and education networks are vulnerable, how can you expect joe schmoe to know what to do in a timely fashion? Windows XP and Red Hat have auto update options, but there is a certain level of trust (or ignorance) you need to
  • I really hope that Russ's computer doesn't get Owned or someone spoofs his IP addresses, or something else that rings up fines on him without his doing.

    Unless he can provide an answer to someone that will make them 100% compliant and immune then his idea is as idiotic as the others.

    Fines for proven abusers? Yeah, I'll take that.

    Fine the little guy being abused? Nope.

    Fine ISPs, corporations, and known asshats.

  • To Whom It May Concern,

    If you are willing to personally verify that each person with a computer is aware of the threat, your plan sounds fine. By 'verify' I mean contact through some means other than via computer and receive a response from said user. Essentially, one would have to telephone each computer user in order to do this.

    Without such explicit notice, users would not necessarily know that their computer could be committing a 'crime'. In fact, as the populace becomes more computer literate and th
  • Actually, I've felt that dumb operators of computers should be treated just like dumb operators of motor vehicles. Give'm a ticket when their tail lights are out.

    This would open up a whole new realm for "Microsoft Haters" but perhaps it would result in Microsoft's patches having a much faster response time as well. But imagine being fined even $5 for your software being unpatched or something...

    There are thousands of other problems that could result. Microsoft would cheer this thing even though it'd gi
  • I've also pondered whether this would be a valid approach or not. Virus stories in the media tend to portray the people who are actually spreading the viruses as innocent victims, with only the original author being the "bad guy". But the "bad guy" wouldn't have been able to do any damage unless people opened virus attachments, ran unpatched systems, and other no-no's.

    Also, this type of approach is not unprecedented... if I fail to maintain my car and it spews pollution into the air, the fines are poten

  • "You have been fined 5 credits for having a filthy PC"
  • People should be held accountable for their computers. Just because they didn't write the worm, doesn't mean they're not at fault. It's time that people started taking responsibility with their computers, and actually.. o i don't know... learning how to secure them? And someone mentioned something about kicking 90% of Internet users offline. I don't think the ignorance rate is THAT high, but I still say good riddance. (Yes I'm a bitter asshole, thank you.)
  • It's not the users' fault. Kids with nothing but time and money cause these attacks. THEY are the criminals. Lock 'em up and throw away the key. This has got to be one of the stupidest ideas coming out of gov't in a long time, and we all know how many stupid ideas come from the gov't. Start doing this, and the Net very quickly becomes a gov't controlled entity, making the "Digital Divide" absolutely huge. And it's not necessarily the software makers' fault. They may have genuinely missed it through n
  • Who would determine what's fineable or not? The 'Identification Authority' panel of industry experts? Anti-Virus experts? The same ones who make money selling software to prevent viruses/worms? Sounds like a good scheme to sell more antivirus software. More good ole' scare-tactics from the antivirus folks; 'Buy our product or you could be fined'. The determination of a 'fineable' event strikes me as very subjective! What's next, mandatory antivirus software? Wouldn't the antivirus companies love that!

    Conti
  • by WolfWithoutAClause ( 162946 ) on Tuesday September 16, 2003 @04:36PM (#6979763) Homepage
    ...to the government for me getting subverted by a worm/virus?

    Wouldn't it be better to give the government an incentive to help solve the problem rather than give them an incentive to get some obscure, amoral, and deeply secret government department to release new and more virulent attacks so as to up their income?

    Sure, they probably wouldn't, officially; but why take the risk that some individual in the government would be in a position to benefit from this kind of thing?

    These kinds of theoretical problems always sound impossible, but I'm nearly always surprised to find out how often they really do crop up in practice.

  • by One Louder ( 595430 ) on Tuesday September 16, 2003 @04:37PM (#6979770)
    Unfortunately, at this point it's nearly impossible for a new user to keep from getting infected.

    Let's say Joe Consumer is interested in a computer - he goes down to MicroCompuCenterUSA and buys a spanking new Windows XP-based machine, plugs in the cable modem, turns it on.

    *WHAMMO*

    He's infected before he even gets a chance to get the latest updates, assuming he even knows that's something he's supposed to do.

    My sister-in-law went through this exact scenario just recently. She got nailed by Blaster within a few minutes of powering up the machine for the first time. She has no idea what a firewall is, and would certainly wonder why she would need one with a brand-new computer.

    This proposal is a little like buying a new car and having the wheels fall off as you drive off the lot, then being fined for causing an accident.

  • I see no mention of any punishment for the programmer who writes the virus. Does everyone here think that those bastards are doing a public service or something? Here's an idea: what we need is to rethink the priorities - let's punish all the innocent people for unwittingly being accomplices and let the actual criminals off scot-free! After all, they're only targeting Windows machines and not Linux, so who cares? It's not like these idiots are too busy to keep their machines updated, what with work, family,
  • by 0xA ( 71424 ) on Tuesday September 16, 2003 @04:37PM (#6979776)
    I had this conversation last month:

    Boss: I thought I told you to put that RPC patch on all our clients' servers.
    Me: I did.
    Boss: How come these guys have Blaster then?
    Me: I dunno.

    Now imagine having that conversation starting out with:

    Boss: One of our clients is being fined for worm traffic...

    As much as I realize that people failing to update is one of the largest enablers of these worms, I know it is possible to do everything you are supposed to and still get nailed. Firewalled (externally) and patched but I'm still cleaning it up. I don't think I deserve a fine for that.

  • This won't work. After all, the virus writers, crackers, etc. are the ones breaking the laws, stupid!

    What DOES need to happen is for the more "grey" forms of cracking to be eliminated..i.e. Gator and such. Programs that install without user intervention and don't leave an entry in add/remove programs are viruses...same thing. Also, ISPs need to be able to handle updating users on their own...this would allow them to require/force patches before you ever get access to the internet. AOL [yes, a really bad

  • How about fining MS instead of innocent users?
  • If they are compulsory, then whichever companies make the approved scanners have a license to print money, right? I can see it now:

    McCrafty Scanpro 2004, $399 for a 1 year subscription, or $39.99 a month.

    Or you can go with Ed Norton Antivirus Live SuperCop mark VI - the Revenge for $399 for a 1 year subscription.

    You need to buy one of them, which one is it? What's that you say? These cost more than your OS and you can't afford it? Sucks to be you... Maybe you should go back to BBSs then.

    If the gov
  • "Russ...is proposing fines for those whose computers allow the propagation of viruses, worms, etc., knowingly or unknowingly... Russ is taking a poll on his site."

    No doubt he'll change his mind when his site gets assimilated by the next big worm.
  • expansion of governmental surveillance to me.

    Yummy, where do I sign up?

    KFG
  • 90% of the people who sign/agree to this are the same ignorant people who NEVER update windows, don't have an antivirus software, and think that because they don't look at porn it "can't happen to them"...
  • This scheme appears to be unenforceable. Once again, the assumption is made that the entire internet exists within the legal boundaries of the US. A better scheme would be to warn computer owners of a dangerous condition, and then if it is not fixed in a reasonable amount of time (e.g. 48 hours) then simply blacklist them; e.g. "well-behaved" routers would simply reject any packets from them. Of course, then they would still be free to propagate worms on their local subnet, but other users of their subnet a
  • Sooner or later if the costs of a software product outweigh the benefits, the market will marginalize it. I don't see a more effective, permanent, or viable option than this.
  • fining the software manufacturer for allowing the exploit/hole/security problem? Bet a lot of software companies would make a LOT more rock solid apps/os's...
  • There's no need to read it.

    Any attempt to hold individual (ignorant) users liable for allowing their machines to propagate viruses, worms, spam will be a complete waste of government money, and it won't cause people to behave any differently.

  • Will the fines apply to users of buggy software for which no patch is available? Surely this is unacceptable, although not in principle. While perhaps common sense would suggest that you not run an httpd daemon from l33t_D00d357, it seems that drawing a line of what is and is not "sufficiently buggy" software is not a decision we want the Congress in the business of making.

    Conceivably we could fine sites running exploitable servers for which patches exist, and say, have existed for two weeks or more.

    Howev
  • by istartedi ( 132515 ) on Tuesday September 16, 2003 @04:46PM (#6979859) Journal

    I'd have to go back to calling brokers on the phone, and writing checks, licking stamps, and sending things through the mail. I'd have to sign up at the library if there was something that I had to get from the 'net. That's assuming the library can stand the liability. If they can't, I'd probably be limited to the library's proprietary DBs on their local LAN.

    In other words, if you want to kill the 'net, just turn my PC into a slot machine that has unlimited negative payout odds.

    This sounds like another example of "letting the terrorists win". It would turn the 'net into a "fascist police state".

    Oh... unless there is an OS that is guaranteed secure through every revision, which we all know there can't be.

    Now, if they capped the fine it might be reasonable. What would I do? Buy expensive AV software? No. I'd buy insurance against the fine and continue to exercise good practices (e.g., not using OE for mail, not downloading crap software that runs in my taskbar, etc.) Does anybody sell "virus" insurance?

  • by druske ( 550305 ) on Tuesday September 16, 2003 @04:48PM (#6979878)
    Okay, the Slashdot crowd is probably quite a bit more tech-savvy than our old pal Bubba, clicking away at every link that arrives in his inbox and updating his software only when he buys a new machine with it.

    But I'm not sure penalizing Bubba is the right answer. Maybe Bubba is ignorant; on the other hand, he might have a legitimate mental handicap. How much responsibility should someone with Alzheimer's disease or a learning disability carry? What about someone who's simply too old or too young to grasp security issues? Where should the line be drawn, and how could we charge according to ability? And how much would it cost to administer such a program?
  • by Darlok ( 131116 ) on Tuesday September 16, 2003 @05:01PM (#6979983)
    For the love of... I think the last paragraph of this article contains the most telling statement: "...make every effort to assist in bringing about a change in the way the Internet is managed..."

    The first point is that the Internet is NOT managed, at least in the sense I believe Russ is advocating it should be. Not to go all scary-conservative here, but this is just like the discussion over banning guns -- if you get rid of all the handguns in people's closets, then only the criminals will have them. If you legislate enforceable fines for doing, effectively, nothing, then you force out the majority of people who are scared of incurring any liability, and put a powerful weapon in the hands of those who would cause trouble.

    Example:

    Gee, I don't like Bob. Bob gets his connection through UUNet. His Windows IIS has never been patched, so next time he goes on vacation I'm going to write a worm that exploits MS00-078 [microsoft.com]. Now, I'm going to turn him in to the "Identification Authority" and hope that while he's gone, he racks up enormous fines. Meanwhile, UUNet has to block port 80 for, effectively, every customer on its network if my worm has managed to infect even one other vulnerable machine.

    Suddenly, script kiddies have the ability to embargo the entire net by taking advantage of bugs that happen to listen on well-known ports. I would point out today's earlier Slashdot article [slashdot.org]. Should all of our ISPs be blocking SSH traffic now?

    You can't legislate against stupidity. Nor can you make perfect software. Nor can you expect to fine neophytes into becoming security experts. Even trying would simply place incredible power in the hands of the software vendors, and then huge segments of the computing world become subject to destruction from one malformed "patch", or even worse, when someone finds a way to exploit the update mechanisms.

    This is the worst possible sort of power transference. Because people can not, will not, or in some cases _should_ not independently deal with their own technology issues, you empower central entities with an enormous amount of control over individual users. Novice users will relinquish that control, or be forced to pay some ridiculous sum of money in fines. In the end, chances are you end up with even worse problems than you started with.

  • BAD idea (Score:5, Insightful)

    by acidrain69 ( 632468 ) on Tuesday September 16, 2003 @05:04PM (#6980016) Journal
    Grandma: "What is this fine in the mail? What is a firewall? Why am I being fined? Is it the gremlins in my computer again?"

    Not to mention underfunded organizations like Libraries and schools that may not be completely up to speed. This is a stupid idea. I put this up on the shelf with that idea to destroy people's computers for "piracy".

    I find it amazing that people are so amazed that no one patches their computers. Think of your grandparents. What do they know about firewalls and TCP/IP and man-in-the-middle attacks? My mother has a VAGUE understanding of updating software and that it's important, but she doesn't know why. If you don't know why you are doing something, it's hard to continue doing it; and they are bound to miss something important along the way.

    Someone had a good idea on another thread. ISPs should be the firewall for the little guy, and if you are in the know, you just opt-out. I work for SBC tech support. They decided to block port 135 due to all the MSBlast+derivatives activity. I think it's only temporary, but it is a good solution. No one really has any reason to be using port 135 over the net anyway. Locally, yes, internet no. You should be using a VPN if it is that important to you.
