Date: Sun, 7 Mar 2004 12:56:35 -0700
From: Christopher J. Wolff
My favorite idiom is; "You're either part of the problem or
part of the solution."
Thanks for your contribution.
What's your solution?
There's no one single answer. That's the whole point. The
closest thing to a single answer would be "shift the cost of
failure to the responsible party", but that's still insufficient.
One must use many tactics -- prefix-list, filter-list, customer
education, SAV, etc. -- and expect the same from upstreams,
peers, and downstreams. Note that it's much easier to ask
something of others when one has demonstrated willingness to do
Software vendors should be held more accountable for exploitable
bugs that go unfixed. Admins should be held more accountable for
systems that go unpatched. I realize not every car owner is a
mechanic, but car owners who drive oil-burning, tailpipe-dragging
jalopies with no headlights quickly learn that's no excuse.
What about using a non-executable stack segment in $os on
platforms where that's possible/necessary? Teaching about buffer
overruns and race conditions in elementary programming classes
sounds worthy to me, too.
In short: My solution is for all these _parts_ of the answer to
receive the attention and action they deserve. It's a bit harder
than griping on NANOG about the lack of turnkey answer every
three weeks, but probably at least effective enough to warrant a
bit of attention.
People gripe about the cost of exploits and attacks, yet complain
about the costs of preventative measures. If the preventative
measures are too expensive, then evidently the consequences are
That said, I'm eagerly awaiting your silver bullet. (Or are you
part of the problem?)