Nato warns of strike against cyber attackers

[In the message entitled "Re: Nato warns of strike against cyber attackers" on Jun 9, 0:26, Steven Bellovin writes:]

A liability scheme, with penalties on users and vendors, is certainly =
worth considering. Such a scheme would also have side-effects -- think =
of the effect on open source software. It would also be a lovely source =
of income for lawyers, and would inhibit new software development. The =
tradeoff may be worth while -- or it may not, because I have yet to see =
evidence that *anyone* can produce really secure software without =
driving up costs at least five-fold.

The vast majority of users that I interact with (and yes, I am first to admit
that it has been only thousands, perhaps less than 10,000 over the years, so
it is a small sample) are quite happy to be informed of a compromised system.

It's not, for the most part, that they are malicious. Just unaware. The bad
guys are very stealthy, and the "but, I can't see anything wrong on my
screen!" is a huge obstacle to overcome. Once they are made aware of the
problem, the vast majority work quickly to fix it. Yes, some are clueless.
Some want "someone else" to fix it. But most are simply unaware that they
have been owned, and want the infection gone.

We've tried to educate users for tens of years of the dangers of unsafe
computing. Doesn't work. The users have been trained to click and install
whatever they are told, because "that makes it work".

But when they _are_ compromised, and _are_ informed, most users do seek out a
fix. Some will do it themselves. Some will hire someone to do it for them.

When abuse desks content-filter reports, and don't pass on notifications to
the customer, or "wait until there are more complaints", or... this ends up
with networks that have massive levels of infection. Yes, I know - we're all
busy, and abuse@ is kind of the last priority on most networks, but it really
is bad out there, and we need the network operators to help. Please.

For those network operators that would like a 5 year view on their network,
please drop me an email with your ASN, and I'll be happy to send you a text
file, xls, or ods (your pick) of a view of the historical spam traffic.
No obligation, and no salesman will call. Really.