Nato warns of strike against cyber attackers

So? If said end customer is operating a network-connected system without
sufficient knowledge to properly maintain it and prevent it from doing mischief
to the rest of the network, why should the rest of us subsidize her negligence?
I don't see where making her pay is a bad thing.

I see that you don't understand that.

The internet may be a vast ocean where bad guys keep dumping garbage,
but, if software vendors stopped building highly exploitable code and ISPs
started disconnecting abusing systems rapidly, it would have a major effect
on the constantly changing currents. If abuse departments were fully funded
by cleanup fees charged to negligent users who failed to secure their systems
properly, it would both incentivize users to do proper security _AND_ provide
for more responsive abuse departments as issues are reduced and their
budget scales linearly with the amount of abuse being conducted.

The reality is that things change. Forty-three years ago, you could still
buy a car that didn't have seat belts. Thirty years ago, most people still
didn't wear seat belts. Twenty years ago, air bags began appearing in
large volume in passenger vehicles. Throughout this period, cars have been
de-stiffened with crumple zones, etc., in order to make them safer for
passengers in the event of a crash. Mandatory child seat laws have been
enacted at various times throughout. A little more than ten years ago, air
bags were mandatory. Ten years ago, LATCH clips for child safety seats
became mandatory. We now have side impact air bags, etc.

Generally speaking, we do not penalize car owners for owning an older car,
and we've maybe only made them retrofit seat belts (but not air bags,
crumple zones, etc) into them, despite the fact that some of those big old
boats can be quite deadly to other drivers in today's more easily-damaged
cars. We've increased auto safety by mandating better cars, and by
penalizing users who fail to make use of the safety features.

There is only so much "proper security" you can expect the average PC user
to do. The average PC user expects to be able to check e-mail, view the
web, edit some documents, and listen to some songs. The average car driver
expects to be able to drive around and do things. You can try to mandate
that the average car driver must change their own oil, just as you can try
to mandate that the average computer must do what you've naively referred
to as "proper security", but the reality is that grandma doesn't want to
get under her car, doesn't have the knowledge or tools, and would rather
spend $30 at SpeedyLube. If we can not make security a similarly easy
target for the end-user, rather than telling them to "take it in to
NerdForce and spend some random amount between $50 and twice the cost of
a new computer," then we - as the people who have designed and provided
technology - have failed, and we are trying to pass off responsibility
for our collective failure onto the end user.

I'm all fine with noting that certain products are particularly awful.
However, we have to be aware that users are simply not going to be required
to go get a CompSci degree specializing in risk management and virus
cleansing prior to being allowed to buy a computer. This implies that our
operating systems need to be more secure, way more secure, our applications
need to be less permissive, probably way less permissive, probably even
sandboxed by default, our networks need to be more resilient to threats,
ranging from simple things such as BCP38 and automatic detection of certain
obvious violations, to more comprehensive things such as mandatory virus
scanning by e-mail providers, etc., ... there's a lot that could be done,
that most on the technology side of things have been unwilling to commit
to.

We can make their Internet cars safer for them - but we largely haven't.
Now we can all look forward to misguided government efforts to mandate
some of this stuff.

... JG

No, but we can and do require cars to have functional brakes and minimum tread depths, and to be tested periodically.

Obviously this is acceptable because the failure modes for cars are worse, but the proposed solution is less intrusive being after the fact.

Excuse topposting, on mobile.

I'm all fine with noting that certain products are particularly awful.
However, we have to be aware that users are simply not going to be required
to go get a CompSci degree specializing in risk management and virus
cleansing prior to being allowed to buy a computer. This implies that our
operating systems need to be more secure, way more secure, our applications
need to be less permissive, probably way less permissive, probably even
sandboxed by default, our networks need to be more resilient to threats,
ranging from simple things such as BCP38 and automatic detection of certain
obvious violations, to more comprehensive things such as mandatory virus
scanning by e-mail providers, etc., ... there's a lot that could be done,
that most on the technology side of things have been unwilling to commit
to.

Great comments, Joe, and I agree with you that there is a lot more that
can be done and should be done, but there is a main difference with
your recount about the auto industry: all those changes were pushed by
evolving regulation and changes in the law and enforcement.

Going back then to a previous question, do we want more/any regulation?

Cheers
Jorge

So? If said end customer is operating a network-connected system without
sufficient knowledge to properly maintain it and prevent it from doing mischief
to the rest of the network, why should the rest of us subsidize her negligence?
I don't see where making her pay is a bad thing.

I see that you don't understand that.

Seems to me that you are the one not understanding...

I can't refinance my mortgage right now to take advantage of the current interest
rates. Why? Because irresponsible people got into loans they couldn't
afford and engaged in speculative transactions. Their failure resulted in
a huge drop in value to my house which brought me below the magic
80% loan-to-value ratio, which, because of said same bad actors became
a legal restriction instead of a target number around which lenders had
some flexibility. So, because I had a house I could afford and a reasonable
mortgage, I'm now getting penalized by paying higher taxes to cover
mortgage absorptions, reductions, and modifications for these irresponsible
people. I'm getting penalized by paying higher interest rates because due
to the damage they did to my property value and the laws they forced
to be created, I can't refinance.

I'm mad as hell and frankly, I don't want to take it any more.

Do you see that? Do you still think I don't have a legitimate point on this?

I'm tired of subsidizing stupidity and bad actors. It's too expensive. I don't
want to do it any more. We already have too many stupid people and bad
actors. We really don't need to subsidize or encourage the creation of more.

The internet may be a vast ocean where bad guys keep dumping garbage,
but, if software vendors stopped building highly exploitable code and ISPs
started disconnecting abusing systems rapidly, it would have a major effect
on the constantly changing currents. If abuse departments were fully funded
by cleanup fees charged to negligent users who failed to secure their systems
properly, it would both incentivize users to do proper security _AND_ provide
for more responsive abuse departments as issues are reduced and their
budget scales linearly with the amount of abuse being conducted.

The reality is that things change. Forty-three years ago, you could still
buy a car that didn't have seat belts. Thirty years ago, most people still
didn't wear seat belts. Twenty years ago, air bags began appearing in
large volume in passenger vehicles. Throughout this period, cars have been
de-stiffened with crumple zones, etc., in order to make them safer for
passengers in the event of a crash. Mandatory child seat laws have been
enacted at various times throughout. A little more than ten years ago, air
bags were mandatory. Ten years ago, LATCH clips for child safety seats
became mandatory. We now have side impact air bags, etc.

Sure.

Generally speaking, we do not penalize car owners for owning an older car,
and we've maybe only made them retrofit seat belts (but not air bags,
crumple zones, etc) into them, despite the fact that some of those big old
boats can be quite deadly to other drivers in today's more easily-damaged
cars. We've increased auto safety by mandating better cars, and by
penalizing users who fail to make use of the safety features.

Right, but, owners of older cars are primarily placing themselves at risk, not
others.

In this case, it's a question of others putting me at risk. That, generally,
isn't tolerated.

There is only so much "proper security" you can expect the average PC user
to do. The average PC user expects to be able to check e-mail, view the
web, edit some documents, and listen to some songs. The average car driver
expects to be able to drive around and do things. You can try to mandate
that the average car driver must change their own oil, just as you can try
to mandate that the average computer must do what you've naively referred
to as "proper security", but the reality is that grandma doesn't want to
get under her car, doesn't have the knowledge or tools, and would rather
spend $30 at SpeedyLube. If we can not make security a similarly easy
target for the end-user, rather than telling them to "take it in to
NerdForce and spend some random amount between $50 and twice the cost of
a new computer," then we - as the people who have designed and provided
technology - have failed, and we are trying to pass off responsibility
for our collective failure onto the end user.

I disagree. It used to be that anyone could drive a car. Today, you need
to take instruction on driving and pass a test showing you are competent
to operate a motor vehicle before you are allowed to drive legally.

Things change, as you say. I have no problem with the same requirement
being added to attaching a computer to the network.

If you drive a car in a reckless manner so as to endanger others, you are
criminally liable for violating the safe driving laws as well as civilly liable
for the damages you cause. Why should operating an unsafe computer
be any different?

I'm all fine with noting that certain products are particularly awful.
However, we have to be aware that users are simply not going to be required
to go get a CompSci degree specializing in risk management and virus
cleansing prior to being allowed to buy a computer. This implies that our
operating systems need to be more secure, way more secure, our applications
need to be less permissive, probably way less permissive, probably even
sandboxed by default, our networks need to be more resilient to threats,
ranging from simple things such as BCP38 and automatic detection of certain
obvious violations, to more comprehensive things such as mandatory virus
scanning by e-mail providers, etc., ... there's a lot that could be done,
that most on the technology side of things have been unwilling to commit
to.

I'm not out to target specific products. Yes, I'll celebrate the death of
our favorite convicted felon in Redmond, but, that's not the point.

I don't have a CompSci degree specializing in that stuff and I seem to
be able to run clean systems. I don't have a CompSci degree at all.
It's not that hard to run clean systems, actually. Mostly it takes not being
willing to click yes to every download and exercising minimal judgment
about which web sites you choose to trust.

The point is that if I run a clean system, why should I have to pay a
subsidy to those that do not? I'm tired of this mentality that says let's
penalize the good actors to subsidize the bad actors. I'm tired of it
with mortgages. I'm tired of it with businesses. I'm tired of watching
the government, time after time, reward bad behavior and punish
good behavior and then wonder why they get more bad and less
good behavior.

We can make their Internet cars safer for them - but we largely haven't.
Now we can all look forward to misguided government efforts to mandate
some of this stuff.

I'm not opposed to making operating systems and applications safer.
As I said, just as with cars, the manufacturers should be held liable
by the consumers. However, the consumer that is operating the
car that plows a group of pedestrians is liable to the pedestrians.
The manufacturer is usually liable to the operator through subrogation.

Owen

There is only so much "proper security" you can expect the average PC user
to do.

Sure - but if their computer, as a result of their ignorance, starts
belching out spam, ISPs should be able at very least to counteract the
problem. For example, by disconnecting that user and telling them why
they have been disconnected. Why should it be the ISP's duty to silently
absorb the blows? Why should the user have no responsibility here?

To carry your analogy a bit too far, if someone is roaming the streets
in a beat-up jalopy with wobbly wheels, no lights, no brakes, no
mirrors, and sideswiping parked cars, is it up to the city to somehow
clear the way for that driver? No - the car is taken off the road and
the driver told to fix it or get a new one. If the problem appears to be
the driver rather than the vehicle, the driver is told they cannot drive
until they have obtained a Clue.

If the user, as a result of their computer being zombified or whatever,
has to

"take it in to
NerdForce and spend some random amount between $50 and twice the cost of
a new computer,"

...then that's the user's problem. They can solve it with insurance
(appropriate policies will come into being), or they can solve it by
becoming more knowledgeable, or they can solve it by hiring know how.
But it is *their* problem. The fact that it is the user's problem will
drive the industry to solve that problem, because anywhere there is a
problem there is a market for a solution.

then we - as the people who have designed and provided
technology - have failed, and we are trying to pass off responsibility
for our collective failure onto the end user.

I think what's being called for is not total abdication of
responsibility - just some sharing of the responsibility.

This implies that our
operating systems need to be more secure, way more secure, our applications
need to be less permissive, probably way less permissive, probably even
sandboxed by default

Yep! And the fastest way to get more secure systems is to make consumers
accountable, so that they demand accountability from their vendors. And
so it goes, all the way up the chain. Make people accountable. At every
level.

We can make their Internet cars safer for them - but we largely haven't.

I'm not sure that the word "we" is appropriate here. Who is "we"? How
can (say) network operators be held responsible for (say) a weakness in
Adobe Flash? At that level too, the consumer needs comeback - on the
providers of weak software.

Regards, K.

I'm not opposed to making operating systems and applications safer.
As I said, just as with cars, the manufacturers should be held liable
by the consumers. However, the consumer that is operating the
car that plows a group of pedestrians is liable to the pedestrians.
The manufacturer is usually liable to the operator through subrogation.

That's why at least in the US by *regulation* you must have insurance
to be able to operate a car; instead of mitigating the safety issues
that a teenager texting while driving represents, we deal with the
consequences.

Perhaps we have to call the insurance industry to come up with something.

Cheers
Jorge

Once upon a time, Alexander Harrowell <a.harrowell@gmail.com> said:

No, but we can and do require cars to have functional brakes and minimum tread depths, and to be tested periodically.

Not in this state.

Once upon a time, Jorge Amodio <jmamodio@gmail.com> said:

That's why at least in the US by *regulation* you must have insurance
to be able to operate a car; instead of mitigating the safety issues
that a teenager texting while driving represents, we deal with the
consequences.

The insurance requirement is a state-by-state thing. It was only added
here a few years ago, and I don't think it is universal.

I believe at least 48, if not 50 states now have compulsory financial
responsibility laws.

However, even if you didn't have insurance, that never exempted you
from liability, it just made you less likely to be able to meet your
obligations under that liability.

Owen

You might not have the state inspection rip-off, but I'll bet that if
your state accepts federal highway money, you have mechanical condition
standards that include tires, brakes, seat belts and a lot of other things.

Similar answer as the one for the brakes and tires thing.

Implementation may vary from state to state, just like the mechanical
standards thing. When last I lived in California, there was no
"insurance" requirement but there was a "proof of financial
responsibility" requirement that was most easily met (for most people) by
carrying insurance to certain standards for Public Liability and
Property Damage.

Laws and regulation exist because people can't behave civilly and be expected to respect the rights/boundaries/property of others.

CAN-SPAM exists because the e-mail marketing business refused to self regulate and respect the wishes of consumers/administrators

FDCPA exists because the debt collectors couldn't resist the temptation to harass and intimidate consumers, and behave ethically.

It's just a matter of time, and really unavoidable. The thing is, these industries have no one to blame but themselves. In all cases, these laws/regulation only came into effect AFTER situations got out of control.

Lately, the courts have been ruling that companies like LimeWire are responsible for their products being used for piracy/downloading because they knew what was going on, but were turning a blind eye.

Why not apply the same standards to ISPs? If it can be shown that you had knowledge of specific abuse coming from your network, but for whatever reason, opted to ignore it and turn a blind eye, then you are responsible.

When I see abuse from my network or am made aware of it, I isolate and drop on my edge the IPs in question, then investigate and respond. Most times, it takes me maybe 10-15 minutes to track down the user responsible, shut off their server or host, then terminate their stupid self.

A little bit of effort goes a long way. But, if you refuse to put in the effort (I'm looking at you, GoDaddy Abuse Desk), then of course the problems won't go away.
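The isolate-then-investigate routine in the message above, as an added example that is not part of this thread (nobody on the list posted code): a small Python triage helper for an abuse mailbox. It assumes a hypothetical ISP's announced prefixes and customer assignments (constructed from documentation ranges), constructed abuse reports, and an edge filter that accepts the resulting drop list. Before anything is blocked it validates the reported address and checks that it actually sits in the operator's own space, then maps it to a customer and writes the notice that tells the customer why they were disconnected, the step asked for earlier in the thread.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

# Constructed data for a hypothetical ISP: the prefixes it announces and the
# customer assignments inside them (documentation ranges, not real networks).
OUR_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:100::/48"),
]
CUSTOMER_ASSIGNMENTS = {
    ipaddress.ip_network("203.0.113.0/28"): "cust-0001",
    ipaddress.ip_network("203.0.113.64/26"): "cust-0042",
    ipaddress.ip_network("2001:db8:100:7::/64"): "cust-0077",
}

# Constructed abuse reports, flattened to the fields an abuse desk needs:
# the reported source, what it did, and the evidence the reporter supplied.
SAMPLE_REPORTS = [
    {"source_ip": "203.0.113.70", "category": "spam",
     "evidence": "1200 SMTP connections/hour to 198.51.100.5"},
    {"source_ip": "203.0.113.70", "category": "spam",
     "evidence": "bounced spam from this host, 2 sample headers attached"},
    {"source_ip": "2001:db8:100:7::1", "category": "ssh-bruteforce",
     "evidence": "4000 failed logins against 198.51.100.9"},
    {"source_ip": "198.51.100.23", "category": "scan",
     "evidence": "port sweep of 203.0.113.0/24"},      # not our address space
    {"source_ip": "203.0.113.300", "category": "spam",
     "evidence": "garbage report"},                     # malformed address
    {"source_ip": "203.0.113.200", "category": "spam",
     "evidence": "unassigned address in our block"},    # ours, but unassigned
]

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass
class Decision:
    source_ip: str
    action: str          # quarantine | not-our-network | escalate | ignore-malformed
    customer: Optional[str]
    reasons: List[str] = field(default_factory=list)


def parse_ip(text: str) -> Optional[IPAddress]:
    """Only syntactically valid addresses may ever reach an edge ACL."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def customer_for(ip: IPAddress) -> Optional[str]:
    """Longest-prefix match of the address against customer assignments."""
    best = None
    for net, cust in CUSTOMER_ASSIGNMENTS.items():
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, cust)
    return best[1] if best else None


def triage(report: dict) -> Decision:
    """Classify one report: is the source ours, whose is it, what happens next."""
    raw = report.get("source_ip", "")
    ip = parse_ip(raw)
    if ip is None:
        return Decision(raw, "ignore-malformed", None, ["unparseable source address"])
    if not any(ip.version == p.version and ip in p for p in OUR_PREFIXES):
        return Decision(str(ip), "not-our-network", None,
                        ["not in our announced prefixes; forward to the right operator"])
    cust = customer_for(ip)
    if cust is None:
        return Decision(str(ip), "escalate", None,
                        ["in our space but unassigned: possible spoofing or stale records"])
    return Decision(str(ip), "quarantine", cust, [f"{report['category']}: {report['evidence']}"])


def quarantine_plan(reports: List[dict]) -> Dict[str, object]:
    """Merge reports per source, then produce the two things an abuse desk acts
    on: edge drop entries and a per-customer notice that states the reason."""
    merged: Dict[str, Decision] = {}
    for r in reports:
        d = triage(r)
        if d.source_ip in merged:
            merged[d.source_ip].reasons.extend(d.reasons)
        else:
            merged[d.source_ip] = d
    drops = sorted(d.source_ip for d in merged.values() if d.action == "quarantine")
    notices: Dict[str, str] = {}
    for d in merged.values():
        if d.action == "quarantine":
            notices[d.customer] = (
                f"{d.source_ip} has been isolated at our edge after {len(d.reasons)} "
                f"abuse report(s): " + "; ".join(d.reasons)
                + ". Service resumes once the host is cleaned; reply to confirm."
            )
    return {"drops": drops, "notices": notices, "decisions": merged}


if __name__ == "__main__":
    plan = quarantine_plan(SAMPLE_REPORTS)
    for ip in plan["drops"]:
        print(f"edge ACL: drop {ip}")          # fed to the edge filter by the operator
    for cust, text in plan["notices"].items():
        print(f"notify {cust}: {text}")
    for d in plan["decisions"].values():
        if d.action != "quarantine":
            print(f"{d.action}: {d.source_ip} ({'; '.join(d.reasons)})")
```

The ownership check matters more than it looks: an abuse desk that drops whatever address a report names can be turned into a denial-of-service lever by forged reports, so a source that is not in the operator's own prefixes is forwarded rather than acted on, and one that is in the block but unassigned is escalated for a spoofing or record check instead of silently blocked.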

.. and a change in the minimum drinking age?

Adrian

(Before you go "That's not relevant to the discussion", think again. Hard.)

Going back then to a previous question, do we want more/any regulation?

Laws and regulation exist because people can't behave civilly and be expected to respect the rights/boundaries/property of others.

CAN-SPAM exists because the e-mail marketing business refused to self regulate and respect the wishes of consumers/administrators

Which is good, because it certainly eliminated most of the SPAM. -- NOT!

FDCPA exists because the debt collectors couldn't resist the temptation to harass and intimidate consumers, and behave ethically.

And of course, it has caused them all to do so, now, right? -- NOT!

It's just a matter of time, and really unavoidable. The thing is, these industries have no one to blame but themselves. In all cases, these laws/regulation only came into effect AFTER situations got out of control.

Software has been out of control for a long time and I hope that the gov't will start by ruling the "not responsible for our negligence or the damage it causes" clauses of software licenses invalid. That would actually be a major positive step because it would allow consumers to sue software manufacturers for their defects and the damages they cause leading to a radical change in the nature of how software developers approach responsibility for quality in their products. Right now, most consumer operating systems are "unsafe at any speed".

Lately, the courts have been ruling that companies like LimeWire are responsible for their products being used for piracy/downloading because they knew what was going on, but were turning a blind eye.

This is a positive step, IMHO, but, now companies like Apple and Micr0$0ft need to be held to similar standards.

Why not apply the same standards to ISPs? If it can be shown that you had knowledge of specific abuse coming from your network, but for whatever reason, opted to ignore it and turn a blind eye, then you are responsible.

I agree.

When I see abuse from my network or am made aware of it, I isolate and drop on my edge the IPs in question, then investigate and respond. Most times, it takes me maybe 10-15 minutes to track down the user responsible, shut off their server or host, then terminate their stupid self.

Yep.

A little bit of effort goes a long way. But, if you refuse to put in the effort (I'm looking at you, GoDaddy Abuse Desk), then of course the problems won't go away.

Agreed.

Owen

It is actually an outstanding example of something I spoke
of here earlier.

Without any exception that I know of, regulations are written to protect
the entrenched. CAN-SPAM was written to protect spammers, not to
prevent anything important to them.

Going back then to a previous question, do we want more/any regulation?

Laws and regulation exist because people can't behave civilly and be expected to respect the rights/boundaries/property of others.

CAN-SPAM exists because the e-mail marketing business refused to self regulate and respect the wishes of consumers/administrators

Which is good, because it certainly eliminated most of the SPAM. -- NOT!

It is actually an outstanding example of something I spoke
of here earlier.

Without any exception that I know of, regulations are written to protect
the entrenched. CAN-SPAM was written to protect spammers, not to
prevent anything important to them.

Actually, as much as it would make so much more sense if that were the
case, it simply isn't true. CAN-SPAM was written to be a compromise that
was supposed to allow consumers to opt out of receiving SPAM and
prevent SPAMMERs from sending unwanted messages.

Sadly, of course, it hasn't done either one.

Owen

Owen DeLong wrote:

Software has been out of control for a long time and I hope that the gov't will start by ruling the "not responsible for our negligence or the damage it causes" clauses of software licenses invalid.

The beauty of my "attractive nuisance" argument is that the EULA doesn't shield Microsoft from the damage their software causes to a 3rd party such as the ISP who has to deal with the botnet infections of their customers.

jc

Going back then to a previous question, do we want more/any regulation?

Yes.

All vulnerable industries should have their use of network
communications regulated. This means all power stations, electricity
line operators, dam gate operators, etc. They should all be required
to meet a standard of practice for secure network communications, air
gap between SCADA networks and all other networks, and annual network
inspections to ensure compliance.

If any organization operates an infrastructure which could be
vulnerable to cyberattack that would damage the country in which they
operate, that organization needs to be regulated to ensure that their
networks cannot be exploited for cyberattack purposes. That is the
correct and measured response which does not involve the military
except possibly in a security advisory role, and which is within the
powers of governments.

I would expect that the increased awareness of network security that
resulted would pay dividends in business and home use of networks.

--Michael Dillon

I would expect that the increased awareness of network security that
resulted would pay dividends in business and home use of networks.

I'd expect a lot of nice business for audit firms with the right government connections, and another checklist with a magic acronym that has everything to do with security theatre and nothing to do with either actual security or the reality of operating a network.

But perhaps I'm jaded from dealing with current auditors.

Regards,
Tim.

s/cannot be/minimize the risk of/

And "would damage the country" is a very fuzzy concept that you really don't
want to go anywhere near. Remember Microsoft arguing that a Federal judge
shouldn't impose an injunction that was going to make them miss a ship
date, on the grounds that the resulting delay would cause lost productivity
at customer sites and harm the economy?

(Mind you, I thought MS was making a good case they *should* be regulated,
if their ship dates actually had that much influence.. :wink: