RE: Stopping open proxies and open relays

Vivien M. wrote:
Now, if hooking up an unsecured computer to a network was
punishable by a $1000 fine, and law enforcement somehow
had the staff to prosecute all offenders (or a
representative sample), I'm sure everybody would agree
that suddenly they'd be able to afford antiviruses.

It's not that I don't like the idea, but it's been tried before. Making
stupidity punishable by fines does not work; if it did we would not have
a budget deficit issue.

Michel.

Well, it seems to work relatively well when it comes to motor vehicles...
Oh, sure, there are still lots of morons driving unsafe poorly-maintained
vehicles around, but I'm sure there would be WAY way more if traffic laws
(and inspection requirements, etc, depending on your jurisdiction) went
byebye tomorrow. The problem, in any case, is one of limited enforcement
resources: triple the highway police force, and I'm sure a lot more morons
will get caught/fined/forced to fix their vehicles.

If stricter laws on computers forced even 50% of people to start caring a
little more, wouldn't that be progress? The day a couple of grandmothers get
taken away in handcuffs because a script kiddie took up residence in her
computer is the day a few people will wake up to the fact that computers
need regular maintenance...

Vivien

If stricter laws on computers forced even 50% of people to start caring a
little more, wouldn't that be progress? The day a couple of grandmothers get
taken away in handcuffs because a script kiddie took up residence in her
computer is the day a few people will wake up to the fact that computers
need regular maintenance...

The day the script kiddie gets taken away in handcuffs and lined up for the
electric chair is when we see progress. I think you're confusing the
criminal and the victim!

Adi

I have no objection to the electric chair for script kiddies, but tracing
them seems to be somewhat challenging sometimes. Identifying people who
don't maintain their computers is usually easier :)

And no, I'm not confusing the criminal and the victim. If you leave a loaded
handgun on your front porch and I come along and take it, then shoot your
neighbour's kid with it, then I would expect both you and I to be prosecuted
(though not for the same crime, of course).

Vivien

I have no objection to the electric chair for script kiddies

an interesting position. and how do you feel about folk who
violate rfcs?

randy

The Hague has tribunals for crimes against humanity... :)

Well, it seems to work relatively well when it comes to motor vehicles...
Oh, sure, there are still lots of morons driving unsafe poorly-maintained
vehicles around, but I'm sure there would be WAY way more if traffic laws
(and inspection requirements, etc, depending on your jurisdiction) went
byebye tomorrow. The problem, in any case, is one of limited enforcement
resources: triple the highway police force, and I'm sure a lot more morons
will get caught/fined/forced to fix their vehicles.

Maybe we should first have laws that prohibit making and selling computers
without firewalls? In this context I should be fine making cars without
brakes, and other security items and just accuse my customers of negligence
if they happen to have an accident?

Rgds,
-GSH

This is going in the Very Wrong Direction.

Consider that no firewall would have stopped MyDoom from spreading, unless
it was sufficiently anal-retentive as to stomp on *outbound* SYN packets to
anyplace except the user's preferred SMTP server (and even then, it would only
slow things down, and is prone to "adjustment" by the worm similar to the
way some malware turns off A/V software).

When did Microsoft start *shipping* a firewall? Why are there still problems?
Because it was shipped disabled. And they're doing the right thing and
shipping with it enabled - but now there will be support calls on how to
get a port open so XYZ will work...

I wouldn't recommend trying to expand it to "prohibit making and selling
computers that are insecure", since no computer is 100% secure, and there's
no objective "secure enough" standard - closest you will get there is
probably Dell's offer to ship machines pre-hardened to Center for Internet
Security guidelines.

It would help if systems would only execute code that is signed properly. This would make malware traceable. However, the current way of getting your code signed is in many cases too costly for the casual open source developer, so people are used to running unsigned or self-signed applications even when the facilities to check signatures would already exist in the system. (though for example in Windows, signatures are only checked at install, not runtime)

Pete

People are used to doing dumb things. Here's a depressing story:

http://www.pcpro.co.uk/news/news_story.php?id=53390