
Re: [tlug] System security and public policy [was: Anyone seen this gizmo yet?]



Edward Middleton writes:

 > My preference would be to go the other way.  Make willfully ignorant
 > users liable for damage caused by their computer usage,

They already are.  The problem is that it's too expensive to follow
up.  What are you going to do, sue 1 million members of a botnet and
prove for each one that DDoS packets from their machine caused $10 of
damage (eg, lost business on your website), and request $10 million of
damages split 1 million ways?

What you could do practically is require a "browser's license" to make
a network connection, just as it's illegal to drive a car if you don't
have a driver's license.  Then the government would revoke it if you
had a certain number of points, give you a "gold license" if you avoid
getting pwnzered for 5 years, etc.  But you can just imagine how far
that proposal will get....

 > but pass on the liability to vendors if the user has followed
 > reasonable security guidelines drawn up by a competent third party,
 > be it NPO etc.

 > That would force vendors to be clear about the security of their
 > systems but protect them from willfully ignorant users.

IMHO, a system that can be exploited when run by an ignorant user is
insufficiently secure.  A conservative (ie, limiting liability to
vendors) interpretation of "run" is "out of the box in default
configuration".  More aggressive interpretations of "run" would allow
the user to switch on standard SMTP, HTTP, and SSH listeners in some
default configuration determined by the vendor (eg, SMTP and HTTP
might be available only to localhost).

 > AFAICT most of the botnet problems are caused by people failing to
 > patch known security holes that have vendor patches.

AFAIK (which isn't all that far, but ...) all botnet problems are
caused by allowing remote, untrusted users to run arbitrary code on
your machine.  We've known that for over 30 years now, since the early
Mac virus-on-a-floppy epidemics.  The vendors, especially Microsoft,
have not learned from that.  If there is a single guiding principle to
the design of Windows, it's "if it looks like code, try to run it, and
don't bother the user with trivia."

 > I don't think it's reasonable to hold vendors responsible for this.

The security holes are there because of the fundamental design
principles the vendors subscribe to.  It's true that most of the time
the vendors find the problem and release patches before the bad guys
develop exploits, but some will always leak.  My conclusion is that in
a networked environment, it should be *hard* to run code that can have
side effects (changing local data or making network connections).
Plan 9 seems to have a handle on that.  Unix's model isn't great but
it's workable (if configured conservatively).  Windows' model is
negligent AFAICT.

Note that I'm mostly focusing on the OS here.  Even if you manage to
suborn the httpd, you shouldn't be able to take over the OS.  How much
less so for a browser!

 > Running a reasonably secure Windows installation means at the
 > minimum avoiding Outlook, using a virus scanner, setting up a
 > firewall, regularly security patching, taking seminars on the
 > latest phishing methods, etc. There goes your TCO ;)

Sure, but what we're talking about here is not putting M$FT on a level
playing field, it's a public health problem.  I don't want users to be
liable for huge costs to run Windows securely, I want Windows to run
securely.  It's most straightforward to achieve that goal by
redesigning Windows to run securely by default.

