
Mailing List Archive
Re: [tlug] System security and public policy [was: Anyone seen this gizmo yet?]
Stephen J. Turnbull wrote:
> Edward Middleton writes:
>
> > My preference would be to go the other way. Make willfully ignorant
> > users liable for damage caused by their computer usage,
>
> They already are. The problem is that it's too expensive to follow
> up. What are you going to do, sue 1 million members of a botnet and
> prove for each one that DDoS packets from their machine caused $10 of
> damage (eg, lost business on your website), and request $10 million of
> damages split 1 million ways?
>
Require ISPs to put it in their TOS, and treat it like any other
network abuse.
> > AFAICT most of the botnet problems are caused by people failing to
> > patch known security holes that have vendor patches.
>
> AFAIK (which isn't all that far, but ...) all botnet problems are
> caused by allowing remote, untrusted users to run arbitrary code on
> your machine. We've known that for over 30 years now, since the early
> Mac virus-on-a-floppy epidemics. The vendors, especially Microsoft,
> have not learned from that. If there is a single guiding principle to
> the design of Windows, it's "if it looks like code, try to run it, and
> don't bother the user with trivia."
This isn't a Windows-only problem. I don't know any browser that
supports JavaScript and comes with it disabled by default, and Flash has
something like 90% market penetration. Are you going to be happy
without YouTube ;)
Couple this with the inability of users to determine whether something
came from a trusted source. The standard mantra about email is don't
open documents, programs etc. from untrusted sources. How does one
determine this with email? Check the digital signature ;) Until
recently the only check required to issue an SSL certificate was to
check that the domain name was registered by the applicant, because bad
people can't own domain names ;)
> > Running a reasonably secure Windows installation means at the
> > minimum avoiding Outlook, using a virus scanner, setting up a
> > firewall, regularly security patching, taking seminars on the
> > latest phishing methods etc.; there goes your TCO ;)
>
> Sure, but what we're talking about here is not putting M$FT on a level
> playing field, it's a public health problem. I don't want users to be
> liable for huge costs to run Windows securely, I want Windows to run
> securely. It's most straightforward to achieve that goal by
> redesigning Windows to run securely by default.
Microsoft's last attempt at this was Vista; need I say more?
Edward