Firewall Wizards mailing list archives

Re: Recent Attacks


From: Matthew_S_Cramer () armstrong com
Date: Tue, 22 Feb 2000 15:43:47 -0500



David LeBlanc <dleblanc () mindspring com> wrote:

> At 02:18 PM 2/21/00 -0500, Matthew_S_Cramer () armstrong com wrote:
>
> > The people that should be held responsible for this attack, if any, are the
> > people that allow insecure systems on the internet.
>
> So we ought to blame the victim?


Well, your analogy is flawed.  Let me clarify.....


> I have a lot of problem with this
> approach.  So what you're saying is that if I don't install a LoJack
> system, and someone puts my car on a tow truck and steals it, that it was
> my fault for not protecting myself?


Well, like with automobiles, there is "best practice".  A best practice of
automobiles is to not leave them running and unattended in a high crime area.
So that is a better analogy: you leave your car running and unattended for 7
days in a high crime area and then want sympathy when you find out it is stolen?
You'll get none from me......


Similarly, people put systems on the internet and ignore "best practice".  An
unpatched Redhat 4.2 linux machine on the internet is just being asked to be
0wned.  Do the people that put that box out there and who ignored security
concerns share some guilt?  Absolutely!  Is it libelous?  Dunno.  Maybe it
should be.


Again, return to Marcus's gun analogy.  Here is my modification: a loaded
machine gun left on my front porch unattended for a week.  The gun is stolen and
used in a murder.  Sure, I am a "victim" because my gun was stolen.  Do I
deserve blame?  You betcha.  This is how I see insecure systems on the internet,
easily penetrated by known exploits: unattended loaded machine guns.


> Next, we can start blaming the people who wrote the software because
> they're human and make mistakes, too.


Actually, I find the "Disclaimer: we make no promise that this software will
actually work and make no claim that it will not totally destroy your system"
nauseating.  I'd like to see some liability for crap software.  Give the M$
lawyers something to do......


> While we're at it, let's blame
> everyone except the people who sit there at their keyboard and attack
> others.  Maybe we ought to blame society for raising a bunch of anti-social
> kids, too.


Strawman.........


> For example, our highways are vulnerable to the pour-oil-off-the-bridge
> attack.  You go pour 50 gallons of motor oil off of a local bridge onto the
> interstate, and you'll cause a denial of service.  So, who should we blame
> here?


[snip]

Again a flawed analogy.  Consider again the loaded gun scenario......


> I didn't mean to go off on a rant (and don't mean anything personal), but
> this one point really makes me irate.
>
> A lot of my job is trying to get people to apply patches, correct
> misconfigurations, etc.


Mine too.  It is frustrating to be ignored.  Maybe some possible liability will
up the stakes.


> The vast majority of them had no idea that there
> was a problem.  It is obviously prudent to check your systems, and stay up
> to date on patches,


Yep, that's my point.  It is "common sense".  The fact that certain people are
ignorant of common sense is never an excuse.

See, the .gov and many .com's would like to see this problem solved with
legislation: "throw the script kiddies in jail".  Yeah, make them serve more
time than convicted hitmen or mafiosos.  NOT.

This is a technical problem, there are technical solutions.  People are ignoring
the technical solutions (the info is OUT THERE ALREADY) and proposing
legislation and criminal solutions.  If people need motivations to use the
technical solutions, I say throw some liability their way, that's all.


> but assigning blame to the owners of the system is
> wrong in most cases.


All I say is apply the same rigours as we do in other industries.  If you go
against the best practices of an industry, you have to expect some liability.
Throwing some script kiddies in jail, even with harsh penalties, won't fix
things.  Look at the example of the drug war.....


Regards,

Matt
