Re: A question for the list...

["Stephen P. Berry" <spb () meshuggeneh net>]

Brian King writes:

> > Are owners of long term compromised systems really "innocents"?  If
> > people have left systems compromised with worms that are attacking other
> > networks and reports have been ignored for significant amounts of time,
> > then surely the compromised party are guilty of negligence ?

> I would say that it depends who is administering the system.  I wouldn't
> call a clueless personal user negligent, but it is expected that a
> network administrator knows how to patch and protect computer systems
> under his/her control.  To be negligent means that the person could fix
> the problem but didn't.

This is often true, but not universally true.  Another commonly applied
standard of negligence compares the costs of prevention versus the costs
of remediation.  I.e., if an security incident would cost less the recover
from than it would cost to prevent, then (by this standard) failing to
prevent it would not constitute negligence.

Indeed, one could make the case that the -perception- that this is true of the
general case is one of the predominant explanations of the state of security on
the internet in general.  In other words, most organisations can perceive
the (immediate) costs of Doing The Right Thing (in security terms), and have
an expectation of low (long term) costs of doing nothing and hoping for
the best.

Whether or not you believe this is a sane (or ethical) way of modelling the
problem, it is nevertheless worth noting that some industries can muddle
along quite happily this way.  Credit card issuers, for example, deal with
the absolutely grotesque credit card security model by simply accepting the
losses due to credit card theft and fraud as part of the costs of doing 
business.
There are far better authentication schemes available than the know-the-card-
number-and-expiry method currently in nearly universal use---they're just
more expensive to deploy.


Note that I'm not suggesting that I -agree- with this view.  In general,
I do not.  I think that should be some minimum standard for building and
deploying networks, just like there's a minimum standard for the construction
of buildings and cars (for example).  But it is worth noting that this
bias is just that---a bias;  it isn't built on an well-established legal or
ethical standards with are (currently) generally accepted.  I think that a
fairly strong case could be made for a minimum standard on these terms...but
I don't think such standards currently exist in any meaningful form.

And, incidentally, I think that building consensus about these sorts of
standards will have much more beneficial effects (long term) on overall network
security than any scheme involving retribution attacks on compromised
systems...no matter how optimistically you model the effects of such actions.




-spb

Attachment: _bin
Description: