Re: Nato warns of strike against cyber attackers

[Joe Greco <jgreco () ns sol net>]

> > I am pretty sure I saw stats that suggested that old cars that crashed into
> > new cars did substantially more damage to the new car and its occupants than
> > an equivalent crash between two new cars, something to do with the old car
> > not absorbing about half the impact into its own (nonexistent) crumple
> > zones, though there are obvious deficiencies in the protection afforded to
> > the occupants of the old car as well...
>
> Old cars without crumple zones tend to do more damage to new cars
> with crumple zones. Occupants of new cars tend to receive less damage
> because the crumple zones absorb some of the energy while occupants
> of older cars receive more of the energy transferred directly to them due
> to the higher stiffness of the older car.
>
> At least in the studies I have read.

I'm talking about the difference between the levels of damage to a new car 
where you have a crash between an old and new car, and a crash between two
new cars.  The evidence that an old car is more lethal to its occupants is
well known.  We were discussing damage inflicted upon others, so that is
not relevant.

> > Generally speaking, because the computer is unsafe by design, and most of
> > the problems we're discussing are not "driving the car in a reckless
> > manner."  I do not live in mortal fear that I am going to steer my car into
> > the median and it's going to jump over into oncoming traffic and ram into
> > an oncoming semi, because that's simply not something I'd do, and it's not
> > something the car designers expected would be a regular thing to do.  On
> > the other hand, I do live in mortal fear of opening a PDF document on a
> > Windows machine, something that both Adobe and Microsoft deliberately
> > engineered to be as easy and trivial as possible, and which millions of
> > people do on a daily and regular basis, but which nonetheless can have
> > the undesirable side effect of infecting my computer with the latest
> > stealth exploit, at least if I read the news correctly.
>
> I don't agree with your premise. Yes, some operating systems are unsafe
> by design, but, not all.  As I said, you should be accountable for the behavior
> of your computer. If you can show that the behavior was the result of faulty
> software, then, you should be able to recover from the manufacturer of that
> software (assuming you paid a professional for your software).

That is a nice theory, but does not play out in practice.  If you are
suggesting that part of the solution to the overall problem is to
legislate such liability, overriding any EULA's in the process, we can
certainly discuss that.

> Just as a driver of a car with a stuck accelerator due to manufacturer defect
> is liable to the pedestrians they plow, and, the manufacturer is liable to the
> driver, I see no reason not to have a similar liability chain for software.

Doesn't exist at this time, see EULA.

> Strangely, I don't live in mortal fear of opening a PDF document on my
> Macs or Linux systems.  As such, I don't see why we should all be punished
> for the fact that you chose to buy software from the morons in Redmond.
> A bad choice made by a majority of people is still a bad choice.
> (Note: You are the one who singled out Micr0$0ft first.)

The latest Adobe vulnerability applies to pretty much all platforms.  It
is, in this case, a Flash vulnerability, but others have been PDF.  You
can use an alternative Flash or PDF player, of course, but that's not a
guarantee, it's just lowering the risk.

> > As a Windows user, I *am* *expected* to open web documents and go browsing
> > around.  The Internet has been deliberately designed with millions upon
> > millions of domains and web sites; it's ridiculous to suggest that users
> > should be aware that visiting a particular web site is likely to be
> > harmful, especially given that we can't even keep servers safe, and some
> > legitimate high-volume web sites have even been known to serve up bad
> > stuff.
>
> I assume all web sites are potentially harmful unless I have good reason
> to believe otherwise. Why shouldn't everyone be expected to behave
> in a similar manner?
>
> Seems to me that is the only rational approach.  Don't you tell your kids
> not to talk to strangers? Isn't this sort of the same thing?

I haven't been a child for many years.  Generally speaking, I expect to
be able to talk to another person without significant risk.  

What you suggest makes sense from a security point of view, but many people
are only able to identify a small handful of websites as being ones they
"know".  If you're suggesting that people should never visit other websites,
then that really limits the usefulness of the Internet.  Why shouldn't it
be, instead, that web browsers are made to be safe and invulnerable?

> > > I'm not out to target specific products. Yes, I'll celebrate the death of
> > > our favorite convicted felon in Redmond, but, that's not the point.
> > >
> > > I don't have a CompSci degree specializing in that stuff and I seem to
> > > be able to run clean systems. I don't have a CompSci degree at all.
> > > It's not that hard to run clean systems, actually. Mostly it takes not being
> > > willing to click yes to every download and exercising minimal judgment
> > > about which web sites you choose to trust.
> >
> > It takes an understanding of how it all works behind the scenes in order
> > to understand what all those silly "Yes/No" prompts mean; that whole
> > mechanism is part of what I mean when I say "defective by design."
>
> Agreed.  Interestingly, I don't have very many of those prompts on my
> Mac, and, when I do, it seems to me that I have very little need to understand
> what is going on behind the scenes to make an intelligent choice in
> response. Generally it says "You are about to open an application
> that you downloaded from a web site.  Are you sure you want to do
> this? If you aren't sure you can trust the website, you should say no."

Yes, but we're not discussing you and your Mac, we're discussing Grandma
and the Windows box her son bought her for Christmas last year.

> > Why is it okay to click "Yes" when a website asks if we want to install
> > "Flash" or "Silverlight" but it's not okay to click "Yes" when a website
> > asks if we want to install "DodgyCodec"?  How do you explain that to your
> > grandmother?
>
> Poor choices of examples... I'm not sure it is OK to click yes for Flash.
> It's pretty obviously a huge vulnerability. 

Yet it's so clearly required to view a large percentage of the web (at
least to hear the iPhone/iPad users grumble).  And "everybody has it."

> However, I usually tell people
> to make that decision along the lines of how much they think they should
> trust the website.  Micr0$0ft starts at -10. Adobe starts at -5. $randomsite
> starts at -50. Paypal starts at 0. Apple starts at 2. as an example of some
> of my trust levels.
>
> > > The point is that if I run a clean system, why should I have to pay a
> > > subsidy to those that do not? I'm tired of this mentality that says let's
> > > penalize the good actors to subsidize the bad actors. I'm tired of it
> > > with mortgages. I'm tired of it with businesses. I'm tired of watching
> > > the government, time after time, reward bad behavior and punish
> > > good behavior and then wonder why they get more bad and less
> > > good behavior.  
> >
> > Hey, I agree.  Look, we run a clean network here.  I have the same gripes.
> > We see all sorts of probe traffic and crap, why should we bother being
> > clean?  Why should we have to go to extra work to defend against networks
> > that aren't?
>
> I'm not saying "why should I bother being clean?" I think I should bother
> being clean because it should be the minimal obligation to society if
> you connect to the network. I'm saying why should we accept and be
> forced to pay subsidies to those who ignore that responsibility?
> I'm saying that we should have accountability and the ability to recover
> our costs from those that aren't.  You'd be surprised how fast that
> would reduce the number of those that aren't.

If there was some reasonable and fair manner to do that, maybe.  However,
as it stands, end users are left holding that bag, and absent some
mechanism to allow them to recover costs from their software vendor, it
strikes me as just as unfair as when we're left holding the bag.

> > > > We can make their Internet cars safer for them - but we largely haven't.
> > > > Now we can all look forward to misguided government efforts to mandate
> > > > some of this stuff.
> > > I'm not opposed to making operating systems and applications safer.
> > > As I said, just as with cars, the manufacturers should be held liable
> > > by the consumers.  However, the consumer that is operating the
> > > car that plows a group of pedestrians is liable to the pedestrians.
> > > The manufacturer is usually liable to the operator through subrogation.
> >
> > Which would mean anything if we had computer users that were deliberately
> > injuring or killing people with their computers.  Unfortunately, I'd say
> > that most sick computers are more akin to those awful oil-burning, smog-
> > generating, black-smoke-belching cars.  You don't have much of a private
> > right of action against the guy that drives by you and blasts a wave of
> > awful black particulate matter out his exhaust at you.  We've handled a
> > lot of that through mandatory emissions inspections (not sure how
> > universal that is).  Regulation, in that case, seems to be a generally
> > positive effect.
>
> Nope... Even if the consumer plows the pedestrians because of a defect
> in the vehicle, the pedestrians generally sue the driver who then goes
> after the manufacturer through subrogation.
>
> If it wasn't a defect in the car, then, the manufacturer has no liability, but,
> whether deliberate or negligent, the driver still does.

Again, though, we just don't have that situation.

> > I don't see any simple solutions, regardless.
> A proper chain of liability wouldn't be too difficult and would go a long
> way to solving the problem.
>
> A few users who paid the price of clicking yes in the wrong place would
> serve as a good lesson for the majority of users. 

Would they?  Would they really?

> A few users successfully
> getting their costs reimbursed by Micr0$0ft would lead to major changes
> in Micr0$0ft's approach to software development.

Except that won't happen as it stands.

> Global "charge everyone a security fee" proposals will only preserve the
> status quo. Heck, McAfee and Norton are arguably implementations of
> just that sort of thing.


... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.