Security Incidents mailing list archives

Nimda et al. versus ISP responsibility - Laying responsibility where it belongs


From: Fred Cohen <fc () all net>
Date: Thu, 27 Sep 2001 15:54:47 -0700 (PDT)

I have read this discussion with great interest, but I put it to you
that the responsibility for threats, vulnerabilities, and consequences
in this case can hardly be laid on the users.

For years the ISPs have decided to try to act as common carriers and
taken no responsibility for preventing forgeries of all sorts.

For years software manufacturers have taken time to market as more
important than quality of products - with security running very low on
the list.

For years those who teach people how to program have only taught
minimal functionality and nothing of substance about assurance or
quality.

For years the government has refused to try to enforce liability laws
against providers of all sorts for the damage caused by their poor quality.

For years users have bought what the ads said worked at the lowest price
they could get it for. 

For years the doctrine of self-defense - which has existed in the
physical world since forever - has not been applied to cyber systems.

For years the authors of these things have gone untracked and unpunished
because we did not want to take the necessary steps as a matter of
public policy. 

In my view, the responsibility for NIMDA lies clearly in Microsoft's lap
and the lap of the author, but there is plenty of blame to go around.  I
say forget about telling the ISPs what to do - start a class action suit
against Microsoft for putting this crap into the market knowing full
well how it might be exploited and knowing full well that it was
choosing time to market over quality.  The class is all users of
Microsoft IIS servers and every person who has a system that has been
affected by the virus.  The damages are the total cost of all actions
taken to defend against or monitor this infection, including all time
taken by all parties involved.  Put them out of business unless and
until they can act responsibly.

FC
--This communication is confidential to the parties it is intended to serve--
Fred Cohen              Fred Cohen & Associates.........tel/fax:925-454-0171
fc () all net           The University of New Haven.....http://www.unhca.com/
http://all.net/         Sandia National Laboratories....tel:925-294-2087


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com