Interesting People mailing list archives

Re: MUST READ NYT article on the (ever-more-sophisticated) bot wars


From: David Farber <dave () farber net>
Date: Wed, 10 Dec 2008 09:57:16 -0500



Begin forwarded message:

From: "Mary Shaw" <mary.shaw () gmail com>
Date: December 10, 2008 9:23:35 AM EST
To: dave () farber net
Subject: Re: [IP] Re: NYT article on the (ever-more-sophisticated) bot wars

There's an important difference between a home swimming pool and a home computer: the homeowner's ability to comprehend what it means to be responsible.

We expect the public at large to know enough about the germ theory of disease to refrain from exchanging bodily fluids if they're contagious. We're upset (if not actually surprised) when they ignore this, and we want to hold them responsible.

We expect the public at large to know enough about Newtonian mechanics to understand that a gun accelerates a small bullet to a high speed, so the bullet applies great force when it hits something. We're upset (if not actually surprised) when they ignore this, and we want to hold them responsible.

We expect the public at large to know enough about child psychology and the physiology of drowning to understand that a swimming pool can be an attractive nuisance. We're upset (if not actually surprised) when they ignore this, and we want to hold them responsible.

However, the computing profession has not equipped the public at large with a rough-and-ready version of a theory of computer security. The computing profession might expect the public at large to know enough to secure home computers, but the rest of the population does not. Therefore, no one else gets upset when they don't apply this understanding that they don't have, so no one but us computer geeks wants to hold them responsible.

The other piece of magical thinking in play here is the comprehension of the typical home computer owner of almost everything related to the home computer, especially security and system administration. Until the computing profession provides a comprehensible theory (and comprehensible tools for applying it) that explain the risks and responsible actions, it's unreasonable to expect the public at large to act responsibly.

Mary Shaw

On Wed, Dec 10, 2008 at 5:38 AM, David Farber <dave () farber net> wrote:


Begin forwarded message:

From: Tony Lauck <tlauck () madriver com>
Date: December 9, 2008 12:07:25 PM EST
To: dave () farber net

Subject: Re: [IP] Re: NYT article on the (ever-more-sophisticated) bot wars

There is a simple legal change that could be made that would lead to an improved cybersecurity situation:

1. Owners of networked computers would be held legally responsible for all activities performed by their computers, including those caused by viruses and BOTs. They would be responsible if their computers sent information that caused harm. They would also be responsible if their computers took local action on the basis of bogus information that they received. They would be responsible, period.

2. Computer software and hardware vendors would not be able to disclaim liability for security bugs. They would share responsibility with their customers for the effects of these bugs.

Eventually, laws like these are going to be passed, just as laws require swimming pools to be secured with locked gates and fences. It may be a bit early for such draconian simplicity, but it would be a good idea for the industry to think about what they would do were such laws to pass.

Tony Lauck
https://www.aglauck.com


[[snip]]




