nanog mailing list archives

Re: Level3 routing issues?


From: Scott Francis <darkuncle () darkuncle net>
Date: Mon, 27 Jan 2003 01:57:40 -0800

On Sat, Jan 25, 2003 at 06:51:01PM +0000, steve () telecomplete co uk said:

> > True although it does appear to affect MS more so than it ought to, even
> > considering their market lead.

> What evidence do you have here? If I count the number of DDOS attacks
> from insecure Linux boxes that we've seen in the last year, I'd say that it's
> on par.

> I think you are on the right lines below in suggesting that products and
> services should be supplied safe and not require additional maintenance out of
> the box to make them so (additional changes should make them weaker).

"secure by default" is a wonderful goal that has, to date, failed to reach
very many vendors, either commercial or otherwise. As the number of hosts
connected to the Net continues to rise, and as broadband continues to spread,
we can expect to see the damage caused by insecure software grow. When the
damage reaches a certain critical mass (whatever that may be; I thought we'd
have reached it already), those who are coughing up millions of dollars (if
not now, that figure will certainly be realistic very soon) to deal with the
effects of insecure software will eventually stop accepting this as merely
"the way things are". At that point, the lawyers will get involved, and there
will be a change in the way software liability is viewed, and a resulting
change in the focus from vendors (commercial ones, anyway).

====
When the costs of releasing insecure and buggy software exceed the profit
from doing so, vendors will make security a priority. Not before.
====

(As far as free/open software goes ... figuring liability there could be
significantly more tricky, if the lawyers decided it was worth it at all.
Microsoft, for instance, makes a much more lucrative target (and a better
public lesson) than suing, say, the Apache Group. Most commercial software
licenses disclaim any and all responsibility, as do their GPL/BSD
counterparts, but commercial entities are easier to chase down legally.)

IANAL, nor am I a fortune teller. I also admit to far less operational
experience than most of the folks on this list. This is what I see coming. I
suppose time will tell whether I'm a crackpot or a visionary. :)

-- 
-= Scott Francis || darkuncle (at) darkuncle (dot) net =-
  GPG key CB33CCA7 has been revoked; I am now 5537F527
        illum oportet crescere me autem minui
