nanog mailing list archives

Re: Over a decade of DDOS--any progress yet?


From: Valdis.Kletnieks () vt edu
Date: Wed, 08 Dec 2010 16:38:14 -0500

On Wed, 08 Dec 2010 07:43:52 PST, JC Dill said:

> Why isn't ANYONE going after Microsoft over this?  If Microsoft were 
> held accountable for the spam and DDOSs that spew from their crappy 
> software, they would find a way to stop the problem.  I've raised this 
> issue before, IMHO Windows OSs are "attractive nuisances" and that legal 
> argument can be used to hold Microsoft responsible for not putting an 
> adequate "fence" around their "attractive nuisance".

Unfortunately, this is one you really don't want to do.  Microsoft's current
offerings are about as hardened as the competition (Apple and Linux, mostly)
right out of the box.  And it's not clear that you can *make* a system much
harder and still sell it to consumers (try using a Linux box with SELinux
turned on in full MLS/MCS mode - quite secure, but *not* the easiest thing in
the world to admin, especially if you ever add a third-party program that
doesn't have a suitable MLS security policy description already).

> If all the big ISPs banded together to file suit against Microsoft, they 
> could share the cost (and pain) of the lawsuit.

And if you win the lawsuit, what does that get you?  Microsoft goes broke,
quits shipping security updates to everybody - and things are even worse
than before, because now *everybody* is unpatched.

The second issue is that if you *do* establish a legal precedent that
software vendors are liable for faults no matter what the contract/EULA
says, you're going to see pretty much all the open-source projects pack
up and go home unless they find a way to protect themselves.  Quite
likely some commercial software vendors will bail as well, or charge a *lot*
more for their stuff.

Be careful what you ask for, for you may surely get it.

