nanog mailing list archives

Re: Nato warns of strike against cyber attackers


From: "Patrick W. Gilmore" <patrick () ianai net>
Date: Wed, 9 Jun 2010 00:36:29 -0400

On Jun 9, 2010, at 12:26 AM, Steven Bellovin wrote:

> Problem is there's no financial liability for producing massively exploitable software.
> No financial penalty for operating a compromised system.
> No penalty for ignoring abuse complaints.
> Etc.
> 
> Imagine how fast things would change in Redmond if Micr0$0ft had to pay the cleanup costs for each and every 
> infected system and any damage said infected system did prior to the owner/operator becoming aware of the infection.
> 
> 
> It isn't Microsoft.  It once was, but Vista and Windows 7 are really solid, probably much better than Linux or Mac 
> OS.  (Note that I run NetBSD and Mac OS; I don't run Windows not because it's insecure but because it's an unpleasant 
> work environment for me.)
> 
> Microsoft is targeted because they have the market.  If Steve Jobs keeps succeeding with his reality distortion 
> field, we'll see a lot more attacks on Macs in a very few years.  It's also Flash and Acrobat Reader.  It's also 
> users who click to install every plug-in recommended by every dodgy web site they visit.  It's also users who don't 
> install patches, including those for XP (which really was that buggy).  There's plenty of blame to go around here....
> 
> A liability scheme, with penalties on users and vendors, is certainly worth considering.  Such a scheme would also 
> have side-effects -- think of the effect on open source software.  It would also be a lovely source of income for 
> lawyers, and would inhibit new software development.  The tradeoff may be worthwhile -- or it may not, because I 
> have yet to see evidence that *anyone* can produce really secure software without driving up costs at least five-fold.

I agree the miscreants go for the bigger bang for the buck.  That said, earlier versions of Windows really were soft 
targets.  I don't know enough about Win7 to comment, but I respect Steve and will accept his opinion.  Let's hope MS 
keeps up the good work - I do not want to bash Windows (no matter how fun it is :), I want to stop being attacked.

But it is not -just- market share.  There are a lot more Windows Mobile compromises, viruses, etc., than iOS, Symbian, 
and RIM.  I think combined.  Yet Windows Mobile has the lowest market share of the four.  So unless that is spill over 
because Windows Mobile & Windows Desktop have the same vulnerabilities, it shows that market share is only one piece of 
the puzzle.

All that said, the biggest problem is users.  Social Engineering is a far bigger threat than anything in software.  And 
I don't know how we stop that.  Anyone have an idea?

-- 
TTFN,
patrick
