Re: Nato warns of strike against cyber attackers

[Karl Auer <kauer () biplane com au>]

On Wed, 2010-06-09 at 08:50 -0500, Joe Greco wrote:
> Primarily because the product that they've been given to use is defective
> by design.

Indeed. So one approach is to remove the protection such defective
designs currently enjoy.

> supposed to play out for the single mom with a latchkey kid?  Let's be
> realistic here.  It's the computer that ought to be safer.

Fine. Agreed. Now what mechanisms do you suggest for achieving that?
Technical suggestions are no good, because noone will implement them
unless they have to, or unless implementing them in some way improves
the product so it sells better.

> modest improvements on the part of users, sure, but to place it all on 
> them is simply a fantastic display of incredible naivete.

Indeed. And certainly not something I'd advocate. at least not without
making sure that they, in turn, could pass the responsibility on.

> That shows an incredible lack of understanding of how the market actually
> works.  It's nice in theory.

It would be a lot more pleasant discussing things with you if you
understood that people may disagree with you without necessarily being
naive or stupid.

> We (as technical people) have caused this problem because we've failed to 
> design computers and networks that are resistant to this sort of thing.

And why did we do that? What allowed us to get away with it? Answer:
Inadequate application of ordinary product liability law to the
producers of software. Acceptance of ridiculous EULAs that in any sane
legal system would not be worth the cellophane they are printed behind.
And so forth. I know the ecosystem that arose around software is more
complicated than that, but you get the idea.

> Trying to pin it on the users is of course easy, because users (generally
> speaking) are "stupid" and are "at fault" for not doing "enough" to
> "secure" their own systems, but that's a ridiculous smugness on our part.

You're right. And again, I am not advocating that. People are always
going to be stupid (or ignorant, which is not the same thing as stupid).
The trick is to give them a way out - whether it's insurance, education
or effective legal remedy. That way they can choose how to handle the
risk that *they* represent - in computers just as in any other realm of
life.

> I'm fine with that, but as long as we keep handing loaded guns without 
> any reasonably-identifiable safeties to the end users, we can expect to
> keep getting shot at now and then.

You keep stating the problem, where what others are trying to do is
frame a solution. Right now we are just absorbing the impact; that is
not sustainable, as long as the people providing the avenues of attack
(through ignorance or whatever) have no obligation at all to do better.

> > Yep! And the fastest way to get more secure systems is to make consumers
> > accountable, so that they demand accountability from their vendors. And
> > so it goes, all the way up the chain. Make people accountable. At every
> > level.
>
> Again, that shows an incredible lack of understanding of how the market
> actually works.  It's still nice in theory.

There are whole industries built around vehicular safety. There are
numerous varieties of insurance that protect people - at every level -
from their own failures.

Where there is no accountability in a human system, failure is
practically guaranteed - whether in the form of tyranny, monopoly,
danger to life and limb or whatever. The idea of accountability and the
drive to attain it forms the basis of most legal and democratic systems,
and of uncountable numbers of smaller systems in democratic societies.
Now, what were you saying about "theory"?

>   Do you really think that the game of
> telephone works?  Are we really going to be able to hold customers
> accountable?  And if we do, are they really going to put vendor feet to
> the fire?  Or is Microsoft just going to laugh and point at their EULA,
> and say, "our legal department will bankrupt you, you silly little twerp"?

Please, read more carefully. "At every level". If the consumer is made
responsible, they must simultaneously get some avenue of recourse. Those
ridiculous EULAs should be the first things against the wall :-)

> Everyone has carefully made it clear that they're not liable to the users,
> so the users are left holding the bag, and nobody who's actually
> responsible is able to be held responsible by the end users.

Correct. That is the current situation, and it needs to be altered. On
the one hand consumers benefit because they will finally have recourse
for defective software, but with that gain comes increased
responsibility.

> Yes, "we" needs to include all the technical stakeholders, and "we" as
> network operators ought to be able to tell "we" the website operators to
> tell "we" the web designers to stop using Flash if it's that big a
> liability.  This, of course, fails for the same reasons that expecting
> end users to hold vendors responsible does, but there are a lot less of
> us technical stakeholders than there are end users, so if we really want
> to play that sort of game, we should try it here at home first.

Try what?

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer () biplane com au)                   +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/                  +61-428-957160 (mob)

GPG fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
Old fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF

Attachment: signature.asc
Description: This is a digitally signed message part