At 03:43 PM 2/22/00 -0500, Matthew_S_Cramerat_private wrote:

>David LeBlanc <dleblancat_private> wrote:
>>I have a lot of problems with this
>>approach. So what you're saying is that if I don't install a Lowjack
>>system, and someone puts my car on a tow truck and steals it, that it was
>>my fault for not protecting myself?

>Well, like with automobiles, there is "best practice". A best practice of
>automobiles is to not leave them running and unattended in a high crime area.

Actually, best practice is to lock the door, and take the key with you. A decent car thief can overcome that very, very quickly. The analogy is very close - most systems on the internet don't have extremely dumb stuff - blank root or admin passwords, etc (though there are plenty of these) - what they do have are flaws that a skilled person can exploit.

>So that is a better analogy: you leave your car running and unattended for 7
>days in a high crime area and then want sympathy when you find out it is stolen?
>You'll get none from me......

We still throw people in jail for stealing cars that have the keys in them. I don't think you understand how easily and quickly an ordinary vehicle can be stolen, even without a key and the doors locked.

>>Next, we can start blaming the people who wrote the software because
>>they're human and make mistakes, too.

>Actually, I find the "Disclaimer: we make no promise that this software will
>actually work and make no claim that it will not totally destroy your system"
>nauseating.

So you're saying that all programmers ought to start buying malpractice insurance, like doctors. Fun, fun, fun. The cure may be worse than the disease.

> I'd like to see some liability for crap software. Give the M$
>lawyers something to do......

They seem rather busy at the moment. I see a lot of software that has flaws, from a lot of different people. Show me an app with no bugs, and I'll show you "hello world"**.
Marcus had a bug in NFR a while back - would you turn the lawyers loose on him, bankrupt him with legal fees, and cause the company to disappear? Is this going to really make anything better? I understand the problem, but I don't have a good solution. Keeping anyone's lawyers busy is usually not a good solution.

>>The vast majority of them had no idea that there
>>was a problem. It is obviously prudent to check your systems, and stay up
>>to date on patches,

>Yep, that's my point. It is "common sense". The fact that certain people are
>ignorant of common sense is never an excuse.

Yeah, but most people don't have much, and even those that do are sometimes running on not enough coffee, so...

>See, the .gov and many .com's would like to see this problem solved with
>legislation: "throw the script kiddies in jail". Yeah, make them serve more
>time than convicted hitmen or mafiosos. NOT.

I wouldn't go overboard, but at the moment computer crime goes almost completely unprosecuted. I think if more script kiddies ended up in jail, maybe some otherwise good kids might make fewer mistakes. I'm a big fan of making people responsible for their actions - you break into my house, steal my stuff, and you go to jail, and pay restitution. No restitution? Go to jail, do not pass go. Same thing with my computers. Maybe I did leave a patch off - whups. Send me mail or something, I'll say thanks. Break in?

Real-world issue - we found a wallet in the parking lot the other day. The guy dropped it getting out of his car. He screwed up. Taking the money out of it, and going on a credit-card fraud spree is still illegal. Just because no one mugged the man to get his wallet doesn't mean he deserves to be stolen from.

>This is a technical problem, there are technical solutions.

It is a technical, ethical, and behavioral problem. The social norms for activity on the internet are different than in the rest of the world, and we have a problem.
>People are ignoring
>the technical solutions (the info is OUT THERE ALREADY)

Maybe the technical solutions don't work very well. Right now, if you want to really know what's going on, you have to subscribe to about 3-4 highly technical, very geeky security lists, and wade through HUGE amounts of noise. This isn't a viable solution for the masses. If it isn't working, we must be doing it wrong.

>and proposing
>legislation and criminal solutions. If people need motivations to use the
>technical solutions, I say throw some liability their way, that's all.

I think there are adequate laws in place - the real problem is that law enforcement is way behind the curve. How many people do you know who call the cops when they get hacked? There are good reasons why they don't, and that needs to be fixed.

>>but assigning blame to the owners of the system is
>>wrong in most cases.

>All I say is apply the same rigours as we do in other industries. If you go
>against the best practices of an industry, you have to expect some liability.

Honestly, I think we've all got a lot of work to do - ISPs need to make a lot of changes, both to try and help good customers do the right thing, and to prevent the script kiddies from using their facility to do the wrong thing. Law enforcement needs to get more effective. Programmers need to pay more attention to security. People who write software and OS's need to make security user-friendly. There's no silver bullet.

>Throwing some script kiddies in jail, even with harsh penalties, won't fix
>things.

No, but not ever throwing them in jail will indeed make it worse. I think if you're being realistic, you have to acknowledge that law enforcement is part of the solution, but can't be the whole solution. It's like just about anything - too much is bad, too little is bad, and we usually oscillate between too little and too much trying to find just right.

>Look at the example of the drug war.....
Well - considering that I graduated high school in 1977, and that at the time, it was pretty common to see people walking around on FSU campus smoking a joint in broad daylight. Far too many people were using far too many drugs. There was a reaction, law enforcement got a bit more vigorous, and fewer people walk around stoned. Personally, I think it is mostly a medical problem, and shouldn't be a legal problem, but let's not go off on that tangent. I did want to point out that increased law enforcement did have an overall positive effect, but didn't eliminate the problem - and that a lack of law enforcement led to the problem becoming worse.

David LeBlanc
dleblancat_private