I have read this discussion with great interest, but I put it to you that the responsibility for threats, vulnerabilities, and consequences in this case can hardly be laid on the users.

For years the ISPs have decided to try to act as common carriers and taken no responsibility for preventing forgeries of all sorts. For years software manufacturers have taken time to market as more important than quality of products - with security running very low on the list. For years those who teach people how to program have only taught minimal functionality and nothing of substance about assurance or quality. For years the government has refused to try to enforce liability laws against providers of all sorts for the damage caused by their poor quality. For years users have bought what the ads said worked at the lowest price they could get it for. For years the doctrine of self-defense - which has existed in the physical world since forever - has not been applied to cyber systems. For years the authors of these things have gone untracked and unpunished because we did not want to take the necessary steps as a matter of public policy.

In my view, the responsibility for NIMDA lies clearly in Microsoft's lap and the lap of the author, but there is plenty of blame to go around.

I say forget about telling the ISPs what to do - start a class action suit against Microsoft for putting this crap into the market knowing full well how it might be exploited and knowing full well that it was choosing time to market over quality. The class is all users of Microsoft IIS servers and every person who has a system that has been affected by the virus. The damages are the total cost of all actions taken to defend against or monitor this infection, including all time taken by all parties involved. Put them out of business unless and until they can act responsibly.
FC

--This communication is confidential to the parties it is intended to serve--
Fred Cohen       Fred Cohen & Associates.........tel/fax:925-454-0171
fcat_private     The University of New Haven.....http://www.unhca.com/
http://all.net/  Sandia National Laboratories....tel:925-294-2087

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Sep 27 2001 - 16:37:41 PDT