Nimda et.al. versus ISP responsibility - Laying responsibility where it belongs

From: Fred Cohen (fc@all.net)
Date: 09/28/01


Message-Id: <200109272254.PAA22868@big.all.net>
Subject: Nimda et.al. versus ISP responsibility - Laying responsibility where it belongs
To: incidents@securityfocus.com
Date: Thu, 27 Sep 2001 15:54:47 -0700 (PDT)
From: Fred Cohen <fc@all.net>

I have read this discussion with great interest, but I put it to you
that the responsibility for threats, vulnerabilities, and consequences
in this case can hardly be laid on the users.

For years the ISPs have decided to try to act as common carriers and
taken no responsibility for preventing forgeries of all sorts.

For years software manufacturers have taken time to market as more
important than quality of products - with security running very low on
the list.

For years those who teach people how to program have only taught
minimal functionality and nothing of substance about assurance or
quality.

For years the government has refused to try to enforce liability laws
against providers of all sorts for the damage caused by their poor quality.

For years users have bought what the ads said worked at the lowest price
they could get it for.

For years the doctrine of self-defense - which has existed in the
physical world since forever - has not been applied to cyber systems.

For years the authors of these things have gone untracked and unpunished
because we did not want to take the necessary steps as a matter of
public policy.

In my view, the responsibility for NIMDA lies clearly in Microsoft's lap
and the lap of the author, but there is plenty of blame to go around. I
say forget about telling the ISPs what to do - start a class action suit
against Microsoft for putting this crap into the market knowing full
well how it might be exploited and knowing full well that it was
choosing time to market over quality. The class is all users of
Microsoft IIS servers and every person who has a system that has been
affected by the virus. The damages are the total cost of all actions
taken to defend against or monitor this infection, including all time
taken by all parties involved. Put them out of business unless and
until they can act responsibly.

FC
--This communication is confidential to the parties it is intended to serve--
Fred Cohen Fred Cohen & Associates.........tel/fax:925-454-0171
fc@all.net The University of New Haven.....http://www.unhca.com/
http://all.net/ Sandia National Laboratories....tel:925-294-2087

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
