Re: A question for the list...

From: Stephen P. Berry (
Date: 05/22/03

  • Next message: Andrew Anderson: "Re: DDoS Attack"
    To: "King, Brian" <>
    Date: Thu, 22 May 2003 14:18:16 -0700

    Brian King writes:

    >>Are owners of long term compromised systems really "innocents"? If
    >>people have left systems compromised with worms that are attacking other
    >>networks and reports have been ignored for significant amounts of time,
    >>then surely the compromised party are guilty of negligence ?

    > I would say that it depends who is administering the system. I wouldn't
    > call a clueless personal user negligent, but it is expected that a
    > network administrator knows how to patch and protect computer systems
    > under his/her control. To be negligent means that the person could fix
    > the problem but didn't.

    This is often true, but not universally true. Another commonly applied
    standard of negligence compares the costs of prevention versus the costs
    of remediation. I.e., if a security incident would cost less to recover
    from than it would cost to prevent, then (by this standard) failing to
    prevent it would not constitute negligence.

    Indeed, one could make the case that the -perception- that this is true of the
    general case is one of the predominant explanations of the state of security on
    the internet in general. In other words, most organisations can perceive
    the (immediate) costs of Doing The Right Thing (in security terms), and have
    an expectation of low (long term) costs of doing nothing and hoping for
    the best.

    Whether or not you believe this is a sane (or ethical) way of modelling the
    problem, it is nevertheless worth noting that some industries can muddle
    along quite happily this way. Credit card issuers, for example, deal with
    the absolutely grotesque credit card security model by simply accepting the
    losses due to credit card theft and fraud as part of the costs of doing
    There are far better authentication schemes available than the know-the-card-
    number-and-expiry method currently in nearly universal use---they're just
    more expensive to deploy.

    Note that I'm not suggesting that I -agree- with this view. In general,
    I do not. I think that there should be some minimum standard for building and
    deploying networks, just like there's a minimum standard for the construction
    of buildings and cars (for example). But it is worth noting that this
    bias is just that---a bias; it isn't built on well-established legal or
    ethical standards which are (currently) generally accepted. I think that a
    fairly strong case could be made for a minimum standard on these terms...but
    I don't think such standards currently exist in any meaningful form.

    And, incidentally, I think that building consensus about these sorts of
    standards will have much more beneficial effects (long term) on overall network
    security than any scheme involving retribution attacks on compromised matter how optimistically you model the effects of such actions.



