Make OS Liable for Security
From: Fred_McGriff (fmcgriff_at_nospam.com)
Date: Thu, 18 Sep 2003 21:22:36 GMT
WAS a thread in Re: Drivers License required for surfing?
> > Why not make it illegal to ship or offer for download an operating
> > system unless all inbound and outbound ports are closed by default?
> > The OS needs to be explicitly told which programs can access the
> > internet. This could be done during the system install for web
> > browsers and email clients. But, all other programs would need to be
> > turned on after the install.
> the average user doesn't know much about repairing, building and/or
> servicing a car ... the other analogy is require safe vehicle
> inspection for PCs .... people get ticketed and fined for operating a
> vehicle in an unsafe manner or operating an unsafe vehicle
> ... regardless of whether the individual knows how to service a
> vehicle or not.
If I understand you to say that the user should be held responsible and
liable for the shortcomings of their operating system, I cannot disagree
more. In fact, I am surprised a class action lawsuit has not already been
launched against all operating system sellers who do not ship their products
in a stable state by default.
When I buy a car, I trust and expect the brakes to work and the fuel tank
to not leak gasoline. Any car manufacturer knowingly selling a vehicle with
such defects would be held liable for consequences. In the same vein,
manufacturers should be liable for knowingly shipping any operating system
in a condition which makes it impossible to get updated security patches
without becoming infected by the worms which hunt for vulnerable Linux
and/or Windows boxes.
I encountered such a situation with a newly bought Toshiba laptop with the
latest version of Windows XP installed. The user became infected within two
minutes of connecting to the internet and could not install the needed
security patches because the worm kept shutting down the computer. Tech
support was useless, only telling the person to reinstall the operating
system. It took one week to get the computer patched and the vulnerabilities
That person is an ordinary user and has no more knowledge of minimal
computer security than I have of changing oil in my car. I have never done
this and I would not know where to start. Furthermore, I cannot change any
bulbs, fuses, or filters in my car.
If Windows XP were to ship with its firewall on and blocking all ports by
default and with port 135 turned off by default, the individual would have
been able to patch the computer without becoming infected. Similarly, all
Linux distros should ship with a firewall installed and by default blocking
all inbound ports.
Frankly, I am surprised a class action lawsuit against Microsoft, Red Hat,
Mandrake, SUSE, and most other commercial operating system makers has not
As far as I can see, only companies such as Engarde ship operating systems
which are locked down by default. Even Microsoft is beginning to appreciate
the commercial and legal risks -- shipping Windows 2003 with internet
servers turned off by default.
We, along with most readers of this news group, do our part. But, most of
us are not ordinary users and we cannot continue to blame other people for
our errors in judgement. In our company, I am responsible for what happens
on the computers. If a user does something wrong, I accept responsibility
for my failure to make such an event unlikely. This means being pro-active
about pending and imagined security issues and re-active when something does
go wrong. I expect no less from multi-million and billion dollar companies
like Microsoft, Sun, SCO, Red Hat, Mandrake, SUSE, Mac.