Re: Controversial paper - Good response article on ZDNet
From: George Ou (533george_ou234_at_netzero234.com)
Date: 10/14/03
- Next message: George Ou: "Re: Controversial paper - Good response article on ZDNet"
- Previous message: Scott Fluhrer: "Re: Evaluation of MegaSnakeOil by "expert""
- In reply to: Mack: "Re: Controversial paper - Good response article on ZDNet"
- Next in thread: Mok-Kong Shen: "Re: Controversial paper - Good response article on ZDNet"
- Reply: Mok-Kong Shen: "Re: Controversial paper - Good response article on ZDNet"
- Reply: Mack: "Re: Controversial paper - Good response article on ZDNet"
Date: Tue, 14 Oct 2003 06:17:33 GMT
On Mon, 13 Oct 2003 13:46:16 GMT, Mack
<macckone@a_nospamjunk123_ol.com> wrote:
>>The point is, you can't punish a car maker for the actions of a
>>malicious individual and you can't punish a software maker because a
>>malicious individual uses a compromised system to take down the
>>Internet.
>In my state if you leave the keys in the ignition it is a crime and
>you are liable if someone then steals your car and runs over someone.
>If the car maker made a car that didn't need a key they would
>be liable. Right now the software is the car without a key.
>Right now the software does fail mysteriously way too often.
>If it were a car the manufacturer would be held liable under
>the "lemon laws".
That's still absurd. In most small towns, people don't even lock
their doors or their cars.
>>If an OSS software had a design flaw that systematically attacked a
>>website and brought it down, I don't care if it's free, the author
>>should be liable. The same goes for pay software.
>
>If it is systematic then it is unlikely to be a design flaw.
It's happened. Netgear's routers recently did a systematic DoS on a
University's time servers and network. It was a flaw.
>As for companies charging for software I believe they should
>be fined relative to the amount of damage.
>Harmless bugs=no damage.
>Crashes Internet=major damage.
And of course, you would nullify my agreement with my vendor if you
had your way, thus taking away my rights. Sure you would let me sign
it, but you wouldn't allow it to hold up in court. That's simply
wrong no matter how you justify it.
>I don't believe that every little bug should result in a lawsuit.
>The serious ones should. Hospitals, Airports and Nuclear
>facilities are large and complex systems. They have surprisingly
>few major flaws in critical software, some of which is very complex.
>Why should an OS or major application running on millions of systems
>have so many and not be held accountable?
I don't believe there should ever be lawsuits for flaws resulting
from bugs if a vendor provides timely fixes. The owner of the
software is more responsible for patching their software if the
patches are available and they don't apply them. For Christ's sake,
Windows XP defaults to download all critical patches in the background
by default, the user just needs to hit "Apply".
I only think there should be a lawsuit if a flaw in the software made
it systematically attack a system.
>That particular lawsuit led to all fertilizer having a chemical added
>which prevents its use as an explosive. The chemical in question
>had been previously offered as a preventative measure. The makers
>refused because "it cost too much".
The same thing could have been achieved another way without a lawsuit.
But while we're at it, should we require all automobiles to have
safety systems such that they are monitored by an operator with a fail
safe in case someone decides to kill people?
Should gasoline be made to only ignite in a combustion engine, so that
they can't be used as fire bombs? While we're at it, what liability
is in all those household products in "The Anarchist's cookbook"?
Why have we not banned bath tubs yet?
The reality is, there are bad people in this world that can make a
weapon out of anything, and we have to deal with the people, not the
household items they use. One only needs to look inside a prison to
see what ingenious deadly weapons can be fabricated out of things that
are specifically designed to be "safe".
>Airlines in the 9/11 incident are being sued because even though
>they knew that hijackers could easily get through the flimsy doors
>on the planes better doors were not installed. Again, because
>"it cost too much".
That's a whole different beast. There should not be doors that lead
to the cockpit from the passenger compartment. But again, it doesn't
require a lawsuit to fix. Those people are just being greedy after
getting 1.6 million dollars.
Anyways, this is getting way too long. We need to be focused on real
security, and not these distractions from so-called serious papers based
on less than honorable motives of companies who stand to benefit from
Microsoft's pain. You keep saying that it's too much to ask people to
implement good security, but you're wrong. It can be done if good
security is packaged. Blaster is a symptom of a much larger problem,
and that's lack of firewall security.
Microsoft has bundled an extremely effective solution in its ICF
(Internet Connection Firewall) which only requires a simple "check
mark" to activate. I think MS should take it a step further by
activating it by default. The reason they have not done that is
because of the home networking problems that it would create. But, it
wouldn't be a problem if the default firewall permitted all private IP
addresses inbound access by default and blocked all inbound for all
public IP addresses. I think all the OS vendors should do this by
default, and that alone would be the best thing that you can do for
the Internet. Not some self serving paper.
George Ou
http://www.LANArchitect.net
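
The default policy proposed in the message above (permit unsolicited inbound from private addresses, block it from public ones), written out as an added example; it is not part of the original post and not ICF's own logic. The function names, the inclusion of the link-local range and the sample addresses are assumptions of this example.

```python
import ipaddress

# RFC 1918 private ranges, plus IPv4 link-local (169.254/16), which home
# machines fall back to when no DHCP server answers. Including link-local
# is an assumption of this example; the post only says "private".
# The ranges are listed explicitly because ipaddress's is_private flag also
# covers documentation and other reserved blocks.
TRUSTED_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")
]


def inbound_decision(src: str) -> str:
    """Return 'allow' or 'block' for an unsolicited inbound connection."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "block"  # unparseable source address: fail closed
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it gets the same verdict
    # as the IPv4 address it carries.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.version != 4:
        return "block"  # native IPv6 is outside the rule described in the post
    if any(addr in net for net in TRUSTED_NETS):
        return "allow"
    return "block"


# Constructed sample sources (documentation ranges used for public addresses).
SAMPLES = [
    "192.168.1.20", "10.4.4.4", "172.16.5.1", "172.32.0.1", "169.254.10.2",
    "203.0.113.7", "::ffff:192.168.1.20", "::ffff:203.0.113.7",
    "2001:db8::1", "not-an-ip",
]


def evaluate(samples):
    """Map each sample source address to its verdict."""
    return {s: inbound_decision(s) for s in samples}


if __name__ == "__main__":
    for src, verdict in evaluate(SAMPLES).items():
        print(f"{src:24} {verdict}")
```

Under this rule a machine on the same private network is always allowed in, so the policy addresses exposure to the public Internet only, not traffic from hosts already inside the LAN.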