Re: Controversial paper - Good response article on ZDNet
From: Mack (macckone_at_a_nospamjunk123_ol.com)
Date: 10/15/03
- Next message: David A. Scott: "Re: Which algorithm would YOU choose for..."
- Previous message: Mack: "Re: Controversial paper - Good response article on ZDNet"
- In reply to: George Ou: "Re: Controversial paper - Good response article on ZDNet"
- Next in thread: Paul Rubin: "Re: Controversial paper - Good response article on ZDNet"
- Reply: Paul Rubin: "Re: Controversial paper - Good response article on ZDNet"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 15 Oct 2003 11:06:44 GMT
On Tue, 14 Oct 2003 06:17:33 GMT, George Ou
<533george_ou234@netzero234.com> wrote:
>On Mon, 13 Oct 2003 13:46:16 GMT, Mack
><macckone@a_nospamjunk123_ol.com> wrote:
>>>The point is, you can't punish a car maker for the actions of a
>>>malicious individual and you can't punish a software maker because a
>>>malicious individual uses a compromised system to take down the
>>>Internet.
>
>>In my state if you leave the keys in the ignition it is a crime and
>>you are liable if someone then steals your car and runs over someone.
>>If the car maker made a car that didn't need a key they would
>>be liable. Right now the software is the car without a key.
>>Right now the software does fail mysteriously way too often.
>>If it were a car the manufacturer would be held liable under
>>the "lemon laws".
>
>That's still absurd. In most small towns, people don't even lock
>their doors or their cars.
And most people on the internet don't lock their computers.
Weekly they get hijacked and most of the ones hijacked
don't even know it.
>
>>>If an OSS software had a design flaw that systematically attacked a
>>>website and brought it down, I don't care if it's free, the author
>>>should be liable. The same goes for pay software.
>>
>>If it is systematic then it is unlikely to be a design flaw.
>
>It's happened. Netgear's routers recently did a systematic DoS on a
>University's time servers and network. It was a flaw.
>
Now that is nasty, didn't hear about that one. I am sure Netgear
is getting sued over that one.
>>As for companies charging for software I believe they should
>>be fined relative to the amount of damage.
>>Harmless bugs=no damage.
>>Crashes Internet=major damage.
>
>And of course, you would nullify my agreement with my vendor if you
>had your way, thus taking away my rights. Sure you would let me sign
>it, but you wouldn't allow it to hold up in court. That's simply
>wrong no matter how you justify it.
>
>>I don't believe that every little bug should result in a lawsuit.
>>The serious ones should. Hospitals, Airports and Nuclear
>>facilities are large and complex systems. They have surprisingly
>>few major flaws in critical software, some of which is very complex.
>>Why should an OS or major application running on millions of systems
>>have so many and not be held accountable?
>
>I don't believe there should ever be lawsuits for flaws resulting
>from bugs if a vendor provides timely fixes. The owner of the
>software is more responsible for patching their software if the
>patches are available and they don't apply them. For Christ's sake,
>Windows XP defaults to download all critical patches in the background
>by default, the user just needs to hit "Apply".
>
>I only think there should be a lawsuit if a flaw in the software made
>it systematically attack a system.
>
I would prefer they fix the software before it ever gets out the
door. Do you have a solution to the problem that is better?
Some people who don't apply patches do it because of the
nasty damage caused by some patches in the past.
My system still hasn't recovered from Blaster patch I
Apparently one of the system crashes corrupted something.
>>That particular lawsuit led to all fertilizer having a chemical added
>>which prevents its use as an explosive. The chemical in question
>>had been previously offered as a preventative measure. The makers
>>refused because "it cost too much".
>
>The same thing could have been achieved another way without a lawsuit.
Name a way.
>
>But while we're at it, should we require all automobiles to have
>safety systems such that they are monitored by an operator with a fail
>safe in case someone decides to kill people?
That has been suggested. It is a relatively simple sonar braking
system.
>
>Should gasoline be made to only ignite in a combustion engine, so that
>they can't be used as fire bombs? While we're at it, what liability
If not for the extensive lobbying they would have but not for that
reason. The reason for doing so is to prevent explosions from
accidentally spilled gasoline.
>is in all those household products in "The Anarchist's cookbook"?
>Why have we not banned bathtubs yet?
>
>The reality is, there are bad people in this world that can make a
>weapon out of anything, and we have to deal with the people, not the
>household items they use. One only needs to look inside a prison to
>see what ingenious deadly weapons can be fabricated out of things that
>are specifically designed to be "safe".
Well the 'Patriot Act' did make it possible to give hackers the death
penalty as terrorists. So they don't have to worry about those other
ingenious inmates. They can be put to death in a nice safe sanitary
way.
>
>
>>Airlines in the 9/11 incident are being sued because even though
>>they knew that hijackers could easily get through the flimsy doors
>>on the planes better doors were not installed. Again, because
>>"it cost too much".
>
>That's a whole different beast. There should not be doors that lead
>to the cockpit from the passenger compartment. But again, it doesn't
>require a lawsuit to fix. Those people are just being greedy after
>getting 1.6 million dollars.
>
>
>
>Anyways, this is getting way too long. We need to be focused on real
>security, and not these distractions from so-called serious papers based
>on less than honorable motives of companies who stand to benefit from
>Microsoft's pain. You keep saying that it's too much to ask people to
>implement good security, but you're wrong. It can be done if good
>security is packaged. Blaster is a symptom of a much larger problem,
>and that's lack of firewall security.
>
>Microsoft has bundled an extremely effective solution in its ICF
>(Internet Connection Firewall) which only requires a simple "check
>mark" to activate. I think MS should take it a step further by
>activating it by default. The reason they have not done that is
>because of the home networking problems that it would create. But, it
>wouldn't be a problem if the default firewall permitted all private IP
>addresses inbound access by default and blocked all inbound for all
>public IP addresses. I think all the OS vendors should do this by
>default, and that alone would be the best thing that you can do for
>the Internet. Not some self serving paper.
ICF is far from effective. It prevents any non-standard TCP/IP stack
from running. This includes a large number of POPs connection
software. Before you even say it, I agree that they should change
to a standard package and use PPP. My DSL doesn't even
work with ICF and it uses the standard TCP/IP and PPP.
Yes, it prevents outside attacks but it also prevents me from
using the internet. ICF also prevents a large number of very
popular communication packages from working properly. AIM,
Yahoo IM, and mIRC just to name a few. ICF also does not detect
trojan substitutions.
I use an old version of TPF, it is very effective, doesn't crash, and
is totally user unfriendly, yes unfriendly. But somehow I managed to
teach my mother who can't even figure out how to use a web
browser how to use it.
>
>
>
>George Ou
>http://www.LANArchitect.net
Leslie 'Mack' McBride
remove text between _ marks to respond via e-mail