On Jan 16, 2016, at 07:15 , Patrick W. Gilmore <patrick@ianai.net> wrote:
On Jan 16, 2016, at 9:53 AM, Rich Kulawiec <rsk@gsp.org <mailto:rsk@gsp.org>> wrote:
On Sat, Jan 16, 2016 at 05:43:56AM -0800, Ca By wrote:
I see a great deal of folks on nanog clamoring to buy ddos gear. Packets are starting to become like spam email, where 90% are pure rubbish, and us good guys have to spend a lot of money and time sorting signal from noise.
I've said this many times: abuse does not magically fall out of the sky. It comes from hosts, on networks, run by people. It is time -- well past time -- to hold those people *personally* acountable.
Not doing so leaves us where we are today: millions -- heck, hundreds of millions -- of dollars are being spent on defenses THAT WOULD NOT BE NECESSARY if those people performed their jobs at a mere baseline level of competence and diligence.
Shared fate systems suck in some ways. But I disagree that “a mere baseline level of competence and diligence” is even close to what is required.
Making the owner of the host responsible for an attack -personally- responsible would require every grandma & 6 year old to have insurance before buying a laptop or Xbox. And would bankrupt your favorite startup no matter how smart & competent the first time a zero-day caught them by surprise.
Agreed… I think, instead, that the commercial purveyors of vulnerable software should be held liable.
Of course, forcing Uncle Bob to call his insurance carrier before buying a smartphone, and having San Hill Road take even greater risks when investing, and giving lawyers yet another vector for frivolous lawsuits, wouldn’t have the slightest effect on the global economy.
On the other hand, that 100s of millions of dollars is a rounding error in the wealth & public good created by that same shared fate system.
Overall, I think we’re doing well.
While I agree with you (scary, huh) about most of this, I do think that there is legitimate liability to be had by commercial software vendors that have so far held themselves immune to prosecution. We have already seen that vulnerabilities in open source software tend to get corrected much faster than in closed commercial software. We’ve also seen that opening up source code to inspection by the community tends to make the vulnerabilities known faster (which is a double-edge sword to be certain). I’m not saying we should eliminate closed commercial software, but I do think giving it a free pass on the liability for the damage it inflicts is something that should no longer be tolerated.
Before anyone pounces on me, I hate spam, dos, etc. as much as anyone else. (You know how much personal, unpaid time I’ve put into fighting both, Rich.) If we can find the originators of these things, we should hang them by their thumbs and beat them senseless. We should do everything we can to make ISPs implement BCP38, get software vendors to QA better, and educate users to be less, well, idiotic.
+1
But I am also pragmatic. Life sucks, it is not fair. But the idea of making either grandma or the network engineer at an ISP or even the CEO of a hosting company personally responsible for things like zero-days or minor errors which can be exploited to the tune of greater than their personal wealth or even their corporate market cap is a recipe for bringing everything to a screeching halt.
Agreed. Perhaps liability with some sort of safe harbor provision for corrections released within 30 days of notification of vulnerability would be a better choice than outright complete liability. However, if you want to sell software without giving users the ability to plug the holes you created, whether by design or by accident, should come with a responsibility to plug them on a timely basis.
I kinda like the ride we’re on, bumps and all. Let’s not bring it to a screeching halt.
Meh… If we did, a new ride would soon take its place. Owen