[In the message entitled "Re: Nato warns of strike against cyber attackers" on Jun 9, 0:26, Steven Bellovin writes:]
A liability scheme, with penalties on users and vendors, is certainly = worth considering. Such a scheme would also have side-effects -- think = of the effect on open source software. It would also be a lovely source = of income for lawyers, and would inhibit new software development. The = tradeoff may be worth while -- or it may not, because I have yet to see = evidence that *anyone* can produce really secure software without = driving up costs at least five-fold.
The vast majority of users that I interact with (and yes, I am first to admit that it has been only thousands, perhaps less than 10,000 over the years, so it is a small sample) are quite happy to be informed of a compromised system. It's not, for the most part, that they are malicious. Just unaware. The bad guys are very stealthy, and the "but, I can't see anything wrong on my screen!" is a huge obstacle to overcome. Once they are made aware of the problem, the vast majority work quickly to fix it. Yes, some are clueless. Some want "someone else" to fix it. But most are simply unaware that they have been owned, and want the infection gone. We've tried to educate users for tens of years of the dangers of unsafe computing. Doesn't work. The users have been trained to click and install whatever they are told, because "that makes it work". But when they _are_ compromised, and _are_ informed, most users do seek out a fix. Some will do it themselves. Some will hire someone to do it for them. When abuse desks content-filter reports, and don't pass on notifications to the customer, or "wait until there are more complaints", or... this ends up with networks that have massive levels of infection. Yes, I know - we're all busy, and abuse@ is kind of the last priority on most networks, but it really is bad out there, and we need the network operators to help. Please. For those network operators that would like a 5 year view on their network, please drop me an email with your ASN, and I'll be happy to send you a text file, xls, or ods (your pick) of a view of the historical spam traffic. No obligation, and no salesman will call. Really. --