RE: Stopping open proxies and open relays
Vivien M. wrote: Now, if hooking up an unsecured computer to a network was punishable by a $1000 fine, and law enforcement somehow had the staff to prosecute all offenders (or a representative sample), I'm sure everybody would agree that suddenly they'd be able to afford antiviruses.
It's not that I don't like the idea, but it's been tried before. Making stupidity punishable by fines does not work; if it did we would not have a budget deficit issue. Michel.
-----Original Message----- From: Michel Py [mailto:michel@arneill-py.sacramento.ca.us] Sent: February 7, 2004 12:43 AM To: Vivien M.; nanog@merit.edu Subject: RE: Stopping open proxies and open relays
Vivien M. wrote: Now, if hooking up an unsecured computer to a network was punishable by a $1000 fine, and law enforcement somehow had the staff to prosecute all offenders (or a representative sample), I'm sure everybody would agree that suddenly they'd be able to afford antiviruses.
It's not that I don't like the idea, but it's been tried before. Making stupidity punishable by fines does not work; if it did we would not have a budget deficit issue.
Well, it seems to work relatively well when it comes to motor vehicles... Oh, sure, there are still lots of morons driving unsafe poorly-maintained vehicles around, but I'm sure there would be WAY way more if traffic laws (and inspection requirements, etc, depending on your jurisdiction) went byebye tomorrow. The problem, in any case, is one of limited enforcement resources: triple the highway police force, and I'm sure a lot more morons will get caught/fined/forced to fix their vehicles. If stricter laws on computers forced even 50% of people to start caring a little more, wouldn't that be progress? The day a couple of grandmothers get taken away in handcuffs because a script kiddie took up residence in her computer is the day a few people will wake up to the fact that computers need regular maintenance... Vivien -- Vivien M. vivienm@dyndns.org Assistant System Administrator Dynamic Network Services, Inc. http://www.dyndns.org/
If stricter laws on computers forced even 50% of people to start caring a little more, wouldn't that be progress? The day a couple of grandmothers get taken away in handcuffs because a script kiddie took up residence in her computer is the day a few people will wake up to the fact that computers need regular maintenance...
The the script kiddie gets taken away in handcuffs and lined up for the electric chair is when we see progress. I think you're confusing the criminal and the victim! Adi
-----Original Message----- From: Adi Linden [mailto:adil@adis.on.ca] Sent: February 7, 2004 12:54 AM To: Vivien M. Cc: 'Michel Py'; nanog@merit.edu Subject: RE: Stopping open proxies and open relays
If stricter laws on computers forced even 50% of people to start caring a little more, wouldn't that be progress? The day a couple of grandmothers get taken away in handcuffs because a script kiddie took up residence in her computer is the day a few people will wake up to the fact that computers need regular maintenance...
The the script kiddie gets taken away in handcuffs and lined up for the electric chair is when we see progress. I think you're confusing the criminal and the victim!
I have no objection to the electric chair for script kiddies, but tracing them seems to be somewhat challenging sometimes. Identifying people who don't maintain their computers is usually easier :) And no, I'm not confusing the criminal and the victim. If you leave a loaded handgun on your front porch and I come along and take it, then shoot your neighbour's kid with it, then I would expect both you and I to be prosecuted (though not for the same crime, of course). Vivien -- Vivien M. vivienm@dyndns.org Assistant System Administrator Dynamic Network Services, Inc. http://www.dyndns.org/
On Sat, 07 Feb 2004 01:09:42 EST, Randy Bush said:
I have no objection to the electric chair for script kiddies
an interesting position. and how do you feel about folk who violate rfcs?
The Hague has tribunals for crimes against humanity... :)
Well, it seems to work relatively well when it comes to motor vehicles... Oh, sure, there are still lots of morons driving unsafe poorly-maintained vehicles around, but I'm sure there would be WAY way more if traffic laws (and inspection requirements, etc, depending on your jurisdiction) went byebye tomorrow. The problem, in any case, is one of limited enforcement resources: triple the highway police force, and I'm sure a lot more morons will get caught/fined/forced to fix their vehicles.
Maybe we should first have laws that prohibit making and selling computers without firewalls? In this context I should be fine making cars without brakes, and other security items and just accuse my customers of negligence if they happen to have an accident? Rgds, -GSH
On Sat, 07 Feb 2004 12:03:22 GMT, =?iso-8859-1?Q?Gu=F0bj=F6rn_Hreinsson?= <gsh@centrum.is> said:
Maybe we should first have laws that prohibit making and selling computers without firewalls? In this context I should be fine making cars without
This is going in the Very Wrong Direction. Consider that no firewall would have stopped MyDoom from spreading, unless it was sufficiently anal-retentive as to stomp on *outbound* SYN packets to anyplace except the user's preferred SMTP server (and even then, it would only slow things down, and is prone to "adjustment" by the worm similar to the way some malware turns off A/V software). When did Microsoft start *shipping* a firewall? Why are there still problems? Because it was shipped disabled. And they're doing the right thing and shipping with it enabled - but now there will be support calls on how to get a port open so XYZ will work... I wouldn't recommend trying to expand it to "prohibit making and selling computers that are insecure", since no computer is 100% secure, and there's no objective "secure enough" standard - closest you will get there is probably Dell's offer to ship machines pre-hardened to Center for Internet Security guidelines.
Valdis.Kletnieks@vt.edu wrote:
I wouldn't recommend trying to expand it to "prohibit making and selling computers that are insecure", since no computer is 100% secure, and there's no objective "secure enough" standard - closest you will get there is probably Dell's offer to ship machines pre-hardened to Center for Internet Security guidelines.
It would help if systems would only execute code that is signed properly. This would make malware traceable. However the current way of getting your code signed is in many cases too costly for the casual open source developer so people are used to running unsigned or selfsigned application even when the facilities to check signatures would already exist in the system. (though for example in Windows, signatures are only checked at install, not runtime) Pete
On Sat, 07 Feb 2004 20:27:11 +0200, Petri Helenius said:
It would help if systems would only execute code that is signed properly. This would make malware traceable. However the current way of getting your code signed is in many cases too costly for the casual open source developer so people are used to running unsigned or selfsigned application even when the facilities to check signatures would already exist in the system. (though for example in Windows, signatures are only checked at install, not runtime)
People are used to doing dumb things. Here's a depressing story: http://www.pcpro.co.uk/news/news_story.php?id=53390
participants (7)
-
Adi Linden -
Guðbjörn Hreinsson -
Michel Py -
Petri Helenius -
Randy Bush -
Valdis.Kletnieks@vt.edu -
Vivien M.