Are ISP's responsible for worms and viruses
Bruce Schneier seems to think so...

//////

http://www.theregister.co.uk/2005/10/19/schneier_talks_law/

By John Oates in Vienna
19th October 2005

RSA Europe 2005 ISPs must be made liable for viruses and other bad network traffic, Bruce Schneier, security guru and founder and CTO of Counterpane Internet Security, told The Register yesterday.

He said: "It's about externalities - like a chemical company polluting a river - they don't live downstream and they don't care what happens. You need regulation to make it bad business for them not to care. You need to raise the cost of doing it wrong."

Schneier said there was a parallel with the success of the environmental movement - protests and court cases made it too expensive to keep polluting and made it better business to be greener.

//////

Let's one up this and blame vendors like Microsoft and hold them liable too.

http://news.google.com/news?hl=en&ned=us&q=microsoft+patch+worm&btnG=Search+News

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x97B43D89
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x97B43D89

"How a man plays the game shows something of his character - how he loses shows all" - Mr. Luckey
RSA Europe 2005 ISPs must be made liable for viruses and other bad network traffic, Bruce Schneier, security guru and founder and CTO of Counterpane Internet Security, told The Register yesterday.
Are local town councils responsible for crack dealers and crack users when that activity takes place within the bounds of the town? In some countries, the answer is yes.

http://www.brent.gov.uk/www.nsf/0/19fbe6f14c0f0a8f80256ee600411b1c?OpenDocum...

To summarize: Brent is one of the boroughs that forms the English city formerly known as Greater London. Like most town councils in the UK, they own housing developments that provide homes for those unable to afford their own place to live, i.e. welfare housing. Even though there was not enough evidence to convict the powerful drug dealers, the council was able to leverage the Anti-Social Behaviour Act to eject the residents of a particular house/property.

These ASBOs (AntiSocial Behaviour Orders) are also used in the UK to deal with noisy neighbours, unruly people on buses, football hooligans, people with habits of getting drunk and disorderly, abandoned cars, etc.

Note that "The Register" is a UK publication. Also note that the substance of the above-quoted article is that various groups COOPERATED and WORKED TOGETHER to solve the problem. This included the police, the owners of the property, the users of neighbouring properties.

I hope you see the parallels here.

Mind you, it would help if some of the anti-abuse groups would band together under some umbrella organization that ISPs could join. Botnet researchers, SPAM fighters, etc. That way there could be some sort of good housekeeping seal of approval that ISPs can use to competitive advantage in the marketplace. At that point, money starts to talk and there is an economic incentive to clean up your act and get that "seal".

--Michael Dillon
On 10/20/05, Michael.Dillon@btradianz.com wrote:
Mind you, it would help if some of the anti-abuse groups would band together under some umbrella organization that ISPs could join. Botnet researchers, SPAM fighters, etc.
The Messaging Anti-Abuse Working Group (MAAWG) and the Anti-Phishing Working Group (APWG) are conducting a joint meeting in Montreal next month, largely focusing on phishing and zombies.

http://www.maawg.org/ -- you don't have to be a member of either organization to attend the main sessions.

--
J.D. Falk
a decade of cybernothing.org
<jdfalk@cybernothing.org>
registered 24 June 1995
Mind you, it would help if some of the anti-abuse groups would band together under some umbrella organization that ISPs could join. Botnet researchers, SPAM fighters, etc. That way there could be some sort of good housekeeping seal of approval that ISPs can use to competitive advantage in the marketplace. At that point, money starts to talk and there is an economic incentive to clean up your act and get that "seal".
What would help more would be if people realized that worms and viruses aren't like crack, they're more like biological WMD. As such, it is unlikely to be a productive solution holding the city where the WMD are being delivered liable. That becomes a game of legal whack-a-mole.

What is needed, instead, is to hold the companies selling the technology used to build these WMD liable. If companies that made vulnerable OSs were held liable for the damage caused by those vulnerabilities, you would rapidly see $$ make a BIG difference in the security quality of OS Software.

Why do we have seat belts in every car manufactured today? Because auto makers started getting held responsible for injuries caused by the failure to install them. As much as I think product liability law, especially in the US, has become insane, the software industry (where it so far hasn't really been applied) is one area SCREAMING for this to happen.

Eliminate (or even significantly reduce) the number of systems being sold with virus friendly toolkits and features enabled by default, and, you will go a long way towards reducing the spam and virus/worm problem.

Owen

--
If it wasn't crypto-signed, it probably didn't come from me.
Owen DeLong wrote:
If companies that made vulnerable OSs were held liable for the damage caused by those vulnerabilities, you would rapidly see $$ make a BIG difference in the security quality of OS Software.
How would that work for free/open source OSs/software? Who exactly would be held liable? The contributors? Free OSs are just as capable of sending out malware/virus infected emails, etc. as commercial systems.
Owen
Frem.
--On October 20, 2005 9:32:44 PM +0100 Freminlins <freminlins@gmail.com> wrote:
Owen DeLong wrote:
If companies that made vulnerable OSs were held liable for the damage caused by those vulnerabilities, you would rapidly see $$ make a BIG difference in the security quality of OS Software.
How would that work for free/open source OSs/software? Who exactly would be held liable? The contributors? Free OSs are just as capable of sending out malware/virus infected emails, etc. as commercial systems.
That depends:

Free closed source: I would presume the closed source provider or no one. Hard to assign liability when money did not change hands. No money, no duty to care in most cases. Product liability is pretty much limited to products that are sold.

Open Source: I would expect no liability exists because...

1. No money changes hands, no duty to care.
2. End user has full access to source, so, has at least shared responsibility for fitness to purpose.
3. Full access to source means end user cannot claim that vulnerability was hidden from end user.
4. Full access to source means end user has ability to correct vulnerability as soon as identified.

Finally, while your statement is theoretically true, in practice, resolutions to vulnerabilities in open source software tend to be delivered much faster than in closed source software. Even allowing for the difference in market share, the percentage of open source based systems which are owned and acting as spambots is much lower than the percentage of closed-source systems which are doing so. (note: in this, although it is hybrid closed/open, I'll even count MacOS X in the open source for this purpose).

Owen
participants (5)

- Freminlins
- J. Oquendo
- J.D. Falk
- Michael.Dillon@btradianz.com
- Owen DeLong