Mailing List Archive



Re: [tlug] System security and public policy [was: Anyone seen this gizmo yet?]



Edward Middleton writes:
 > Stephen J. Turnbull wrote:
 > > Edward Middleton writes:
 > >
 > >  > My preference would be to go the other way.  Make willfully ignorant
 > >  > users liable for damage caused by their computer usage,
 > >
 > > They already are.  The problem is that it's too expensive to follow
 > > up.  What are you going to do, sue 1 million members of a botnet and
 > > prove for each one that DDoS packets from their machine caused $10 of
 > > damage (eg, lost business on your website), and request $10 million of
 > > damages split 1 million ways?
 > >   
 > 
 > Require ISPs to put it in their TOS, and treat it like any other
 > network abuse.

First, you have to track the packets back to their sources.  Maybe you
can do that, but it's not going to be cheap.  Then you have to go
through "process" at the ISP.  So, suppose you succeed.  So they lose
their ISP.  *But that doesn't shine the victim's shoes.*  You're not
talking about liability, just an administrative slap-on-the-wrist.

OK, so now what?  Make the ISPs liable?  To do that, you have to
permit them to care about what their users send, which destroys their
common carrier status and opens the door to all kinds of abusive
practices in the name of avoiding liability (eg, my "ISP", aka "the
MIT of Japan", for many years didn't pass ICMP through the firewall; I
think now they just refuse "echo" packets).

 > This isn't a Windows-only problem.  I don't know any browser that
 > supports JavaScript and comes with it disabled by default,

Sue the browser authors.

 > and Flash has something like 90% market penetration.

Even more attractive.  Sue Adobe.

 > Couple this with the inability of users to determine whether something
 > came from a trusted source.

Dunno what to do about that.  Sure, you can make the users liable, but
that's hard to enforce.  I'm not sure I like the implications of
stripping the ISPs of common carrier status; we'll never get net
neutrality back.

 > > Sure, but what we're talking about here is not putting M$FT on a level
 > > playing field, it's a public health problem.  I don't want users to be
 > > liable for huge costs to run Windows securely, I want Windows to run
 > > securely.  It's most straightforward to achieve that goal by
 > > redesigning Windows to run securely by default.  
 > 
 > Microsoft's last attempt at this was Vista, need I say more.

Yes, I do believe you do need to say more.  You need to say what you
think Microsoft would do if they were faced with the possibility of
class action suits on the scale of what hit the tobacco industry in
the U.S.  "Let me tell you, them boys ain't dumb."  (Thank you, Mark
Knopfler!)


