Information Security News mailing list archives

corner the market; shoulder the responsibility


From: InfoSec News <isn () C4I ORG>
Date: Mon, 30 Oct 2000 19:33:45 -0600

Forwarded by: "lsi" <lsi () lsi clara net>

http://www.vandra.clara.net/opinions/damages.htm

October 30, 2000

"security experts" suggest harsher penalties for the creators of
viruses and worms such as I Love You, but this is missing the point.

Those viruses and worms would not be effective except for a particular
flaw in the design of a given piece of computing equipment.

This indicates that it is more likely the manufacturer of the
equipment which should be penalised, if anybody is to be, as it is
they that produced the defective product in question.

A witch-hunt does nothing to address the source of the problem: bad
code at Microsoft Corporation.

To step further back, there would not be such a problem at all, if
there were alternative manufacturers to choose from. The
anti-competitive nature of the personal computer operating system
marketplace leaves customers vulnerable.

That is, if there were alternatives to Windows, it wouldn't matter so
much about some-such virus that infects [a particular vendor's email
program].

A witch-hunt diverts attention from the systematic subversion of this
market by the same aforementioned Microsoft Corporation.

The consequences of negligent coding by this company are varied:

1. more benign virus, worm and trojan horse outbreaks
2. loss of privacy and increased exposure to espionage
3. increased exposure to hijacking (remotely seizing control of
   another computer and using it to commit further crime)

With reference to the first point, benign incidents are expensive;
cleaning up after Melissa was expensive enough, yet it did almost
nothing destructive; I Love You was more expensive - and took the
opportunity to delete data, JPEG and MP3 files - popular formats for
images and music. The next I Love You could be much more destructive -
and more expensive still.

With reference to the second point, the recent penetration of
Microsoft (by hackers) demonstrates the value of commercial
intellectual property, and the potential loss it represents, should it
emerge in the public domain.

With reference to the third point, it would be in everybody's interests
to ensure that their machines were not hijacked, since if they are then
used in a serious crime, the administrator of that machine may
well be questioned as to whether they had taken reasonable steps to
prevent such an occurrence. If they have not taken reasonable steps
they may be liable for damages.

The cost of damages sustained while this problem is resolved - and
there is no indication that such a resolution is likely anytime soon,
given the legal predicaments and proven ineptitude of the
aforementioned Microsoft Corporation, and the sluggishness of the
market they helped undermine - is likely to be very large.

Given that the aforementioned Microsoft Corporation has been found
guilty of anti-competitive trade practice, and given that even their
own network cannot be made safe - surely there is a case to be made
that the cost of the aforementioned damages should be borne by them.

It may be prudent to audit the cost of security, with respect to
operating system patches, upgrade expenses, downtime, lost
productivity and wages, etc., so as to present them in a log of claims
in a class action.

But perhaps most prudent would be to support, more than ever,
alternatives to Microsoft products. There is no business case to rely
on a single source or manufacturer of anything. And there are plenty
of reasons to nurture the life back into the market. But supporting
the status quo is a good way to demonstrate that you knowingly exposed
yourself to the risks.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".
