Information Security News mailing list archives
corner the market; shoulder the responsibility
From: InfoSec News <isn () C4I ORG>
Date: Mon, 30 Oct 2000 19:33:45 -0600
Forwarded by: "lsi" <lsi () lsi clara net>

http://www.vandra.clara.net/opinions/damages.htm

October 30, 2000

"security experts" suggest harsher penalties for the creators of viruses and worms such as I Love You... but this is missing the point. Those viruses and worms would not be effective except for a particular flaw in the design of a given piece of computing equipment. This indicates that it is more likely the manufacturer of the equipment which should be penalised, if anybody is to be, as it is they that produced the defective product in question. A witchhunt does nothing to address the source of the problem: bad code at Microsoft Corporation.

To step further back, there would not be such a problem at all, if there were alternative manufacturers to choose from. The anti-competitive nature of the personal computer operating system marketplace leaves customers vulnerable. That is, if there were alternatives to Windows, it wouldn't matter so much about some-such virus that infects [a particular vendor's email program]. A witchhunt diverts attention from the systematic subversion of this market by the same aforementioned Microsoft Corporation.

The consequences of negligent coding by this company are varied:

1. more benign virus, worm and trojan horse outbreaks
2. loss of privacy and increased exposure to espionage
3. increased exposure to hijacking (remotely seizing control of another computer and using it to commit further crime)

With reference to the first point, benign incidents are expensive; cleaning up after Melissa was expensive enough, yet it did almost nothing destructive; I Love You was more expensive - and took the opportunity to delete data, JPEG and MP3 files - popular formats for images and music. The next I Love You could be much more destructive - and more expensive still.

With reference to the second point, the recent penetration of Microsoft (by hackers) demonstrates the value of commercial intellectual property, and the potential loss it represents, should it emerge in the public domain.

With reference to the third point, it would be in everybody's interests to ensure that its machines were not hijacked, as if they are then used in a serious crime, then the administrator of that machine may well be questioned as to whether they had taken reasonable steps to prevent such an occurrence. If they have not taken reasonable steps they may be liable for damages.

The cost of damages sustained while this problem is resolved - and there is no indication that such a resolution is likely anytime soon, given the legal predicaments and proven ineptitude of the aforementioned Microsoft Corporation, and the sluggishness of the market they helped undermine - is likely to be very large.

Given that the aforementioned Microsoft Corporation has been found guilty of anti-competitive trade practice, and given that even their own network cannot be made safe - surely there is a case to be made that the cost of the aforementioned damages should be borne by them.

It may be prudent to audit the cost of security, with respect to operating system patches, upgrade expenses, downtime, lost productivity and wages, etc., so as to present them in a log of claims in a class action.

But perhaps most prudent would be to support, more than ever, alternatives to Microsoft products. There is no business case to rely on a single source or manufacturer of anything. And there are plenty of reasons to nurture the life back into the market. But supporting the status quo is a good way to demonstrate that you knowingly exposed yourself to the risks.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".