nanog mailing list archives
Re: Over a decade of DDOS--any progress yet?
From: Matthew Petach <mpetach () netflight com>
Date: Thu, 9 Dec 2010 00:37:28 -0800
On Wed, Dec 8, 2010 at 8:02 PM, JC Dill <jcdill.lists () gmail com> wrote:
On 08/12/10 1:38 PM, Valdis.Kletnieks () vt edu wrote:The second issue is that if you *do* establish a legal precident that software vendors are liable for faults no matter what the contract/EULA says,It doesn't matter what contract an auto maker makes with someone who purchases the car, if the brakes fail and the car hits ME, I can sue the auto maker due to the defective brakes. If they design the car in a way that a 3rd party can easily tamper with the brakes, and then the car hits me, I can also sue the auto maker. They are legally required to take due care in how they design the car to ensure that innocent bystanders aren't injured or killed by a design defect. IMHO, there's no difference in the core responsibility that software makers should be held to, to ensure that their software isn't easily compromised and used to attack and injure 3rd parties. The EULA is a red herring, as it only applies to the purchaser (who agrees to the EULA when they purchase the computer or software), not to 3rd parties who are injured. If the software doesn't work as designed and the purchaser is unhappy, that's between them and the company they bought the software from. But when it injures a 3rd party, that's a whole different ball game. I truly don't understand why ISP's (who bear the brunt of the burden of the fall-out from the compromised software, as they fight spam and have to provide customer support to users who complain that the "internet is slow" etc.) haven't said ENOUGH. jc
If you look at the national vulnerability database listings, though, it's really not clear who you'd need to go after: http://blogs.technet.com/b/security/archive/2008/05/15/q1-2008-client-os-vulnerability-scorecard.aspx Granted, that was two years ago; but it sure seems that just vilifying Microsoft, satisfying though it might be, would be to ignore the breadth of the problem. Matt
Current thread:
- Re: Over a decade of DDOS--any progress yet?, (continued)
- Re: Over a decade of DDOS--any progress yet? Dobbins, Roland (Dec 08)
- Re: Over a decade of DDOS--any progress yet? JC Dill (Dec 08)
- Re: Over a decade of DDOS--any progress yet? Jack Bates (Dec 08)
- Re: Over a decade of DDOS--any progress yet? Seth Mattinen (Dec 08)
- Re: Over a decade of DDOS--any progress yet? Curtis Maurand (Dec 09)
- Re: Over a decade of DDOS--any progress yet? Greg Whynott (Dec 09)
- Re: Over a decade of DDOS--any progress yet? Simon Leinen (Dec 11)
- Re: [nanog] Re: Over a decade of DDOS--any progress yet? Aaron Peterson (Dec 08)
- Re: Over a decade of DDOS--any progress yet? Valdis . Kletnieks (Dec 08)
- Re: Over a decade of DDOS--any progress yet? JC Dill (Dec 08)
- Re: Over a decade of DDOS--any progress yet? Matthew Petach (Dec 09)
- RE: Over a decade of DDOS--any progress yet? George Bonser (Dec 09)
- Re: Over a decade of DDOS--any progress yet? Lamar Owen (Dec 09)
- Re: Over a decade of DDOS--any progress yet? Rich Kulawiec (Dec 09)
- Re: Over a decade of DDOS--any progress yet? Matthew Petach (Dec 09)
- Re: Over a decade of DDOS--any progress yet? Valdis . Kletnieks (Dec 09)
- RE: Over a decade of DDOS--any progress yet? Drew Weaver (Dec 08)
- Re: Over a decade of DDOS--any progress yet? jim deleskie (Dec 08)
- Re: Over a decade of DDOS--any progress yet? Joel Jaeggli (Dec 14)
- Re: Over a decade of DDOS--any progress yet? Thomas Mangin (Dec 08)