On Dec 2, 2008, at 8:36 AM, Gerald Klaas wrote:
> Sue the ISP? Why would it be any easier for an ISP to determine
> that Granny's PC is pwn3d than it is for the rest of us? Why not
> sue Granny? (a la MPAA)
Only the ISP is able to fully monitor the network traffic of its
customers. It is not reasonable to expect ISP customers, or even
third-party monitoring services, to be able to track this problem
nearly as well. The simple impediment to a solution is that ISPs don't
want to inform their customers that they are part of a bot-net.
Customers are then likely to blame the ISP for having allowed bad
actors access to their system, and will expect expensive support as a
result.
ISPs need a financial incentive to deal with the bot-net issue, rather
than their current incentive to ignore the problem. If ISPs are to be
held accountable for containing a bot-net plague, they should be
allowed to impose additional fees whenever they detect a compromised
customer. Customers should be required to obtain bot-net insurance to
defray the costs related to dealing with bot-net systems. Insurance
companies that competitively set a price for their service will
assess the risks based upon the vulnerability and serviceability of
the infected OS being insured. Of course, insurance companies have
clearinghouses to rate repeat offenders.
Indeed, OS vendors are guilty of contributing to the problem.
Scrubbing compromised systems has been complicated by the snarled
amalgam of application settings, library extensions dependent upon a
plethora of data structures within each API, and an endless variety of
exchanged active content. When hardware vendors offer writable flash
on motherboards, video cards, hard drives and DVD drives, once a system
becomes compromised it becomes extremely difficult to ensure malware
does not remain hidden beneath some virtual device or file system.
This situation could be seen as being analogous to SUV manufacturers
whose products consume too much fuel, are dangerous to drive, and
are too expensive to repair. Customers may eventually opt for cleaner,
smaller, better organized, and ultimately much safer solutions.
Prices charged by insurance companies may help consumers make informed
decisions that are forced to consider the burden caused by unsafe
products. Any government regulation regarding consumer product
security is likely to favor those vendors able to influence
legislature, which seems unlikely to improve the situation. It would
seem that requiring bot-net insurance would offer the incentives
needed for market driven solutions.
-Doug
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
https://www.irtf.org/mailman/listinfo/asrg