[Dshield] Wired article on dealing with viruses and worms

Doug White doug at clickdoug.com
Thu Sep 11 17:17:29 GMT 2003


Schwarz is, in my opinion, of the Dr. Spock mentality.  That is, to prevent a
risk, remove the tool.
In the original Dr. Spock books on child rearing, completely left teaching
personal responsibility and ethics in the dust, instead replacing this tradition
with removing the exposure to the tools of disaster.  His opposition to corporal
punishment has so ingrained modern society, that it is criminalized in many, if
most jurisdictions today.
Following his logic, one would eliminate all firearms, because someone could
possibly use one to commit a crime, or to remove all automobiles for the same
reason. He taught that by placing all your coffee table trinkets in an
inaccessible place, would be the best way to prevent them from being damaged or
broken or damaged by the curious toddler. (one example)

Many computer users, use their systems for purposes other than was intended by
the maker and the operating system authors.  Many software developers add a
layer of security of their data by transmitting and receiving data over
non-standard ports.   Using his solution, all this room for innovation would be
simply eliminated, and narrow the actual availability of resources for
innovation that are there in the first place.  In any publicly accessible place,
and following human nature, there will be some that will exploit these resources
for nefarious purposes, some going nowhere, and some causing massive compromise
of unsecured and exposed systems.

On the periphery it is now a cottage industry to bash IBM, Microsoft and others
for their own supposedly lack of built-in security.  With all the exploits that
spread like wildfire, the idea that innovation gets lost.  Marketing and
competition leads the developers to add gee-whiz gizmos and features to their
offerings, and many of them are good, and well thought out, if one excludes any
thought of the "feature" being misused. by the miscreant.  Before Microsoft
became to dominant in the operating system deployment, the going cottage
industry was hacking into and cracking the security of Unix/Linux systems, which
incidentally is still alive and well.  Frequent updating and patching is
required for those systems just about as often as Windows systems.
Cracking into web servers (most of which are Apache) is still happening often
enough to make the news, as is windows vulnerabilities.

Of course, the mode the computer user is educated, and as skills grow, the
systems under their control are maintained in as secure a manner as possible,
however, one must be constantly aware that as more and more of the consuming
public becomes connected, there will always be entry level users who will have
to jump on the learning curve just as we all did in the beginning.  As long as
all these systems are co-joined by the miracle if the World Wide Web, and faster
"always-on" broadband connections, we will all be at risk for intrusions by the
miscreants.

If any solution were to be encapsulated into law, it would be a revision of
privacy statutes to better enable the victim to determine the source of the
intrusion and be able to associate it with a name, address, and geographical
location without the horrendous expense and associated delays of using the
courts system which is largely run and administrated by non-technical savvy
officials.  There likewise should be an accommodation for errors and omissions,
with the higher priority placed on intent.

Most of us geeks have dreamed of being the developer of the program, applet, or
system that will be the end-all, to die for, application that will make them
rich and powerful.  Few ever even consider that there is a procedure that must
be followed, just as it is important to document and test your code in a
non-hostile environment before releasing it to marketing.  Human nature and
imposed deadlines hamper this system, and shortcuts are frequently taken, and
precautions omitted.

Do we blame this on a lack of standards?  Perhaps so, but who is responsible for
setting them?  And who is responsible for policing them?  Anarchy has ruled the
internet from the very beginning, from domain registrars, to versions of DNS,
all the way to accounting software.  All suffer from a lack of enforceable
standards, probably better described as innovation.   They are always trying to
build the better mousetrap, right?  If I don't like your standards, and try to
do things in a different, hopefully a more efficient way, am I so wrong?


======================================
Stop spam on your domain, use our gateway!
For hosting solutions http://www.clickdoug.com
Featuring Win2003 Enterprise, RedHat Linux, CFMX 6.1 and all databases.
ISP rated: http://www.forta.com/cf/isp/isp.cfm?isp_id=772
Suggested corporate Anti-virus policy: http://www.dshield.org/antivirus.pdf
======================================
If you are not satisfied with my service, my job isn't done!

----- Original Message ----- 
From: "Mark Squire" <msquire at lagraphico.com>
To: <list at dshield.org>
Sent: Thursday, September 11, 2003 10:58 AM
Subject: [Dshield] Wired article on dealing with viruses and worms


What do you all think of Schwarz's comments?

http://www.wired.com/news/infostructure/0,1377,60391,00.html
_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list




More information about the list mailing list