[Dshield] Blackworm liability with ISPs?

Kenneth Coney superc at visuallink.com
Fri Feb 3 01:38:26 GMT 2006


There is no way of certifying a machine as being Internet safe because
between the time of the certification issuance and the customer getting
the machine home and connecting it to the web sometime next week new
exploits and related malware will emerge, sometimes weeks before the new
patch or fix.  Joe Sixpack's "certified safe" machine could therefore
become corrupted within minutes of going on line for the first time.
Should he then sue the certifier?  Further, not all third party
softwares mesh seamlessly with each other.  If you start patching
everything willy nilly you will soon find yourself with some programs
that now run strangely or not at all.  Years ago a popular website
offered a free online audit that crawled through your machine with a
script and automatically stuck in the latest version or patch for all
software it found no matter what it was.  Some machines quickly became
paperweights after rebooting when the script or its writers made
errors.  The website replaced the script with a tamer version that
instead merely suggested patches.  Some users are totally unaware of the
third party software in their machine.  How many home users know about
Detto Technologies, Bounce or Otto from Compaq, or know about the
Gemplus, Gentee, Koan, Acme, Oak Technology or NewSoft software in their
machines and exactly what and how they do?  If they didn't see the name
on the disk when they installed a game or utility CD, how do you want
them to know those 3rd party softwares are there?  We still have
thousands of users who are completely clueless when told to go to
Program Files and who need careful instructions on how to do that much.

I don't like licensing users because it will quickly become a filter
used to keep the bulk of humanity off the Internet where "dangerous"
thoughts, concepts and knowledge can be found.  Even a simple test with
a low nominal fee will effectively close cultural, economic and
educational doors that should not be closed to many who won't have the
nominal fee.  There are places where portable generators running on
scavenged gasoline power the village PC that connects every few days.
You want them to have testing and pay fees too?  No organization will be
content with a $1 fee that authorizes everything.  $5, $10, $20 and $100
or more fees will quickly follow.  Within months there will be lower
school licenses for kids in school, licenses that only allow web access
during the hours of.., every third Monday, Monday to Friday, from 9-5
licenses, Telecommuter browser licenses, 24 hour licenses, web cam and
VOIP authorization riders, techie licenses to allow pinging and other
"dangerous" practices unsafe for children and their morality, annual
certification testing, International access licenses, semi annual
certification testing, etc.  All fee driven.  All powering a huge paper
pushing bureaucracy that will within a year forget why it all began and
become more interested in generating new fees than in ensuring a safe
Internet.  Log on will require licensing verification.  Internet data
analysis police to search for Internet users whose license has expired
or who has visited a site his license didn't approve him to see, etc.
Yes, they will fine users whose browser doesn't display the latest AV
license signatures, and fine those with bogus signatures too.  We will
applaud their heroism as they force their way into the homes of those
unlicensed users with obsolete software patches.  The Internet will
become so safe, no one will bother to go there.  Only an elite few will
be able to afford the required fees.

I don't pretend to know the solution.  I do know the two above aren't
it.  I am beginning to see a trend of people who were initially excited
about computers turning them off and walking away.  They are finding
weekly patching to be a pain and a nuisance they aren't interested in.
The saturation limit for Joe Sixpack updating is once, and occasionally
twice a year.  Make him do it every quarter, and he finds excuses to not
turn the computer on.  Make it more often, and he finds a way to go back
to the typewriter.  Automatic updating is fine, IF no reboot is
required, and IF a long distance call appearing on the phone bill is not
involved.  Nothing worse than suddenly hearing your modem in the next
room dialing out at 3AM.  Spyware, or auto update?  Only the techie
knows.  Fortunately fewer ISPs in the US require long distance calls.  A
decade ago I couldn't get on the Internet without a $3 phone call just
to connect.  Getting the mail at 28K with a dial up always cost me $5 or
more.  Got a local provider these days.  That makes it easier.  Still
don't have DSL or cable out here, but maybe someday.  Assume Joe Sixpack
lives near here (he does), now come up with a solution that he is
comfortable with, that keeps him online so he can be dragged kicking and
screaming into a global society.
