On 09-Jun-2010, at 12:36 PM, Patrick W. Gilmore wrote:

> On Jun 9, 2010, at 12:26 AM, Steven Bellovin wrote:
> 
>>> Problem is there's no financial liability for producing massively 
>>> exploitable software.
>>> No financial penalty for operating a compromised system.
>>> No penalty for ignoring abuse complaints.
>>> Etc.
>>> 
>>> Imagine how fast things would change in Redmond if Micr0$0ft had to pay the 
>>> cleanup costs for each and every infected system and any damage said 
>>> infected system did prior to the owner/operator becoming aware of the 
>>> infection.
>>> 
>> 
>> It isn't Microsoft.  It once was, but Vista and Windows 7 are really solid, 
>> probably much better than Linux or Mac OS.  (Note that I run NetBSD and Mac 
>> OS; I don't run Windows not because it's insecure but because it's an 
>> unpleasant work environment for me.)
>> 
>> Microsoft is targeted because they have the market.  If Steve Jobs keeps 
>> succeeding with his reality distortion field, we'll see a lot more attacks 
>> on Macs in a very few years.  It's also Flash and Acrobat Reader.  It's also 
>> users who click to install every plug-in recommended by every dodgy web site 
>> they visit.  It's also users who don't install patches, including those for 
>> XP (which really was that buggy).  There's plenty of blame to go around 
>> here....
>> 
>> A liability scheme, with penalties on users and vendors, is certainly worth 
>> considering.  Such a scheme would also have side-effects -- think of the 
>> effect on open source software.  It would also be a lovely source of income 
>> for lawyers, and would inhibit new software development.  The tradeoff may 
>> be worth while -- or it may not, because I have yet to see evidence that 
>> *anyone* can produce really secure software without driving up costs at 
>> least five-fold.
> 
> I agree the miscreants go for the bigger bang for the buck.  That said, 
> earlier versions of Windows really were soft targets.  I don't know enough 
> about Win7 to comment, but I respect Steve and will accept his opinion.  
> Let's hope MS keeps up the good work - I do not want to bash Windows (no 
> matter how fun it is :), I want to stop being attacked.
> 
> But it is not -just- market share.  There are a lot more Windows Mobile 
> compromises, viruses, etc., than iOS, Symbian, and RIM.  I think combined.  
> Yet Windows Mobile has the lowest market share of the four.  So unless that 
> is spill over because Windows Mobile & Windows Desktop have the same 
> vulnerabilities, it shows that market share is only one piece of the puzzle.
> 
> All that said, the biggest problem is users.  Social Engineering is a far 
> bigger threat than anything in software.  And I don't know how we stop that.  
> Anyone have an idea?
> 
Remove the users. The problem goes away. Just kidding on that. Really, the only 
way ahead is educating the users of the threats and all and maybe a "learning 
experience" is due for most of them.
> -- 
> TTFN,
> patrick
> 
> 

