[wplug] OT: "Enough" security

Bill Moran wmoran at potentialtech.com
Mon May 16 08:20:26 EDT 2005 

Michael Smith <michael at smith-li.com> wrote:

> The HT Security notice that's been circulating recently brings to 
> mind...
> 
> I've been interested for some time in the personal responsibility 
> ramifications of I.T. security. Should a home user be held responsible 
> for attacks launched from his zombie computer based on the fact that he 
> didn't (know to) secure it properly?
> 
> What about power users? Should those of us with more computer literacy 
> than the average user be more responsible for securing our systems?
> 
> I think the answer to both of these questions is "yes," as a matter of 
> degrees. Given, however, that no connected computer can ever be 100% 
> secure, how much is enough? If my mom leaves windows automatic updater 
> running, and antispyware and antivirus active and UTD, is she then 
> fulfilling her responsibilities as a member of the Internet community?

I think there's a balance between control and responsibility.  If you want
to have 100% control over your computer (like must of us power users do)
then you assume 100% responsibility for what happens with it.  If you don't
want 100% responsibility, then you need to be willing to give up some
control.

I think there's a market for "leased" computers, where the user only has
a normal user account, and the lessor is responsible for anything that
goes on with that computer.  If the user wants some particular software
installed, he must contact the lessor to have it done (probably remotely).

Linux/BSD are excellent candidates for this kind of system, BTW, because
they are easy to manage remotely.

A lot of users won't like this, because they'll have to plan when they
want new software, and they won't be able to steal software.  Other users
might be overjoyed to know that it's someone elses problem.

> What about me? Does the fact that I run a highly customized Gentoo box 
> leave me with more responsibility, or does keeping it up-to-date and 
> keeping my overall network secure fulfil that?

I think you're doing you due diligence.  Of course, that's not an 100%
guarantee.  But, in your case, you're not a huge target.  You're just
someone that a crook wants to hijack to add to his botnet.  If he
can't get in on the first few tries, he'll move on to an easier target.

> What are your thoughts? If anyone knows the legal ramifications, that'd 
> be interesting, and I'd also like to know your positions on the 
> morality of the matter.

The biggest problem on the Internet right now is the botnets.  It's easy
for a criminal to hijack thousands of computers, backdoor them and use
them for just about anything (most spam is sent this way these days ...
there was an interesting talk at BSDCan last week by the OpenBSD guys).

The only way that I can think of to shut down the botnet problem is to
make it much harder to create botnets.  In order to do that, someone has
to start taking responsibility for the 1000s of unsecured computers out
there.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com

More information about the wplug mailing list