North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: Level3 routing issues?
- From: Scott Francis
- Date: Mon Jan 27 05:00:27 2003
On Sat, Jan 25, 2003 at 06:51:01PM +0000, firstname.lastname@example.org said:
>>> True altho it does appear to affect MS more so than it ought to even
>>> their market lead.
>> What evidence do you have here? If I count the number of DDOS attacks
>> from insecure Linux boxes that we've seen in the last year, I'd say that its
>> on par.
> I think you are on the right lines below in suggesting that products and
> services should be supplied safe and not require additional maintenance out of
> the box to make them so (additional changes should make them weaker)
"secure by default" is a wonderful goal that has, to date, failed to reach
very many vendors, either commercial or otherwise. As the number of hosts
connected to the Net continues to rise, and as broadband continues to spread,
we can expect to see the damage caused by insecure software grow. When the
damage reaches a certain critical mass (whatever that may be; I thought we'd
have reached it already), those who are coughing up millions of dollars (if
not now, that figure will certainly be realistic very soon) to deal with the
effects of insecure software will eventually stop accepting this as merely
"the way things are". At that point, the lawyers will get involved, and there
will be a change in the way software liability is viewed, and a resulting
change in the focus from vendors (commercial ones, anyway).
When the costs of releasing insecure and buggy software exceeds the profit
from doing so, vendors will make security a priority. Not before.
(As far as free/open software goes ... figuring liability there could be
significantly more tricky, if the lawyers decided it was worth it at all.
Microsoft, for instance, makes a much more lucrative target (and a better
public lesson) than suing, say, the Apache Group. Most commercial software
licenses declaim any and all responsibility, as do their GPL/BSD
counterparts, but commercial entities are easier to chase down legally.)
IANAL, nor am I a fortune teller. I also admit to far less operational
experience than most of the folks on this list. This is what I see coming. I
suppose time will tell whether I'm a crackpot or a visionary. :)
-= Scott Francis || darkuncle (at) darkuncle (dot) net =-
GPG key CB33CCA7 has been revoked; I am now 5537F527
illum oportet crescere me autem minui
Description: PGP signature