[e2e] Re: crippled Internet

Mike Fisk mfisk at lanl.gov
Thu Apr 19 13:23:13 PDT 2001


On Wed, 18 Apr 2001, Ted Faber wrote:

> On Wed, Apr 18, 2001 at 04:10:19PM -0700, Mike Fisk wrote:
> > On Wed, 18 Apr 2001, Ted Faber wrote:
> >>[My Mom should be financially responsible if her machine gets hacked?]
> > 
> > Many folks have suggested that the security/quality of software won't be
> > improved until the financial effects of poor quality software are felt by
> > customers.  This is usually mentioned in the context of CFOs looking at
> > ownership costs, but it could apply to consumers as well.  If network
> > providers, the victims, law enforcement, and other parties are to spend
> > money reacting to such incidents, why not place some of the burden on the
> > owners of systems that enable such attacks?
> 
> Keeping individual network nodes secure is such an arms race that
> requiring individual commodity users to keep on top of it is
> excessive.  The benefit of having a computer in your house to read
> e-mail and buy books from Amazon is only worth so much hassle, and if
> the risks are financially significant, users will simply stop using
> the service.  Driving away most of the Internet's users will make it
> more secure, but less useful.

A machine that only supports basic, client-side applications could be an
order of magnitude more secure than today's typical machine that has lots
of network services enabled.  Beyond that, people know how to avoid having
many of the types of vulnerabilities that continue to persist (automatic
bounds checking, type safety, sandboxes, etc.), but there is very little
incentive for anybody to take the time to implement them.

> Consider the credit card industry.  The financial effects of credit
> card fraud are at least as significant as Internet security, and the
> result hasn't been increased liability of cardholders who don't
> properly protect their card information, but the opposite.  User fees
> and interest rates get a little higher, and if a card is compromised
> the credit card company usually detects it and indemnifies the
> manufacturers.  That service is paid for by higher interest rates and
> user fees.  That seems like a more likely model than requiring users
> to become security experts.

So there is a possibility that society will decide to amortize these costs
into the system as a sort of insurance policy.  As in other areas, people
may purchase their own insurance.  Maybe when I lease my Windows 2010
terminal, the price will include some cost of insurance (whether held by
me or the manufacturer) to cover the costs associated with break-ins.
That will give me an incentive to pick a brand of terminal with lower
insurance costs.  And that gives all of the manufacturers a reason to
improve in quality.

I can read Consumer Reports, or the insurance industry tests and learn
that a Volvo is statistically safer than a Ford Pinto without having any
kind of knowledge about mechanical engineering or automobile safety.

ISPs could also use other forms of negative feedback, such as terminating
service, that don't depend on financial penalties.

-- 
Mike Fisk, RADIANT Team, Network Engineering Group, Los Alamos National Lab
See http://home.lanl.gov/mfisk/ for contact information



