[e2e] Re: crippled Internet
Henning G. Schulzrinne
hgs at cs.columbia.edu
Thu Apr 19 10:24:06 PDT 2001

Ted Faber wrote:
> 
> On Thu, Apr 19, 2001 at 05:23:34PM +0100, Lloyd Wood wrote:
> > On Wed, 18 Apr 2001, Ted Faber wrote:
> > > Unless I've misunderstood you, you're going to charge my Mom if her
> > > Windows box gets hacked and used in a DoS attack on Yahoo.
> >
> > If the traffic generated by Mom's Windows box has a faked source
> > address, someone else could end up paying for the traffic Yahoo
> > generates (in good faith) in return.
> 
> That seems to be a potential outcome of the proposal.  I can't tell if
> you think that's good, bad, or indifferent.
> 
> I agree that computers hijacked for DoS impose real costs on other
> users.  I don't think that the burden of securing them using current
> technology can reasonably be placed on users.  It's more reasonable to
> have someone indemnify the ISPs (Internet malpractice insurance, if
> you will) and have them pass that cost indirectly to users.  Such an
> insurer will make ISP requirements, etc.  And obviously, if a user
> decides to surf uninsured when such insurance is available, then
> they're personally liable.
> 
The insurance model has the advantage that it still creates the
appropriate feedback. Just like automobile manufacturers need to make
sure that their crash rating is reasonably good to avoid their buyers
paying excessive premiums and like home insurance agencies impose
certain conditions, this might get the OS vendors and developers to pay
attention to security. ("If you want to insure that Windows 3.1 system
here, this will cost you $100/month. Linux/NSA is only $1/month. We'll
give you a good-driver discount if you subscribe to the automated
security bug fix service.") Right now, there is no real incentive for
users or their admins and vendors to fix their systems, as long as the
attacks only use them as a springboard (as in the typical Outlook
viruses).
-- 
Henning Schulzrinne   http://www.cs.columbia.edu/~hgs
    
    