North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: botnets: web servers, end-systems and Vint Cerf

  • From: Roland Dobbins
  • Date: Fri Feb 16 13:25:40 2007
  • Authentication-results: sj-dkim-7; [email protected]; dkim=pass ( sig from verified; );
  • Dkim-signature: v=0.5; a=rsa-sha256; q=dns/txt; l=1836; t=1171647999; x=1172511999; c=relaxed/simple; s=sjdkim7002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version;; [email protected]; z=From:=20Roland=20Dobbins=20<[email protected]> |Subject:=20Re=3A=20botnets=3A=20web=20servers,=20end-systems=20and=20Vin t=20Cerf |Sender:=20; bh=lALI95tvyeDDzALC2Uogk4tIrM6zRfNeelSyfqFD6Y0=; b=h9F1oH1qGcFpR7QhoJ+LpCqfEHqefAUgrpH+x9/kq4Ej+X1ei1vx5GE5bWckomx2Q0NWLh0b JcFYsmzFKbGWu2vJ3uzCV1up9HVuT2fDbgoQnME7o2oVG7Yux+Tmam0E;

On Feb 16, 2007, at 9:12 AM, <[email protected]> wrote:

It is regularly done with servers connected to the Internet.
There is no *COMPUTING* problem or technical problem.

I beg to differ. Yes, it is possible for tech-savvy users to secure their machines pretty effectively. But the level of technical knowledge required to do so is completely out of line with, say, the level of automotive knowledge required to safely operate an automobile.

The problem of the 100 million machines is a social or business problem.
We know how they can be secured, but the solution is not being

We know how -people with specialized knowledge- can secure them, not ordinary people - and I submit that we in fact do not know how to clean and validate compromised systems running modern general-purpose operating systems, that the only sane option is re-installation of OS and applications from scratch.

There have been very real strides in increasing the default security posture of general-purpose operating systems and applications in recent years, but there is still a large gap in terms of what a consumer ought to be able to reasonably expect in terms of security and resiliency from his operating systems/applications, and what he actually gets. This gap has been narrowed, but is still quite wide, and will be for the foreseeable future (witness the current renaissance in the area of browser/HTML/XSS/Javascript vulnerabilities as an example of how the miscreants can change their focus as needs must).

Roland Dobbins <[email protected]> // 408.527.6376 voice

The telephone demands complete participation.

-- Marshall McLuhan