In message <20040610051613.GJ20881(a)stateless>, Nicholas Lee writes:
> On Thu, Jun 10, 2004 at 04:58:31PM +1200, Ewen McNeill wrote:
>> [... suggesting] anti-spam legislation, a legal duty be placed on people not to connect/allow to remain connected an insecure/0wned/infected system under their control.
> Unlike vehicles, access to the internet for most people is not via a "public road". [...] A WOF/license for driving the internet just seems like needless legislation.
I actually didn't suggest a WOF/license for driving on the Internet (this time -- although I do actually think it's a good idea). What I suggested was that those who have allowed systems they own to become unsafe/damaged so that they cause harm to others should be made responsible for that harm.

And it doesn't seem like needless legislation to me. It's not _my_ systems (or any of the ones I'm responsible for administering) which are sending thousands of spam messages, viruses, worms, to machines across the world. I just get to receive thousands of them a day via all these machines of people who are not taking responsibility for the systems they're connecting to a common resource (viz, the Internet).

As Juha says there is a problem with patches not being available. I'd be quite happy to allow "no vendor patch" as a complete defense for the end user (although if the issue is well known the vendor should perhaps be culpable). I'd even be willing to concede "vendor patch too recently released, couldn't patch everything" within a reasonable amount of time of the patch coming out. Simply persuading someone to take responsibility for the never-been-patched, installed-stuff-at-random, insecure-OS-design boxes would dramatically reduce the problem.
> ISPs already have the power to regulate users this way via their TOS. It's clear though that all ISPs would have to subscribe to the above for it to have long-term effect.
The days of ISPs taking responsibility for the actions of their users appear to be a fading memory. It's unlikely any ISP would block users with infected machines these days unless all ISPs did it; the only way that all ISPs are likely to do it is if it's a legal requirement. (Otherwise it's a prisoner's dilemma situation.)

Ewen