Linux Today: Linux News On Internet Time.

Editor's Note: Instead of Throwing Everyone In Jail, Fix Your Lousy Products

Dec 05, 2008, 23:03

by Carla Schroder
Managing Editor

Jim Sansing wrote an excellent rebuttal, Punishment vs. Prevention, to Mikko Hypponen's article Growth in Internet crime calls for growth in punishment. Mr. Sansing's article has several ideas that are considerably more sensible than Mr. Hypponen's:

"The truth is, much of the problem is technological."

Then he makes several good suggestions on preventive technological measures, such as establishing a certification program for secure programming, and strong security in common Internet protocols. To me they make more sense than the usual tired, useless advice emitted by the security industry, which in all these years of "fighting" malware has not advanced beyond "Don't open suspicious attachments and be careful which Web sites you visit, oh and buy our products." They do not address prevention at all; they're still stuck at locking the barn door after the horse has been stolen. Competing products war with each other and suck up system resources like drunks on benders. Windows users might as well just connect all their computers to each other and let them duke it out on their own.

Have any of them-- has one single vendor, whether it's Symantec or Trend or McAfee or F-Secure or anyone-- ever said "Quit throwing your money down a rathole-- stop using Windows, or at least don't put it on the Internet"? Wouldn't that little tidbit of honesty be refreshing? But no, they'll never do that. If the same conditions existed in, say, the small home appliance industry, people would be getting electrocuted by their toasters and hair dryers every day, the manufacturers would advise them to learn correct handling of live wires, and a thriving industry of insulated safety garments would prey on the survivors. If they made safety gear for swimmers, it would be so bulky and uncomfortable that they either wouldn't use it or would drown under the weight of it.

Following current trends, anyone who criticized them would be persecuted under the DMCA.

Feh on the Security Industry

I've been unimpressed by the computer security industry for many years. They're reactive, marginally effective, have an unhealthy dependence on the status quo, and they're way too willing to give their corporate buddies a pass on the very same egregious behaviors that they condemn when it's someone who is not a fellow goodoldboy. Or goodoldgirl, as the case may be.

My favorite example is the infamous Sony rootkit (the first one, not the second one). F-Secure doesn't look very heroic in that fiasco, despite their heroic efforts to appear heroic:

"It didn't take a computer scientist with a PhD to sniff out Sony BMG's software glitch. It was spotted by John Guarino, owner of TecAngels.com, a two-person PC-repair outfit in midtown Manhattan...After investigating, he discovered that it was Sony BMG's software.

"That's when F-Secure got into the act. Guarino sent an e-mail to the Finnish company..."

The article goes on to explain why F-Secure didn't go public:

"F-Secure and First4Internet made little progress because they couldn't agree on the terms of a nondisclosure agreement."

When Mark Russinovich broke the story, F-Secure followed hot on his heels and glommed the glory. Interestingly, and I am sure it's a total coincidence and completely unrelated, Microsoft purchased Mr. Russinovich's company, Sysinternals, a few months later. It's ever so cynical to believe that they were purchased to silence any possible future outbursts of truth; why would a company that is whole-hog into FUD, DRM, lock-in, and controlling customers' equipment and data want to do that?

Not Only Bribes, But Lousy Bribes

I don't do many product reviews because I can't afford to purchase many items for independent reviews, and if I do accept a review unit then I am forced to deal with the vendor more than I want to, which is often not a positive experience. My absolute worst experiences were with security products. I still remember some Internet-gateway-in-a-box thingy that I reviewed some years ago-- it was hot purple with gaudy orange cables. I commented on the colors in the review, and the vendor crabbed at me about it. It had very noisy cooling fans, which is not a good thing for a device billed as "place it anywhere, even on your desk!" Right, if you want hearing loss. They didn't like that either. My advice to make it quieter, in both color and noise, was not appreciated; instead they got on my case.

After the first Sony rootkit debacle things heated up for the security industry, and some of them were desperate for some good press. I won't name names because I'm chicken, but suddenly I was getting offers of all-expenses paid trips to conferences, cool hardware things for "permanent loan", and all the (Windows-based, of course) software I wanted. I hate conferences, especially the kind infested with clingy parasitical propaganda people, and I don't need gobs of stuff cluttering up my house, so even if I were receptive they weren't hitting the right buttons. The worst offer of all was to be a salaried in-house shill writing white papers and "helpful" "technical" articles. Easy half-time work for full pay! I don't mean to sound like I think I'm some kind of saint, but I do have some pride, and if all I wanted to do was make money I'd be a drug dealer because it's more honorable.

While law enforcement does need to join the new millennium and have a role in investigating and prosecuting cybercrime, it's only useful after a crime has been committed. When anyone talks about involving law enforcement in prevention, it almost always means eroding more of our liberties and invading our private lives even more. So please read Jim's article, and if you have any additional suggestions I'd love to hear them. It would be nice to actually figure out what to do before every thought, word, and deed is criminalized.