As an alternative, I believe that civil or criminal liability on the part of the "victim" who allows their box to be used for attack propagation is something that should be considered.

Consider an automobile analogy: If someone hotwires my car while it is parked in my driveway, and then they go out and wreck some other cars, I MAY have no liability. If I just left the keys in the ignition while it was parked on the street, I most assuredly failed in any common sense manner to exercise due care, and if the thief kills someone I could easily see that I might have a difficult time in court keeping my home, and perhaps even staying out of jail.

As a first step, applying civil law to reclaim damages resulting from improperly secured hosts would probably raise quite a bit of awareness, and improve the base security of most machines on the net. Of course, the global nature of the threat coupled with the jurisdictional limitations of civil law pose a challenge.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/203/24151#24151