2003-12-15
It shouldn't be a crime to reach out and hack an infected machine that's attacking your network.
Great idea...all I have to do is spoof an attack on you from my enemy, and you'll take him out for me!
2003-12-16
Anonymous
When Striking Back is The Best Defense, use SPIKE Proxy!
2003-12-16
Dave Aitel (1 replies)

There are two major problems with this type of approach, as I see it. The first is determining that an attack on another machine is, in fact, retaliatory. This may be "obvious" in some cases; not so much in others.
More importantly, consider that your real enemy is not a machine, but a person. If you propose a countermeasure that mitigates another computer's capabilities, be prepared to answer for it when someone writes a program that tricks your system into unleashing the countermeasure on an unsuspecting target.
(These are both utilitarian arguments. Your moral argument seems to be the computer equivalent of "an armed society is a civil society." It doesn't really stop the NRA when that argument is rebutted, so I won't try it here, except to provide examples of armed, uncivil societies -- rural Afghanistan or Somalia, for example. What does the Internet have that they don't have? Law?)
But you don't want to hear why your proposed solution is wrong -- you want "your own solution." Well, holding the administrators accountable for patching servers and vendors for writing quality software and responding to security breaches in a timely manner? As a compromise, we could hold them accountable by terminating their internet access after a documented period of non-compliance, after suitably informing them of the problem.
Sorry if that's too banal for your inner Wyatt Earp, but I think it's a good deal fairer to people who are both perpetrators and victims -- and, occasionally, even well-meaning folks like yourself!
Link to this comment: http://www.securityfocus.com/comments/columns/203/24153#24153