Norbert Bollow wrote:
Claudio Jeker jeker@networx.ch wrote:
Actually what about Microsoft and all those other big shot software companies distributing crap and providing the hotbeds for the botnets?
What kind of legal rule would provide an appropriate disincentive to software companies regarding this?
None.
Especially operating systems are made for running code on. Bots are just normal programs; fortunately they kinda behave in a weird way so that they can be detected. How is any software author going to protect against that? There is a way of course: require signed code for everything, and we all know what a public outcry it was when Microsoft required drivers to be signed (which, as everybody else knows, stopped a lot of these random crashes and bluescreens as suddenly only working drivers were being used...). And then of course if M$ would push signed applications there is always the propaganda about 'freedom' and 'being restricted' etc. Nokia's S60 platform (and some others) requires signed binaries, the iPhone does so too; does that work for you, or are you unhappy that you have to pay upwards of 5000 EUR to be able to play in the S60 game?
Operating systems give us the freedom to deploy any kind of application; this, though, also allows any stupid person to simply click on that .exe in that email, or "download that new version of Flash", and other nice tricks. There is not much any software author can do about these tricks, as from the OS point of view people are just installing yet another normal program. Nothing special.
Fortunately for the authors of software the licenses applied to most "Open Source" software contain lines like[1]:
"... IN NO EVENT SHALL <copyright holder> BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES..."
which is more or less similar to what Microsoft has[2]:
"... Except for any refund elected by Microsoft, YOU ARE NOT ENTITLED TO ANY DAMAGES, INCLUDING BUT NOT LIMITED TO CONSEQUENTIAL DAMAGES, if the Product does not meet Microsoft’s Limited Warranty, and, to the maximum extent allowed by applicable law, even if any remedy fails of its essential purpose ..."
Aka, you are peeped, don't sue them for it. Which is good actually, because how is the software author going to know that you are going to use their tool inside a medical appliance which is going to accidentally kill people because you are running some program on it? :)
As such, if there is anything law can do about it, then it is to deny Internet access to people who let their computers be infected as they do not properly upgrade their machines and/or let their machines be infected. A nice 'fine' scheme might be in order too, the money earned with that can then be invested in cleaning up the mess around the world. (This of course is never going to work either).
Something ISPs can do is set up 'quarantine networks': when they find a user is infected with something, put them in quarantine till they resolve the issue: http://www.quarantainenet.nl/?language=en;page=main-home Of course, that will cost a whole lot of helldesk calls and thus the price of the service will go up, and it only cleans the local network, not all those hordes of bots on the other side of the planet...
Greets, Jeroen
[1] http://en.wikipedia.org/wiki/BSD_licenses
[2] http://download.microsoft.com/documents/useterms/Windows%20XP_Professional_E...