Lilian Edwards on Killing Zombies – consumer network security

At the VI Computer Law World Conference, Lilian Edwards presented a good overview of the growing problem of consumer computer insecurity, in the context of zombie networks. Having understood the problem, what are the possible solutions?

  • Criminal sanctions for exploiters: unfortunately, you only catch either the infected victims or script-kiddies – operators are very difficult to track.
  • Incentivise ISPs to provide better security: get ISPs to monitor traffic to identify infected systems, or to block outgoing port 25, for example. The negative, of course, is exactly that: ISPs monitoring customer traffic and blocking access to services.
  • Imposing criminal or civil liability on end users: this option is generally distasteful, because it is effectively a sanction on the elderly, poor, or uneducated. On the other hand, it may be effective if there are viable ISPs which restrict access to trusted services, and insurance providers begin to offer accessible policies. In this way, users who want more flexible access are exposed to greater liability, and are therefore expected to take better care of their systems. The same negatives apply here: the majority of home users will be restricted in what they can potentially do. The argument that granny needs nothing more than access to the ISP's mail server and HTTP proxy virtually guarantees that new services will never find critical mass.
  • Provide a gated internet – a closed community where only trusted partners are able to communicate. This increases security at the cost of freedom, and would result in the loss of nearly all the benefits of a low-cost common carrier network.
  • Push liability to software publishers: an idea that appeals to Microsoft-bashers, but neglects to consider (a) the fact that most users are reluctant to upgrade to new versions of software; (b) the upwards pressure on software costs; and (c) the effect on other producers of software, particularly free software developers.
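To make the ISP-side option concrete, here is an added example (not from Lilian's talk or the original post) of the two measures mentioned above: spotting an infected customer from flow records, and the port 25 block. The flow records, IP addresses, window and threshold are all constructed or assumed for illustration. The idea is that an ordinary home user's outbound SMTP goes to one or two servers (typically the ISP's relay), whereas a spam zombie delivers mail directly to hundreds of distinct remote mail servers in a short time.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample flow records: (timestamp, source IP, destination IP, destination port).
# 10.0.0.5 is an ordinary customer relaying mail through the ISP's server 192.0.2.10;
# 10.0.0.9 is a zombie sending spam straight to many remote mail servers (203.0.113.x).
SAMPLE_FLOWS = [
    ("2005-09-05 10:00:01", "10.0.0.5", "192.0.2.10", 25),
    ("2005-09-05 10:00:05", "10.0.0.5", "198.51.100.7", 80),
    ("2005-09-05 10:01:30", "10.0.0.5", "192.0.2.10", 25),
] + [
    ("2005-09-05 10:%02d:%02d" % (i // 60, i % 60), "10.0.0.9", "203.0.113.%d" % (i % 250 + 1), 25)
    for i in range(0, 120, 2)  # 60 connections to 60 distinct hosts in two minutes
]


def find_smtp_fanout(flows, window=timedelta(minutes=5), threshold=30, port=25):
    """Return {source IP: peak number of distinct SMTP destinations} for every
    source that talked to at least `threshold` distinct hosts on `port` within
    any sliding `window`. Window size and threshold are assumed values."""
    recent = defaultdict(deque)  # source IP -> (timestamp, destination) pairs inside the window
    peak = defaultdict(int)
    for ts_str, src, dst, dport in sorted(flows, key=lambda f: f[0]):
        if dport != port:
            continue
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:  # drop records older than the window
            q.popleft()
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {src: n for src, n in peak.items() if n >= threshold}


def port25_policy_violations(flows, allowed_relay, port=25):
    """Simulate the blunter 'block outgoing port 25' option: return the flows that
    would be dropped if customers could only reach the ISP's own relay on port 25."""
    return [f for f in flows if f[3] == port and f[2] != allowed_relay]


if __name__ == "__main__":
    print("suspected zombies:", find_smtp_fanout(SAMPLE_FLOWS))
    blocked = port25_policy_violations(SAMPLE_FLOWS, "192.0.2.10")
    print("flows dropped by a port 25 block:", len(blocked))
```

Run against the constructed records, the fan-out check flags only 10.0.0.9 and leaves the customer relaying through the ISP alone, while the port 25 block drops the same 60 zombie connections but would equally drop any legitimate customer who runs their own mail server or uses a third-party SMTP host, which is the trade-off the bullet above describes.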

Lilian concluded that computer security needs to be treated as a common good if we are to protect ourselves. Surprisingly, there was quite a lot of support at the conference for a redesign towards trusted networking; the danger is that people are not considering exactly who will be prevented from benefiting from cheap communication when only trusted providers can speak. The increasing fears for security (not to mention the near-panic over spam) are leading people towards knee-jerk reactions. Thankfully, when the negative impact of trusted networking was explained, most people at the conference seemed prepared to take a more reasoned approach.

Interestingly, most people were broadly supportive of A A Adams' suggestion that governments provide open source virus and firewall products, with funded free updates. I think that this is a very sensible approach. With education and free security updates, we should see a real increase in security of consumer computers, without interfering with end-to-end neutrality.