Cyber security responsibility?

Continuing the discussion from GOP leaders: We're not inviting Putin to address Congress:

@Orygun posted this link in the other thread and, as I’m wont to do, my mind went away from the discussion of Putin and to Cyber security.

In the linked article, Microsoft informs us of activity that they’ve identified by the location that it reports to. This thread is not questioning Microsoft’s information, but what they and others do with that knowledge.

This is a common scenario on a variety of scales.

Some antimalware software will add thousands of entries to a computer’s hosts file to prevent that computer from being able to reach sites that are known to host malicious payloads.

Some devices are sold to large enterprises which watch all of the network traffic and if a device reaches out to a known malicious address, the computers are disabled until they’ve been addressed.

This is not ‘new’ capability. In ‘layman’s’ terms, it would be like preventing a phone call from going through.

As costly as these events are on every level (individual, business, government, etc.), do software companies bear some responsibility for the protection of their customers?

If they know where these malicious and illegal sites are, why don’t they code a block to it in their regular updates? They absolutely can. Are they being negligent by not doing so?

One of the frustrating attitudes for me has been a snobbish attitude toward end users which, in some cases, borders on contempt, and I can see how those attitudes bubble into various aspects of design and support. There’s an attitude that people should know computers if they’re going to use them and if they don’t take the time to ‘learn’ them, then they shouldn’t be using them. But that’s not a realistic attitude and I wonder if it plays any role in the escalation of malware.

Should OS creators be required to include blocks for malicious sites in their updates? Should Google be required to block those domains and IPs at their domain name servers? Should ISPs? Should exchange admins?

I know a lot of us are ‘purists’ in the sense that we don’t want the government mucking about with our lives and the internet, but I also know that when a bad thing reaches a particularly egregious point it becomes the lesser of two evils.

Do any of you have an opinion on this? Do companies have a moral or legal responsibility?

I honestly have to say, I don’t know. To my mind, this is one of those theoretical conversations that sounds good until you get it all put together and then ask yourself who you trust to hold the keys, and I’d be interested to hear others’ thoughts on the matter.

ETA: I’m aware of the possibility of false positives. I’d like for this to be a policy/responsibility/how-to-address discussion vs a who knows more about IT discussion, if possible.
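The hosts-file blocking described above, as an added example that is not from the original thread: a small parser for the hosts format that antimalware tools write to, a check for whether a name is sinkholed, and an allowlist audit for the false positives the ETA mentions. The sample hosts entries and the allowlist are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file in the format blocklist tools write:
# a sink address followed by one or more hostnames, with comments.
SAMPLE_HOSTS = """\
# constructed example, not a real blocklist
127.0.0.1   localhost
0.0.0.0     malware.example  www.malware.example   # constructed entry
0.0.0.0     tracker.example
0.0.0.0     Updates.Vendor.Example                 # a likely false positive
"""

# Addresses a blocklist pins names to so that connections go nowhere.
# Some tools use 127.0.0.1 instead, so loopback names are exempted below.
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::", "::1"}
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return {hostname: address} for every mapping in a hosts file.

    Handles comments, blank lines, several hostnames per line and
    case-insensitive hostnames (the resolver ignores case).
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        ipaddress.ip_address(addr)  # ValueError on a malformed address
        for name in names:
            mapping[name.lower()] = addr
    return mapping


def is_blocked(mapping, hostname):
    """True when the hosts file pins this name to a sinkhole address."""
    host = hostname.lower()
    if host in LOOPBACK_NAMES:
        return False
    return mapping.get(host) in SINKHOLES


def audit_false_positives(mapping, allowlist):
    """Return sinkholed names that the operator requires to stay reachable."""
    return sorted(h.lower() for h in allowlist if is_blocked(mapping, h))


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print(is_blocked(hosts, "MALWARE.example"))
    print(audit_false_positives(hosts, ["updates.vendor.example", "localhost"]))
```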


Web advertising frequently falls on the wrong side of cyber security, and there is so much money to be made by letting malware and viruses infect the computers of novices that I doubt non-obtrusive legally required countermeasures will last till the end of the first day.

There’s also not much of an incentive to protect users. Websites are so desperate for ad revenue that they don’t do their due diligence in protecting their users from malicious ads. And the advertisers put so much effort into getting views that “due diligence” would take a full-time staff.


You bring up an interesting aside with the mention of malicious and compromised web ads. I’m of the opinion that ad blockers should be a standard inclusion in any image, but I also know how problematic they can be for end users when they inadvertently block necessary content.

One ad blocker (I’d have to go see which) is beginning to look toward enterprise support, and I think that as they refine it and enterprises can manage it via GPO, it will become a standard install.

I agree that there’s no money in it and along with that, there IS a financial gain to be had by selling the cure.

When does it reach the point that the government steps in and starts insisting? Could businesses or enough affected users win a class action suit? Should they?

ETA: I’ve noticed that ad block companies are beginning to work with advertisers to come up with “acceptable advertisers.” It seems that most of that discussion centers around aesthetics as opposed to security. I’m not sure anyone wants to make any claims as it pertains to security with the legal implications of such.

I really like the move towards acceptable ads, and I think that somehow that needs to be encouraged till it picks up speed.

The threat of government regulation can force the private sector to move on self-regulating–which is why games have the ESRB now–I wouldn’t want to see legal measures actually pass though.


Me too. I think most people aren’t averse to advertising itself, just the indiscriminate overuse and some who are aware of the potential threat.

Do you remember those roll-down ads? I think the one I encountered most was for gold. It was a gorgeous ad but covered most of the screen when it rolled down and created real functional issues on sites that served it as it didn’t always retract when it should.

I pretty much agree that I wouldn’t want to see legal measures, but the chaos that ensues keeps the idea nagging at me.

It’s a mess. If companies or government did do something like that, it wouldn’t be a week before discrimination suits began.

Maybe some sort of group like the ACLU to hold companies accountable when they’re grossly negligent.

I dunno.