My solution: Deal with it at the ISP level, first with education, then with threats, and finally with blacklisting.
The problem here is that all the proposed solutions have major drawbacks. I have to say that I think civil litigation and the concept of software liability are about the worst things that could happen to the industry. Think about it, it's the whole tools vs. acts debate. Do we restrict tools, or restrict the actions that people can take using these tools? The door to banning software that does certain things has been opened a little bit by the DMCA. Open it much more and it has the potential to strangle innovation in the software industry. Just look at all the unintended ways the DMCA has been used to stifle software and research. Add to this the high costs of liability insurance, and the fear of getting sued. So who gets rich from this? The lawyers. It's always the lawyers.
Now imagine a law being crafted where all the special interests get a crack at defining the word 'insecure.' Am I taking this too far? I don't think I am. I think any legislation that defines standards for secure software is bound to look a lot like the CBDTPA.
Software developer certification is also a perennial idea that is often brought up by those with a weak grasp of analogy. There are three flaws in the argument that software should be like other products that are engineered. One, the blame is being misplaced. The problem isn't the people who make the software, it's the people who implement the system. Software is sold strictly on an as-is, caveat emptor basis. This is necessary in order to keep up with the pace of advancement of computer science and hardware. It is up to the consumer to implement reasonably secure systems, not up to the supplier to craft perfect tools. Two, safety isn't the issue. We already have regulation of mission-critical software, e.g. medical, nuclear, and air traffic control. Anything else is taken care of by the market, as it should be. Safety isn't the issue, lost revenue is the issue. When safety ceases to be the issue, the law should cease to be involved. Is Microsoft's release of buggy software an argument for certification? No, the market has shown that it will tolerate a small amount of security issues in return for a whole lot of interoperable software. Three, software engineering is only remotely related to engineering in other fields. Clearly rigorous specification, proof, and testing are essential to constructing a building, but these processes have specific advantages and drawbacks when it comes to constructing software. Are we willing to give up low cost and fast-paced development for software that is moderately more secure?
And yes, this WOULD get rid of the 16 year old genius creating revolutionary software. I don't see how you can say this, without realizing it would be a terrible idea to certify software developers! Sure it's not 1981, but it's downright naive to think that all of the 'eureka' software inventions have already been made. I don't see one decent reason for certification, and this repercussion alone makes it a colossally bad idea.
Well I said, everything is a bad idea. Strike-back is also a bad idea, but not for the reasons Schnier mentions. As was pointed out, it has elements of self-defense as well as revenge. I also think Schnier was focusing more on DOS attacks and virus attacks that can be traced to a specific, malicious source. These should of course be harshly punished by the law, but I think a bigger problem is insecure systems passing worms such as code red and nimda. The solution, folks, is the same as spam. Deal with it at the ISP level, first with education, then with threats, and finally with blacklisting. Even with the fact that blocking doesn't reduce the bandwidth load, it would be hypocritical to condone some forms of retaliation while rejecting others. Sure, you can demonstrate damages in the form of lost bandwidth. Well the movie industry can demonstrate damages in the form of lost sales, let's not use this logic to justify them breaking into PCs. Schnier is right on that point.
Unlike spam, cutting off the perpetrator is not going to stop the worm from propagating. Once it's already in the wild, there's not much you can do to contain it. Because of this, as well as for the sake of research, there is no reason to ban the creation of worms, virii, and other malware. There's definitely unethical software, but there should be no such thing as illegal software.
jimmysquid.com - I take pictures.