'Business responsible for security of digital products and services'

LXer Feature: 04-Nov-2006 Old news, but still very interesting for our readers: 'De Consumentenbond' (The Dutch Consumer Union) recently said digital security issues (virusses, spam etc.) are too complex for consumers to handle. Therefore, these issues should be handled by professional business, not by consumers. Also, business should be responsible for damage caused by insecure products it sold. Note: Click on "Read more" for my English summary, click on "Full Story" to go to the story at the Dutch-only site of 'De Consumentenbond'. Parts of it are subscription-only.

The results of the survey aren't very surprising: A quarter of all people finds it difficult to protect their PC, about 90% says it is the responsibility of the user to protect their desktop, but also, about three quarter says the provider is also responsible. Interesting is, 85% says their PC should contain all necessary additional security software when they buy it.

Thinking about Linux and BSD, that would be, they expect their newly bought computer to be safe by default. As most of us know, Windows isn't that secure by default. Consumers also want security software to be a part of their Internet installation software, and they wish for a simple program to test how secure their desktop is.

In their article, 'De Consumentenbond' asks why consumers have to add security to their product. In a short impression of a discussion they held between politicians, a Microsoft spokesman, Internet providers and the union itself, I saw a slide about airbags. Of course, they were comparing security software to car software: A consumer doesn't have to look for his airbag himself, and he doesn't have to 'install' it; cars are secure by default. Windows XP, especially when connected to the Internet, isn't. 'De Consumentenbond' says, every company is responsible for the security of its products, and every company includes the Internet providers and software companies like Microsoft.

The Microsoft spokesman defended his company by comparing computer security to a house: Even if the house is secured, you cannot be sure nobody will burglarize in your house. The same is true for PC's. Though I must admit it's even possible to 'break in' in GNU/Linux and BSD distributions, it is a lot harder.

Also, it might be nice to emphasize on an issue most people often forget in discussions: When talking about security, a lot of people say Windows can be rather secure if the right anti-virus software and a good firewall are installed, preferably in combination with ad/spawary-removal tools. By saying so, they suggest Windows is as secure as Linux.

However, by making this comparison, they forget they compare a security-optimized Windows setup to a non-optimezed Linux setup. I used to run a hardened kernel with PaX enabled, for example, and Linux can be optimized for security using things like pam modules. At the moment however, most Linux-users don't seem to need this extra security not enabled by default, while Windows users do need extra security measures after default installation.

The Internet providers told they already try hard to secure their customers, and promised to try even harder in the future. Of course, they have an interest in that: all those viruses and zombie-boxes cause a lot of unneeded datatraffic.

Last, but not least, 'De Consumentenbond' also stresses consumers should be careful when using the internet, because even if things are secure by default, companies can never prevent consumers from doing stupid things.

So, what do you think? Are software distributors and Internet providers responsible for damage caused by their insecure products? Let us know!

Full Story