Updated: 10/1/04; 2:07:18 PM.
Ed Foster's Radio Weblog
        

Tuesday, September 07, 2004

Readers had a number of strong things to say about my Identifying Compromised Websites story, but they were by no means of one mind in their views. Some said websites absolutely have a duty to inform visitors of the possibility they were infected on a previous visit, while others argued that any form of website liability could irreparably damage the Internet.

"At one time they hid the results of hospital death statistics," one reader wrote. "Their excuse was that hospitals would not accurately report statistics if the information was made public. Eventually, they concluded that if the law required the hospitals to report information and the hospitals lied to protect themselves, then that constituted FRAUD and would be prosecuted. Simple problem; simple solution. So the argument for the cover-up of sites compromised by Download.ject does not hold water. They are not divulging the names to protect them from their own malfeasance of not updating servers with the latest Microsoft patch. Shame on them and shame on the government for protecting them."

But would forcing websites to disclose their security failings have a chilling effect? "Yes, I would like to know if I've visited a compromised site," wrote another reader. "But, I believe the security burden lies with the client, because the alternative would destroy the reason for my Internet use in the first place. Just as software liability threatens free software, so website liability threatens independent web sites. If that kind of accountability becomes mandatory, then the barrier to entry for website authors will be raised. Instead of merely being able to post content, you'll have to be bonded and insured, etc. In effect, the Internet will cease to be a voice for the masses and instead promote only corporate mantra. As with every preceding period in history, only the rich will have a voice, for they can afford the liability insurance."

Still others, though, felt that such liability concerns were groundless. "The notion that websites would face lawsuits for not downloading the latest Microsoft patch is hogwash, plain and simple," wrote another reader. "You could no more sue a company for running their site with buggy software than you can sue Microsoft for selling the buggy software in the first place ... The industry is just using this as an excuse to preserve the code of silence."

Well, all I know is that I wish more companies would take the approach one reader recalled a client of his had once adopted. "A few years ago, my client's PCs were infected with a virus, which promptly mailed itself out to his address book," the reader wrote. "He and his people had ignored my warnings and advice about protection, of which even a minimal dose would have prevented the incident. I got him cleaned up and he straightened up his security. And then he did something that surprised me. He called every one of his customers, personally -- hundreds of them -- to apologize and to offer any assistance he could in cleaning up. He offered my services to them, at no charge, if they had any questions or needed help deciding what to do. Nobody told him to do this. He values his customers. He made sure they knew it, and he assured them he'd make every effort to prevent it from happening again."



12:33:15 AM  

© Copyright 2004 Ed Foster.
 

