Who's to blame for the hold that spam, spyware and viruses have on the Internet?

According to security software vendors, lax PC retailers should be fingered, for allowing "unroadworthy vehicles" out of their doors onto the information highway, to be attacked by viruses and converted into spam-spreading bots.

The lesson of installing patches promptly should be dinned into users, said delegates to last week's Australian IT media conference, with some suggesting "the government should do something" to prevent inadequately patched PCs being sold, as it had legislated trading practices for motor vehicles and home appliances.

Karl Hanmore of the Bank of Queensland said the "end guys" -- users -- should take a large share of the blame for not installing operating-system updates when they are made readily and simply available.

But other delegates to last week's Australian IT media conference pointed an accusing finger back at the security companies. If certain downloadable applications, such as those carrying adware and spyware, are dangerous, then the filter-merchants should be blocking them, or at least making the buyer aware of the danger, said more than one delegate.

This left Sophos's Paul Ducklin protesting that he was not going to be appointed "the moral, political and legal judge of all software."

He had earlier approached Federal IT Minister Helen Coonan about the adware/spyware problem, but, put on the spot himself, he pointed to the very real legal problems of blocking a user's voluntary download of an application he/she saw as useful, especially if the user had assented to a clearly worded agreement mentioning its less desirable aspects.

The "good guys" could be the ones who ended up in court for illegal restraint of trade, he said.

To tell the user "please read the agreement attached to this product thoroughly before signing it" smacked of playing "nanny", said another delegate, backing Ducklin.

If filter companies were going to warn of the dangers of software, said a third, "then we should warn about iexplore.exe (Microsoft's Internet Explorer browser) because the scheme of 'zones' on which its security relies is known to be a flawed concept."

Sven Radavics of firewall vendor Watchguard sees the problem as not just with inadequately-patched operating systems, but with "50-dollar firewalls" which are inadequate for today's complex Internet threats.

"There is no legal definition of a firewall," he said. Some companies are still selling a Network Address Translation device as a "firewall", because it hides internal addresses. "Most security professionals don't even think stateful packet inspection is enough any more, and application proxies are making a comeback."

The company firewall and password model doesn't work any more, said Hanmore: "A company is no longer a single entity inside a firewall."

A lot of people work on the road, attach their machines to the Internet in all kinds of places and bring the results back inside the supposed wall. "We should be pulling these functions back to the workstation, with every employee carrying their own firewall and intrusion detection system."