Killing Others' Malicious Processes (468 comments)

Roland Piquepaille writes "This opinion is not mine, but that of Tim Mullen, from SecurityFocus Online. In this story, he expresses some strong ideas regarding systems infected by worms. "I believe you should have the right to neutralize a worm process running on someone else's infected system, if it's relentlessly attacking your network. I've even written code to demonstrate the process. Though the initial news coverage of the concept was grossly inaccurate in conveying my ideas, it has stirred up a constructive dialog. I knew my idea was controversial, but I was wrong about something -- I figured everyone in the security biz would "get it" and that the hard part would be convincing everyone else that if they can't or won't secure their machines, we as the defenders would have the right to terminate the process attacking us. It has turned out to be the opposite." The author then looks at the criticisms about this strikeback idea raised by some security experts -- to dismiss them of course. Check this column for a summary or read the original story for more details."
  • by Gyan ( 6853 ) on Wednesday January 15, 2003 @10:01AM (#5087150)

    RIAA : Great. Now, who's running Kazaa ?
    • by karmawarrior ( 311177 ) on Wednesday January 15, 2003 @03:17PM (#5089318) Journal
      When I wrote [slashdot.org] a proposal for keeping system administrators accountable - ensuring that if someone puts a machine on the Internet, they take the necessary steps to secure it, it generated howls of outrage from people who clearly felt that there is no onus on admins to keep their machines secured and that blaming them in any way for the damage they cause is wrong.

      Jokes about the RIAA aside, which has indeed asked for laws to allow it to do exactly what you deem jokeworthy, the fact is that most people consider their PCs their own property but not their own responsibility. The view appears to be that it's ok for someone to leave a machine on the Internet available for anyone to take over, that the person who puts it there has no responsibility, and that anyone who complains, tries to get it fixed, etc, is in the wrong.

      Friends, I know that we all consider those who crack computers to be the ultimate culprits in any situation where a computer is damaged, but that doesn't mean that people shouldn't take responsibility for their own parts in allowing this to happen. Someone who quite blatantly leaves his or her keys in their car and parks outside bars would not be viewed by most people as completely blameless in the event that a drunk staggers out, takes the car, and drives it into a shop window.

      Leaving a machine unsecured and unmonitored on the Internet is a sure-fire way of ensuring it is hacked and used to attack other machines. We know this. Yet people continue to do it. They do not secure their machines once hacked, and they allow their own machines to attack others once hacked. This is negligence, pure and simple.

      This quagmire of negligent sysadmins not securing their machines, not allowing their machines to be shut down by victims yet not willing to consider the consequences of their failure to secure their machines and to turn off machines that attack others will not disappear by itself. Unless people are prepared to actually act, not just talk about it on Slashdot, nothing will ever get done. Apathy is not an option.

      You can help by getting off your rear and writing to your congressman [house.gov] or senator [senate.gov]. Tell them that negligent sysadmins who are happy to keep their computers connected to the Internet all of the time but aren't willing to take basic, simple security precautions to ensure they play with others are a danger to the security of the Internet, a menace to other 'net users, and cause billions of dollars of damage every year. Tell them that you appreciate the work being done by groups like Security Focus, BugTraq, and even the efforts made by Microsoft to secure their systems and provide easy ways of keeping their products secure, but that if those responsible for computers that are on the Internet do not make use of the tools and features made available to them, you will be forced to use less and less secure and intelligently designed alternatives. Let them know that SMP may make or break whether you can efficiently deploy OpenBSD on your workstations and servers. Explain the concerns you have about freedom, openness, and choice, and how incompetent system administration harms all three. Let them know that this is an issue that affects YOU directly, that YOU vote, and that your vote will be influenced, indeed dependent, on whether or not they are willing to propose laws that provide proper deterrents to poor system administratorship and allow those attacked by poorly managed machines to fight back.

      You CAN make a difference. Don't treat voting as a right, treat it as a duty. Keep informed, keep your political representatives informed on how you feel. And, most importantly of all, vote.

  • by Anonymous Coward on Wednesday January 15, 2003 @10:01AM (#5087151)
    yet again under another pretense.

    This will be abused like all the other technology laws.
    • Simple fix (Score:2, Interesting)

      block that IP in your firewall.

      I'm constantly getting hit from Taiwan and SE Asia, so I block the whole class C; if it gets worse I go up from there. Seems to solve 99% of my problems.
      • Re:Simple fix (Score:3, Insightful)

        by bernywork ( 57298 )
        The only problem with this, and it was in the article, is that it wastes bandwidth. For some people with low speed links, virus attacks can take out their whole link. Blocking it at the router is no use, and it still has to get to their router in the first place for it to be dropped. The bandwidth damage is already done.
      • Re:Simple fix (Score:4, Insightful)

        by Tom ( 822 ) on Wednesday January 15, 2003 @11:19AM (#5087643) Homepage Journal
        Seems to solve 99% of my problems

        Yours, yes. Lots of people, and almost all companies, pay for their internet access, often by traffic. Blocking the crap at the firewall doesn't take care of that problem. In many cases, it makes it worse (due to retries).
    • Tim Mullen wants a licence to hack, the entertainment industry want a licence to hack. Here's a rap for them

      Yo Yo
      Ya say ya wanna have a licence ta hack
      That is really whack!
      If ya think we're gonna give ya a licence ta hack
      You be smokin' crack!
      Yo!

    • by sniggly ( 216454 ) on Wednesday January 15, 2003 @12:55PM (#5088496) Journal
      it's not a law. This is an international problem for which a law will most likely never come into being.

      Imagine I am your next door neighbour and I have a dead animal on my porch; the stench and health hazard are more than an annoyance to you. You can take action against that by removing the dead animal from my space, but you would enter my premises doing so. Instead you can call the police or any other agency that might take the trouble to show up and deal with it.

      On the internet there is no 911. There is an uplink admin that might take action but the uplink might have a legal obligation to keep the link up. If the attacks take up a significant portion of your bandwidth you are seriously compromised, you are probably paying for the bandwidth the attacker is using while trying to compromise your system.

      Taking out the worm on the attacking system is what one could call a "surgical strike", you deal with it.

      It could be illegal to do so and for this you take responsibility.

      But is it immoral? Those here who seem to argue from a moral perspective saying it's wrong to try to stop worm attacks by entering and killing the worm on the attacking machine apparently are not server admins themselves. When you are under attack all you want is for it to stop.
      • by GMontag451 ( 230904 ) on Wednesday January 15, 2003 @04:37PM (#5089856) Homepage
        The way I see this is akin to a self defense plea when you are charged with murder. If someone is coming at you with a gun, you have the right to stop him/her with any available force. However, if you are charged with murder, the burden of proof is on you to show that you were acting in self-defense. The same should go for an attack on the internet. If some computer is attacking you, you should be able to react with reasonable force. But the burden of proof should again be on you to show that you were acting with reasonable force.
  • by mirko ( 198274 ) on Wednesday January 15, 2003 @10:02AM (#5087152) Journal
    You should not interact with others' machines:
    Let them fix their worm problems themselves or they may not appreciate it.
    It is normal and nice to tell them they have a problem, but your work stops here!
    • by rmadmin ( 532701 ) <rmalek@@@homecode...org> on Wednesday January 15, 2003 @10:18AM (#5087244) Homepage
      I agree with this! I work for an ISP, and when we come across a user that we cannot contact to notify of problems, we simply disconnect them until they can prove they have resolved the problem. It's worked wonders. We see so much less virus activity trying to hit our mail servers, and we've had a lot fewer complaints about people having a virus or worm.
      • by sfled ( 231432 )

        That is absolutely the correct way to go, rmadmin. I report the problem server to abuse@problemserver'sISP and they usually inform the server's sysadmin/dork and disconnect the server until the problem is fixed.
      • by caseyc ( 559060 )

        I'm not sure that this is what the author of the article was talking about. But, I think you're more on track than he is.

        Maybe I'm missing the author's point, but it didn't seem like he offered any clear solutions? Who will have authority to kill the said processes? Will the ability for those authorities to do so be implemented in the OS?

        It's a noble idea, but certainly not ready for prime time. Holding people legally accountable for their own systems seems like a better solution, although nobody really sees that happening in the near future. For now, shutting the trouble machines out of the network while the user of the machine isolates the problem seems to be the easiest, safest, and most reasonable way to deal with worms and whatnot.

      I used to work for an ISP where the policy was to inform the sysadmin, and if the complaints against him/her were too many, disconnect it. However, if the customer was a large one (say... a public entity) and, as usual, had no one clueful enough to fix the problem, the bosses would send someone over from our office to help fix it...

        "But sir... I know nothing of exchange!"

        "No matter, go over there and run some antivirus or something"

        "...sigh..."

        I've ever since moved on to greener pastures. Still, my belief is that if there's no one at the offending site that can solve the problem, leave them alone unless they ask for help and pay you for your services.
      • by walt-sjc ( 145127 ) on Wednesday January 15, 2003 @11:37AM (#5087769)
        Um, and what about the guy who has to wait for days, his network being hammered, piling up network usage charges, while you take your sweet time in the disconnect process? Do you cut your customers off if you can't reach them in 10 minutes or do you give them a while?

        Of course then you also have ISPs that are so backlogged that they don't respond to a security issue for days to begin with, or the ISPs in China that can't read English so just ignore you.

        Through rose-colored glasses this is fine. In the real world it fails.

        A good example was Code Red. It wasn't just one server once in a while trying to infect your server, it was HUNDREDS. Simultaneously. How the fuck do you handle that through notification? How long are you willing to let your business be offline?

        Code-red was just another wake-up call. The next worm might be MUCH more malicious and do MUCH more harm to the internet.
    • by Pii ( 1955 ) <jedi @ l i g h t s a b e r.org> on Wednesday January 15, 2003 @11:15AM (#5087608) Journal
      There is a concept in law called "No Duty to Retreat," and I see no reason why it cannot be applied in much the same way to cases like this.

      This concept relates to self-defense, and deadly force. Follow along with me...

      If a person is in public, and is threatened, that person must make every reasonable effort to avoid the use of deadly force as a means of self defense, prior to using such force. He must attempt to leave the scene, etc. In short, there is a Duty to Retreat.

      If, however, that person is in his home, his own property, that person may use deadly force as a means of self defense without having to exhaust every means of escape or avoidance. On his own property, a person has No Duty to Retreat.

      How is the scenario for Cyber-attack any different? Unlike most of the people commenting on this article, I believe you do have the right to take active measures in protecting your property.

      Obviously, we're not talking about deadly force... We're simply talking about electronic countermeasures.

      If an unsecured system on the Internet has been infected by a malicious program, and is now launching its own attack against your system, your property, denying you the use of bandwidth or resources that you are paying for, I think you're perfectly within your rights to put the attack down, and if necessary, the offending system.

      A person utilizing the Internet has a certain responsibility not to cause harm, either through action, or inaction. Most people on the Internet today seem tragically unaware of this. Without this, the Internet is ripe for a tragedy of the commons situation.

      Is it wrong to still believe that with Rights come Responsibilities, or that with Privilege comes Obligation?

      Your right to swing your arms around recklessly ends at the tip of your fingers, and at the beginning of my nose.

      I think Tim Mullen is 100% correct, and I'm surprised there aren't more people that agree with him.

      • by regen ( 124808 ) on Wednesday January 15, 2003 @01:32PM (#5088676) Homepage Journal
        But the situation is not exactly analogous. Imagine two neighbors, each armed with guns. A thief breaks into neighbor 1's house, and the thief and neighbor 1 start shooting at each other. The thief shoots a bullet that travels into your house. Thinking that you are under attack in your own house, you start shooting at neighbor 1's house. Maybe you even realise that there is a thief in neighbor 1's house and you are trying to shoot the thief, but instead you shoot neighbor 1, killing neighbor 1. I don't think that you can claim self defense in the murder of neighbor 1.

        This situation is a much closer analogy.
      • by TFloore ( 27278 ) on Wednesday January 15, 2003 @01:38PM (#5088693)
        "No Duty to Retreat" is also generally called the "Castle Doctrine" as in, Your home is your castle.

        It is very much a state-specific concept. For instance, Florida has Castle Doctrine in its law: you have no duty to retreat from your home if someone is attacking you. New York has no such law, and actually specifically states that you must retreat if you have any possible option to do so. If you get trapped in your basement by a home invader, and you have a 16"x16" window in your basement that you might possibly be able to squeeze through to get away, you *must* try to get out through that window before you may legally use deadly force to defend yourself.

        Also note that, for businesses and private individuals, there is nothing resembling Castle Doctrine for a place of business, only for a personal residence. Physical security forces are a special case, as they are nearly quasi-governmental.

        But this proposal raises several other interesting problems. One of the neat statistics that 2nd Amendment supporters love is the accidental shooting statistics comparison between police and people that legally carry a concealed weapon. Police are much more likely to shoot an "innocent bystander" or similar than someone with a CCW permit. The reason for this, if you look into things, is that a CCW permit holder is usually involved in the assault/crime from the beginning and knows exactly who the bad guys are. The CCW holder is usually the one *being* assaulted, and can see the assaulter right in front of them. The cops come in in the middle of things, and have to figure out who the bad guys are in mid-stream, sometimes under extreme time pressures.

        This relates to the Strikeback proposal rather directly. How many DDOS attacks use IP spoofing? Will you know who is attacking your system with certainty? How many systems are you allowed to incorrectly strike back at before you are legally liable?

        Which incompetent admins that can't secure their own systems are you going to let decide who to strike back at???

        Think of this in terms of the sniper attacks in the DC area last year. How much worse would it have been if 10 people nearby had pulled out guns and started randomly shooting at nearby vehicles that looked like they might be able to hide someone with a rifle? Thankfully, most people that carry a concealed weapon have more sense than to shoot at targets they are unsure of. I don't believe that of BOFHs on the internet.
        • by Pii ( 1955 )
          This relates to the Strikeback proposal rather directly. How many DDOS attacks use IP spoofing? Will you know who is attacking your system with certainty? How many systems are you allowed to incorrectly strike back at before you are legally liable?

          Which incompetent admins that can't secure their own systems are you going to let decide who to strike back at???

          Think of this in terms of the sniper attacks in the DC area last year. How much worse would it have been if 10 people nearby had pulled out guns and started randomly shooting at nearby vehicles that looked like they might be able to hide someone with a rifle? Thankfully, most people that carry a concealed weapon have more sense than to shoot at targets they are unsure of. I don't believe that of BOFHs on the internet.

          You raise valid questions, and so have some others. Most of them, however, seem to think I'm out to shoot someone that sends an ICMP Echo Request in my general direction. :) As tempting as that may be, from time to time, we're not actually talking about killing anyone in this discussion.

          How many DDOS attacks use IP spoofing? Probably a great many of them, but for most worms, IP spoofing is impossible, because the initiator in most cases needs to get responses back from the victim host. Using a spoofed IP address would make that nearly impossible.

          Obviously, electronic countermeasures would have to be very specific. A set of counter responses would have to be tailored to counter a specific worm.

          As an example, when NIMDA was running rampant, fully 5 months after appropriate patches had been offered by Microsoft, and it was clear that there were a number of system administrators that had no interest in updating their systems, I put the NIMDA countermeasure on my system (I'd seen it posted here, as a matter of fact. That one had a problem, but I modified it to simply shut down the remote system, rather than disabling IIS first, and then attempting to shut down the system (That wouldn't have worked.)).

          My logfiles were filled with invalid queries from infected systems... Hundreds of log lines per system. After employing the countermeasure, I'd get 5 or 6 lines in my log, and then silence from the infected host. My script left a message in the offender's log files stating that they were infected, and containing the URLs to all of the appropriate Microsoft documents, and the patches that needed to be installed.

          Was I wrong to do so?

          I'm sure there are plenty of people that think I was. I fully understand their perspective.

          On the other hand, I think I was within my rights. It's pretty clear that 5 months after the outbreak, the people operating those systems were either unaware of the problem, or unconcerned about its impact on others.

          Let's say your auto manufacturer issues a recall about an unsafe braking system in your vehicle, directing you to take the vehicle into an authorized service center for corrective measures at no cost, and you choose not to do it. Months later, you experience a brake failure, and slam into another car. In my book, you're guilty of negligence.

          I view the people that failed to patch their systems, 5 months after the NIMDA outbreak, when patches existed even prior to the NIMDA outbreak, in the same manner. Negligent. You've allowed your property to become a public hazard through inaction.

          It isn't as if I built a scanner, to go out and sweep the Internet for people with infected systems, and attempted to shut hosts down at random. My script sat in wait. It retaliated only against systems that had brought the malicious code to bear on my system, and my bandwidth.

          (As a result of NIMDA, to this day I am still unable to receive inbound connections on Port 80, because my ISP has set up filtering.)
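The defensive half of what Pii describes above, as an added example that is not code from the thread or from Mullen's tool: rather than touching the remote host, the script below parses constructed web-server log lines, counts worm probes per source, and produces a local block list plus an abuse@ report of the kind the ISP posters earlier in the thread recommend. The Code Red and NIMDA request-path signatures, the RFC 5737 sample addresses and the iptables rule format are assumptions for illustration.

```python
import re
from collections import Counter, defaultdict

# Request-path signatures of the 2001 IIS worms as widely published at the time:
# Code Red probed /default.ida, NIMDA requested root.exe / cmd.exe via traversal
# paths. Assumed here for illustration; tune them against your own logs.
WORM_SIGNATURES = {
    "code-red": re.compile(r"/default\.ida\?", re.IGNORECASE),
    "nimda": re.compile(r"(root\.exe|cmd\.exe)", re.IGNORECASE),
}

# Common Log Format: host ident user [time] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Jan/2003:10:01:00 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276',
    '192.0.2.10 - - [15/Jan/2003:10:01:00 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276',
    '192.0.2.10 - - [15/Jan/2003:10:01:01 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276',
    '192.0.2.10 - - [15/Jan/2003:10:01:01 -0500] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276',
    '198.51.100.7 - - [15/Jan/2003:10:02:00 -0500] "GET /default.ida?NNNNNNNN%u9090 HTTP/1.0" 400 0',
    '203.0.113.5 - - [15/Jan/2003:10:03:00 -0500] "GET /index.html HTTP/1.1" 200 1043',
]


def classify_line(line):
    """Return (source_ip, worm_name) if the line is a known worm probe, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for name, sig in WORM_SIGNATURES.items():
        if sig.search(m.group("path")):
            return m.group("ip"), name
    return None


def summarize_probes(lines, threshold=5):
    """Count worm probes per source host.

    Returns (counts, offenders): counts maps ip -> {worm: n}; offenders is the
    sorted list of hosts whose total reaches the threshold. Every logged request
    completed a TCP handshake, so these source addresses are not spoofed, which
    is the point Pii makes about worms versus UDP/ICMP floods.
    """
    counts = defaultdict(Counter)
    for line in lines:
        hit = classify_line(line)
        if hit:
            ip, worm = hit
            counts[ip][worm] += 1
    offenders = sorted(ip for ip, c in counts.items() if sum(c.values()) >= threshold)
    return dict(counts), offenders


def firewall_rules(offenders):
    """iptables DROP rules for offending hosts: a purely local, defensive step.

    Caveat from the thread: the packets still cross your uplink before being
    dropped, so this saves CPU and log noise, not inbound bandwidth.
    """
    return [f"iptables -A INPUT -s {ip} -p tcp --dport 80 -j DROP" for ip in offenders]


def abuse_report(ip, lines):
    """Text of an abuse@ notification for one source host: probe count plus the
    matching log lines as evidence, the route recommended over striking back."""
    evidence = [line for line in lines if (classify_line(line) or (None, None))[0] == ip]
    header = f"Host {ip} sent {len(evidence)} worm probe(s) to our web server:"
    return "\n".join([header] + evidence)


if __name__ == "__main__":
    counts, offenders = summarize_probes(SAMPLE_LOG, threshold=3)
    for rule in firewall_rules(offenders):
        print(rule)
    for ip in offenders:
        print(abuse_report(ip, SAMPLE_LOG))
```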

          • by TFloore ( 27278 ) on Wednesday January 15, 2003 @03:50PM (#5089522)
            No, I don't really think you want to go out shooting anyone that pings your system. I do think most people that want this law want to have their systems running reliably, and don't really care what damage they have to cause to other people's systems for that to happen.

            Your comparison of Nimda to a brake recall on a car is actually rather interesting. It allows us to consider a lot of things that might actually make sense here, and some that don't make much sense.

            First, your comparison to a brake recall would make more sense if the people driving the vehicle didn't know their vehicle *had* brakes. Many (not most, I believe, but a large minority) of the people that were running non-patched systems when Nimda became a problem didn't know they were running IIS. This is one of the reasons MS switched to services off by default.

            Second, the manufacturer found the problem, but didn't actually send out notices, just put a note on a web site somewhere where most people don't even know to look. Unless you make a specific effort to become aware of security issues, you won't know. You either join a mailing list and wade through way too much traffic for people that have real work to do also, or regularly visit a website and, again, read through too much traffic. Yes, I'm assuming these are not dedicated sysadmins, which is the case for most small and medium-sized businesses and homes.

            Third, for people that get regular service done at a dealer service center, the driver may not know or care about recall work, the dealer does it for them. That's supposed to be one of the reasons you get regular maintenance done by the dealer. Not just because you like paying horrible prices for an oil change. :)

            This is actually worth thinking about from the point of view of computer services companies. If IBM Global Services has a support contract with your company to maintain computers, and doesn't supply a patch, they are probably negligent. If IGS doesn't do it, is the company that owns the computers negligent, if they thought IGS would? (No, I don't work for IBM, they are just a convenient example.)

            Does a home user have a requirement to have their computer serviced regularly by a professional? How about a small business owner?

            If a small business buys a microwave oven for the break room and that microwave is subject to a recall because it causes fires... If the business never hears about this (never sent in their warranty card so they don't get notices, and they don't check an online recall site) and doesn't replace it, if someone dies in a fire caused by that microwave oven, is the business liable for not exercising due diligence?

            Frankly, I don't know. I just know this is more complicated than we'd like to pretend it is. I'm looking for a quote here, something along the lines of "For every complicated problem, there is a solution that is simple, easy, and wrong."
          • by 0xA ( 71424 )
            Most of them, however, seem to think I'm out to shoot someone that sends an ICMP Echo Request in my general direction. :)

            I don't think you would do that but I have met some people that would.

            About a year ago I got an email from some guy telling me I had a virus on one of my company's computers and it was trying to hack into his system. He was rather upset. When I investigated I found that it was actually just an SQL replication agent that I had put the wrong IP address into. I guess he had one of those personal firewall programs that pops up a dialog any time somebody tries to connect to your computer so it looks like it is actually doing something. I sent him a message saying I was sorry for the mistake, it won't happen again etc. He wrote back saying I was obviously an idiot, I tried to hack him and if it happened again he would call the cops.

            A week later I am starting a replication manually and I enter the IP wrong again, same one, it was very similar. Buddy flies off the handle, emails me 6 times, emails abuse@myisp 10 times, calls my office etc. I spent a week explaining this to people.

            Now you know, and I know that a couple connection attempts to your machine on a port that is not open is no big deal. It is almost always a mistake. Your average user does not know this. I don't even want to think about what would have gone on if this guy had access to "Evil Hacker EZ Revenge Kit" or something like it.

            I agree with this idea in a theoretical sense but I think it is too dangerous to become a common practice.

      • by evenprime ( 324363 ) on Wednesday January 15, 2003 @02:00PM (#5088818) Homepage Journal
        Pii said:
        There is a concept in law called "No Duty to Retreat," and I see no reason why it cannot be applied in much the same way to cases like this. This concept relates to self-defense, and deadly force. [....] If, however, that person is in his home, his own property, that person may use deadly force as a means of self defense without having to exhaust every means of escape or avoidance.

        On his own property, a person has No Duty to Retreat.


        What you say is correct in many, but not all jurisdictions in the USA. For example, in Florida [directedfire.com], your statement would be correct, since they allow the use of deadly force to protect any of your property. In contrast, Massachusetts [geocities.com] residents may not use deadly force to protect their property, although they can use it in self defense. Specifically:
        According to what I just googled [nwmissouri.edu], Kentucky, Massachusetts, Maryland, Missouri, Ohio, South Carolina, Virginia, Washington, Wisconsin and Wyoming don't even allow the use of deadly force to protect a dwelling. Surprisingly, it looks as though Maryland [direct-action.org] actually allows more latitude in the use of deadly force to protect your business than it does to protect your home. (If someone in one of those jurisdictions has better info, feel free to correct me.)

        Anyway, the short version here is that jurisdictions differ widely in a) what you are allowed to defend, and b) what means you are allowed to use in defense.

        How is the scenario for Cyber-attack any different?

        First off, this idea is a defense of property. It is not a matter of defending you or your family against death or bodily injury. All states allow the use of deadly force in to protect you and your family, but they differ widely in what *else* they let you protect with deadly force; i.e. you may not be allowed to use deadly force to protect your property.

        Obviously, we're not talking about deadly force... We're simply talking about electronic countermeasures

        You correctly noted that computer strikeback is not the same as the use of deadly force, but you failed to note that the states have similar disparities in computer laws. For example, the Oklahoma Computer Crimes Act of 1984 makes it a felony to
        Why strikeback is a bad idea.

        What is legal in your jurisdiction may not be legal in your target's jurisdiction, or in the jurisdictions of the computers, switches and routers that your attack travels through en route to the target

        It may not be effective in eliminating the problems your network is having from the target site - if you strike back against a machine and accidentally harm it, you could find yourself in a protracted feud with the owner of that system (a la "Hatfields vs. McCoys") which ends up being more of a bother to you

        If you cause collateral damage, you could be liable for it - e.g. someone is flooding you with easily spoofable ICMP and UDP packets and you foolishly DoS the machine whose IP address appears in the header, thus shutting down a small business owner's website. There's a good chance you'll get sued if they know what happened.

        It may not be cost effective to accurately trace and identify the machine that is attacking you.

  • actually (Score:2, Interesting)

    by Anonymous Coward
    I'd rather see a set of worms released that infected machines on the scale of, say, Code Red or Nimda - but actually patched security holes, and/or closed all the ports on the host machine. If the ports already closed by the machine were in actual use, the user would have the option to open the ones needed manually.

    • Re:actually (Score:4, Informative)

      by greechneb ( 574646 ) on Wednesday January 15, 2003 @10:08AM (#5087192) Journal
      I seem to remember such a thing for unix/linux systems a while back, a search on google would probably find it.

      I'm pretty sure no one liked it. (I think the creator got bashed for it actually.) Mainly for the reason that changing something to fix a worm might break another process running on your machine if not done the correct way.

      If you are so worried about another machine trying to break into your own, I'd be securing yours better so you wouldn't have to worry...

      • Ok, I found it. The one I was thinking of was Cheese, the friendly worm

        Read about it here, including a nice set of pros and cons here [sans.org]

      • Re:actually (Score:2, Informative)

        by bpfinn ( 557273 )
        I'm pretty sure no one liked it. (I think the creator got bashed for it actually.)

        That's probably because the author, "Max Vision", programmed his worm to leave a backdoor open on your system - after it patched BIND to a safe version. He's in jail now.
  • Vigilante justice? (Score:5, Insightful)

    by grub ( 11606 ) <slashdot@grub.net> on Wednesday January 15, 2003 @10:04AM (#5087164) Homepage Journal

    Exactly who decides what constitutes "relentlessly attacking your network"?
    A simple NMAP scan? What about Netbios scans? @Home scans for open NNTP servers... etc etc..
    • they would decide over time a set of precedents just like for defending oneself from physical attack.

      If you slap me I can't just shoot you, but if you stab me: you'd better be ready.

  • by Sheridan ( 11610 ) on Wednesday January 15, 2003 @10:04AM (#5087170) Homepage
    Bruce Schneier has more discussion of this in the latest Crypto-Gram [counterpane.com] issue, both in the main section and in the letters (including a letter from Tim Mullen).

    There is a good justification in Mullen's letter as to why this proposal is different from the RIAA's proposed attacks on computers that they suspect of hosting unauthorised copyrighted material.

    • by JPawloski ( 546146 ) <jpawloski@gmail.com> on Wednesday January 15, 2003 @10:21AM (#5087263)
      "Since the owner of a system has no responsibility for the actions of a worm, or any malicious process, that runs without their knowledge, I submit that they also have no rights to the process. No responsibility means no rights.

      So, if they have no rights to the process, there is no infringement against them when we neutralize it. If someone wants to claim that their rights were violated by our taking out the attacking process, then they should be held accountable for the actions of the process from its inception. They can't have it both ways. "

      That, I think, is a good point. The solution, however, is not to make the counterattack legal, thus continuing to absolve people of responsibility, but to make the owners of the systems legally responsible for their failure to secure their systems. If your system is 0wn3d and used to launch a DDoS attack on AOL (or Slashdot, Kuro5hin, whoever), then AOL should have the right to sue you for damages. Your incompetence caused their loss.

      You say you can't afford to pay? Tough. Should have thought of that before you put your insecure system online. You say it's the fault of the manufacturer for selling the insecure system in the first place? Take them to court. Too expensive? Well, if their system is too expensive to use, then people won't use it.
      • Whose competence is at stake, did you say?

        I'm sorry but my brain comes with a EULA :

        This brain is supplied "as is" without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose and the accuracy of the information contained within it

      • Treating computer processes and network connections as extensions of human beings ignores the great complexity of computer systems and the irreducible nuances to responsibility, origin, and intent such machines introduce.

        Translating your argument into the world of atoms, that would be like holding someone responsible for a vandal who goes into someone's unlocked car, releases the emergency brake, and lets the car go careering into a crowd of innocent bystanders. Just because computers seem to "act" does not mean that their actions are always the fault of their owners, secure systems or no.

        The key is to hold those who crack systems accountable for their actions and to educate victims about how to better secure their systems. Those users unwilling or unable to secure their systems should pay third parties to secure their systems for them.

        Even the best secured system is not uncrackable. Would you hold the best sysadmin in the world responsible for a script kiddie's lucky guess?

        Your post says you would.

        • by MalleusEBHC ( 597600 ) on Wednesday January 15, 2003 @12:53PM (#5088485)
          I don't think it is a matter of holding everyone responsible for any attack that may come from their machine. It is about holding negligent users responsible for their negligent actions.

          For example, if someone owns a gun but keeps it locked in a safe in their house and stores the ammo somewhere else, yet some master thief manages to steal their gun and use it in a crime, I doubt anyone would say that is the fault of the gun owner. However, if the same gun owner left the gun loaded and laying around on their front lawn and someone came by, picked it up, and shot somebody, they would be sued and/or arrested for their negligence.

          The problem is determining at what point is a computer user negligent. Is your average consumer negligent for connecting their Windows box to a high-speed connection and not using any firewall software? Or is it someone who turns on various services like file sharing without knowing full well what they are getting into? Or is it anyone who takes reasonable precautions, but when they get cracked they don't realize it until their box has had a chance to eat up tons of somebody else's bandwidth?
      • Stealing someone else's insightful post [slashdot.org].
      • While I may agree with some of this, I think it should be pointed out that securing your systems is not a binary operation; you can be a competent sysadmin and still get owned by the latest exploit if you didn't find out about it quickly enough. You can also get nailed by some obscure exploit that a duly diligent admin might not have known about.

        You might also get nailed if you run an insecure application or allow users to run code on your system. My concern is that if you have a precedent like this, no one who can't afford an army of lawyers could afford to take the risk of being online, because the risk of getting sued into penury is too great.

        Do we want to foster a system where only the very wealthy or highly-connected can afford to run a server on the Internet?

    • SchneierZilla vs MegaMullen? No contest!
  • Duty of care (Score:5, Interesting)

    by benjiboo ( 640195 ) on Wednesday January 15, 2003 @10:05AM (#5087171)
    It could be argued that people who hook up to a public network owe a duty of care to other users of said network.

    At some point, being stupid becomes negligent.

  • Well (Score:2, Informative)

    by Pros_n_Cons ( 535669 )
    Security guys are some of the most paranoid on the planet; we're talking about guys that won't run LIDS cause they don't trust it. Why would they be for someone remotely screwing w/ their machine? Sounds good in theory but not applicable in the real world; say for instance this new service starts a new worm that relies on killing processes. Just stick with the best idea to date.. KNOWLEDGE
    • Re:Well (Score:5, Interesting)

      by mccalli ( 323026 ) on Wednesday January 15, 2003 @10:19AM (#5087252) Homepage
      Security guys are some of the most paranoid on the planet; we're talking about guys that won't run LIDS cause they don't trust it. Why would they be for someone remotely screwing w/ their machine?

      Because they're being arrogant enough to assume that it would be them screwing with your machine, not the other way round.

      Obviously, security experts are perfect and would never have malicious processes running on their machine. Whereas you little people are obviously weak and fallible, and need the demi-gods to come in and hack you. In your best interests of course. And they won't ever make mistakes whilst they're there, promise.

      I'm entirely against this proposal. If there's a problem with particular machines, it should be dealt with at the ISP level. Now, enforceable rules and remedies there I'm completely in favour of.

      Cheers,
      Ian

  • by Patman ( 32745 ) <pmgeahan-slashdotNO@SPAMthepatcave.org> on Wednesday January 15, 2003 @10:06AM (#5087181) Homepage
    ...I think he's a pompous ass.

    Let's check this quote from his page:

    I think the main reason for the knee-jerk criticism from the likes of Schultz is that they work largely in a theoretical rose-colored world of security, where all problems are solved after a cup of coffee and a bit of pontification. Those who actually work in the operational end of network and system security see things as they really are.


    In other words, "if you don't agree with me, you're not a real security guy".


    I, personally, feel that breaking into someone else's machine without permission is an ethical violation. But, according to this schmuck, that's not valid because I don't see things "as they really are".

    • by LostCluster ( 625375 ) on Wednesday January 15, 2003 @10:27AM (#5087292)
      "Things as they really are" is that the guy stuck in the server room when a DDOS happens is blamed for the downtime by the people around him, but he has zero power to make it stop. This is a problem for your average power-tripped server admin, who's used to being root and having nobody get in his way.

      The fact is, there's nothing a DDOS victim can directly do to stop the attack. They have to call their ISP to plant a firewall upstream of their wire so that useless data doesn't clog the connection. Maybe it'd be better to automate that in the router protocols, something along the lines of "xxx.xxx.xxx.xxx has requested that traffic being sent to it by yyy.yyy.yyy.yyy be routed to the bit bucket for the next 6 hours." That'd effectively make the attackers disappear from the attackee, and could be sent out as soon as the attack is realized.
    • I, personally, feel that breaking into someone else's machine without permission is an ethical violation.

      I completely agree. It is also, and more importantly, a criminal violation. This isn't the Wild West Internet anymore. You're perfectly able to block all incoming packets from any infected worm host at your gateway router. Anyone who believes that vigilante justice is either legal, or ethical needs a wakeup call. I hope this guy actually tries it and gets himself landed in court for his trouble.
      • by phil reed ( 626 ) on Wednesday January 15, 2003 @11:07AM (#5087543) Homepage
        Anyone who believes that vigilante justice is either legal, or ethical needs a wakeup call. I hope this guy actually tries it and gets himself landed in court for his trouble.

        Here's an interesting distinction (found in the letters on Crypto-Gram): If you reverse-attack a machine that's attacking you, is it vigilante justice or is it self-defense? Vigilante justice is when you hunt somebody down after the fact, self-defense is when you stop somebody during the act. Both have significant case law, and self-defense is quite justifiable under certain circumstances (action was done to avert a threat of immediate, significant harm, harm caused by the action was not disproportionate to the harm avoided, etc). I think a strong case for self-defense can be made here.

  • by oliverthered ( 187439 ) <oliverthered@nOSPAm.hotmail.com> on Wednesday January 15, 2003 @10:08AM (#5087190) Journal
    Well, he's singing one song quite loudly during the day time and it keeps me awake. (I'm a night worker)

    Tomorrow I'm going to pin the fucker down and cut out the bit of his brain that makes him sing that horrible song over and over again.



  • So what, I'm going to have to build in a SOAP [w3.org] interface to give a potential stranger the right/authority to whack processes on my system or web site? I can't even begin to list the number of security issues this raises.

    No way. If you think I've got a worm, call my IT guy and block my IP on your firewall until it gets fixed.

    • Too right.

      I mean how are they going to enforce this? You'd better believe I'd take every effort to nuke the server on my own boxes. If someone thinks I'm DOSing them then of course I'll take steps but they go through me to get to my machine.

      And if a user can disable it (and they will be able to - there is no such thing as 'client side security') then an attacking worm can surely do the same . . .
  • loss of business (Score:4, Insightful)

    by KDan ( 90353 ) on Wednesday January 15, 2003 @10:08AM (#5087193) Homepage
    The only problem with this strikeback thing is what if the machine which is infected is business-critical?

    If you're going to take it on yourself to fix other people's machines, what if this causes them loss of business? And there's also varying definitions of what "strikeback" or "fixing" could mean. What if someone decides to "fix" your database server by shutting it down? Shouldn't they be held liable for the damages caused, just as someone who does that maliciously can be held liable?

    There's just too many holes in this strikeback philosophy. It opens the door to tons of abuse too: "I only broke into this machine to fix it, I swear, gov'nor!"

    I think it would also result in pretty dire situations when a machine equipped for strikeback mistakenly decides another machine (also strike-back-enabled) needs to be "fixed", and starts attempting to hack into it - and then the other one detects it as well, and they start concurrently trying to hack into each other... probably saturating the network with crap on the way...

    Daniel
  • by EvilAlien ( 133134 ) on Wednesday January 15, 2003 @10:09AM (#5087199) Journal
    At least they can act to contain the spread of a virus, but not by killing processes on customer PCs. They can, however, disable service, whether it be a cable, *dsl, or dialup modem account. Shutting off service and forcing customers to take measures to clean their infected computers is allowed by the acceptable use, terms of service, and other policies which protect the ISPs' rights to take action.
    • But they don't. That's one of the basic foundations of Mullen's whole argument. Furthermore, as someone who's running his own servers on a DSL connection - and therefore someone who keeps watch of blocked connection attempts - I know only too well how true his other point on this topic is: most of the time, you can't look up the IP address and find who's responsible for it. Furthermore, even when it's resolvable, only a fraction of those IPs will have an "abuse" email address to which to submit complaints. I use "psad" for watching these things. It makes it a lot easier to keep track of these events than the collection of scripts I used to munge the logs. I investigate real scans, and save all the emails in case (God forbid) I need them to help with a forensic investigation.
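As an added example (not code from any poster in this thread, nor from psad), here is the gateway-side alternative the comments above keep pointing at: parse your own firewall's drop log, work out which sources keep coming back, block those at your router and draft the abuse report. The netfilter-style log format, the RFC 5737 sample addresses and the thresholds for "persistent" are all assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the netfilter LOG format (log-prefix "DROP:").
# Addresses are from the documentation ranges (RFC 5737); they are not real hosts.
# One source probes port 80 again and again over half an hour, one runs a quick
# multi-port scan, one sends a single packet, and one line is unrelated kernel noise.
SAMPLE_LOG = """\
Jan 15 10:01:02 gw kernel: DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=4412 DPT=80
Jan 15 10:01:09 gw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=3011 DPT=21
Jan 15 10:01:09 gw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=3012 DPT=22
Jan 15 10:01:10 gw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=3013 DPT=23
Jan 15 10:01:10 gw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=3014 DPT=25
Jan 15 10:01:11 gw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=3015 DPT=80
Jan 15 10:05:33 gw kernel: DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=4420 DPT=80
Jan 15 10:09:41 gw kernel: martian source 192.0.2.10 from 10.0.0.1, on dev eth0
Jan 15 10:11:02 gw kernel: DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=4431 DPT=80
Jan 15 10:16:45 gw kernel: DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=4440 DPT=80
Jan 15 10:20:12 gw kernel: DROP: IN=eth0 OUT= SRC=198.51.100.200 DST=192.0.2.10 PROTO=UDP SPT=1434 DPT=1434
Jan 15 10:22:30 gw kernel: DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=4452 DPT=80
Jan 15 10:28:07 gw kernel: DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=4461 DPT=80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: DROP: "
    r".*?SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def parse_log(text, year=2003):
    """Return (timestamp, src, proto, dport) for every DROP line; skip the rest.
    syslog lines carry no year, so the caller supplies one."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["proto"], int(m["dpt"])))
    return events


def classify_sources(events, threshold=5, min_span=timedelta(minutes=10)):
    """Group drops by source and label each one (thresholds are assumptions):
    persistent: >= threshold attempts spread over more than min_span, a host
                that keeps coming back, which is the wormed-box case in the thread;
    scan:       >= threshold attempts packed inside min_span, a one-off probe;
    noise:      anything else."""
    by_src = defaultdict(list)
    for ts, src, proto, dpt in events:
        by_src[src].append((ts, proto, dpt))
    report = {}
    for src, hits in by_src.items():
        hits.sort()
        span = hits[-1][0] - hits[0][0]
        ports = sorted({(proto, dpt) for _, proto, dpt in hits})
        if len(hits) >= threshold and span >= min_span:
            verdict = "persistent"
        elif len(hits) >= threshold:
            verdict = "scan"
        else:
            verdict = "noise"
        report[src] = {"count": len(hits), "first": hits[0][0],
                       "last": hits[-1][0], "ports": ports, "verdict": verdict}
    return report


def block_rules(report):
    """The remedy the thread suggests instead of strikeback: drop the persistent
    source at your own gateway. Returns iptables commands as strings; nothing
    here touches the remote machine."""
    return [f"iptables -I INPUT -s {src} -j DROP"
            for src, r in sorted(report.items()) if r["verdict"] == "persistent"]


def abuse_report(report, src):
    """One-line summary suitable for the source network's abuse contact."""
    r = report[src]
    ports = ", ".join(f"{p}/{d}" for p, d in r["ports"])
    return (f"{src}: {r['count']} blocked connection attempts between "
            f"{r['first']:%Y-%m-%d %H:%M:%S} and {r['last']:%Y-%m-%d %H:%M:%S} "
            f"to {ports}; classified as {r['verdict']}")


if __name__ == "__main__":
    rep = classify_sources(parse_log(SAMPLE_LOG))
    for src in sorted(rep):
        print(abuse_report(rep, src))
    print("\n".join(block_rules(rep)))
```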
  • by katre ( 44238 ) on Wednesday January 15, 2003 @10:10AM (#5087201)
    If parents don't vaccinate their children, the state takes them out of school. If a dog consistently attacks people, the authorities put it down. If someone commits three felonies, they are put away for life. This is because the rights of the many outweigh the rights of the one.

    This is an interesting point, because it shows the essential flaw in this logic. In all of these examples, who is acting? "The authorities", namely, the government. In this absurd "strikeback" proposal, who is acting? Vigilante sysadmins. If anything, his examples prove that we need a national cybersecurity enforcement agency, which is responsible for taking machines offline when they get virus-infected. Clearly, this is a bad idea, and that's why strikeback will never work.
    • Strikeback's just slightly misplaced. It's clear attacking computers need to be stopped, but it's much easier to have a DMCA-style takedown process where legal notice is served on an ISP to take down the offender, and filing a false report opens the false reporter to legal liability.
    • some logic problems (Score:3, Interesting)

      by Lovejoy ( 200794 )
      Yes, and.. one point I haven't seen made yet: The government can't vaccinate your children without your permission. They can kick them out of school, isolate them and make your life pretty miserable, but they can't invade their bodies without due process of law, which is missing in this equation.

      And now DUCK, because here comes the straw man:
      I think the main reason for the knee-jerk criticism from the likes of Schultz is that they work largely in a theoretical rose-colored world of security, where all problems are solved after a cup of coffee and a bit of pontification

      While it's valid to argue that Schultz is responding knee-jerkedly (somebody have a better adverb?), it's not valid to attack him by virtue of the fact that he's an academic and to denigrate him with the cheap-shot coffee comment.

      Academics study things like unintended consequences, the big picture, etc.. These are things most geeks can't be bothered to consider. While stupid academics tend to rise to the top in the media, very few are actually addle-headed theoretical bloviators. These smart people can contribute a lot to our discussions.

      As for the actual argument about killing others' rogue processes, I don't have anything original to say, but in the "real world" it would be called vigilantism and trespassing.
  • He send us the bomb!

    Next you will be telling us that it's ok for government A to overthrow government B if it thinks B is destabilizing to it.

    HHOS

  • The money quote (Score:5, Insightful)

    by wiredog ( 43288 ) on Wednesday January 15, 2003 @10:11AM (#5087206) Journal
    Since the owner of a system has no responsibility for the actions of a worm, or any malicious process, that runs without their knowledge, I submit that they also have no rights to the process. No responsibility means no rights.

    So, if they have no rights to the process, there is no infringement against them when we neutralize it. If someone wants to claim that their rights were violated by our taking out the attacking process, then they should be held accountable for the actions of the process from its inception. They can't have it both ways.

    That, I think, is a good point. The solution, however, is not to make the counterattack legal, thus continuing to absolve people of responsibility, but to make the owners of the systems legally responsible for their failure to secure their systems. If your system is 0wn3d and used to launch a DDoS attack on AOL (or Slashdot, Kuro5hin, whoever), then AOL should have the right to sue you for damages. Your incompetence caused their loss.

    You say you can't afford to pay? Tough. Should have thought of that before you put your insecure system online. You say it's the fault of the manufacturer for selling the insecure system in the first place? Take them to court. Too expensive? Well, if their system is too expensive to use, then people won't use it.

    • Auto insurance is like that. My liability insurance covers whoever is harmed by my car, because ultimately I am the one who will be sued because my name is on the registration. At least in Pennsylvania, that also includes if some numbnuts steals my car.
    • Re:The money quote (Score:5, Insightful)

      by Tall Rob Mc ( 579885 ) on Wednesday January 15, 2003 @10:39AM (#5087353)
      I think you make a very good point, but I don't believe it follows the right course. The best way to attack a problem is at its root. As much as we would all like to have 100% of online computers running completely securely, we cannot expect such a large user base to do this.

      If your car is stolen because you left it unlocked in a parking lot and used in a hit-and-run accident, the car owner should not be held responsible. Yes, it is his fault that he didn't lock his car, but it shouldn't be illegal for him to leave his car unlocked. The crime committed here was by the thief.

      Likewise, if your computer is used in a DDoS attack on a commercial website, you should not be held responsible unless you intentionally left it vulnerable specifically for use in an attack. The insecure computer has done nothing wrong, the blame is in the hands of the person who used the computer for a malicious attack.

      Blaming the owner of the insecure computer is simply cutting one head off of a hydra.

      • Re:The money quote (Score:5, Insightful)

        by tsg ( 262138 ) on Wednesday January 15, 2003 @11:26AM (#5087686)
        If your car is stolen because you left it unlocked in a parking lot and used in a hit-and-run accident, the car owner should not be held responsible. Yes, it is his fault that he didn't lock his car, but it shouldn't be illegal for him to leave his car unlocked. The crime committed here was by the thief.

        Likewise, if your computer is used in a DDoS attack on a commercial website, you should not be held responsible unless you intentionally left it vulnerable specifically for use in an attack. The insecure computer has done nothing wrong, the blame is in the hands of the person who used the computer for a malicious attack.


        Just to pick a nit, the difference is that, in the case of a DDOS attack, once the owner of the system becomes aware of the problem, he has the power, and therefore the responsibility, to correct it. If someone allows his system to continue attacking someone else's, even if he didn't cause the problem, he should be held responsible.

        Once the car is stolen, the car is no longer under the owner's control. Once the system is compromised, the sysadmin can still control it, even if it means pulling the plug.

        That said, I still don't think it gives the victim of an attack the right to go in and muck about in someone else's machine.
    • Re:The money quote (Score:4, Interesting)

      by Whispers_in_the_dark ( 560817 ) <rich,harkins&gmail,com> on Wednesday January 15, 2003 @10:41AM (#5087359)
      Sounds like a great scam to me. Here's how the dance could go:

      1) Create a worm that will at some point perform a DDOS attack on my machine. Make sure it's nice and quiet so that it isn't detected until attack day.

      2) Wait until my site is attacked by the worm. Whine and moan about the lack of security on the other machines.

      3) Pick from among the richest "attackers" and sue their pants off...

      (Oh yeah, ... profit!)

      A friend of mine once said, "The only secure system is one that's not connected to the wall outlet." The hackers will always find something new to break into and everyone else will diligently (sometimes) try to stop them. The problem is that everyone's idea of diligence is different and someone with an itchy trigger finger killing off my processes at the drop of the hat isn't my idea of better security.

      Plus, whatever means the security patrol uses to shutdown the offending processes will likely be exploitable in itself. If ssh is getting hacked then certainly this little back-door will too.
    • Re:The money quote (Score:4, Interesting)

      by Xugumad ( 39311 ) on Wednesday January 15, 2003 @11:22AM (#5087665)

      I maintain a small number of servers, for a research project. All of these run the minimum of services for our purposes, have their own firewalls (in addition to the main organisational firewall), and once I apply the new packages for RHSA-2003:001, they will be up to date with all available patches.

      This does not mean that they are unhackable. While it may be unlikely that someone will write a worm that uses a previously unknown bug, it could happen. By what you're saying, I'd still be liable. Should I have checked every single line of code my box runs?

      As much as it may frustrate people when they get DDOSed by wormed systems, this is not the solution. Better arrangements for having ISPs disconnect wormed systems, in my opinion, is the solution.

      • Re:The money quote (Score:3, Insightful)

        by Otto ( 17870 )
        Uh huh. And yet Nimda continues to spread.

        What about those boxes that are essentially never updated? These are the *vast* majority of machines on the network, causing all the problems and eating all the bandwidth.

        It's fine and great that you keep your box patched and up to date, but at some point, failure to do so should be considered negligent. You put a box on the network, don't keep it up to date, eventually it gets rooted, and starts attacking everyone else. Everyone else is justifiably pissed off at you now for not taking care of your own shit.

        Either they need to have a legal recourse for your negligence, in order to force you to stop being so negligent, or they need to have a legal means of self defense. You won't fix your box, they should be able to.

        The key is not whether this is right or not; it most certainly is right. The key is where the line is drawn. How up to date with patches and fixes should one be required to keep it? Exactly at what point does stupidity become negligence?
  • It's next to impossible to determine what defines an attack or not... and I don't want people other than me shutting down my webserver thank you very much.

    Wouldn't it be nice if there were programs that could automatically determine what's a worm or virus, and then attack the process from within the machine? No need for an outside user, just have the system kill its own rogue process as soon as it starts. Oh, it does exist. It's called Anti-Virus...
  • by tbmaddux ( 145207 ) on Wednesday January 15, 2003 @10:13AM (#5087221) Homepage Journal
    In his Dec 15th Cryptogram [counterpane.com] Bruce Schneier provides his argument against counter-attack, and there are some interesting reader responses to this in today's issue. [counterpane.com]
  • Hell no (Score:5, Insightful)

    by Reality Master 101 ( 179095 ) <<moc.liamg> <ta> <101retsaMytilaeR>> on Wednesday January 15, 2003 @10:14AM (#5087222) Homepage Journal

    I think this guy lives in the world of theory, where everything works "in theory".

    I don't want some idiot out in the world thinking he knows more about my system than I do going in and thinking he's doing everyone a favor -- when he's actually doing damage to my system. Intentions don't mean a crock of dog doo.

    If my system is spewing garbage, then it should be the right of the ISP to pull the plug until I get it fixed. That's the way these things should work.

    But there's no way I want fools poking into my computer, no matter what.

    • Nah, he works in "the real world" and is upset that the "theory" guys haven't adopted this idea, which would make life oh, so easy for him. What he forgets is that rogue machines are not going to honor "stop the attack" requests, as by definition they are not playing nice with the rest of the world. Furthermore, how is he going to feel when it's his machines feeling a strikeback... and who or what will decide if a strikeback is fair or unfair? This is what happens when people start pushing theories without thinking about the other people's viewpoints.
  • by EkiM in De ( 574327 ) on Wednesday January 15, 2003 @10:14AM (#5087223)
    I read this the other day when it was posted on "The Register" [theregister.co.uk] and I didn't like it then and I don't like it now.
    Why?

    Well, it all boils down to an attempt to legitimise hacking. If it was allowed that we could "strikeback" (which is just a cute word for hack) and disable the attacking process, then where do we draw the line? I think we can all agree on the extremes, but let's consider another example.

    What if a website was posted on Slashdot? Would all of the rampaging geeks be classed as attacking processes and therefore be liable to be struck back and eliminated? I am certain that the website administrator would consider the massive increase in traffic to be an "attack" as their poor server disappears in smoke.

    Personally if you are likely to be attacked get better security. You can't enter somebody's house just to close an open window.
    • Hmm... I smell an interesting scam here. Under strikeback rules, I could legally hack. Let's say I go out and create a virus or a worm that is designed to intentionally go out and attack one of my own sites, then anonymously release it into the wild. Why would I do this? Because then, I'd have legal authority to hack any infected system. And, while I was in there fixing things, perhaps some interesting and useful data could turn up.

  • by vaidhy ( 14207 ) on Wednesday January 15, 2003 @10:15AM (#5087225)
    There are two independent issues: One is an ethical issue. Is it morally right to attack (it is attacking, irrespective of defensive or offensive reasons) somebody else's machine?

    The second one is a legal issue. Does the attacked person (both sides) have any legal recourse? Do they have any credible claims for damage?

    Vigilante justice, at best is stupid and at worst, can lead to a more dangerous society than one without.
    • Is it morally right to attack .. somebody else's machine?
      I think this is similar to the question, "Is it morally right to use deadly force against another human being?" At first kneejerk impulse, the obvious answer is "No, of course not!" But then you'll probably realize the real answer is, "It depends." If someone shoots at you, most people think you're justified in shooting back.

      But if we're willing to concede that it depends, when talking about killing people, then why not also concede it in situations where the stakes are much lower? If I can kill a person who is attacking me, why can't I attack a computer that is attacking mine?

  • Errant Machines (Score:4, Insightful)

    by Anonymous Coward on Wednesday January 15, 2003 @10:15AM (#5087229)
    What we have here is no accountability and no responsibility. A ship's Master (Captain) is responsible and accountable for the ship in his charge and the actions of his crew. The owners, or administrators, should also be responsible and accountable for the machines and network in their charge. Hold them to account for their malicious machines - otherwise the problem will just get worse. Who then determines a malicious process on my network? The RIAA and other large political contributors? Remember, in the U.S. at least, money controls everything. Those with it get what they want and those without it suffer.
  • well... (Score:2, Insightful)

    by bonovoxpsu ( 570513 )
    if you're that "good" and can kill a process on someone else's network, how about you use that excellent knowledge and contact the owner of the machine?

    hacking (don't paint it any other way, you're breaking into someone's system) someone else's machine is not the answer. the system is not any more secure after you've killed its process, it is still wormed, and the most important thing is that the admin of that machine hasn't learned a thing!

    but then what do i know, i'm not a security expert...
  • by KjetilK ( 186133 ) <kjetil@@@kjernsmo...net> on Wednesday January 15, 2003 @10:18AM (#5087246) Homepage Journal
    I didn't RTFA, but I think a valid point for discussion in this context is things like the PHP scripts that were posted when Code Red [slashdot.org] was riding high.

    Would they be OK?

  • I'm sure some people could draw a vague parallel with protecting your home using lethal force here... but I don't buy it. I certainly believe if a hacker is inside your system you have every right to st0mp his ass out of there by whatever means necessary, but if your neighbor is coming round ten times a day knocking on your door you call the cops and get a restraining order taken out - you don't go over there and shoot him.

    I don't think it's ever right to trespass, whether it's for the "common good" or not. If it's not yours, stay clear. If a worm is hammering your system, call the offending ISP. If they don't reply call their upstream provider. If they don't reply call your ISP and tell them to block it before it gets to you. If they don't reply - tough shit, get a new ISP. It's the same thing as the spam blacklists - ISPs will never learn to provide better service if people don't start voting with their wallets.
  • I've done it before. (Score:3, Informative)

    by GoNINzo ( 32266 ) <GoNINzo.yahoo@com> on Wednesday January 15, 2003 @10:19AM (#5087251) Journal
    I had a botnet using my irc server as their jumping off point. I wasn't too happy with it cause I saw an attack happen. So I went through and removed them all. I wrote up the story here [granzeau.com] if anyone wants to know how to take down a subseven network.
  • by Branc0 ( 580914 ) on Wednesday January 15, 2003 @10:19AM (#5087254) Homepage Journal
    Having run a small defacement archive [syners.org] for the past year, one thing I learned is that people don't like you messing with their computers. In fact they don't even want to know that you know they have a problem. I once found a Portuguese .gov site that was defaced for over a month in a sub-directory, even though I warned them just a few days after it happened.

    I also found out that what people think is "if you know someone hacked into my server, then it must have been you that hacked my server". And this brings up the next point: if you start hacking people's computers to stop the worms, they are going to think that it was you who unleashed the worm. It is logical, they just don't know better.

    What must happen is not System Administrators "hacking" every computer on the internet infected by Code Red or Nimda. What must happen is legislation that makes every person running a computer personally responsible for the security of that same computer. If people don't secure their server they must be penalized, instead of letting us fix the problem... even if they want us to.

  • by telstar ( 236404 ) on Wednesday January 15, 2003 @10:20AM (#5087257)
    This guy wants to give the power to kill remote processes to everybody. Everybody includes the people that he's saying can't secure their systems to begin with. Do you want them touching your box? Didn't think so.
  • by funkman ( 13736 ) on Wednesday January 15, 2003 @10:22AM (#5087268)
    How do you get counter attack software and who's to say that software is safe?

    What if the counterattack software has its own buffer overflow? Then we get a cat and mouse game of one machine simulating an attack and when the counter attack is made the attacker could send a response to force a buffer overflow making the counter attack ... the attack itself.
  • Whose rights?? (Score:5, Insightful)

    by Ratface ( 21117 ) on Wednesday January 15, 2003 @10:30AM (#5087300) Homepage Journal
    If parents don't vaccinate their children, the state takes them out of school. If a dog consistently attacks people, the authorities put it down. If someone commits three felonies, they are put away for life. This is because the rights of the many outweigh the rights of the one.

    In your country perhaps, but where I live not all of those suppositions are true. And here one sees an inherent problem that such a system would create - you may be operating within the legal framework of (for instance) the US, but does that give you the right to close down a process on a machine in Iraq, or North Korea, or any other country for that matter?
  • Flawed logic (Score:5, Insightful)

    by StormReaver ( 59959 ) on Wednesday January 15, 2003 @10:31AM (#5087304)
    "Logic dictates that anyone who opposes a bill allowing corporate entities to attack our systems should support a technique to stop worm-ridden systems from doing the same."

    This is flawed logic. The correct logic flows like so: Anyone who opposes a bill allowing corporate entities to attack our systems should oppose any technique that allows any other organization or individual to do the same.

    Mr. Mullen's proposal is almost identical to the proposal made by the RIAA: let someone legally crack into a computer that is being used to do inconvenient things.

    While I sympathize with Mr. Mullen's intent, this approach was wrong when suggested by the RIAA and it is wrong when suggested by Mr. Mullen.

    Unfortunately, the best approach I can suggest that both contains the problem (eventually) and protects everyone's privacy to the largest possible extent is to isolate the offending computer from the rest of the Internet (possibly shutting down the user's outgoing Internet feed) until that user fixes the problematic system.

    Of course, the details are the killer. How is something like this accomplished quickly enough to minimize the damage done to systems receiving the barrage of data? And does a Slashdotting result in Slashdot's Internet feed being cut?

    This type of problem definitely needs a solution, but vigilante attacks are not the solution.

  • Mullen has been stoned since day one. This wacked out idea is just another bit of proof of that.
  • The real problem. (Score:3, Insightful)

    by jellomizer ( 103300 ) on Wednesday January 15, 2003 @10:31AM (#5087310)
    Besides the blatant privacy issues etc. Let's assume computer A is attacking computer B with Worm1, which uses application X as its transport. The person who sees the worm attack his system immediately thinks it is Worm2, which uses application Y as its transport. So he gains access to computer A and kills application Y. So he hasn't killed the worm and he also killed an innocent application that may have been doing something very important.
    It is stupid to think a random person will be able to properly fix your system. Even if he is "Skilled" enough to break in he may not understand what the system is for or what it is used for. Just because he thinks he is smart it doesn't necessarily mean he is.
  • I've often longed for a good "passive strikeback" tool. Every time I look at the tons of IIS-worm-crud in my Apache logs, or see spammers scanning for open proxies/relays, I yearn for such a tool.

    By "passive strikeback", I mean a tool that does nothing more than respond to an active attacker in such a way that it turns the tables. I assume that most worms and spammer-tools are as poorly written as the buffer overruns and other assorted security holes they exploit. That being so, I would love some respectable white-hats to write open source tools which target weaknesses in the offending malware, so that when said malware comes a-knocking at my server, I might gently rip out its intestines and strangle it with its own entrails.

    I'll settle for strikeback tools that do nothing more than neutralise the malware, although I'd be sorely tempted to do more in the case of spammer tools. Sending the malware into a flat spin, hang, or deadlock may be preferable to simple termination in many cases.

  • "Since the owner of a system has no responsibility for the actions of a worm, or any malicious process, that runs without their knowledge, I submit that they also have no rights to the process. No responsibility means no rights."

    • How does he make the leap from the system owner having no rights, to somebody ELSE having rights to that process. He's claiming that HE should have rights, yet by his logic ... the only person that really should have a right to kill the process is the person that is responsible for its existence or the person that initiated the worm. That means that the only person that should have that right is either the worm writer, or the person that launched the process. In many cases, this actually IS the user, since they executed a piece of malicious code on their system.

    "If parents don't vaccinate their children, the state takes them out of school. If a dog consistently attacks people, the authorities put it down. If someone commits three felonies, they are put away for life. This is because the rights of the many outweigh the rights of the one."
    • He fails to mention what the punishment is for electronic system intrusion. Whether his motives are noble or not, laws regarding kids and dogs have absolutely no bearing on laws addressing electronic worms.
  • The same holier-than-thou attitude that exists in Police and Intelligence services towards the public exists in the so-called security professional community.

    Let's say my next-door neighbor and I live in an old neighborhood with big trees. If my neighbor's tree has a disease that is affecting my tree, I do not have the right to trespass on my neighbor's property and chop down or treat his tree.

    The interests of security do not give someone the right to trespass on my property without due process. If Mr. Mullen wants to get some sort of court order, fine, but he does not have the right to screw with other people's computers for some perceived security problem.

    If Tim Mullen can be identified hacking into any computer I am responsible for, he will be arrested and sued for computer crimes. Whether he is wearing a "white" hat or a "black" hat is irrelevant.
  • Gray Areas (Score:2, Interesting)

    by JSkills ( 69686 )
    Is the use of "strikeback" ever warranted - this is a difficult topic to render a definitive decision on.

    Having been the victim of the effects of Code Red (our Linux boxes were not affected, but the hosting facility we were in was overwhelmed with traffic from all of its unpatched IIS servers), I can certainly see the reason as to why this software was developed. Our site was inaccessible for close to half a day, because of other people's inability to keep security at the forefront of their minds. We were powerless to do anything but wait for our hosting providers to track down all of the offending servers at our location and fix them.

    I remember being so angry at the time and I would have welcomed the scenario where a "strikeback" type of application would have put a stop to this problem in an automated fashion. I'm sure part of the creator's reasoning is that if people's systems are left vulnerable to various worms, then there should be no problem allowing his software to "fix" the problem. Perhaps an applicable analogy would be a fire spreading from house to house on your block and "strikeback" acting as the firemen putting a stop to it. Firemen often make a huge mess of buildings when putting out fires (cutting through walls and roofs, dousing everything with water, etc), but the ends justify the means.

    On the other hand, the "strikeback" process could almost be considered like a vigilante mob, having the best of intentions, but essentially operating outside the bounds of the law. Secretly, we might root for them, but in essence we really need the police to do the job, thereby obviating the need for the vigilante mob.

    In regards to the world of crimes committed against servers, I just don't know who the actual police are. So many of these attacks happen without anyone being punished. The FBI has a policy of not even spending any time investigating any computer crimes where the damages cannot be proven to exceed US $20,000. That leaves a great deal of smaller businesses / websites essentially unprotected by anything except for their own ability to manage their security efficiently.

    Strikeback is just a reaction to the frustration of having to deal with all of these continuously spawning worms / attacks without anything being done to counteract them other than react after the carnage is already done. I'm not saying it's the right solution, but I certainly can see why it is here ...

  • by juuri ( 7678 ) on Wednesday January 15, 2003 @10:46AM (#5087397) Homepage
    This is just a guy out looking for kicks and fun. If someone is "probing/attacking" your network thanks to a worm and you can't contact them, the solution is simple:

    You simply block off their traffic.

    Close your blinds, your door, or whatever real world analogy you would like to try and apply. You have the right to send the same traffic back to them, monkeyseemonkeydo, but in no way is it possible to justify altering the running of their machine. Doing so is no better than the malicious process already causing the damage.
  • Happened to me (Score:3, Interesting)

    by octalgirl ( 580949 ) on Wednesday January 15, 2003 @11:06AM (#5087539) Journal
    I can't remember the name of the company, but last year I had just installed IIS, then ran to the store. By the time I got back, around 45min later, I had already been hit by CodeRed. There was a message on my screen saying 'You have been infected by CodeRed. We did not infect you. Your server is trying to infect us. Please look on your hard drive to prove how open your system is. You can click here for more help. Again, we did not infect you.' (something like that anyway.) They left a small folder in my WINNT/system folder that had a link to them. Once I clicked their link they had other links on how to remove it; you could download the script they wrote so you too could load it and detect other people infecting you. And they had stats on how many servers had tried to infect them already (around 2000), and they explained more how they were only trying to inform those that were attempting to infect them to be more aware about CodeRed. I have the link and script at home, not with me here. Sorry.
  • Analogy (Score:3, Insightful)

    by nmg196 ( 184961 ) on Wednesday January 15, 2003 @11:20AM (#5087651)
    Here's an analogy:

    A guy in the apartment above you has left his door unlocked and then gone away. A malicious child walks in and turns the tap on for a laugh and then leaves. A while later the apartment is flooded and water is pouring through the ceiling into your property. Do you have the right to walk in through his unlocked door and turn off the tap?

    I know what I'd do. It might not be legal, but I don't think anyone would stop me or arrest me and I don't think the owner would mind that much either.

    Nick...
  • by Digital_Quartz ( 75366 ) on Wednesday January 15, 2003 @11:43AM (#5087848) Homepage
    The idea of writing "strikeback" scripts, as you describe, has been tossed around before. I recall reading a quick-and-dirty script for Apache posted on slashdot some time ago that would detect attacks from machines infected with Code Red, and would then exploit the security holes Code Red had opened on those machines to clean them. I used to support this idea, but I'm afraid after some thought, I've changed my mind.

    I'd agree that if a worm is running on someone's machine without their knowledge, then the owner of that machine has no rights to that process (the obvious exception being the person who is spreading the worm, who runs it intentionally on his or her own machine, but we'll ignore him or her for now). In order for you to terminate that process, however, you have to break into their machine, and run your own process. You are, in effect, creating your own worm. Your worm may only run for a short while, and may be "for the greater good", but that doesn't change the fact that you are running code on other people's machines without their consent.

    Even if we opt to ignore the ethics and look at this from a more practical angle, can you guarantee that your strikeback process is not going to adversely affect the machines it cleanses? What if your strikeback process causes a machine gathering scientific data to reboot, or kills the wrong task? This has the potential to set someone back by several days in their work. What if it reboots a machine monitoring medical equipment? You could end up killing more than just a process, if you catch my meaning, however unlikely that may be.

    Since you are intentionally running a process on someone else's machine, you are accountable for its results. If you cause damage to a machine, or cause data to be lost, even if it is inadvertent, you open yourself up to litigation from the owners of those machines.
  • by Rand Race ( 110288 ) on Wednesday January 15, 2003 @11:51AM (#5087961) Homepage
    I believe you should have the right to neutralize a worm process running on someone else's infected system, if it's relentlessly attacking your network. I've even written code to demonstrate the process.

    Code that will neutralize South Korea!?

  • by djembe2k ( 604598 ) on Wednesday January 15, 2003 @12:00PM (#5088066)
    All this talk about rights and self-defense and vigilantes and vaccinations and putting down dogs is taking this conversation wildly off course. Computers are property, and this is about property rights.

    Computers don't have rights or responsibilities. Processes don't have rights or responsibilities. If computer A attacks computer B (via a worm or whatever else) and computer B "strikes back", self-defense is a fair metaphor, but it isn't a relevant legal or ethical argument, because computers don't have rights.

    Computers are property. More specifically, my computer is my property. I have a right to keep my property, and you have a responsibility to keep your hands off my property, and if you don't keep your end of that agreement, you've broken the law and I can bring the government into it.

    Yes, your property rights are violated if my computer has a worm that attacks yours. Maybe the government will acknowledge that and step in, and maybe it won't. If you don't like the way the government handles this, elect somebody who will change it, write a letter to your legislators. But the government's refusal to step in doesn't mean, as Mullen asserts, that the owner of the attacking computer has no responsibility. It just means that the government has opted not to hold him responsible. The only way to fix that is democratically.

    But suppose Mullen is right about that, and this person has no responsibility. He says "no responsibility means no rights". Wrong. The constitution says that no person shall be deprived of life, liberty or property without due process of law. In practice, that limits the action of government, not offended sysadmins. But the principle here is that my rights are my rights, and nothing I do, however bad, forfeits them automatically. Maybe, after a fair legal process, society (i.e. government) may decide to take away some of my rights (i.e. lock me up, fine me, whatever). But not before. That's a fundamental part of the social contract which makes us civilized.

    Then Mullen makes a different argument: the rights of the many outweigh the rights of the few. (Thank you, Spock.) Maybe. But the same principle applies. My rights are my rights. Maybe you can get a court order to require me to donate blood, if it will save 100 lives. But if you take my blood without getting the court order, you have still violated my rights and broken the law.

    Now, if the guy who took my blood is a real hero, and believes what he did was right and necessary, then he'll say that going to jail is a small price to pay for saving 100 lives. Good for him. If Mullen really believes this is a case where the law runs contrary to ethics and morality, he can wear a grey hat and illegally hack systems for the greater good. But unless he's willing to wear a black hat, he'd better admit what he's doing is illegal, and a violation of rights, and be prepared to take the punishment when he does it.

    IANAL, yadda.

  • by The Evil Couch ( 621105 ) on Wednesday January 15, 2003 @12:05PM (#5088122) Homepage
    his idea is a hell of a lot more invasive and more "wrong" than simply noting an attack, blacklisting the source and sending the ISP an email notifying them of the situation.

    I realize that it's frustrating as a sysadmin to see attacks from the same place, by the same virus/worm all the time, but the answer isn't a counter strike. it's to simply contain the virus and let the people that are infected unfuck themselves and learn from their mistakes.

    besides, even if it weren't morally and ethically wrong, just who would control such a program? would sysadmins have to be federally or state licensed, much like concealed weapons holders? who would be there to ensure that the vigilante sysadmins weren't abusing their abilities and crushing boxes left and right, then claiming that they were being attacked?

    no, a knee jerk reaction of "wtf! this mother fucker's infected and trying spread it on to me! fuck him! I'll fuck his box up for that shit! stupid dumbass n00b!" isn't going to advance the Internet community, sysadmins or users anywhere. just stick to blacklisting IPs and domains. it works.
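    The alternative several commenters prefer (note the attack, blacklist the source, tell the ISP) can be scripted entirely on your own host, without touching the remote machine. The following is an added example, not code from this discussion or from Mr. Mullen's tool; it assumes Apache combined-format logs, the log lines are constructed (RFC 5737 documentation addresses), and the match is a simplified Code Red signature (the default.ida request path), not a full IDS rule.

```python
"""Passive alternative to 'strikeback': find Code Red probes in an Apache
access log, count them per source, emit a local block list and draft an
abuse report for the source's ISP. Nothing here contacts the remote host."""
import re
from collections import Counter

# Apache combined format: ip ident user [ts] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)
# Simplified Code Red signature (assumption): the worm's IIS probe requested
# /default.ida?NNNN...%u9090...; we only key on the path prefix.
CODE_RED_PATH = re.compile(r'^/default\.ida\?', re.IGNORECASE)

# Constructed sample log; addresses are from the RFC 5737 test ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [15/Jan/2003:10:01:02 -0500] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3=a HTTP/1.0" 404 291
198.51.100.7 - - [15/Jan/2003:10:01:05 -0500] "GET /index.html HTTP/1.1" 200 1043
192.0.2.10 - - [15/Jan/2003:10:02:11 -0500] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3=a HTTP/1.0" 404 291
192.0.2.10 - - [15/Jan/2003:10:03:40 -0500] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3=a HTTP/1.0" 404 291
203.0.113.5 - - [15/Jan/2003:10:04:00 -0500] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3=a HTTP/1.0" 404 291
garbage line that does not parse
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it is not a
    well-formed combined-format record (malformed lines are skipped, not
    guessed at)."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def probe_lines(log_text, ip=None):
    """All parsed records that look like Code Red probes, optionally
    restricted to one source address."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and CODE_RED_PATH.match(rec["path"]) and (ip is None or rec["ip"] == ip):
            out.append(rec)
    return out


def count_probes(log_text):
    """Counter of source IP -> number of Code Red style requests."""
    return Counter(rec["ip"] for rec in probe_lines(log_text))


def blocklist(hits, threshold=2):
    """Sources to drop locally. A threshold above 1 keeps a single stray
    request (or a spoofed one-off) from getting a site cut off."""
    return sorted(ip for ip, n in hits.items() if n >= threshold)


def iptables_rules(ips):
    """Rules for the local firewall only; the remote machine is never touched."""
    return [f"iptables -A INPUT -s {ip} -p tcp --dport 80 -j DROP" for ip in ips]


def abuse_report(ip, log_text):
    """Draft for the source's ISP abuse contact, built from evidence lines."""
    recs = probe_lines(log_text, ip)
    lines = [f"{r['ts']} {r['method']} {r['path']}" for r in recs]
    return (f"Host {ip} sent {len(recs)} request(s) matching the Code Red "
            f"probe pattern to our web server; it is probably infected.\n"
            + "\n".join(lines))


if __name__ == "__main__":
    hits = count_probes(SAMPLE_LOG)
    for rule in iptables_rules(blocklist(hits)):
        print(rule)
    for ip in blocklist(hits):
        print(abuse_report(ip, SAMPLE_LOG))
```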
  • by Perianwyr Stormcrow ( 157913 ) on Wednesday January 15, 2003 @01:23PM (#5088651) Homepage
    This policy would be irresponsible to both the owner of the system and the vigilante cracker.

    System owners get in trouble because suddenly someone has another reason to mess with their machine. It's not clear-cut for even an expert- You might say that it's criminal negligence to leave a system unsecured. Actually, no. We don't have the legal definition for these things yet. Furthermore, there's already an incentive for system owners to secure their own machines- the integrity of their own services and data.

    Vigilantes are also on thin ice because it's easy to do more than you intended when "defending the law", and even the cops are in danger when they fuck up. What will you do when you accidentally cause collateral damage in the commission of your act of citizen policing? What if you just have the totally wrong machine? You don't have the authority of a uniform and a department to back you up.

    All in all, this is a thoughtless proposal that should never be accepted by any legal authority worthy of the name.
  • by Jester99 ( 23135 ) on Wednesday January 15, 2003 @04:01PM (#5089610) Homepage
    with Mr. Mullen's proposal, is this.

    He sees the world this way: 1. People are negligent, and allow machines to become compromised, which allows harm to come your way. 2. Therefore, if people will not defend their own machines, you should be able to defend yours by disabling theirs.

    This is a little like the following: 1. People are negligent, and allow their cars to get stolen, which allows hit-and-run drivers to take you out with them. 2. Therefore, if people will not defend their own cars, you should be able to defend yours by being given a rocket launcher to disable theirs.

    The second example sounds kinda weird, doesn't it?

    I've watched "World's Scariest Police Chases" and suchwhat. If a driver's acting like a maniac, the police bust out these cars with large ramming devices on them, and beat the crap out of the offending vehicle. If someone is driving recklessly on the highway, I can't just take my SUV and ram them off the road myself.

    While I may have justification for doing so -- after all, that driver is endangering me and those around me -- I do not have authority. There is a reason that only police are given the power of arrest and other various things they have. (Just try walking around with a pistol in broad daylight in Philadelphia, for example.)

    Mullen would have us all issued shotguns, to defend ourselves from any would-be vandals and thieves who enter our homes. While it is justifiable for us to use these weapons against those who would cause us harm, is it really wise to give everyone a shotgun? There are most certainly those who would use them improperly. The obvious solution, of course, is to give everyone some sort of shield, that prevents them from being hit by a shotgun shell, to protect us from bad users of shotguns. But, uhm, then shotguns don't work against the vandals, because they have shields too. So a perpetual arms race against ourselves would develop.

    There's a reason weapons aren't issued to us for our own defense -- collectively, we are not responsible enough to operate that way. Only special agencies are given the Authority to administer Justice; justice itself does not belong to the rest of us. Unfortunately, we don't have an "internet police force", nor would one even be desirable.

    But ISPs can still pull the plug on users who aren't operating "correctly," and University and other networks can block down a MAC address if it's causing trouble. And that's about as close as we really should want.
  • by TekPolitik ( 147802 ) on Thursday January 16, 2003 @02:32AM (#5092618) Journal

    I believe you should have the right to neutralize a worm process running on someone else's infected system, if it's relentlessly attacking your network.

    Technically speaking, you do. No, I'm not kidding. It's called the right of "abatement", and it's a right dating back a millennium or so. It's even a defence to criminal charges that you were exercising your right of abatement in a manner that was reasonable in the circumstances.

    The problem with this is that they might still charge you.

    Now if you're willing to take the risk, the right of abatement is a right to take steps to prevent a trespass or nuisance affecting your property or your enjoyment of your property, even if this requires violating the property rights of somebody else from whose property the trespass or nuisance originates. For example, if somebody sits outside your house at midnight, playing a ghetto blaster at maximum volume, and refuses your request to stop, you can slap them around until they stop, or smash the ghetto blaster. Legally, you will be exercising your right to abate a nuisance.

    Yes, theoretically this could be applied against spammers and open relays too.
