http://www.vnunet.com/Comment/1153264
The above link is cause for concern for anyone not yet secured to the best of their ability. In essence it is saying that if your computer is taken over and used in a DDoS attack, then you could be liable.
Man that would suck, especially since even the most secure systems are never hacker-proof. Let's hope that doesn't pass!
So you think any ******* who slaps his computer online which then costs someone else untold sums of damage should not be held accountable? If I buy a dog, set it loose in my neighborhood and it bites someone, I'm liable. If I buy a computer, stick it on the net and it's used to destroy millions of dollars worth of data, I say "oops, sorry?"
-Maestr0
I think computer companies and OS makers should include a CD-ROM or DVD with every new computer, and available on the web if they want a copy for their friends and family, explaining to the user in layman's terms what they should do to secure their computer, such as install a firewall, antivirus and software to get rid of scumware, data miners, etc., and if those things are in place and up to date then the user shouldn't be held responsible if someone hacks their box and uses it for malicious purposes.
Yeah.. right. How are they going to enforce this?
These computer users that are being infected, don't even know they are infected.
They DO have antivirus. It came with their computer... they just didn't know they had to update it. You can't blame a computer user for not wanting to download/apply a service pack that is 150mb in size, only to find out that their dial up connection dropped 9 hours into it and they have to start all over. Then after they apply that, they have to apply another half dozen updates and reboot after each one. It could take someone a whole weekend to do that. I know I wouldn't download a service pack if it took that long. I'd just say forget it... what do I care. I only use my PC for internet and email. Luckily, I'm on broadband... but not everyone has access to broadband, or doesn't have the need for it.
I don't know if anyone here has ever tried to download a file off the internet using JUNO. But, they kill your connection after 15min of inactivity on the browser. Never mind traffic activity. They want you browsing the whole time or they drop you. (Found out the hard way.. trying to download a 10mb driver package file that took over 3 hours to figure out why the connection kept being dropped.)
Are they going to start giving out free courses that a user must attend to obtain a new computer or operating system or internet connection? They have to find out how to secure it and present some sort of proof that they know what they're doing? A security "license/permit"? Driving a car is a privilege. You must have a license to legally operate a vehicle. If not, you'd be putting hundreds/thousands of other operators at risk daily. Can the same idea be applied to computing?
IMO- It all comes down to education.
Don't get me wrong. I'm all for educating users and making the internet a safer place... but how would they enforce it?
You have a good point, Maestr0, and I'm tempted to agree, but at the same time, every computer user isn't security-knowledgeable and can't afford the hours upon hours it takes to become so. I say this tongue-in-cheek because I wish everyone was security-minded, but not everyone can be an IS expert or even fairly computer savvy. And like I was saying initially, even secure systems aren't hacker-proof. What about those whose defenses were passed regardless? They would, theoretically, be held liable despite their best efforts. I dunno, I guess it's a bit of a moral dilemma there.
But I also agree with phisphreek. I have a hard time seeing something like this actually succeed in passing and being enforced. Ya never know though.
I'm not saying you have to hold the end user accountable for e-mail viruses, I'm speaking of corporate and institutional responsibility to their users (and their data) as well as their responsibility that company resources are not being used for criminal purposes. I think it is reasonable and fair to expect an entity to exercise due care when handling the sensitive data of others as well as making sure their property is not being used to damage the property of others. Just what exactly 'Due care' is still open for debate but I think some sort of system of accountability needs to be developed to allow the internet to mature enough for people to have the confidence that they can conduct business (or surf pr0n :)) online in a timely and secure fashion.
-Maestr0
neg·li·gence
1. The state or quality of being negligent.
2. A negligent act or a failure to act.
3. Law. Failure to exercise the degree of care considered reasonable under the circumstances, resulting in an unintended injury to another party.
Gotcha. Yeah, I totally agree with that. Any corporation not security-minded enough for that is just asking for trouble anyway.
hmmmm, I'm not too convinced by all of this. I don't see how this will solve anything.
It would simply make the DoS attacker's life a lot easier. Because now there is going to be even less of a chance of being caught as there will always be some stupid user about not knowing what they are doing.
I believe that something like "Should licence be required to go online?" would be a much better approach to all of this.
Okay, so this Fletcher guy built a weak reservoir on his land that exploded. That's fine. He built it, he should be responsible. But if you think that I'm going to sit here, and be held responsible for holes in a buggy OS that Microsoft put out, I beg to differ. There is no way that I am going to be held responsible for my computer being taken over because of a hole that MS forgot to patch. The vendor of the software that got exploited will be the one taken down. I would love to see them try and take me to court over some **** like this. Or better yet, my 89 year old grandma who has DSL at her house on her computer. My lawyers would have a field day with this.
So basically I'm calling bullshit on this one. There is no way that any court is going to hold any end user responsible because the operating system on that computer had holes. The OS vendor will ultimately be responsible.
case closed
xmad
I think you miss the point.
Nobody will be sued over a hole in any software when NO patch is available.
But, if you don't install the available patch and your computer is used in a DDoS, you will be sued, because you are negligent.
Maybe they should have thought about that before they released their software. In the automobile industry, when something they release is screwed up, they do what is called a "Recall" and they send out that information, by mail, to all the owners of their product. They also suggest and provide exact details on where I can take my product to be fixed for me, for free. If MS or any other software vendor did this, then I could be held liable. But until they do that....
Case closed.
I agree that everyone should install patches. But, when they have SO many patches that the downloading takes 10+ hours to download on dial up... then I should be compensated for the inconvenience, time wasted, etc.
Quote:
Originally posted here by forn28
I think you miss the point.
Nobody will be sued over a hole in any software when NO patch is available.
But, if you don't install the available patch and your computer is used in a DDoS, you will be sued, because you are negligent.
Sure, I can order the CD that includes patches... but I have to PAY for it. It should be available for free.
http://www.microsoft.com/WindowsXP/p...p1/ordercd.asp
Well, I still am inclined to think something like this will never happen in the near future -- I think we'll have taxed Internet before anything this crazy passes! But on the other hand, I guess stranger things have happened. Good luck enforcing it though.
And indeed, those blasted CD patches should be free, but that's a whole other topic altogether. Grr....
Maestro:
The problem here is that every dog owner knows that their dog can and might bite. 99% of all computer owners have no idea that their computer _can_ bite let alone will.
Quote:
If I buy a dog, set it loose in my neighborhood and it bites someone, I'm liable. If I buy a computer, stick it on the net and it's used to destroy millions of dollars worth of data, I say "oops, sorry?"
This subject is way too difficult for the lawyers and the legislators to be sticking their "ignorant of the facts" noses into it yet and for now it should remain as-is. The people best qualified to deal with such issues are doing it right now - the geeks.
You can't hold people whose computers are used for a destructive purpose without their knowledge. It's like convicting a 2 year old of murder. The 2 year old did not realise it was wrong or what they did. As someone who uses Windows doesn't know the ins and outs of their system or knowledge or tcp/ip. You can't force people to know a certain amount to use a computer, it's like making it a crime to be stupid. There simply are not enough jail cells for that many people.
I think what Comcast is doing is a step in the right direction....
http://www.infoworld.com/article/04/...astspam_1.html
Now, they just need to take it a step further. Instead of just looking for hijacked spam relays... look for zombies, trojaned hosts, etc.
I have an analogy speaking to a few who agree with the ruling. I agree with Tiger Shark, you know your dog is prone to attack or bite and it's often the case in proven case law that dog owners can be held liable if the dog has a history of problems or the owner stands by and does nothing to save/help a victim from an attack by an animal in his control.
This analogy, the way I see it, does not apply in the realm of computers. It's more like if the dog got rabies (a virus) and went wild while you were at work and ate through the fence (your OS) in your yard and ran across the street (the internet) and bit Mr. Jones while he was polishing his 1969 Buick… the liability on the dog owner in reasonable terms is almost nil.
Or perhaps it's like this; a criminal breaks into your house, steals your gun and later uses it as a weapon to kill Sean Penn. All this while you were at work and have a strong alibi and have never been to Los Angeles. In fact you don’t even know the gun is gone or the house was broken into because last month your dog got rabies. The failure of your window that was forced open and the failure of your ability to hide your gun from thieves do not make you liable.
Perhaps Sean Penn's body guards (your office network, firewall, administrators) are liable for failing to stop an attack, then again who could reasonably be held liable for something of a surprise that is impossible to foresee? But if the person owning a computer is liable to patch a vulnerability then body guards of the system are liable as well. And equally so. The whole thing counterbalances itself and cancels out any mitigating circumstance. Seems a waste of energy.
Tiger,
While I'm inclined to agree with you that 99% of the users don't know their computer can "bite" is probably true, we have an old saying in the states I'm sure you've heard: "Ignorance of the law is no excuse." Whether the user is aware of it or not, their computer can be used to cause very real damages to someone else and ignorance is not an acceptable excuse for this. If you cannot drive, or have no knowledge of how to exercise due care when operating a motor vehicle, you shouldn't be operating one and are still liable for any damage you cause with it. (Telling the judge "I didn't know my dog would bite someone." will not fly in my state, I don't know about yours.) Don't misunderstand me, I'm not advocating suing grandma because someone hax0r3d her new Dell, but let's look at the legal definition of negligence (http://www.encyclopedia.com/html/n1/negligen.asp):
the breach of an obligation (duty) to act with care, or the failure to act as a reasonable and prudent person would under similar circumstances.
NOTE: Although I haven't really looked I believe in legal cases the level of due care in negligence cases is commensurate to the defendant's skill, i.e. Companies/SysAdmins know better than home users and should behave like it.
This does not indicate to me that anyone whose machine is used for any illegal purpose is going to be prosecuted, but rather anyone who does not act reasonably and prudently MAY be found negligent, i.e. Are you even attempting to prevent damages which are well known and preventable through a little common sense? (As you can see this does not mean you are responsible for flaws in your OS, if anything it means the OS developer has an obligation to secure their system within reason prior to distribution). I seriously doubt anyone will argue this type of case against an individual, but rather could be used to target a company or organization which has not used due care to secure their assets against those who would steal or use them for malicious intent. In other words it's COMMON SENSE. If you roll out 300 workstations with no patches and leave them accessible to world and they are used in a DDOS not only are you an ******* but you are negligent as well, same goes if you leave your customer database available to the universe. This is especially important when you think about companies which are storing sensitive data about you and me online and are not properly protecting these assets. I don't know about you but if a company with a database containing my personal information and financial records is compromised because they didn't have a patch applied since 1996 and the only thing they have to say is "ooops, sorry" then I'm going to sic my dog on them. :)
-Maestr0
EDIT: (Just saw your post RoadClosed :))
Exactly, much like a home user would not be found negligent in this case either. And speaking of analogies :) I don't think your Sean Penn Conspiracy is accurate either. The house analogy doesn't sit well with me. First off, there's no 'gun' hiding in your private little house, your house IS the gun so maybe more of a tank than a house? Second, the internet is not PRIVATE! People stuck on this breaking into my house thing need to get the **** over it, it's not your house, it's not even your road. It's more like you left your tank in THE road with keys in it and someone used your tank to blow up SCO's headquarters and you wanna cry because you didn't know anyone would steal your tank and how dare they open the hatch to look and see if the keys are in it, and besides I didn't know it was a tank.
Quote:
the liability on the dog owner in reasonable terms is almost nil.
I don't subscribe much to the internet being a house thing, other than trying to make a point that you cannot hold someone liable for the actions of another who is acting in secret. By taking something that does indeed physically belong to a person, such as their computer, and using it as a tool to commit a crime. The internet is indeed public but the data housed in your computer is your property, if that wasn't the case then why make the argument to protect it?
Most owners are that ignorant they are not even registered with MS.. When GM has a Recall they still have to set up advertisements.. why?
Quote:
when something they release is screwed up, they do what is called a "Recall" and they send out that information, by mail, to all the owners of their product.
Both sides of the argument here have very valid points.. Every OS has holes, every OS has the potential to be compromised.. If you were to use an automobile in comparison.. Vehicle owners are "booked" every day for having "unsafe vehicles" because of their ignorance.. that is other than those who deliberately drive unsafe vehicles.. "aah, so that is what that noise is officer".. trouble is most computer users don't hear the noise or see the bald tyres, some leave the maintenance to the 10-year-old in-home computer expert or the 12-year-old from down the road who gets the printer working that the 10-year-old can't..
Question: What is the first hole in the operating system Netsky is using?
Answer: User (ID-ten-T errors)
very true.. especially if the user shows that they are taking "Reasonable Care".. yes my system is auto patched, the AV defs update daily, and the firewall is set to paranoid..
Quote:
you cannot hold someone liable for the actions of another who is acting in secret.
Cheers
I think the car analogy is missing something, the third party that takes control of it and uses your lack of maintenance and upkeep to crash it into SCO's front door and maim the watchman eating a donut.
//edit haven't heard the ID Ten joke for a while. :)
I've read the thread, and I think that the main point is being missed, the article seems ? to be implying that 'if you take NO precautions / do not act responsibly ? THEN you COULD be up for the courts. Also it is not saying that it IS happening, just that the POTENTIAL is there, it will probably happen in the next couple of years ?? and IMHO it will not be any IT Professional, who by dint of their job description will be 'acting responsibly ? and hopefully will have the system hardened. And it definitely will NOT be some poor old granny, If it HAS to happen, we can only hope that Mr S. Kiddie will be on the spot,
"Irresponsible ?? Me; No Officer, I was just doing me mate a favour, No sir, I haven't seen him for a while. Since the day of the alleged incident actually"
Another angle on this is that it is now a criminal offence to send SPAM from the UK to private email addresses. This was an EU directive, so this will soon be true for the whole of the EU.
So using the same argument, it could mean that the owner of a hijacked PC could be prosecuted. I don't think there is anything in the UK legislation that says it has to be intentional, which really comes back to the question as to whether or not you can be held negligent for allowing this to happen ....
I agree that MS should make CDs for things like WinXP SP1 available for free.
And they should definitely do so when they release SP2.
You can get things like this for 'free' if you buy certain PC magazines, as it will be on the cover disk. But of course, you do have to pay for the magazine!
Take the computer owner to court..... Accuse him/her of not taking reasonable precautions to protect their system and the "cover all" answer that sends them straight home without even a slap on the wrist will be.............
"But, your honor, I turn it off when I'm not using it"
Case closed!!!!!
We are really back to the age old argument that Government needs to keep its dumb nose out of things it really doesn't understand..... But we all know that government has no clue how to do that either..... :mad:
The fact is computers will always be broken into, there will always be security problems, not even the whitehouse's webserver was safe. So it's their fault they didn't secure their server? I'm sure they have 100 techs working 24/7 trying to secure it but they still can't. Ok so home users should install a firewall and antivirus and so on. Shouldn't they be able to go buy a pc and it should 'just work' like in the good old days. Therefore in conclusion I blame Microsoft :)
I'm not sure this is entirely MS's fault.
Sure, their software is full of holes, but if they sold a new version of Windows that included a proper firewall & AV scanner, what would the reaction be?
Anti trust law suits in the US & the EU, so they are really in a no win situation here.
Look at IE, Java, Media player etc. etc.
MS would love to snap up a couple of companies & include their software.
I've never understood this anti trust argument - if you don't like Windows then go for linux instead, which is becoming a genuine competitor for your average home user.
Why shouldn't MS be allowed to do all it can to secure its systems ?
Microsoft should be able to bundle a company's firewall and antivirus with their product and have it on by default. This would be the most acceptable solution and is as far as Microsoft should go. But with the trusted computing solution they have come up with they have gone too far. Microsoft should provide security tools with their software and have advice on how to use them so the end user has everything they need for basic security with their computer. They can still use another firewall if they wish etc., but the average person is still protected.
I admit it's a tough thing to balance.
Since When!???
Quote:
Shouldnt they be able to go buy a pc and it should 'just work' like in the good old days.
hahaha.....reliable computers....