
Cybersecurity: It's our problem

Two law professors want a paradigm shift in how we approach cybersecurity. Michael Kassner discusses this new theory and wants to know what you think about it.

Let's face it: we're not winning the battle against cybercrime. Why is that? Is it because not enough money is being spent, or are the cybercriminals that much smarter?

I'm not sure. My only thought is that possibly we're going about it all wrong. Maybe cyberspace is too virtual or too nebulous for the "good guys" to triumph using normal crime-busting. That's as far as I took my sociology exercise until Rich (SanteeWelding) introduced me to an interesting alternative.

The experts

Before getting into the details, I'd like to introduce you to the people who came up with this rather unusual proposal. The article that Rich sent me eventually led me to a paper titled Distributed Security: A new model of law enforcement. It was co-authored by Susan Brenner of the University of Dayton School of Law and Leo L. Clarke, formerly of the Thomas M. Cooley School of Law.

I'll warn you: the paper is long. But don't let that scare you. Knowing that, I'd like to follow their format, yet compress it into a "you get the idea" article for those who don't have time for the full-length thesis.

The way it's done now

Brenner and Clarke first explain that our current criminal law has its roots in the Industrial Revolution and is based on punishing the person convicted of a crime with what is deemed an appropriate penalty by society:

"Currently, sanctions against criminals, such as prison sentences, fines, and the freezing of assets rely on a system that can entrap the criminals in order to bring them to justice."

As you can see, our entire criminal justice system relies on the criminal actually being apprehended.

The problem

The current legal system fails miserably when it comes to cybercrime, simply because it's difficult to capture the criminal. Let's look at why:

  • Criminals operate through distributed networks or botnets, leaving little chance of tracing the activity back to them.
  • Criminals operate from locations where their activities aren't considered illegal or may even be state sponsored.
  • Criminals gravitate to countries that refuse to extradite.

From the above points it's easy to see where the current system falls apart when it comes to cybercrime: retribution is almost non-existent.

Enhance the existing system

Brenner and Clarke offer some insight on how changing the existing legal structure may be of some help. I'll let you decide if their assertions are plausible or not:

  • Provide an international forum where the involved countries will create laws and work together, in an attempt to put the fear of retribution back into the criminal's mind.
  • Allow sanctioned law-enforcement services to actively fight cybercrime by reverse hacking in the form of malware, DDoS attacks or any means that are deemed necessary to shut down criminal activity.
  • Allow civilians to react when they become targets of a cybercrime by using reverse-hacking tools similar to those available to law-enforcement services.

To me, the above solutions are more of the same, and piling bad on top of bad doesn't improve anything. But wait, Brenner and Clarke aren't done yet; here's where they step outside the box.

Prevention not reaction

Prevention is not a new approach; what makes their thinking unique is how they want to accomplish prevention:

"The critical aspect of the new model lies not in prescribing specific preventive measures but in shifting the focus from reaction ("cybercrime is law enforcement's responsibility") to prevention ("It's my responsibility to protect myself").

We must realize that we are the front line of defense against cybercrime; we must understand that our carelessness could facilitate a successful cyberterrorist or information warfare attack on the critical infrastructures of our society."

So, there's the big shift. They want each of us to take responsibility for our on-line activities. That makes sense to me, but I'm an IT security advocate. What's their plan for gathering every computer user in the world into one cohesive group?

Now for the kicker

To say the least, Brenner and Clarke are realistic. They know that users won't buy into this type of program automatically. So they got creative. Remember, I mentioned earlier that the problem with cybercrime is that criminals are hard to apprehend. Well, that doesn't apply to us users, does it? I'll let them explain how it works:

  • One who uses cyberspace to engage in activity without having taken all reasonable measures to protect herself from being victimized assumes the risk.
  • The fact that one assumed the risk of victimization cannot be used as an affirmative defense in a prosecution for conduct involved in that victimization.

So, place all the responsibility on the user, eliminating any possibility of civil litigation. Just to make sure, let's include the option of criminal prosecution for negligence. Here's their reasoning:

"Assumed risk creates a disincentive by negating the expectation that law enforcement will redress one's victimization by apprehending and sanctioning the perpetrator.

The second principle creates such a disincentive by imposing criminal liability on those who fail to prevent cybercrime. One who aids and abets a crime is liable for it as if he committed it."

That's quite a shift

It seems that they want to hold each of us liable for the health of the entire Internet. I've been trying to come up with a real-world example of something similar, but I'm not having much luck. If you have examples, I'd appreciate hearing about them.

Final thoughts

You can imagine the range of emotions I went through as I read Brenner and Clarke's report. After all is said, I feel they have a good grasp of the problem. What I'm not sure about is their solution.


Comments
Deadly Ernest

in application. I see three major areas for discussion.

1. Penalty legal system. The current legal system has its roots a lot deeper than the Industrial Revolution, and I'm surprised law professors don't know that, but then they may not have really studied the more ancient law systems used in Europe, but concentrated on the US systems. The current legal system in the US and most of the world is derived from the Norman law system established in England by William the Conqueror. Prior to that most of the British Isles had a number of variants of the Celtic and Druidic laws, which were based on compensation for the wrong done. Thus murder was punished by the murderer paying compensation in large amounts to the family, or becoming their servant, at set rates, to work it off. But yes, the legal system does need to be greatly cleaned up, criminal and civil law.

2. Response. I disagree with allowing people to attack back. The current system requires the police to clearly identify the bad guy before they attack. What they promote is that anyone can attack on suspicion. Sorry, not on. BTW, Interpol and various other special international police bodies currently allow a lot of international cooperation.

3. Responsibility. People aren't tech experts. What they propose re making the user responsible is like holding the owner of a stolen car responsible for the robbery it gets used in. Sorry, it doesn't fly. Yes, people should be held responsible for NOT taking basic precautions while on the internet. So we use the same principles used in tort cases, where the user has to show they took reasonable precautions to get all their compensation back when the bad guy gets caught, if they do.

A side issue here, but a very important one, is to make the software companies much more immediately responsible and liable for fixing security holes found in their software. If a company sells a product found to have a security hole that can be used by the bad guys, they should be given a very limited time to have a fix out and all users notified. Failure to do so within the time limit means immediate hefty fines levied on them. Say ten dollars per copy sold. This means they get hit in direct proportion to the level of usage of their software. This also puts full responsibility on the software companies to write decent code and test it properly before release. How's that for a controversial concept?

BALTHOR

However, I think that if enough people are apathetic we would stand a good chance of wearing the cyber crooks out.

rustedtech

With just those details alone, it doesn't sound tractable to me, and it smacks of litigation gone wild. Also, it sends a message that the criminal bears no responsibility, thus encouraging criminal behavior. Let's get real here. Most computer users aren't dupes, but it only takes a tiny percentage to ruin it for everyone else. Junk mail wouldn't have legs if that 0.1% wouldn't respond to it. Despite all our best efforts, did junk mail go away? No. And is it the fault of the consumer? Over 99% no.

LyleTaylor

So, if I can use an analogy here, if I want to go into an insecure area (e.g., a slum), I need to make sure that I'm protected from those wanting to do me harm. And if someone does (for example, I get mugged while there), it's my fault, because I didn't take "reasonable" precautions while I was there? That doesn't sound like a sound basis for a legal system to me. What it really seems to be is that they realize they can't do much about it, so they're throwing their hands up and declaring "you should know better," so they can wash their hands of it.

Michael Kassner

I'd love to hear your opinion on whether Brenner and Clarke (two law professors) have a valid approach for cybersecurity or not. If not, what's wrong with it?

santeewelding

In your tract is, "allowing people". All you say seems to flow from that, I would hope not, your understanding of law. ed: one too many "thats"

Michael Kassner

I also think your solution has just as much traction as any other.

Michael Kassner

I also was wondering how they would determine what amount of prevention would be sufficient to avoid getting prosecuted. To me that's a moving target and not something that can be easily quantified.

Curious00000001

What we need to stop is people acting surprised when they are attacked. In a perfect world no one would have any worries about anything. In the real world police should not have to worry about idiots who go into slums driving a BMW flashing cash being robbed, which is exactly what an unsecured computer looks like to an attacker. If you are in a "rough" area, i.e. internet facing, then you have to take some responsibility for protecting yourself as much as possible, and if reasonable protection fails then you can worry about calling the police. Ignorance is never an acceptable excuse.

mhara42

I agree. It also sounds like "it's the rape victim's fault because they were asking for it". I don't think something like this would hold up in court. Seems like the easy out.

seanferd

Consider leaving your car running, with the keys in it, in an area known for criminal activity. The car is stolen, and used to commit other crimes. Now, you are both a (somewhat less sympathetic) victim, and have enabled criminals to commit crimes, including the theft of your car. Both you and the criminals are at fault. Mind you, I don't entirely buy into this proposed idea, but many, many victims of "cybercrime" (ugh) have allowed themselves to be victimized, after repeated warnings. Adware? Not a big deal. Identity theft? Yeah, you are culpable, even if not responsible, if you have not made a best effort to secure your computer. In the case of large corporations losing your personal info to criminals, would you not blame the corporation as well as the criminals? See, they haven't bothered to really secure their network or websites because they expect insurance to cover it.

Michael Kassner

Still, they make the distinction that the attacker is present and therefore accessible in your example. Whereas that seldom happens when the attack is via the Internet.

Michael Kassner

That the author of the article seemingly avoided some of the more juicy parts of the report.

toddah

Just as a good corporate system will allow access to any computer only after a sandboxed viewing of the system state to determine if you are running antivirus and a firewall and are not attempting to open any well-known hacking ports, the ISPs could make this a prerequisite to allowing actual connection to the web backbone. This would serve a multitude of purposes in one fell swoop and also allow us to have a reasonable point of entry screening. Just like you are required to have a driver's license and a car in a reasonable state of repair to enjoy the public roadways in a responsible way, you need a reasonably configured machine to access the public web. ISPs would hate it because of additional cost/time, but I am almost sure they could recoup the investment in unused bandwidth taken up by botnet traffic and the like.

Deadly Ernest

in this. The bit where they say give the users the tools and power to hit back at the cyber criminal: let's forget about them using a bot of some sort but assume they got the real bad guy's correct IP. Under NSW law, you can get ten years hard time for initiating a cyber attack on anyone for any reason. So the US passes this law, a bad guy in Australia attacks you, you retaliate. The matter comes to the attention of the NSW police. They identify you. Bingo, they start proceedings for extradition as a cyber criminal. I bet you don't feel so happy about striking back now. I keep waiting for the law passed some years back allowing the RIAA et al. to launch an attack at a person who shares copyright files to bite them when they attack someone in NSW. The US law doesn't protect them here.

macgvr

I deal with users of every stripe as I provide computer support. They range from "I barely know how to turn it on" to the educated, knowledgeable non-professional. There are people out there who haven't got a clue and, unfortunately, can never be made to truly understand what they need to in order to fully protect themselves. They just aren't equipped to deal with the complexities of setting up their computer properly and maintaining it. For those of us who are knowledgeable it seems impossible that someone else could fail to understand what seems simple to us. Trust me, they are out there, they don't understand. So, are we then saying, let these hapless ones fend for themselves? Is it open season on those who are simply not equipped to defend themselves? That seems not only cold but very ineffective. There are far too many out there who would be victims, and they would be the ones who keep the criminal enterprises in business. There has to be another way than saying everyone fends for themselves. I agree that more education would be helpful and is important, but we can't rely on that alone. As we educate people the bad guys would just come up with new ways to deceive and mislead.

james.atkin

If you paid top price for a new car, would you expect or want to have to fit the locks yourself? How many of us would be able to do a good job of it? You expect to be able to lock the doors from the inside while driving through a slum, and be reasonably safe? And we expect it to be simple, a turn of a key, or push of a button. We all work and live with constant exposure to IT security, but when I think about explaining to my grandmother...shudder.

britnat

While the pro-active responses proposed by Brenner and Clarke may horrify the liberal fraternity, here's my view: we are already involved in the Third World War - civilized society versus the criminal world and the cyber terrorists. Right now the good guys (and the bleeding heart liberals consider themselves in the forefront of this side) are losing every round. The criminals of course just want to suck society dry - but sooner or later a "cyber Hitler" will launch a major strike, for whatever reasons. Evil cannot be contained indefinitely. It must be eradicated. Either the good guys take the initiative, or we can look forward to another dark age, like after the fall of the Roman Empire.

Ming Kang Tan

I used to know someone who has the most secure system in the world. Let me share this with everyone. It would be a better idea than the 2 profs'. This person claimed that he has the most secure system in the world, and this is how he secured the system. He disabled all network adaptors, wireless and wired; disconnected the LAN line from the system; removed all floppy, CD-ROM and DVD drives on the system; disabled the power unit; unplugged the connectors to the hard drive; removed the hard drive and threw it into the sea. Then he claimed, "There, the most secure system in the world. No one would be able to get any of my information from the system. Not even myself!" :) Let's see if everyone does that. We would most likely be out of all the fun of a connected world! The good profs seem to forget that we are imperfect humans, and the story of not slaughtering the goose that lays the golden egg. As humans we err, we could never have a perfect world, and hence the experts are there to help the victims, the enforcers to enforce the damages on those that do harm to those who could have protected themselves. The forces of any kind are there to protect or prevent anyone in harm's way. This is how humans became who we are now, by living in communities with individuals of glaring faults and weaknesses and not requiring all to be superhuman. I will end this with the rather lesser-known quote from the movie A Few Good Men: Downey: What did we do wrong? We did nothing wrong. Dawson: Yeah, we did. We were supposed to fight for the people who couldn't fight for themselves. We were supposed to fight for Willie. We all may be Willie, including the good profs.

RU_Trustified

...distributed risk, but NOT distributed security. As I have mentioned a few times before, systems were not designed to be secure. The dysfunctional infosec industry has a terrible track record; look at the state of security after BILLIONS have been spent. In my experience I would say many so-called security experts don't really understand security, only how to follow the herd and follow "best practices". The expectation that carrot or stick applied to Joe Everyman will produce any kind of significant result is a pure pipe dream. What is actually needed is a fix for the problem that is the root cause of the security issues we face, and something that will protect users from themselves.

rdavidson

My user account and password are equal to my locked doors and windows, my monitored alarm system like my anti-virus and firewall. If someone breaks into my home by circumventing the locked door, breaking a window, or compromising the alarm system, it's my fault??? I like the idea of reverse attack... let me equip my door handles with 10,000 volts, or pressurize my house so a broken window explodes violently outward, or have setting off the alarm release a billowing cloud of tear gas in the house... then I'll take on some responsibility for getting burglarized. I can only do so much without violating the law myself. I have to rely on law enforcement to use its tools to find the criminal. The problem with reverse attack is that the attackee turned attacker will have to prove he was attacked first, otherwise he risks a lawsuit. I tend to agree with the notion that software developers (i.e. Microsoft and others) are the lead contributors to the problem. Not for the lack of knowledge on how to do it better but the lust for money to push to market products that aren't suitable. They create a false feeling of security (I think AV companies are the worst) that everything is taken care of for them.

eryk81

Making every Internet user responsible for themselves and prosecuting those users for negligence, unwillingness to act, or purposely not acting is a great thing. However, what constitutes due diligence and absolves them of wrongdoing? If an attacker can subvert the user's protection systems (AV and firewall), would they still be liable? It reminds me of a law that was enacted in California that made the parents of teens having a party liable for underage drinking regardless of the parents' knowledge of the party taking place or not. What constitutes due diligence and would therefore absolve the user from actions taken by another? How would we be protected by this? If due diligence was defined by a panel of experts and novices, then I could see taking on more accountability for my computer and those in my care.

shardeth-15902278

Sounds like someone is pining for the wild wild west - vigilantes, gunfighters... yeehaa! Who decides what is sufficient due diligence w/respect to securing oneself? How many different AV scanners is sufficient (they all miss some, so should people be required to run two or three different AV scanners)? Will purchase of wireless devices be age restricted to prevent some enthusiastic youngster's computing curiosity from inadvertently making his dad accountable for data theft? What level of computer security education are we expecting of people who - in some cases - may not even be all that fond of computers, but must have access to the internet for some needful activities? And how often do we expect them to update that education, given that the security landscape changes almost daily, and given that even security "experts" have different views on correct and sufficient security controls? Is there going to be some central news-board people must check daily to determine which browser or browser plug-in(s) they can't use due to known unpatched vulnerabilities?

jgarner

I have been in the IT business for 29 plus years. I observed many years ago that the household, cybercafé, and/or library user had to take responsibility for what occurs at their fingertips. Our nation is full of people who do not want to take responsibility for their actions. It is our responsibility! I provided free security seminars for two years for individuals and small businesses. Limited attendance! Yes, I'm a certified Information Security Instructor. Marketing was times were aligned with people's schedules. Still no one attended. Until individuals have to pay for security issues originating from their technology assets, it is someone else's problem. Come on everyone, be accountable for your computer adventures.

tmalo627

Criminals these days are not afraid of the law. If they were they wouldn't be making the decisions they do. The biggest deterrent to criminals is that someone might fight back against what they are doing. So in a sense prevention is the way to go. How to go about getting that prevention requires the means to react. So let's use both in conjunction instead of being forced to choose between the two. Let's prevent what we can, and react to what we cannot prevent. Am I alone in this line of thought?

edennis

Information Security is what I do for a living. I have worked in the information technology world for 30 years now. I have the training and know-how to protect my home systems and network, but there are no guarantees. I do not believe that there are tools available that are configurable by the average user to guarantee their system is protected. What level of training for the average user would be necessary to protect them from the cyber predators? One of my jobs was in education. We gave our student body laptops to help educate them for 21st Century employment. The one area that fell through the cracks was the medical field. They did not have time to learn computers or computer security; they were too busy learning anatomy. The same things could be said of our law professors. Get real please!! Do you really think that lawyers have the time to learn computer security to protect the systems and network that they work within? The computer operating system, hardware and software manufacturers cannot make these systems secure. Therefore let's make it the responsibility of the user. Lawmakers do not understand the technology and therefore have problems creating laws to protect the public. Someone should point out to the law professors that they (and law makers) are computer users. Do they know enough to protect their own computers and networks?

techrepublic

I work in the Information Security industry and have a pretty good handle on the threats and mitigations, but even I have fallen behind on some of the ever-changing threats. Things like "man in the browser" attacks are carried out without the victim's knowledge. This can happen even if they have the latest and greatest security software and all the latest patches, so how can you put the blame on the victim? You also can't expect your average builder or hairdresser to understand what is required to protect themselves. They are busy earning a living and generally living life. They shouldn't have to become security experts as well. Most people know they should have AV and some even know a firewall is a must, but do they actually know what both of those components do and why it is important? I don't think so. Get real; it should be up to the software developers and the system architects to design and implement the controls. The vendors should ensure their software is secure.

cod3fr3ak

These guys are basically avoiding the issue, which is that we as information systems specialists are failing at our jobs. It's like an outbreak of typhus, with us being the doctors. These guys are basically saying that the citizens should make sure they test their drinking water before consumption, and if they don't they are liable for the damages incurred. Even though we built the pipes, and pumps, and found the water supply that turns out to be infected. Absolute minimums, in this realm, do not exist. The level of security knowledge required constantly fluctuates. I recall hearing about a MySpace scam where the criminals hack the target's account using information gleaned from the target's MySpace friends. The infosec threat is always changing and the minimum requirements are never static. I used to tell a close friend she should not use email addresses with her real name in them, because scammers will use a regexp to pull that information out, and then send custom scams to her and her friends using a friend's address. Think she changed it? She didn't understand how simple it would be to do something like that. How little effort it required and how much profit could be gained by doing it. In short she had no clue, but worse, she did not even possess the minimum level of knowledge to be able to understand and utilize the information I gave her. Think about it like this. Driving is a shared responsibility. Drivers agree to get tested and receive a license, learn the rules and then rely on the traffic system and roads to function correctly. What would happen if every day you got in your car the rules changed? Extra precautions were required of the driver, with ever more complex rules and terminology. The traffic signals conveyed more and more information in the form of various blinking patterns that the driver was supposed to look up to figure out what to do. It simply would not work.

Even after decades of telling people to buckle up for safety we still have not achieved 100% compliance (or even 90%; I think it's in the low 80's). So we have now made it a law to force compliance -- and still people don't do it! In the case of the seat belt, a single person or vehicle is affected. How do you think that scales on a network of millions, and possibly billions, of computers, cell phones, soft drink machines, air traffic control radars, vacuum cleaners, etc.? One person failing to "buckle up" can have a disastrous effect. I think we need to have a serious discussion about what we will allow vendors to sell for use on the internet. Just like the FDA, software vendors are selling people poison and are then asking people to be responsible for the E. coli they ate. Absurd. We need an FDA for our information system networks. Who will control it, what its mandates will be, etc. all have to be hashed out. Failure to liaise with other state actors will also be a factor (witness the Chinese milk scandal a few months back).

CG IT

and while mfgs of security software and news media educate the average consumer, there are those who will continue risky behavior even when educated about the risks. The consumer, even when educated, will conduct risky behavior just like those that smoke, drink to excess, gamble to excess, take drugs or have casual relations. Should the government protect those who will do the behavior knowing full well the risks, yet when they get stung cry foul the loudest? Should companies be sued for product liability if their software has a security flaw? I think we would see a big change in licensing agreements, a steep drop in companies that will sell software, or a huge increase in software prices to compensate for the extortion lawyers who will sue the companies for every little leak just to make a buck.

Deadly Ernest

numbers of the software sold. Let's say company A claims to have sold ten million copies of Operating System 2010 - it's found to have a vulnerability in it they don't fix in a timely manner. Their fine is then, based on $10 per copy, $100 million bucks, no ifs, no buts, and that would hurt. Heck, maybe the fine should be a percentage of the current retail price of the software, say 10% - thus failure to fix quickly costs them 10% of their total revenue for that product. We'd see some real movement out of the companies to see their software is properly written and tested, and also quickly fixed.

martian

Either that or he grew a brain while we weren't looking as this is the first ever post of his that actually both made sense and was on topic. What are the odds? ;)

Michael Kassner

Then resolve it. The professors took a stab at it. Does their approach make sense to you?

Robbi_IA

This is the deal breaker for me - who determines what exactly is reasonable protection? And how to legislate such a thing? Requirements for information security change too quickly for our legislative system to keep up - and then once a regulation is legislated, there is a learning curve...

check_here

As acknowledged in Michael's article, it would not hold in the existing legal system. However, given the status of the advocates of this paradigm shift and the chance, a modification in the legal system would make it hold. The point is whether such a change is needed or not, or if such a change will achieve the desired objective. My understanding of the proposition by the learned profs as conveyed in Michael's article is to the effect that since the offender is invisible or difficult to apprehend, the victim is not; and as such, apart from the loss suffered, the victim should be subjected to further possible loss arising from penalty for allowing himself to be attacked! What a justice? in the search of making the world a safe place from cybercrime? The proponents seemed not to have addressed the possibility that victims, for fear of being prosecuted and suffering further losses, might be forced to keep cyber attacks secret, thus giving a false impression of a safe cyberspace while the bad guys continue to inflict injuries on all of us (blameless?). Then the reality of 'suffering and smiling' will dawn on the whole world! Given the reputation of the profs, there is need to raise a voice of concern. By the way, how are the laws passed in the US compelling victims of cyber attacks to report doing? Can reporting authorities and research institutions guarantee reports of attacks? If fewer attacks get reported, fewer vulnerabilities may be discovered, giving room for cyber criminals to make more victims than we are experiencing.

Michael Kassner

Consider it in the scope that one person's actions affect the rest of the community. Does that alter your opinion?

kcs5456

Reading the responses in this chain I find a common misconception that makes this idea of control and responsibility difficult to comprehend. The environment we are talking about is cyberspace, not the real world. Cyberspace is nebulous and has no borders or safe places. A cyber criminal can attack anywhere, any time, for any reason without affecting themselves and achieving their goal. The best real world example of a place like that is a war zone or a city under fire. You do not know who to trust and there are no safe places without the proper security, and you only talk to people you personally know. You are responsible for your own security. The city will not be safe until there is one controlling force and (most important) everyone accepts and supports the control. The Internet will never be a safe place as long as software manufacturers make poor products. Security systems are always behind in innovation. Users are ignorant of basic protection for themselves and how their ignorance can hurt their network, system and users, and hackers are allowed to move freely. The professors of this idea have just rehashed an old Latin saying "Caveat emptor" (Let the buyer beware) or in this case "Let the user beware". This is our problem and we are the solution to it.

Michael Kassner

I suspect that the professors were just trying to open a dialogue with their suggestions. You know how lawyers like to debate.

LyleTaylor

that doesn't necessarily justify the view in my mind. They may have just as much difficulty in finding the attacker in the slum. Perhaps there were no witnesses and he attacked me from behind. Perhaps he's left the country since. The only thing you really know that is different is that the attacker was at least present when the attack happened. I agree that the situation is not exactly the same, but I'm not sure the recommendations are valid or appropriate just because it can be much more difficult to find and prosecute the cyberattacker.

Neon Samurai

Well, for average users it would help, but for other users it would force the need for an "advanced user" tier and pay rate, or some people moving to a business connection and its rate increase though all they need is freedom to use whatever port they like. If network services could only be bound to a single port, this would also be a more viable approach. You could be sure that 38342 was a specific program rather than a network service intentionally moved to it. In my case, I do a lot of port scans from home as I'm always hammering the servers in my care. I'd suddenly have my ISP screaming at me for some of the traffic I justifiably send out.

Michael Kassner

Has a lot of issues, but what are the other choices? I haven't heard any options that would resolve this totally. I like your "make developers responsible" idea, but there's more to it than that, I think.

Michael Kassner

If you read the report, you will see that there are three groups of users, each with certain responsibilities. Are you saying we should just leave it as is? How should we fix this?

larrie_jr

Sir, I like the cut of your jib... This is what I have been TRYING to get across in my unsuccessful way throughout this post. This paper is a way for the powers that be to shirk their responsibilities to the public in general. That's why we hit "mark this as a phishing scam" in our hotmail junk boxes. We send them to the powers that be to be handled for us. Even we 'learned' individuals here on Tech Republic are vulnerable to attack. We do our best to protect our individual networks (private and business), and I would HOPE we try to take care of those close to us... family, friends, mothers-in-law... the ones who may not be able to defend themselves in this environment. But to make me obligated under threat of criminal retribution?

Michael Kassner

Well said and I agree. What you may have missed was that the report cited using three user groups, each having different needs and expertise levels. That makes a difference.

Michael Kassner

Your fault. You are abiding by the preventative measures. If you check out the report, there are three user categories. Each will cover the different expertise levels required to make it work correctly.

Michael Kassner

The report is the first I've heard of this approach and I proudly wanted to inform the members of a cutting edge development. Hopefully a new and mutually acceptable approach will result.

Michael Kassner

Like any new concept it needs to address many issues. The professors just see that the existing status quo really isn't working at all.

b4real

The end user has an expectation, but that can only go so far. I think correct provisioning is more important, backend.

Michael Kassner

The professors actually say the identical thing in their report.

Michael Kassner

The professors describe three types of users. I think that would address your concerns.

Curious00000001

The way the current legal system works, you are liable for damages if others are harmed due to your "negligence." If a branch from a tree on your grandma's property falls on your neighbor's car, guess what, your poor old grandma is liable. Ridiculous? Absolutely. Would they win the case? Absolutely. If your property (computer) is posing a danger to others (bot virus, etc.) and you do not take action to get it resolved (fix it or pay someone who can), then why not be sued for damages? I would rather see the guy down the street who refuses to pay for AV fork up the dough in a lawsuit than the grandma who forgot to roll up her garden hose!!!

Michael Kassner

Software issues seem to be the overriding issue. I guess that's obvious, though. Any thoughts on how we can fix it? Also, I wonder. The professors aren't slouches; they are well respected, yet seemingly making strange suggestions. Is that part of their effort to raise consciousness?

Michael Kassner

Example: what if the rules of the road changed daily? That's good. It always seems to get back to software and the vulnerabilities.

jtmaupin

There is no way for the average person to stay ahead of the curve in cybersecurity. Innovative hackers are constantly finding new and as yet undiscovered ways to compromise our systems. Something like 1 in 4 major websites are currently compromised. You can't just push it off on the consumer, as there is a long trail of culpable parties along the way. If you are holding the consumer liable for lack of security, then you have to follow through and hold the hosting agent and the product company liable for what's on their web presence. Try passing laws that make the corporations behind these websites liable for the threat that they pose to the consumer, and you will have lobbyists crying loud and keeping this from passing. By following this train of thought, simply accessing the Internet will eventually become a crime, as there is no way to guarantee cybersecurity.

Michael Kassner

They seem to think that making it a crime to have a sub-standard computer would eliminate some of the risky behavior.

Curious00000001

IMHO it should be a mix of best practices and common IT sense. Keep your patches, AV, etc. up to date; employ a host-based firewall, and disable any features you are not using as a baseline. If a home user is not IT savvy there are plenty of books or free articles online that describe how to do this, or even hiring someone to do this for you. I agree that for end users legislating anything specific would be counterproductive; however, legislature for vendors to develop secure products out of the box is badly needed. I don't think this is an exact science as everyone's needs and protection level is and should be different. If you are a business with people's financial data you need much stricter security than the home user who plays solitaire and checks email. I would say a personal firewall and antivirus with basic security settings would be considered reasonable for the general home user, while if my bank didn't have a full security suite with trained administrators and security team(s) I would consider them negligent.

check_here

I guess no one would excuse any user who collaborates with a criminal to commit crime even in an offline environment. Such action itself is tantamount to aiding and abetting, which in many jurisdictions would attract penalties. So, there would be no need to reverse culpability in commission of cybercrime. Users' responsibility and accountability for their roles in commission of crime are addressed in cyber laws such as criminalising acts done in excess of authority, implying that where a user willingly grants a person an authority to use his system to carry out some lawful actions, the person so granted cannot be accused of committing an offence, unless where the act(s) constitutes an offence. Based on the foregoing, the Profs' idea may be situated in specifying what constitute minimal requirements for computers connected to the internet, which can then be codified. But in doing this, the nature of security in the cyberspace vis-a-vis day-to-day discoveries of vulnerabilities, exploits, etc. should be noted, which may ultimately make nonsense of such minimal standards.

Michael Kassner

Along with making the user more responsible. Both reactionary and prevention.

check_here

As posted earlier (post 230), the solution lies in acknowledging that perpetrators are brought to book in order to serve as deterrent, rather than punishing victims (thereby encouraging the perpetrators). In order to bring the perpetrators to book, (a) users must be educated CONTINUALLY, (b) users must be encouraged to report attacks and infringements to law enforcement or other established agencies, (c) knowledge and skills of law enforcement agencies must be developed to overcome the challenge of identifying and locating perpetrators (howsoever they may hide), (d) there should be sustained advocacy to raise the awareness of the global community to the dangers posed by cybercrime, (e) evolve a global framework similar to that on money laundering, to encourage nations of the world to ratify and domesticate a global convention on cyberspace, commit and collaborate on cybercrime, (f) promote and advance product crime-proofing as part of measures aimed at assisting law enforcement in apprehending perpetrators of cybercrime, through standardisation, promotions, etc. It is not only that I am not convinced or persuaded to follow the suggestion of the two learned Professors, I see the suggestions as capable of turning the wheel of development backward as enumerated in my last post (post 102).

Michael Kassner

I sense that you are not convinced. What would you see as a solution?

Ocie3

at least one mistake, in one of the statements that you quoted from their paper (which I have not read in its entirety): " .... One who aids and abets a crime is liable for it as if he committed it." I am not a lawyer, but I am sure that statement is not true, rather, one who KNOWINGLY aids and abets a crime is liable for it as if he committed it. If someone who is planning to commit an armed robbery stops to refuel their car on the way to the place where they expect to commit the crime, then the person who enables the pump to allow the robber to refuel their car is not guilty of aiding and abetting the armed robber. To be guilty of that, they would have to also know that the driver of the car is planning to commit an armed robbery. Then again, if anyone does indeed know that someone else is planning to commit a crime, then they have a duty to inform the appropriate law enforcement agency or agencies as to what they know. So the argument that people who do not take all "recommended" (?) security precautions to protect their computer are aiding and abetting any criminal(s) who gains control of their computer is, simply, wrong. From what you've disclosed of the paper, the law professors want to blame the victim of the criminal for the crime, simply because it is currently very difficult (and often seems to be impossible) to apprehend and punish perpetrators.

Deadly Ernest

two opinions on each matter, and sometimes three.

BlueKnight

After each of the lawyers reads the new law, they decide that it doesn't address "X," so they draft a new law to supposedly cover the "inadequacy," but, in the end, nothing is gained... except more laws that say the same thing. Take California law for example. You will find sections in the Penal Code that are also found in the Education Code (and elsewhere), yet there is no difference in them other than the particular Code they are contained in. This is nuts! Michael asked for examples... consider state vehicle code laws where drivers can be cited and fined for having a cracked windshield. The windshield protects the vehicle occupants as long as it is not cracked. Once cracked, it can shatter if struck with enough force and injure the occupants. The penalty here, is an inducement, if you will, to force the driver to maintain the protective shield in good condition. Yet many ignore the law. The problem with cyber security is that there are so many absolutely clueless users in the world, that punishing them will do no good because they simply don't/can't realize they need to change. Like our cell phone law... use it while driving and you'll get fined, and pretty stiffly now too. People at first adapted fairly well, but now, they seem to take the approach that "my phone is convenient and I'll talk on it when I darn well please, so screw your law." Maybe cyber security has to become something that is forced on users, somewhat like seatbelts in cars. But then, there are still people who won't wear seatbelts. Unfortunately their penalty is becoming "roadkill." Hopefully it won't come to that.

Michael Kassner

I have to be careful, one of my very good friends is an assistant attorney general.

Deadly Ernest

new law - they came up with nine different interpretations.

tracy.walters

The analogy that comes to mind for me is that of riding a motorcycle. When I'm out on my bike, I have to be very aware of the drivers around me; most are not malicious, just busy talking on their cell phones, thinking about something else, lighting a cigarette, etc... generally not paying attention. Occasionally, I will run into a malicious or aggressive idiot who either 1. wants to see me in a wreck or 2. doesn't care what happens to me. I believe the same type of personality exists on the Internet... the malicious folks want to see damage for either monetary reasons or for the thrill, others want to do it just because they can or want to see if they can. On the Internet, I believe I have the same responsibility as I do driving my Harley: if I don't take reasonable precautions, which are keeping my bike in good repair, wearing the right clothes, watching out for idiots, obeying traffic laws and generally looking after myself, then I get what I deserve. If I drive down the road sightseeing, making crazy turns in front of cars without signaling, not paying attention to anything, I'm probably going to get killed. And it really wouldn't matter to me if the driver is from my town or from Russia... I'm still dead. If you don't take normal precautions on your computer, keep its software updated, look before you just press buttons (I just hate 'clicky' users) and use common sense, you're going to get nailed. I don't care if you are a Grandma or a computer savvy individual... use the rules of the road on the Internet.

Michael Kassner

But, I'm thinking that would take some major political clout to change or add laws and we the people don't have the lobbyists big business does.

Deadly Ernest

things about. As I mentioned in another discussion, if the software is released too early and has vulnerability flaws, the company should be required to drop everything and fix within a small number of days or be forced to pay a hefty fine. Say five or ten percent of the current retail price of that software multiplied by the number of copies they've sold. A five or ten percent loss of total revenue for a product will get their attention and action. A few such issues and they're in the red on the product; four or five and the company is probably bust.

Michael Kassner

It almost seems that it's too late to change the accepted behavior of how and when software should be released.

Deadly Ernest

but we still see new software from a major software company being released with some of the same vulnerabilities their stuff was released with fifteen years ago. Until they get penalised big time for such garbage, they won't do anything to fix it. They have suggested a fix which is best summarised as 'give us full control over everything you do on your computer and lock it into our software permanently.' Sorry, that doesn't wash with me. Personally, I think they make little effort to fix all the vulnerabilities as it helps their case to push for the draconian solution they want to put in place.

Michael Kassner

It's a very complex issue and I suspect it's going to take a major shift or quantum leap in how software is developed. Removing vulnerabilities seems like it would go a long way to resolving this.

Deadly Ernest

have one for this. Even in dictatorial countries they have criminals and others who operate outside the law. I can see a few very important aspects here: 1. The software has to be written better and not released with known or easily identified security holes. If this means the proprietary code makers are going to have to submit their code for peer review by a select panel, then so be it. Also extremely heavy fines for releases with bad code that should have been easily fixed prior to release, and heavier fines for delays in fixing faults that couldn't have been reasonably known prior to release. 2. Better education of users, starting at the manufacturer and retail end. No more 'a computer sells like a toaster' process, but more like a 'computer sells like a sports car' process: talk about security and the need during the sales pitch, make it mandatory. 3. Better resources for police working on this, and that includes more international meetings and local laws to foster cooperation like some of the drug laws do. 4. Last, but not least, my favourite saying: Never underestimate the power of human stupidity. People will do stupid things; take that into account.

santeewelding

Who will bell the cat, how, and why. Think for all time.

larrie_jr

Right or Privilege??? That, my friend, is the most dangerous question of all... When we open the door on that issue, all kinds of nasties come into play; everything from regulation, to policing, to prejudice of the dissemination of information, and on and on and on... If not on this topic, that thought pattern could be put to anything from birthing and parenting (now THERE is an issue which would benefit from privilege applications), to guns and speech... Beware the road you tread in the name of progress... CONTROL requires someone, or some entity who should be in control... unfortunately, this too often leads to corruption, not control...

Ming Kang Tan

Haha ... please don't address me as sir ... just a normal fellow here too! :) I don't think the good profs were trying to write a paper to let the 'powers' have their ways as you mentioned. I believe their intents are genuine and pure. However, yes, the paper itself could easily be used to lend arguments to the powers to sway the opinions of the general public otherwise. So yes, we need to bring attention to this despite being unpopular or deemed academic by others! You have me here! :) Everyone likes a quick silver bullet to shoot at a problem or at the 'bad' guys, but everyone should ask the question, "what if I am on the wrong side of the bullet when I am not the 'bad' guys?"

Ming Kang Tan

Thanks, Michael! I totally agree with you that we should not make a blanket call or argument for all. If we do, there will be no workable solution at all. However, this is therefore my caution. Most will miss this difference over needs and expertise level when it comes to looking for "A" solution, the legislators and the enforcements too! When that happens, any well meaning measure may actually haunt those it is supposed to protect! This is my caution for ideas with a nature similar to what the good profs are proposing even though I may not have objection or better alternatives! Just like the good colonel in A Few Good Men. A good soldier, who would not think twice before putting his own life on the line of fire for his fellow people; strangers, who would never say thanks to him. He too forgot that the weak willie was one of those little people he claimed to protect!

Michael Kassner

I'm curious about your mention of security being initially proactive. Could you explain that, please?

larrie_jr

Yes Michael, I read the paper. I just don't agree with the paper. It talks of regulated gateways, taxation, reporting to authorities... It sounds a lot like China's net... You want to add these types of expense etc. to the organizational levels in this economy? Even if it were to come to fruition, larger companies sell one another credits for pollution; they would simply pass the cost on for this as well. What of the small businesses? Are there supposed to be degrees within the classes? And the architect level is still too broad... And once again I say, you should punish me for getting mugged (cyber attacked)... by a biker gang no less. As the paper stated, cyber crime is not just generated by individuals unto individuals; all too true, one individual can attack many people, and even entire countries are behind this broad range of attacks. Security by nature of the beast is initially proactive, but continually reactive. It is these types of people/entities/countries which perpetrate/create these threats. This paper claims not only technological responsibility, but social engineering resistance is the end users'. So now it's a crime to be stupid???

Michael Kassner

I'm not following you. Did you read the part where there are three different users? Where the software developers, equipment manufacturers and such are a group and have a certain amount of responsibility? The professors are just asking for accountability from everyone, is that so wrong?

larrie_jr

"Mutually acceptable"? I found THIS idea absurd! I think the paper was a foof-paper; a lot of hot air. Talking to be heard (or in this case, writing to be read) is the essence of this paper. The driving analogies and all that require a TEST of COMPETENCY... Shall we "test" the "experts" here on Tech Republic and get the high end of the spectrum? I would lay dollars to donuts that MOST of these guys would fail if held to these standards. If these guys aren't able to "pass the test", what chance would "Jane Q. Soccermom" have? NO... the only reasonable solution is to CREATE a type of Local Cyber Police Force which focuses its energy on cyber crime... LOCAL crimes... Ones which CAN be prosecuted; i.e. child molestation, child pornography, phishing, etc... As for bots and trojans and viruses... THAT, MY FRIENDS, IS WHY WE GET THE BIG BUCKS!!!

Deadly Ernest

if something doesn't exist or the current version is a special build, then the military will build it from scratch. BUT, if an existing product is on the market and it gets close enough, the military system is to try and get it massaged to suit. The theory is a massaged buy will be quicker and cheaper than a from-scratch project. Sadly, this is true as the military from-scratch build process requires fifteen million (or thereabouts) different people to have their say on what should be put in it before they start on the development outline. Having decided a market available product can do the job, it then goes to a purchasing officer to decide which of the choices they'll get. Now we enter the realm of the marketing area, people who buy purchasing decision makers outright on a regular basis. Sadly, many military purchasing decisions are NOT based on what is the best product, nor the best price, but on what is the preferred product of the purchasing officer or the top dog in purchasing for that project or the project's current top dog, usually what they know best or who bought them the nicest gift recently. I've been caught in the wringer in both these systems in the past. One build-from-scratch project I was involved with, peripherally, the original was going ahead on a special build as a Unix base. It was a few weeks shy of going on a live pilot test program when the project leader was changed. The new guy was a Windows fan and wouldn't hear of having anything but Windows as the underlying OS. So hold everything, go back to square one and redo based on NT. Doing the original from scratch took two years. Redoing it all to work with NT took three years and then didn't work properly all the time. Change of project leader due to the failure to deliver on time, and the new guy had them go back to the original code, update it, and five months later a pilot project was in the field. All works well, a few more adjustments for new capabilities and back for testing.
Within a year it's going live. The time and resources wasted on the NT version were due to a personal decision by someone with the power and authority, not based on what was best. Way too many military purchasing decisions are made this way. BTW - This incident was about six years before I switched to Linux. I was solely on MS Windows for the desktop then, but even I could see that Win NT was NOT going to be able to meet the task.

Neon Samurai

As I remember back, they were looking at alternative platforms since XP was end of life and Vista was a no go. MS suddenly became interested in addressing their issues and agreeing to provide support for shorter patch turnaround time. I'm sure there is much more to it than that and I don't want to toss in the conspiracy theories. Without being in the office that made the final decision, who knows. It'd be interesting to hear more from the military side provided it wasn't classified, but security through visibility isn't really a military practice.

Michael Kassner

I was in the service and as you say they don't scrimp. So there must be something to it. Especially when a complete vessel is relying on it. I have no doubt that it works just fine.

Neon Samurai

Big business; sure. Military, these are the folks that can dump money into custom weapons and technology. Why is a ship-wide system using Windows in the first place? Million dollar missiles and they can't take the time to do a custom BSD or something? I guess this goes back to Chad's article on China's government and military approach to computer systems vs the US lagging behind.

Michael Kassner

A ship-wide Blue Screen during naval exercises. I find it strange that every second Tuesday an IT guy aboard a ship has to wonder if something is going to break.

Neon Samurai

Schneier had a comment on it of course. The news hit about three or so months back, if not a bit more, I think. My understanding is that they are using the custom Windows build for all installs, be it on the boats or land offices. Microsoft modified it through configuration and back-porting some of the Vista and Win7 features to eventually meet military standards for information security. They have a standard image across systems. MS can test patches against it, then the Navy systems can push it out. I think it cuts down patch times from something like three months to a few days or a week at the most. I'd not heard anything since the initial news cooled off though.

Michael Kassner

They have it running on ships now? I've heard about that and some of the weird problems they encountered.

Neon Samurai

Sure, it's just like a toaster; pop in your bread, push the button and out pops email. Apple? Oh, there are no viruses. Vista? Just look at the Wow; zero to internet in no time. I agree that this is part of the problem. In terms of this discussion, we're talking about a future case where users are held accountable within reason though. I'm assuming that in such a future case, knowing how to run updates would be part of that. It should already be obvious, but if they were not sold like maintenance-free toasters already, many of the current issues would already be addressed.

Deadly Ernest

issue with the updates etc. The average user doesn't KNOW they need to update as they aren't educated about it. Look, when I buy a new car I get this nice book that sets out services and when they should be done; the salesman tells me about having to bring it in for the first two services and tries to get me to book a date at that time. Carry the same situation through to a computer, where doing updates is like your regular service. But with the computer there is no manual, let alone a service book, nor do the salespeople tell you about the need to do regular updates. Hell, you're lucky if they tell you anything about security. Since the users are acting in ignorance, we can only judge them by the information they know at the time; which is none, for most users. Twenty years ago when you bought a computer you got a book that told you about all the parts and what they did, and how to look after them. You got manuals on how to use the software too; I still find many useful answers in the user manuals that came with my early copies of Word for Windows 2a and Excel 4 when helping people. Today computers are sold as plug-in-and-forget consumer things to use. And the users use them that way as they know no better. This is the fault of how the manufacturers and retailers market them.

Neon Samurai

We have MS once a month to keep enterprise happy, except with the US Navy where they have a custom Windows build which MS will do quality testing against for much shorter patch release times. We have Adobe's once every three months. (Flash 64bit for *nix-like OS works great though it's in beta, just a short two years after the win32 64bit player; glad to have it finally, sucked to wait so long.) We have some variety in the Linux distributions, though generally as fast as a project can patch followed by as fast as the distribution maintainer can provide it to their specific Linux branding. (FF is now in day two of ASAP development for the 3.0.12 release. Windows download will be available right away and distributions will take on the update at their own paces.) I absolutely agree that it's not just a user issue. Only laws or lost revenue can affect some business models, and mostly the second of those two motivations, unfortunately.

Neon Samurai

I agree, computer vendors need to stop selling toasters. Apple's marketing doesn't help or reflect reality, nor does Microsoft's. I definitely think the software vendors have a big part of the responsibility in making updates easy to obtain and available in a timely manner. No more "oh, that's a feature" or "yeah, we don't have any problem in our NIC driver". When the update is available and easy to check for, be it an automated taskbar icon or five seconds to run an update utility, who has been irresponsible in not applying it? You and I are lucky, or spoiled, in that updates for the entire system normally come in through the same single utility. We enjoy a faster average turnaround time between bug report and update release. I realize this skews our view to a degree in that other systems require multiple different update utilities for managing system-wide software. That too is an issue with the developers and applicable business models. I fully agree though that the software providers are also responsible. This is why I specify users doing all reasonably possible. One can't blame a user for not coding their own patch pack, but when the software update is available and waiting, it's (cough cough, Conficker...) a user problem. It's not strictly a user problem but a computer problem; everyone from end user, through retailer, on up to developers and hardware manufacturers.

Michael Kassner

To consider all the other applications. Adobe plans only to update every quarter on MS's Patch Tuesday. I doubt seriously if that's sufficient, especially since lately Adobe has been a focal point for the bad guys.

Deadly Ernest

knowledge, the people who sell computers to the average user, Dell, and Microsoft do NOT take time to impress upon them the need to regularly run upgrades and updates. At best it's a fine print instruction in two point font on the very last line of the instruction manual, if at all. Before you can go ahead and make all users responsible for not patching, you need to have MS running prime time ads about their current patches and why they're important. Think of it like a change to the law. Major law changes that affect a lot of people, like the traffic laws, have huge ad campaigns before they come into effect just so the authorities can say the people have been duly notified of the need to change.

Neon Samurai

With Windows, you visit Windows Update or read the taskbar popup: "Hey. Patch available, shall I update your system?" With OS X it's a little easier as the update utility includes more. With Ubuntu or similar it's easier again as the update utility includes everything installed through the repository sources. I agree that malware hunting on a machine may be beyond the average user, but proactively keeping software as up to date as provided by the software provider is easy, and recognizing that you have something a more skilled user should look at is also an easily learned level of knowledge: "My AV software is complaining, I should get this looked at."

"What's worse is that many scammers offer the 'security services' as well. Recall the 'You have a virus' popups."

This is one of the more insidious methods of fraud as the trojan horse poses as the software guard against what it intends to do. Much like using a police badge and uniform to gain entry to a home, then robbing it blind and leaving the occupants tied on the couch. I wouldn't even suggest in quotes that such software provides a security service as this is just the social hook used to con the user. The defense is: "you have this AV software right here in your taskbar; if it's not this AV software complaining then it's not to be trusted." I agree that the end user can't be held absolutely responsible and especially agree that software vendors who knowingly ignore reported vulnerabilities are at greater fault. Users can still be considered responsible within reasonable limits though. Patches are not up to date, click on everything with a button before reading it, continue using your machine when your AV is screaming and popups keep appearing; that is user negligence.

cod3fr3ak

See, the problem with this is that the amount of knowledge required to determine if a tree on my property is a threat to my neighbor's property is negligible. On the other hand, determining whether or not I have a rootkit on my machine takes special knowledge that is not available to the average user. The law also makes provisions for the second occurrence. What's worse is that many scammers offer the "security services" as well. Recall the "You have a virus" popups that sent you to a site that installed a virus on your machine. These types of threats are evolving at the speed of the Net, and it is impossible to train or inform a simple user how to navigate through the forest of crapware and malware. To expand even further, there are many software vendors that know of flaws and vulnerabilities within their software. These vendors do nothing to address the issue. This happens even in the non-IT world. Recall the Ford Pinto. As an IT professional it is very easy for me to identify possible avenues of attack on my system infrastructure (at home or work). It is not nearly so easy for a layman. This is a fact. And one we must deal with, as I outlined above.

cod3fr3ak

but there will always be people who are fanatic in some way and will opt out of whatever social or economic framework that they do not agree with; such is their right. Sometimes it is benign, think Amish or Mennonite. Other times it is dangerous, think Waco, Texas or North Korea. In the end we will protect ourselves from the latter and leave the door open for the former.

Michael Kassner

And it makes all sorts of sense as money drives the world. The only issue would be the fanatics that could care less about finances.

cod3fr3ak

are you telling me that only other nations harbor criminals? No government has a stake in screwing up the internet. It's too profitable. This reminds me of the people upset because China had anti-sat missiles. So what. They destroy the very communication channel that they use to communicate on the world commodity exchanges?!?!? Look, all leaders are on some form of the take. The question with regards to government intervention should always be in the vein of what's best for commerce and business -- long term. What happened to the Privateers? It became so profitable to trade via the sea only a war could get nations to disrupt the trade. The internet should be the same. I agree that there needs to be MUCH more cooperation between various governments to stop criminals from abusing the ease of the net. However, that should go in tandem with requiring software vendors to clean up their act. First we fix our issues at home, then we go to others and refuse to do business with them unless they ensure some level of security on their networks. This can and has been done. When was the last time you heard of a bank complaining that an electronic stock trade or money transfer didn't go through? Hardly ever; the banks figured out quickly that they make more money by establishing secure protocols to exchange financial data than they ever would by trying to cheat each other.

Neon Samurai

Criminals have always been around. Con men are nothing new even if they've adopted the new medium of the internet. Computer history and enthusiasts are not to blame. If you want to understand what "Hacker" means: http://www.youtube.com/watch?v=_yU1Fi021mM Second, how does one "kill the criminals"? I agree that the correct term is "criminal" but can't see how one enables justice. We can't get a hold of the criminal, but the other variable is the user and we can get in contact with that person. I don't think it's so much persecuting the user as it is addressing what enables the criminal to profit: the user's lack of knowledge, lack of regard for what they are doing, or lack of management of their computer. I wouldn't burn out a user's computer because they got pulled into a botnet, but that user should be made aware of it, required to take steps so it doesn't happen again, and helped to clean up the mess on their system. It's not a perfect solution but it's much better than the complete ineffectiveness of hunting the criminal.

teeeceee

The root of the problem is not and never was the software, the internet, nor the average law abiding user. It all started out with us, the computer whizz kids and gurus that hacked and cracked for fun and games. Criminals picked up on that and ran with it. The real problem is the lack of the ability to go after the criminals that are being harbored around the world by governments that turn a blind eye to the activity, because 1. They have a stake in it or 2. Certain of their leaders are on the take from the proceeds. There should be retaliation aimed at the ISPs, governments, and the hackers and malicious code authors that are hiding in their safe havens. What would be wrong with a government initiated mandate that all traffic originating in, say, North Korea be blocked? I know, the business concerns that make use of the pipelines would howl. Let them! They might then use their economic influence to get those governments to crack down on the illegal activity. Let's face it, IT admins. We cannot stop it without help.

larrie_jr

This is akin to charging the victim of a mugging with a crime simply because he chose to walk in this particular neighborhood. You would charge a rape victim with a crime because she didn't wear a chastity belt??? Putting this on the victim is a RETARDED statement and these people should have their degrees REVOKED! While I don't have any alternative opinions (this is truly a situation which cries out for a solution), I will not condone a solution simply because a better one hasn't been conceived yet.

Michael Kassner

You will see that all of the other parties you referred to are considered users as well. The paper divides users into three categories.

dixon

...I think we have to accept something less than perfection. One thing that bugs me about those law professors is that they seem to begin with the premise that there can be a perfect solution. From that premise, they then proceed to beat up the wrong people. To me, however, the situation seems akin to human health: although billions of dollars get spent on medical research, and people are urged to eat healthy, exercise, avoid bad habits, drink plenty of water, and get regular checkups, nobody would dare suggest that you won't ever get sick, much less guarantee that you won't. The professors seem to suggest that every illness equals a malpractice suit, either against the doctor or the patient.

Michael Kassner

Does have issues. Yet I've yet to hear of an alternative to what exists that would be better.

dixon

Scenario: Lawyers succeed in classifying AV companies as some category of "users" who, if not 100% successful in preventing damage from a new virus, are guilty of "aiding and abetting" cybercrime. Millions of victims use that as a legal basis for suing for lost data, downtime, lost productivity, emotional pain, the Irish Potato Famine, and the heartbreak of psoriasis. AV companies decide they can't handle such open-ended liability and shut their doors. When was the last time you saw a virus handily skate past a respected AV product? For me it was yesterday.

Michael Kassner

Never thought of that aspect. I guess it's a good thing I'm just a security analyst and not an attorney or sociologist.

Deadly Ernest

what may help you understand is the situation about part of our medical system here in Australia. About ten years ago we started getting a lot more very frivolous law suits against doctors. You have to remember that when you see the doctor, a very large part of the diagnosis is based on what you tell them. Well, we had some cases where people had not been as forthcoming with the doctors as they needed to be and it resulted in a misdiagnosis. Move on a few months and things are worse. By the time the doctor has started pulling his hair out and ordering every test under the sun, the illness is well progressed due to the patient sending the doctor down the wrong path. Tests finally identify the illness and treatment starts. Patient sues for malpractice. Courts hold the doctor should have known (maybe by a psychic reading) what the patient didn't say and still come up with the right diagnosis. The result is a lot of doctors now over-order tests; they also refuse to start treatments until AFTER all the test results are in and they have a positive match somewhere. This still delays treatment, but is not seen as malpractice, though it delays treatment of all patients. On a side issue related to this, obstetricians have had a few major payouts due to unusual problems with a delivery where the hospital being used doesn't have all the equipment or staff to help with such a low probability problem. Malpractice law suit, huge payout, insurance policies go up, many doctors stop doing obstetric work as they don't get enough OB patients to justify the much higher insurance costs and they can't charge more due to the semi-socialised health system. Rather than run at a loss the doctors cease specialist work and go back to being a basic GP - this is more a problem in rural areas than cities, where they can get enough of the specialist work.
In my region we have about a dozen doctors qualified to do OB work and not one will do it now as they do NOT have the professional insurance coverage to do it. The silly laws are such that even if they do OB work as a GP in an emergency, they are likely to be in breach of their professional liability insurance as they aren't insured for the specialist work. The result is they can be on hand, give verbal advice that they can't be held accountable for, but can't do the work because of the legal system around the insurance situation. The bar for malpractice needs to be lifted a lot. .......... When you apply the same process to this situation, you will see the same thing happening. Make people liable for things out of their control and they stop being involved.

Michael Kassner

I'm not sure what you are saying. Could you help me understand, please?

dayen

There are 5 billion idiots in the world, so now the governments can make money finding them. Will it solve cybercrime? NO!! Just more money wasted on governments. If you think people outside the tech world understand, then you're out of touch with reality and making the victim a victim twice.

Michael Kassner

Sorry, brain fade today. I'm not following your logic.

dixon

...watch for AV vendors to shut their doors overnight, quickly followed by door lock manufacturers, doctors, and police forces.

Neon Samurai

If the machine is on the network and has any reason to be detectable then there are tools that don't use ICMP. No need for it to be unblocked at all these days. You seem to be taking it to an extreme for the purpose of absurdity. I think there is a very reasonable middle ground between complete negligence and the absurdly zealous level you describe.

- does the user regularly check for program updates and apply them in a timely manner?
- does the user employ a firewall with a reasonable rule set?
- does the user employ AV active scanning on email and file access? (These would be reasonable to most for just checking email and browsing a few websites.)
- does the developer use best practices of security by design when building the website?
- does it do form field validation and mitigate script injection?
- does the developer address newly discovered issues in the website in a timely manner?
- if the developer's site is "cracked" (hacked is not the right word), was the breach made through something the developer was aware of and had not addressed in a reasonable amount of time?
- if the developer's site was breached, how did they respond to restore the site and correct the issue if it was not previously known?

Let's expand up the food chain:

- does the software developer do reasonable quality control testing?
- does the software developer address reported vulnerabilities in a timely manner? (FF will have 3.0.12 out ASAP to address the JIT vulnerability, for example)
- does the software developer consider security as a fundamental part of the design?
- does the software developer provide safe software through practices like off by default and minimal install?
- does the software developer enable vulnerabilities in third party software through its own design decisions?
- is the software developer open about discovered vulnerabilities so that mitigating steps can be taken by users until an update is released to address the issues? (FF explains how to disable JIT, MS explains how to address the Kill Bit until ActiveX can be updated)

None of this is new or an unrealistic burden. If one's car falls below a safety standard, it is no longer allowed on the road. You mention ICMP; really, there isn't a reason for it in most cases these days and most consumer grade routers can block it easily. You mention mugging victims. If someone is walking down dark alleys waving a fist of bills around and loudly explaining "I'd kick anyone's butt!", are you not going to ask them what they were doing when they do get mugged? Sure, the criminal is the key focus of the law, but street smarts and "street proofing" are still a part of it. Do you not teach your children to look both ways before crossing the street or not talk to strangers? The problem is that one can't control the attacking side of the equation. Over thirty years of Internet popularity has shown this. People will do bad things with anything, including computer systems, and it's not always a simple matter of sending the police over to knock on the door. What can be controlled is the user side of the equation; people can take some responsibility for their own activities and safety just as they do in every other daily task. Negligence applies to everything else, why should people be absolved of a reasonable level of responsibility just because a computer was involved? It's not 1960 anymore and computers are not some obscure device only seen by people with thick glasses and collar shirts. It's time to take responsibility for one's own safety. The only point I take real issue with is your use of "hacker", which is in the completely wrong context unless you actually did mean "a computer enthusiast, security enthusiast specifically, who owns the system or has obtained prior permission to test it."
If you meant willfully breaking into systems without prior permission then you can simply use the correct title, "criminal", or "cracker" if it needs to sound all computery-cool.

Michael Kassner

Fix that. If you read the report, the AV companies are considered users, therefore responsible.

Michael Kassner

What is your solution, more of the same? I beg you to read the report; I didn't do it justice. It's 48 pages long and I could only hit the highlights.

larrie_jr

We as professionals have issues with reasonable efforts. One man's reasonable is another man's UN-reasonable. Most of these people simply want to check their emails, and maybe do a little web surfing. What would be reasonable in that instance? What about the web developer? Should he/she be held accountable for having his/her site hacked? What about the ISP who could be monitoring bandwidth usage for script kiddies? Hell, let's totally eliminate ICMP because that is the 'ringing of the doorbell' which hackers use... COME ON!!! Let's just hope you don't get mugged on the way home; you may be charged with INVITING AN ATTACK!

Deadly Ernest

how does the ISP know this and deal with it?

Saurondor

Your point on having a certain amount of responsibility is very valid. But the main issue doesn't reside there. Insurance companies pay when you have an accident. PC security systems don't. Installing some antivirus or spyware protection is like buying insurance that doesn't insure you. Paraphrasing the EULA: If you pay us we'll insure your PC, but if it becomes compromised we won't vouch for it.

Michael Kassner

You always come up with good thoughts. I especially like this one: "Connecting a PC to the internet without a reasonable effort to make it secure should be considered putting all others at risk when, not if, your zombie PC joins a botnet." It states what I was trying to say.

ITSecurityGuy

...in Windows Server, since 2003 R2, that allow network administrators to quarantine systems not meeting a particular security standard. ISPs could be required to implement such technology. The technology can even be used to push out security updates to remote users before they're able to connect without being quarantined. Until they meet the level of security protection required by the ISP, the systems would only have access to the resources needed to establish that level of protection. The requirements can include verification that approved AV/AS & firewall products are installed and enabled, with all current updates, and that any necessary patches have been applied to the OS and installed apps. After being quarantined for lack of protection, it might also require at least a quick system scan for any malware that might have invaded while adequate protection was not in place, or before such detection was included in previous malware updates. A scan within the preceding week might always be a requirement to avoid quarantine. In order to avoid lengthy connection times as all of this information is confirmed, ISPs could require that an agent similar to Secunia's PSI run in the background, even while offline or, at least, before getting online. The current status could be quickly reported via a hash based upon an algorithm that encodes the time stamp of the status and any deficiencies detected.
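The quarantine-and-status-report scheme sketched in the post above, as an added example that is not code from the post, from Microsoft's Network Access Protection, or from any ISP: an agent reports its timestamped deficiencies, and the gateway verifies the report, checks that it is fresh, and either grants full access or confines the client to remediation hosts. The per-agent HMAC key (used instead of a bare hash so the report cannot be forged), the host names, and the policy thresholds are assumptions.

```python
import hashlib
import hmac
import json

# Constructed policy thresholds following the proposal: AV/AS and firewall
# enabled, signatures and patches current, and a malware scan within the
# preceding week. All values are assumptions made for this example.
MAX_SCAN_AGE_S = 7 * 24 * 3600      # "a scan within the preceding week"
MAX_SIGNATURE_AGE_S = 24 * 3600     # AV signatures older than a day count as stale
MAX_REPORT_AGE_S = 300              # status reports older than five minutes are rejected

# Hypothetical remediation hosts a quarantined client may still reach.
REMEDIATION_HOSTS = frozenset({
    "os-updates.example.invalid",
    "av-updates.example.invalid",
})


def compute_deficiencies(posture, now):
    """Agent side: turn a raw posture snapshot into a list of policy failures."""
    deficiencies = []
    if not posture.get("av_enabled"):
        deficiencies.append("av_disabled")
    elif now - posture.get("av_signature_time", 0) > MAX_SIGNATURE_AGE_S:
        deficiencies.append("av_signatures_stale")
    if not posture.get("firewall_enabled"):
        deficiencies.append("firewall_disabled")
    if posture.get("pending_patches", 0) > 0:
        deficiencies.append("patches_pending")
    if now - posture.get("last_scan_time", 0) > MAX_SCAN_AGE_S:
        deficiencies.append("scan_overdue")
    return deficiencies


def build_report(posture, agent_key, now):
    """Agent side: encode the timestamp and deficiencies, then authenticate them.

    The post describes a hash over the time stamp and deficiencies. A plain hash
    could be recomputed by anyone, so this example assumes a per-agent HMAC key
    shared with the ISP instead (assumption, not part of the post).
    """
    body = {"ts": now, "deficiencies": compute_deficiencies(posture, now)}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(agent_key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def gateway_decision(report, agent_key, now):
    """ISP side: verify the report and choose between full access and quarantine.

    Returns (state, allowed_hosts, reasons); allowed_hosts is None for
    unrestricted access, otherwise the remediation-only host set.
    """
    payload = report["payload"].encode()
    expected = hmac.new(agent_key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, report["tag"]):
        # Forged or tampered report: never treated as compliant.
        return "quarantine", REMEDIATION_HOSTS, ["report_unauthenticated"]
    body = json.loads(payload)
    # Freshness check: an old (or future-dated) report could be a replayed
    # "clean" status from before the machine was compromised.
    if now - body["ts"] > MAX_REPORT_AGE_S or body["ts"] > now + 60:
        return "quarantine", REMEDIATION_HOSTS, ["report_stale"]
    if body["deficiencies"]:
        return "quarantine", REMEDIATION_HOSTS, list(body["deficiencies"])
    return "allow", None, []


# Constructed sample data with a fixed clock so the results are reproducible.
NOW = 1_700_000_000
AGENT_KEY = b"example-per-agent-secret"  # assumption: provisioned by the ISP
CLEAN_POSTURE = {
    "av_enabled": True, "av_signature_time": NOW - 3600,
    "firewall_enabled": True, "pending_patches": 0,
    "last_scan_time": NOW - 2 * 24 * 3600,
}
LAPSED_POSTURE = dict(CLEAN_POSTURE, pending_patches=3,
                      last_scan_time=NOW - 10 * 24 * 3600)

if __name__ == "__main__":
    for name, posture in (("clean", CLEAN_POSTURE), ("lapsed", LAPSED_POSTURE)):
        report = build_report(posture, AGENT_KEY, NOW)
        print(name, gateway_decision(report, AGENT_KEY, NOW))
```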

Ocie3

has a few holes. Perhaps you were attempting to be novel. A car "left running with the doors locked" is not an invitation to auto thieves. A car with the keys left in the ignition and the doors unlocked is usually the one for which the ordinary thief is looking. (That is called "a crime of opportunity".) The professional thieves don't care whether the doors are locked or whether the keys are available. Usually they tow the target away or haul it away on a trailer to a site where they will not be noticed or disturbed while they work on gaining control of the car. They have their own customized tools for opening the doors, and either (1) gaining control of the car via the existing ignition switch, or (2) replacing the ignition switch with their own ignition switch (for which they have, of course, a key). Any experienced police detective will tell you that arresting a gang of professional car thieves requires a bit of luck and a lot of time, effort and resource$ (both money and manpower). The first problem is recognizing whether two or more car thefts have been committed by "the same people". Eventually, the detectives will probably be able to arrest the people who are committing the thefts. But they probably won't be able to identify the "managers" and "backers" (who invest their time and effort to recruit, train and fund the gang), or obtain enough evidence to prosecute them when they do identify them. Does this sound familiar?? Maybe your analogy of car theft has a lot more in common than it does at first glance with the organized criminal gangs who appear to be committing most of the cybercrime now.

ITSecurityGuy

MTBF is just that - a MEAN time between failures, not a MINIMUM time between failures. The change in responsibility for security has nothing to do with hardware reliability, or vendor liability. You don't get sued in a product. You don't get sued on a product. If you put the preposition (in) before the word 'which', you don't repeat it or another preposition (on) at the end of the sentence. It defeats the purpose of putting it in the middle, so you're not "using a preposition to end your sentence WITH". Manufacturing is abbreviated as 'mfg'. Manufacturer is abbreviated as 'mfr' or 'mfxr'. "Able to be" is superfluous. Ergo, the sentence should read "Product liability will lead to mfxrs pulling off the market products for which they might be sued," except there would be no basis for a suit based upon MTBF, especially when the loss of data is caused by the user's negligence in not backing up their data. In fact, potential product liability already does (thankfully) keep products for which the mfxr might be sued off the market. So what? This proposal does nothing to change that. Referring to the auto industry, it wasn't the user's fault that the Corvair could be especially difficult to control in emergency maneuvers, or that Firestone tires fell apart in normal highway usage, and that the Pinto gas tank very often burst into flames when hit from the rear. If there is negligence in the design of the product, but not on the part of the user, then it should NOT be on the market! Using the analogy of the auto safety inspection required by many states, users could be required to visit an official website each year, which would scan for the majority of known exploits and grant their system a 1 year certificate, if their system is deemed to be reasonably well protected.
As long as they could show a current certificate, and that they maintained any subscription required to keep their choice of security product current and applied all security patches offered by their software vendors, they would be immune from prosecution. This does not mean that everyone MUST have security software, just that, if you choose to connect without it, AND you are found to have been compromised in a manner that made your system a threat to others, you could be held criminally and civilly liable. Just as those who are self-insured must beware, so should those who believe they are "smart" enough in their browsing and emailing to go without protection. There is no excuse for not using a firewall, AV/AS (especially after MS Security Essentials becomes available for free), Microsoft Update, and Secunia's Personal Software Inspector to keep one's system reasonably safe from intruders and zombie-dom. If the user were still compromised, they would not be chargeable with a crime. The last paragraph of your message seems to be appropriately separated by an extra blank line, as it's barely related to what preceded it. It seems to start off suggesting that open source is the solution to the perceived (but non-existent) change in product liability. Then it goes off on another tangent, regarding cloud computing as being inevitable anyway. In a nutshell, you're all over the place in this post, aren't you?

ITSecurityGuy

I can think of several analogies in the "real" world. Most states have financial responsibility laws, requiring drivers to carry insurance or show that they are wealthy enough to be self-insured. Many also require autos to pass a safety inspection once or twice a year. Driving without insurance &/or an inspection sticker is a crime, because doing so might result in serious injury &/or property damage to others, for which you might be unable to reimburse the cost of repair, medical bills or loss of life. Connecting a PC to the internet without a reasonable effort to make it secure should be considered putting all others at risk when, not if, your zombie PC joins a botnet.

Spitfire_Sysop

When I saw the title "substandard products" I immediately thought that Microsoft should be brought up on criminal negligence charges for every cyber crime ever committed due to their creation of an unsafe environment that allows the intrusion. The average user shouldn't be expected to understand security hardening. As much as I would like them all to pay me to secure their systems, it's just not reasonable.

CG IT

Don't forget that there are hordes of lawyers out there with nothing else better to do than look for ways in which to sue a company hoping for a settlement. [I call that extortion but...] If a software company can be held liable for their product being less secure, e.g. as opposed to more secure, based on a set of standards [IETF or IAB], pretty soon innovation gets stifled because standards require a product to be a certain way. The old open source vs standardized becomes moot. Everyone would have to create their software to a set of standards. Thus standardized software. To change it to meet new threats requires a change in standards. I like the car theft analogy. Is it the car mfg's fault that a car left running with the doors locked gets stolen and used in a crime or, worse, a fatal crash? Or the idiot that left it running, locked and unattended, or the person who stole it and used it in a crime or, worse, a fatal crash?

Michael Kassner

I would like to offer one fine point of distinction though. I think there may be a slight difference between a HDD failure and a compromised computer. The line I believe the professors were looking at is when the individual computer affects others as when it's part of a botnet or used as a spam server.

CG IT

Then it should be a crime when substandard hard drives fail before their stated MTBF and users lose all their information or it costs them thousands of $$ to restore because the user didn't backup documents. Product liability will lead to mfgs pulling off the market products in which they might be able to be sued on. We've seen this happen in the auto industry and toy industry. While some would see this as a boon to open source, the days of stand alone computers for the consumer market will come to an end with web based computing replacing it. Microsoft announced it will provide free Office applications online and in development are programs to provide an online computing environment based upon a consumer's use of a computer, which is simply to check email, surf the web, and play games. Pretty soon the desktop will be replaced by a thin client that has nothing on it but embedded software they really can't change. I wouldn't be surprised if phones the size of crackberries end up replacing the tried and true desktop computer.
