Open Source and information security mailing list archives
From: jasonc at science.org (Jason Coombs)
Subject: Authorities eye MSBlaster suspect

> > So you would blame ...
> > Nice set of ethics there.
> you believed that admins were
> at fault for worm infections.
> "...it is each admin's responsibility ... not the coder."
> a crime victim is affected by the crime ...

Before we can make progress in a discussion of blame we have to get the analogy right. A biological virus is comprised of the same programming instructions we possess, and execute, as organisms: nucleic acids.

HIV exists. Suppose it were engineered on purpose. It makes logical sense to blame every infection, all effects, every death, on the genetic engineer. Perpetually. Despite proof that shows that the virus is evolving in the wild without further engineering help. Because said virus would not exist, and thus no variants would exist, if not for the engineering effort of the original programmer.

Suppose another engineer tinkers with the genetic code of the original HIV and makes something different, better, or just tries to inoculate everyone by turning it into a 'good' virus. The original programmer/engineer would logically continue to bear part of the blame.

Bad computer code isn't much different from bad nucleic acids. When a person is responsible for creating the instructions, shouldn't that person be blamed for everything that those instructions, and works derived from those instructions, do that is either 'good' or 'bad'? Logically, yes. In practice, in a context of full disclosure where known 'safe' behaviors, practices, technology, and essential defense mechanisms must be deployed by anyone who chooses to engage in risky behavior because the threat is well understood and is no longer secret, the answer must be no. It is the person who delivers the bad instructions who must be found to be at fault, not the person who created the bad instructions. Legally, this distinction is recognized by some but not all computer crime legislation.

There is almost a balance presently, and prosecutors are nearly empowered with the flexibility to decide in which direction to tip that balance on a case-by-case basis. Which way we let the laws tip for future prosecutions is a very important social choice that we're all in the process of making.

We could argue that the hypothetical author of HIV is to blame for AIDS infections and deaths even if she never infected anyone simply because she left the virus lying around in proximity to humans who she should have known would end up infected with it. We could argue that by not making it an airborne virus she intentionally added a safety precaution, and without this precaution the original infection(s) caused by proximity to the virus constitute her 'delivery' of the virus to those who were infected. There are many ways to look at the issue, and after considering all available evidence and weighing the applicable ethics and the principles of law, logic, and reason we're all still going to disagree...

But to engage in such a discussion, and it is an important one, the notion that crime has occurred simply because there are victims must be challenged. We cannot automatically apply the standards of blame that we use for rape and murder to the harm that is done to people whose computer systems are affected by malicious code.

I personally delivered zero MS Blaster.* infections to others, intentionally or unintentionally. On the other hand, I have personally delivered cold and flu infections to others and perhaps some bacterial infections as well, despite the fact that I knew that I was sick. I've personally continued to work, attend school, or live in close proximity to somebody who was infectious, knowing that in doing so I was likely to become a replication vector for the infectious disease and spread the infection to others.

Before I was aware of the risk, and my responsibility to protect others by protecting myself, before I knew that there were steps I must take to contain the spread of infectious illness, I posed a severe and unwarranted threat to others. By spreading my cold, flu, or bacterial infections to others 'unintentionally' yet as a direct result of negligence or ignorance, I was in fact to blame for the harm that I caused directly to others. Was I to blame for the harm that others subsequently caused to others through additional rounds of infection? I don't know. *Should* I be blamed? Maybe. If there was malicious intent, if the spread of the infection was purposeful, then yes. By virtue of my possession and dissemination of the harmful nucleic acids or bacteria, if I've taken appropriate precautions to limit the risk they pose to others? No.

Do we blame the hypothetical author of the HIV genetic code for the outbreak of AIDS? If not, by virtue of the lack of effort to spread/deliver/infect, then we can't blame the author of MS Blaster.* for its outbreak. Otherwise, we must make it clear as a matter of law that engaging in research and development that results in harmful organisms, substances, or instructions is, in and of itself, a crime -- whether or not any harm is ever caused by its existence.

I'm not smart enough to reconcile all of these conflicting forces in order to arrive at the provably-right answer, which is probably why I'm a proponent of full disclosure.

If Microsoft had stepped up to the plate and fulfilled their ethical responsibility to others, well, then the extremely unsafe behavior of a small number of people (analogy: anonymous unprotected sex in the park in the middle of the night) through the ignorant and negligent use of Windows software could not have resulted in direct harm to those of us who intentionally and consciously make an effort to keep our behavior safe because we understand and appreciate the full truth behind such risks, and we're able to take all necessary steps to mitigate them. We also know that there is no such thing as 'safe' despite misguided commonly-held beliefs to the contrary.

We should all know that there is no such thing as an 'innocent' whistleblower. Those who take actions that result in loud and disturbing noises will be blamed for the noise that they cause despite the presence of good intent. Despite even the possible existence of an ethical, legal, or social obligation to cause the noise.

Were our Windows boxes essentially on fire due to the extreme risk posed by RPC/DCOM? Did *somebody* have an obligation to sound an alarm loud enough to cause real social response to the threat? Are we witnessing anything other than alarms caused by the spread of malware? Would people around the world have taken action to put out the fire if not for the loud ringing of the MS Blaster.* alarm?

Some people do leave the building when it's on fire, without waiting for an alarm to tell them to do so... A few of us will even pick up a fire extinguisher and put the small blaze out before it grows instead of running around spreading fear and panic.

Sincerely,
Jason Coombs
jasonc@...ence.org