From: jasonc at science.org (Jason Coombs)
Subject: Authorities eye MSBlaster suspect

> > So you would blame ...
> > Nice set of ethics there.
> you believed that admins were
> at fault for worm infections.
> "...it is each admin's responsibility ... not the coder."

> a crime victim is affected by the crime ...

Before we can make progress in a discussion of blame we have to get the
analogy right.

A biological virus is comprised of the same programming instructions we
possess, and execute, as organisms: nucleic acids. HIV exists. Suppose it were
engineered on purpose. It makes logical sense to blame every infection, all
effects, every death, on the genetic engineer. Perpetually. Despite proof that
shows that the virus is evolving in the wild without further engineering help.
Because said virus would not exist, and thus no variants would exist, if not
for the engineering effort of the original programmer.

Suppose another engineer tinkers with the genetic code of the original HIV and
makes something different, better, or just tries to inoculate everyone by
turning it into a 'good' virus. The original programmer/engineer would
logically continue to bear part of the blame.

Bad computer code isn't much different from bad nucleic acids. When a person
is responsible for creating the instructions, shouldn't that person be blamed
for everything that those instructions, and works derived from those
instructions, do that is either 'good' or 'bad'?

Logically, yes.

In practice, in a context of full disclosure where known 'safe' behaviors,
practices, technology, and essential defense mechanisms must be deployed by
anyone who chooses to engage in risky behavior because the threat is well
understood and is no longer secret, the answer must be no.

It is the person who delivers the bad instructions who must be found to be at
fault, not the person who created the bad instructions. Legally, this
distinction is recognized by some but not all computer crime legislation.
There is almost a balance presently, and prosecutors are nearly empowered with
the flexibility to decide in which direction to tip that balance on a
case-by-case basis. Which way we let the laws tip for future prosecutions is a
very important social choice that we're all in the process of making.

We could argue that the hypothetical author of HIV is to blame for AIDS
infections and deaths even if she never infected anyone simply because she
left the virus lying around in proximity to humans who she should have known
would end up infected with it. We could argue that by not making it an
airborne virus she intentionally added a safety precaution, and without this
precaution the original infection(s) caused by proximity to the virus
constitute her 'delivery' of the virus to those who were infected.

There are many ways to look at the issue, and after considering all available
evidence and weighing the applicable ethics and the principles of law, logic,
and reason we're all still going to disagree... But to engage in such a
discussion, and it is an important one, the notion that crime has occurred
simply because there are victims must be challenged. We cannot automatically
apply the standards of blame that we use for rape and murder to the harm that
is done to people whose computer systems are affected by malicious code.

I personally delivered zero MS Blaster.* infections to others, intentionally
or unintentionally. On the other hand, I have personally delivered cold and
flu infections to others and perhaps some bacterial infections as well,
despite the fact that I knew that I was sick. I've personally continued to
work, attend school, or live in close proximity to somebody who was
infectious, knowing that in doing so I was likely to become a replication
vector for the infectious disease and spread the infection to others. Before I
was aware of the risk, and my responsibility to protect others by protecting
myself, before I knew that there were steps I must take to contain the spread
of infectious illness, I posed a severe and unwarranted threat to others. By
spreading my cold, flu, or bacterial infections to others 'unintentionally'
yet as a direct result of negligence or ignorance I was in fact to blame for
the harm that I caused directly to others. Was I to blame for the harm that
others subsequently caused to others through additional rounds of infection? I
don't know. *Should* I be blamed? Maybe. If there was malicious intent, if the
spread of the infection was purposeful, then yes. By virtue of my possession
and dissemination of the harmful nucleic acids or bacteria if I've taken
appropriate precautions to limit the risk they pose to others? No.

Do we blame the hypothetical author of the HIV genetic code for the outbreak
of AIDS? If not, by virtue of the lack of effort to spread/deliver/infect,
then we can't blame the author of MS Blaster.* for its outbreak. Otherwise, we
must make it clear as a matter of law that engaging in research and
development that results in harmful organisms, substances, or instructions is,
in and of itself, a crime -- whether or not any harm is ever caused by its
existence.

I'm not smart enough to reconcile all of these conflicting forces in order to
arrive at the provably-right answer, which is probably why I'm a proponent of
full disclosure.

If Microsoft had stepped up to the plate and fulfilled their ethical
responsibility to others, well, then the extremely unsafe behavior of a small
number of people (analogy: anonymous unprotected sex in the park in the middle
of the night) through the ignorant and negligent use of Windows software could
not have resulted in direct harm to those of us who intentionally and
consciously make an effort to keep our behavior safe because we understand and
appreciate the full truth behind such risks, and we're able to take all
necessary steps to mitigate them. We also know that there is no such thing as
'safe' despite misguided commonly-held beliefs to the contrary.

We should all know that there is no such thing as an 'innocent' whistleblower.
Those who take actions that result in loud and disturbing noises will be
blamed for the noise that they cause despite the presence of good intent.
Despite even the possible existence of an ethical, legal, or social obligation
to cause the noise. Were our Windows boxes essentially on fire due to the
extreme risk posed by RPC/DCOM? Did *somebody* have an obligation to sound an
alarm loud enough to cause real social response to the threat? Are we
witnessing anything other than alarms caused by the spread of malware? Would
people around the world have taken action to put out the fire if not for the
loud ringing of the MS Blaster.* alarm? Some people do leave the building when
it's on fire, without waiting for an alarm to tell them to do so... A few of
us will even pick up a fire extinguisher and put the small blaze out before it
grows instead of running around spreading fear and panic.

Sincerely,

Jason Coombs
jasonc@...ence.org