Kuro5hin.org: technology and culture, from the trenches
Who is liable for internet security?

By Rand Race in News
Thu Jun 01, 2000 at 01:37:54 PM EST
Tags: Security (all tags)

The New York Times has an interesting article about who should be held liable for attacks launched from compromised systems.

To me, blaming only the owners of the compromised systems sounds ludicrous in the current security climate; I sure don't want to be held liable for undocumented exploits on my firewall (closed source... they never listen to me), and small businesses such as the one I work for would be hurt by being forced to carry insurance against such liability. But it does make a good point that bad implementation is a major source of security breaches.


Who is liable for internet security? | 32 comments (32 topical, 0 editorial, 0 hidden)
Great job on using the partners.nyt... (2.00 / 1) (#9)
by duxup on Thu Jun 01, 2000 at 09:37:47 AM EST

duxup voted 1 on this story.

Great job on using the partners.nytimes.com site. Some other sites still direct you to the "free" registration site.

I wish people would actually write ... (2.00 / 1) (#8)
by Alhazred on Thu Jun 01, 2000 at 10:33:10 AM EST

Alhazred voted 1 on this story.

I wish people would actually write ARTICLES that are more than 3 sentences, but this is a cool topic, thanks.
That is not dead which may eternal lie And with strange aeons death itself may die.

writeup.... (1.00 / 1) (#4)
by ishbak on Thu Jun 01, 2000 at 10:44:12 AM EST

ishbak voted -1 on this story.

writeup.

I'd like more info in the writeup.... (1.00 / 1) (#5)
by DemiGodez on Thu Jun 01, 2000 at 11:02:57 AM EST

DemiGodez voted -1 on this story.

I'd like more info in the writeup.

Tough to say, started by saying Yes... (1.00 / 1) (#6)
by slycer on Thu Jun 01, 2000 at 11:06:15 AM EST

slycer voted 1 on this story.

Tough to say. Started by saying Yes! you should be responsible. Thought for a minute and think maybe not. Well, vote of +1 and I will think on this.

Ross Anderson and Hal Varian both k... (2.00 / 2) (#11)
by Paul Crowley on Thu Jun 01, 2000 at 11:19:07 AM EST

Paul Crowley voted 1 on this story.

Ross Anderson and Hal Varian both know what they're talking about. It all comes down to Bruce Schneier's oft-repeated phrase: security is a process, not a product.
--
Paul Crowley aka ciphergoth. Crypto and sex politics. Diary.

That would be great! Imagine all t... (2.00 / 1) (#12)
by Vygramul on Thu Jun 01, 2000 at 11:45:09 AM EST

Vygramul voted 1 on this story.

That would be great! Imagine all the Windows NT companies that would have to switch to Linux!
If Brute Force isn't working, you're not using enough.

The argument that we might be liabl... (3.50 / 4) (#2)
by krisn on Thu Jun 01, 2000 at 12:32:56 PM EST

krisn voted 1 on this story.

The argument that we might be liable for downstream attacks because of security breaches here is one of the more powerful ones I use to get manager-types to actually pay attention to security issues. Even though this may not always be 100% true (and perhaps the article is right that a legal standard should be set that favors making us more responsible), even the thought of possible suits makes non-techy managers more conscious of the risks, and that, in my opinion, is a Good Thing.

Good points on both sides of the is... (1.00 / 2) (#7)
by leshert on Thu Jun 01, 2000 at 12:56:29 PM EST

leshert voted 1 on this story.

Good points on both sides of the issue.

Funny, I noticed the article never ... (2.67 / 3) (#3)
by warpeightbot on Thu Jun 01, 2000 at 01:06:12 PM EST

warpeightbot voted 1 on this story.

Funny, I noticed the article never mentioned Redmond by name.... You couldn't use this approach in the American legal system with things like OpenBSD (which doesn't even live in the US) or Slackware, but then when was the last time a hole the size of a Mack truck lasted more than a few days after somebody pointed it out? Hell, when was the last time a hole escaped the OpenBSD auditors? Two years, so claims their website? If Redmond, Mountain View, Austin, and the like had an OpenBSD-like audit process, we wouldn't even be having this discussion. Instead we have a lot of finger pointing and ass covering and major organizations you'd think would know better dropping like flies on the latest script kiddie exploit... jeez.

You missed two points (3.00 / 1) (#17)
by kmself on Thu Jun 01, 2000 at 03:16:09 PM EST

First, the article is addressed to users of software, not vendors. Current (and possible future) licensing arrangements for software (including, incidentally, free software) tend to severely limit vendor/author liability. How enforceable this is I'm not sure.

The point of making users liable for risks raises the question though, not merely of whether you can be fired for using a particular vendor's software, but whether you can be sued for it as well. Say what you will about the litigious nature of the US society and its legal system, it's done one hell of a lot for getting some reasonably good consumer protections in place. Companies can often act through the legislative process. Lawyers with million and billion dollar PI cases on contingency have the stick for getting the donkey's attention.

The prospect of purchasing a product which opens me up to a severe liability risk is not good. If I were sitting in Redmond, I'd be mulling that one right now.

--
Karsten M. Self
SCO -- backgrounder on Caldera/SCO vs IBM
Support the EFF!!
There is no K5 cabal.

Re: You missed two points (4.00 / 1) (#18)
by Inoshiro on Thu Jun 01, 2000 at 04:13:02 PM EST

Being sued for deploying a known bad product is very legal. Why do you think people stopped buying British beef during the mad cow scare? You could easily sue your local McFastFood if the chow they served you killed you.

For "unforeseen" exploits (i.e. if I found a new remote root exploit that allowed me to DDoS some site through a whole bunch of victims), some leniency will have to be given (perhaps a couple of weeks to fix problems before people can legally sue).

I support the more responsible use of computer equipment, which is why I like the idea of legal responsibility :-)



--
[ イノシロ ]
That is ridiculous. It is obvious t... (2.80 / 4) (#1)
by hattig on Thu Jun 01, 2000 at 01:16:03 PM EST

hattig voted 1 on this story.

That is ridiculous. It is obvious that the person who broke into the system should be the one who gets the blame, not the person who owns the system. Governments all over the world just want to blame the ISP/Company/Middleman who has nothing to do with it for everything, including holding content that originated at another server on their server (news), etc, you know the story. Instead of blaming the perpetrator, they take the easy option.

That would be like me speeding down a road, but blaming Ford, or getting drunk and being bad and then blaming the company that made the beer.

Re: That is ridiculous. It is obvious t... (4.00 / 1) (#24)
by Anonymous Hero on Thu Jun 01, 2000 at 08:50:38 PM EST

Your analogy is not accurate. This is about providing a tool to others to commit crimes. I don't buy a car to go commit a crime, I buy a car to drive. If you do so deliberately or through negligence rather than by reasonable accident, you should be liable as well as the perpetrator, although not for their crime. I really hope people do start getting sued - then we'll start seeing security problems really dealt with.

Re: That is ridiculous. It is obvious t... (none / 0) (#25)
by Anonymous Hero on Fri Jun 02, 2000 at 12:00:57 AM EST

If you had bothered to read the original post you replied to, you might have noticed the line "someone breaks into my house carrying a shotgun".

Your post is conditional on the homeowner advertising the presence of weapons, where you state "If you were to loudly advertise presence of firearms in your house and have...."

While I have a computer (house) which can be broken into, very few individuals provide the DDoS tools on their systems for the benefit of script kiddies. The kiddies are breaking in, using tools/exploits similar to a burglar's crowbar or lockpicks, and installing their own malicious code, similar to bringing their own shotgun in the original post.

Your "contributory negligence" is merely another way to make lawyers rich, raise insurance rates, and help criminals avoid responsibility for their own actions (if parents fail to provide real supervision, neglect to train their children to respect other people's private property, and do not pass on enough common sense to prevent their children from injuring themselves or others, ask yourself whose fault it really is if a kid drowns in a neighbour's swimming pool, or brings down Yahoo?)


Oops - brain freeze (none / 0) (#26)
by Anonymous Hero on Fri Jun 02, 2000 at 12:35:44 AM EST

The above rant should follow comment #16 titled "Contributory Negligence". Obviously, I need to post more carefully myself. What was that about the splinter in your neighbour's eye? Repeat five times: "I am an idiot, I am an idiot....."

Hey Rusty, any chance that you might take pity on an AH and move Posting #25 to follow #16?

Again, my apologies to the above posters.


Interesting topic, but the link is ... (1.00 / 2) (#10)
by Luis Casillas on Thu Jun 01, 2000 at 01:21:22 PM EST

Luis Casillas voted -1 on this story.

Interesting topic, but the link is in NY Times (registration required). I'd vote yes if given a link to a different paper.

Re: Interesting topic, but the link is ... (4.50 / 2) (#13)
by rusty on Thu Jun 01, 2000 at 01:44:21 PM EST

Did you check the link? It's to the "partners.nytimes.com" workaround. No registration needed. Enjoy. :-)

____
Not the real rusty
A Tortured Analogy (3.00 / 2) (#14)
by Logan on Thu Jun 01, 2000 at 02:07:58 PM EST

So, if I forget to lock my door and someone breaks into my house carrying a shotgun, climbs upstairs, opens a window, and starts shooting passersby, I should be held liable? I don't know, I think it's not a good idea to place the blame for attacks on other victims. Blame the attacker and hold the attacker accountable. It might help in the short-term to increase awareness of security issues, but I don't see how it could help in the long run. Computer security will just become a common insurance policy, but it won't make people more responsible.

logan

Attractive Nuisance (4.00 / 2) (#16)
by kmself on Thu Jun 01, 2000 at 03:10:40 PM EST

There is legal precedent for the theory. If you were to loudly advertise the presence of firearms in your house and have it be generally known (or readily apparent) that the premises were unsecured, I could see a plausible case for contributory negligence.

The standard example is of a swimming pool. Attractive nuisance generally deals with real property and hazards to children. If you don't fence off the pool and provide reasonable means for preventing someone from injuring themselves, you can be held liable. Railroads are another instance, with law pointing the other way (no liability) recently in the case of a level grade crossing which had minimum Federally mandated crossing signage, at which one or more injury/fatality accidents had occurred (don't recall specifics). This within the past month or so.

--
Karsten M. Self
SCO -- backgrounder on Caldera/SCO vs IBM
Support the EFF!!
There is no K5 cabal.

NYT's good examples (3.00 / 1) (#15)
by farlukar on Thu Jun 01, 2000 at 02:37:21 PM EST

The comparison with ATM fraud is not a "good example".
ATMs are provided by banks as a service to their customers, so they have the responsibility towards those customers that their money is safe.
Nigel Q. Private is using his home internet connection only for his own damn self, in a DDoS case you can't say you're responsible, you shouldn't let yourself be hijacked.

Educating home users on security issues is a good plan, and forcing security on them might work against DDoS and the like, but still: having sprinklers every 12 feet is no guarantee your office won't burn to the ground.
______________________
$ make install not war

Given you LEASE the software.... (2.40 / 5) (#19)
by mr on Thu Jun 01, 2000 at 04:20:33 PM EST

Ever looked at your EULA from Micro$oft?

You don't OWN that software. Micro$oft owns it.

Given that any hardware executes the software, the software is to blame. Given you never own the software, the blame shifts back to Micro$oft. And the licence they have says that you shall hold them harmless.


Neat eh?

So to sue the OWNERS of the system.....that means M$ in my book. Or whomever the owner is.

Liability to lessor (3.00 / 1) (#23)
by kmself on Thu Jun 01, 2000 at 06:54:02 PM EST

IANAL, and I don't know the precise legal doctrine(s) involved, but liability to lessors of equipment or property isn't uncommon. A well known example, frequently falling into the "not fair" clause, is that of a property renter's liability for, say, uneven pavement causing a tripping hazard. You might think this is the liability of the landlord, but IIRC, it's generally considered to be the tenant's responsibility. At least that's the way I was taught this.

There is also a doctrine of joint and several liability, and contributory negligence. If a vendor leases defective equipment, then they should carry a portion of the liability for it. However if the lessor uses it in an unsafe manner, this is something which goes beyond the control of the lending party.

The simple answer is that there's no simple answer.

--
Karsten M. Self
SCO -- backgrounder on Caldera/SCO vs IBM
Support the EFF!!
There is no K5 cabal.

Absurd to Blame the Tool or the Victim (2.00 / 2) (#20)
by the Epopt on Thu Jun 01, 2000 at 04:26:29 PM EST

Blaming the compromised system and suing its owner for the crime is as absurd as blaming tobacco companies for making cigarettes and suing them for the existence of lung cancer!

Okay, wait a second....

Blaming the compromised system and suing its owner for the crime is as absurd as blaming gun manufacturers and suing them for the existence of murderers!

Wait, wait, wait wait, hang on....

It's as ridiculous as suing MacDonalds for making hot coffee that can spill!

It's as ridiculous as taking Microsoft to court for making popular software!

It's ... it's ... it's just ridiculous, that's all!


-- 
Most people who need to be shot need to be shot soon and a lot.
Very few people need to be shot later or just a little.

K5_Arguing_HOWTO
Re: Absurd to Blame the Tool or the Victim (3.50 / 2) (#22)
by Anonymous Hero on Thu Jun 01, 2000 at 04:59:57 PM EST

If we were suing M$ for making popular software, you'd be right. That's not why they're being sued. I'll note that Cisco is larger, but no one is talking about suing them despite the fact they make a popular router.

I'm surprised this hasn't already become an issue (2.67 / 3) (#21)
by Rasputin on Thu Jun 01, 2000 at 04:27:22 PM EST

In most countries, if someone suffers a loss (financial or otherwise) because of your negligence, you can be held liable. I would guess (IANAL) that includes a loss of income because you were negligent in securing your computer and it was used against someone. The only tests that would have to be sorted out in court are what constitutes negligence in that type of case, what represents due diligence to prevent something like this and what constitutes good faith use of a computer attached to the internet.

It doesn't mean if a script kiddy launches a DoS against someone from your system you can be sued. It does mean if you don't take reasonable steps to prevent this, you could be sued and found liable. This strikes me as "A Good Thing" (tm) in principle that will be horrifying in reality. Undoubtedly, this will be abused given the "Love of Litigation" in western democracies.
Even if you win the rat race, you're still a rat.

Are you responsible if you drive a Ford Pinto (2.00 / 1) (#27)
by NZheretic on Fri Jun 02, 2000 at 06:09:37 AM EST

I just posted this yesterday on alt.comp.virus, but IMHO it is worth repeating here.

On Wed, 31 May 2000 08:20:37 -0400, Joe B
<blizzard@thisistheparttotakeout.zmm.com> wrote:
>Try this experiment: Take any automobile manufactured in the last 60 years
>and drive it at its maximum speed into a sturdy tree. Was the vehicle
>damaged? Were you injured?
>

I've a friend who is a Volvo dealer. He could give you a good price on a new
top of the line model with front and back air bags should anybody out there
wish to try this for themselves.

>See, this is a design flaw. What's more, automobile manufacturers tout this
>potentially destructive capability as a feature. The operators manual
>doesn't even mention that going at top speed into a solid object might be
>dangerous. Do they think that everyone is born with some innate knowledge
>of physics?
>

You could take your argument and extend it to include all the safety
components of all equipment. Remove the safety guards from all power
saws ( chain, circular etc ) because everybody can see that touching the
moving blades is going to seriously ruin the rest of your day.

Accidents happen and small mistakes, like crashes at lower speeds and
bumping into the top of the circular saw while it's running, will happen
to almost everyone, even if they do follow all the safety and operating
procedures.

"So the fuel tank of the Ford Pinto was a design feature? So what the hell
was Mr Nader complaining about."

It is when a "small mistake" causes disastrous results that it tends to show
up flaws in the design of equipment. If a safety feature can be added or
a change to the design can be made, which does not reduce functionality,
then why not make the change?

>Meanwhile, back on Earth:
>Can't you see the parallels in computer security? Windows is merely a tool
>and like any tool it can be dangerous in the hands of an ill-trained or
>irresponsible operator. You can cripple your computer to try and make it
>idiot-proof just as you could limit your car's top speed to, say, 10MPH.
>Still, some knucklehead is going to drive off a cliff or type "format c:." I
>believe it was Spider Man's late uncle Ben that said, "With great power
>comes great responsibility."
>

The situation with the new type of "love" VB viruses that can be embedded
within any Office document is different. People in business tend to send
each other attached Microsoft Office documents all the time.

... [cut out description of how the new viruses operate]...

Following everyday normal operating procedure someone makes a small mistake
with disastrous results.

When people started swapping Office documents over the internet, then the
scripting inside the documents became a "Distributed Agent". When browsing
the web you should not expect the web applets in Javascript and Java to
access your files. You should also expect Microsoft to provide a similar
secure environment to view untrusted Office documents.

So would you want to be rear ended in a car designed by Microsoft?



Fatally flawed analogy (none / 0) (#32)
by kmself on Sat Jun 03, 2000 at 05:53:27 PM EST

First, liability accrues to the user, not the manufacturer. If you were to ask me whether or not you (or your estate) were responsible for the damage to the tree consequent of your reckless behavior, I'd say absolutely.

The article isn't about holding software manufacturers responsible for flaws in their products (which is an independent discussion, and I see some merit to it), but about holding users, informed or otherwise, responsible for the consequences of their behavior.

To counter your argument, is the person who deliberately drives a car at high speed into a crowd of pedestrians responsible for their actions? Yes. The law is with me here (IIRC it was a Las Vegas case).

Is the operator of a construction crane responsible for damage, injuries, and/or deaths which occur should the crane topple from unsafe operation, or adverse weather conditions? Probably.

Is a demolition firm responsible for actions caused if unsecured explosives are removed from its control and used in unlawful or dangerous acts? I would hope so, in the event reasonable safeguards were not followed.

--
Karsten M. Self
SCO -- backgrounder on Caldera/SCO vs IBM
Support the EFF!!
There is no K5 cabal.

Do people even realise they have a problem? (4.00 / 1) (#28)
by Anonymous Hero on Fri Jun 02, 2000 at 08:12:33 AM EST

There are a few things to keep in mind here. Firstly, there is the question of whether or not people even understand the possibility that they are causing problems ( case in point - smurf. The fix was available years ago, but the list of unpatched systems is huge ).

Applying the law in this manner is only going to be workable if people are informed. How many system administrators check CERT / Bugtraq / Rootshell / [Insert your favorite advisory site here] on even a weekly basis?

Recently, I was going through my articles database and one of the ones that I spotted was from late 1998. A group of people carried out their own Internet audit ( it was posted at the time at "the other site" ), and it made for interesting reading.

Out of several tens of millions of *nix systems ( they didn't bother to run a security scan on anything running Windows ;), they found 420,000+ systems with one or more of a list of 18 well known vulnerabilities.

Since re-reading that article, it seems to me that there is a need for some kind of public organisation to be set up to not only periodically run scans of this type but to automatically forward an email to the system administrator.

If something like this existed, then you might be able to make a case that anyone who ignored such an email alert *was* guilty of criminal negligence. Until then, I don't think that what's being suggested here would really stand up in most courts ( regardless of the country ).

P.S.: last night, I realised why I hate the RIAA even though I don't download MP3s off the Internet. I looked at my CD collection and realised that I have paid the licensing fee for my music *twice*. I paid it once when I bought the vinyl LP and I paid it a second time when I bought the CD because I couldn't get LP player parts any more ( mutter, mutter, grumble, grumble ).

You might be strangling my chicken, but you don't want to know what I'm doing to your hamster.



What security? (3.00 / 1) (#29)
by Anonymous Hero on Fri Jun 02, 2000 at 10:01:44 AM EST

IIRC, the 'net was designed to be as flexible as possible; inherent security wasn't the issue. So I think the folks who have to squeeze a few virtual dollars out of this environment should be liable for not hiring/training/motivating sysadmins, if they can't secure their systems themselves.

Nothing annoys me more than people who want to make a living using one tool or another, then whine if something bad happens because they didn't feel the need to understand what they do.

If we stop protecting the lusers from their own stupidity, maybe then we can see some good ol' evolution in action. And, admit it, it doesn't hurt as much as in RL...

</rant> Sorry.

Major flaw in the article (3.00 / 1) (#30)
by Marvin on Fri Jun 02, 2000 at 11:13:45 AM EST

> one of the fundamental principles of the economic analysis of
> liability: it should be assigned to the party that can do the best job
> of managing risk.
I think the author has a major point here, but he (like most people discussing these issues) seems to assume it's the user of the system who "can do the best job of managing risks".
At least for attacks like the Melissa and ILOVEYOU worms this is simply not the case! What would be easier: make millions of non-expert computer users become security experts, or make one company deliver a product that is (fairly) secure by default?
I'm not talking about requiring M$ to make Windows as unbreakable as OpenBSD, I'm just talking about not integrating features that make it piss-easy for a script kiddie to mess up millions of computers. Of course M$ claims that these features were only added because their consumers want them. Now tell me: when was the last time you received a useful VBScript in an email attachment and thought "That's neat, I click on the attachment without even knowing it's a script and it suddenly does stuff for me! Cool!".
All the scripts in email attachments that I have come across have been worms or viruses. And still M$ doesn't turn off scripting in emails by default (because that would be against their long-term strategy of making the internet another M$ application).

Of course, what I said here only applies to exploits on client (desktop) PCs. Securing servers (to prevent DDoS attacks, for example) is a different issue.

Re: Major flaw in the article (3.00 / 1) (#31)
by Anonymous Hero on Sat Jun 03, 2000 at 02:38:58 AM EST

> I'm just talking about not integrating features that make it piss-easy for a script kiddie to mess up millions of computers.

Microsoft wouldn't even need to do that much. All they would need to do is to make the installation default for these options "off", so that the lusers would need to make the explicit decision to turn them on.

M$ doesn't want to play the game that way though. While a lot of people in this industry have a pretty low opinion of the typical end user ( myself included ), M$'s opinion of them is even lower. Case in point - unverified connections to a server so that the poor lusers don't even have to remember a password in Win95/98 before they can get a LAN connection. Sheesh!

Every luser starts out ignorant. It's just part of being a newbie. Some people ( and M$ isn't the only one in this regard ) seem to be very determined to keep them that way.

You might be strangling my chicken, but you don't want to know what I'm doing to your hamster.


