Computer liabilities

[Psi Baba]

Prosecutors looking to throw the book at accused computer hackers have come across a legal defense expected to become even more widespread in an era of hijacked PCs and laptops that threatens to blur the lines of personal responsibility: the computer did it.

Hacker's defense: the computer did it

This is becoming a serious issue and one that I think merits discussion. I am very interested in reading other forum members' thoughts on this. How responsible should we be assumed to be if a hack is traced back to our computers? How can that be considered proof of the assailant in a cybercrime? I would like to hear from our legal-eagle members the answer to this question: If someone breaks into your house, steals your gun and kills someone with it, are you as guity of murder as if you pulled the trigger yourself? If someone steals your car and runs over someone with it, are you as guilty as if you were behind the wheel yourself? It seems to me the same reasoning should apply to computers. I don't think the answer is "Make sure you keep yourself protected from viruses and spyware." Yes, that's good advice, but it's not reasonable to expect every computer user to do that. I would bet that most users are wide open. No doubt many older people and young kids are using computers with no kind of protection whatsoever. Downloading security patches from Microsoft, for example, is not as straightforward as they would like you to think. I'm sure a lot of people have never even heard of spyware or malware. Should someone's 69 year-old grandmother go to prison because her computer became infected with a trojan horse and/or a script that ultimately resuted in a hack or a dealing with child porn that gets traced back to her computer? It seems to me, like with any crime, that real proof should be required to establish guilt. It can't just end with the conclusion, "Your computer--your culpability."

Thoughts?

Edited to replace some missing words and letters that were hacked out of my post.

 

[shanek]

It is entirely possible for a hack attack to be launched from a computer and the hacker responsible not to have come anywhere within 1000 miles of it. Any even halfway decent script kiddie will compromise a random computer and launch the attack from there. These are usually home computers and others where people don't really understand or care about security.

So, a hacker might compromise a computer in a net cafe in the Phillippines and put on a remote trojan such as NetBus. From there he'll take out someone's home computer in Brazil, and from there the computer in some little small family business in Norway. And actually launch the attack from there. As long as there's even one computer in the chain that isn't logging all of the traffic, which is very likely, then it will be difficult if not impossible to track the attack back to the hacker. A skilled hacker will get away clean.

Also, recently viruses have become tools for this. The SoBig virus, for example, allows spam to be sent over the internet without it being traced back to the spammers. A compromised system will trigger its payload, pick a random address as the From: address, and mail it to everyone it finds out about. People are getting returned EMails that they never sent, or complaints about spams they never sent, even when their system hasn't been compromised at all; it's someone else with their EMail address somewhere in the system.

So, yes, this could and should be a valid defense. Otherwise, innocent people will get locked up and the offendor will go free. I don't think anyone wants either situation.

 

[bignickel]

6 months ago I would have said that a person is completely responsible for any computing device they hook to a network: it's completely their responsibility what the machine does, how they maintain the OS, and what packets it's sends.

MY Windows2K box would never have to worry about any attacks; I even told Shanek I wouldn't ever need a firewall.




Then I got hit by MSBlaster.

Goddam Micro$oft!!!

 

[Psi Baba]

6 months ago I would have said that a person is completely responsible for any computing device they hook to a network: it's completely their responsibility what the machine does, how they maintain the OS, and what packets it's sends.

MY Windows2K box would never have to worry about any attacks; I even told Shanek I wouldn't ever need a firewall.




Then I got hit by MSBlaster.

Goddam Micro$oft!!!

Recently, I set up a new computer at home. Well, it was new to me. Someone gave me the CPU because the HD died. I was starting with a brand new hard drive and put W2000 Pro on it. Since I had freshly formatted and had no data on it, I was tinkering around and not worried about precautions. I connected to the internet (with no antivirus, service packs, etc.) and within an hour or so, I had the Welchia worm (discovered upon installing Norton Antivirus). Mind you, this machine did not even have an e-mail reader on it yet, just IE, so that did not come from opening an e-mail attachment, just from being connected.

 

[Attrayant]

Originally posted by bignickel

MY Windows2K box would never have to worry about any attacks; I even told Shanek I wouldn't ever need a firewall.

Then I got hit by MSBlaster.

Goddam Micro$oft!!!

And a few weeks ago somebody sugared my gas tank. Goddam Ford!!!

 

[Skeptoid]

The Welchia worm exploits the same DCOM RPC vulnerability via port 135 as the MSBlaster worm did. An unpatched Win 2K machine is particularly vulnerable because it has no built in firewall like Win XP has to protect you until you install a better firewall and get the patches installed. Running a Windows box without a firewall is just asking for trouble.

 

[garys_2k]

Best hardware solution is a router with NAT. That will keep all of the scans and almost all of the trash from ever being able to find you.

 

[bignickel]

And a few weeks ago somebody sugared my gas tank. Goddam Ford!!!

Are you seriously comparing a gas tank to a messed up operating system that RUNS code sent to a computer thru a network adapter, without me giving it authority to do so, because they felt such a need to crush Netscape that they stupidly connected their internet browser to OS?

Seriously?

 

[jimlintott]

Originally posted by Attrayant
And a few weeks ago somebody sugared my gas tank. Goddam Ford!!!

Obviously a user error. You should have been guarding your gas tank more carefully. Can't rely on the security that came with your car.

Microsoft has done an amazing job at allowing users to be convinced that they cause all their own problems. While I agree that users can cause some of their own problems I have seen users blame themselves for a blue screen.

Some of these users can't even find their own files. How can we expect them to know about firewalls, open ports and malicious code. They view their computer as an appliance. It should just work and it should provide a decent level of security.

 

[bignickel]

Microsoft has done an amazing job at allowing users to be convinced that they cause all their own problems. While I agree that users can cause some of their own problems I have seen users blame themselves for a blue screen.

Oh, it's much worse than that; to have an OS execute code sent to it over a TCP/IP port is, to me, inconceivably stupid.

Gas tank? Ha! That's not even a close metaphor. Putting junk in someone's gas tank is the equivelent of sending them a virus in an email. This is a better metaphor: you're driving down the road in your car, and someone sends it a signal via radio waves to turn it's engine off. Or to make a sudden right turn into into the guard rails. MAKING it do SOMETHING that you don't want it to do, without your permission.

I remember some of the debates I got into with Shanek about the need for firewalls: I would ask how you could force a compute to execute code sent to it thru a TCP/IP port. Thus, I figured, the only thing you had to worry about was the user installing the virus/worm himself.

And then MSBlaster dropped by one day to demonstrate 'proof of concept'. Inconceivable! ("I do not think that word means what you think it means.") An OS that runs code without asking me, sent to it from an unsecure network.

The only reason I haven't switched to Linux yet: 1. lazy 2. WW2Online probably wouldnt' run (well).

 

[jimlintott]

Oh, it's much worse than that; to have an OS execute code sent to it over a TCP/IP port is, to me, inconceivably stupid.

It's not stupid, it's a feature. Makes your computer easier to use.

 

[richardm]

It's not stupid, it's a feature. Makes your computer easier to use.

It certainly does. Easier for other people, that is

 

[Attrayant]

Putting junk in someone's gas tank is the equivelent of sending them a virus in an email.

If you focus at details that are fine enough, nothing is analogous to anything. Your general bitch-n-moan complaint was about security. For this reason, an unlocked gas tank is a fair analogy. Car manufacturers have (for the most part) addressed the vandalism & fuel theft problem by putting locking gas caps on their cars. OS manufacturers have addressed a large number of security issues as well. However, neither MS nor Ford is going to go to the extreem lengths that would be required to stop the truly determined theif or hacker who will stop at nothing to do evil deeds.

...you're driving down the road in your car, and someone sends it a signal via radio waves to turn it's engine off.

This is possible now. Police have a device that can zap your car's CPU as you drive over it. Suppose some criminal gets hold of one of these (or more likely makes one in his basement, there's not that much to it) and uses it on me. Following your example, I should be furious with Honda for not having the sense to enclose their engine & electronics inside a Faraday cage. Of course that would be ridiculous. Your vitriol was directed at the wrong people.

How come it wasn't "Goddam Hackers!!!"?

 

[shanek]

Are you seriously comparing a gas tank to a messed up operating system that RUNS code sent to a computer thru a network adapter, without me giving it authority to do so, because they felt such a need to crush Netscape that they stupidly connected their internet browser to OS?

Seriously?

Yeah, this is more like Ford installing a time bomb under the hood that anyone can open and activate.

 

[Attrayant]

Yeah, this is more like Ford installing a time bomb under the hood that anyone can open and activate.

You're not helping.

 

[bignickel]

If you focus at details that are fine enough, nothing is analogous to anything. Your general bitch-n-moan complaint was about security.

Wrong, boyo. My analogy was a hellova lot more apt then your 1 line sarcastic note. A gas tank is NEEDED on a goddam car, since you need to put gas in it to run it. Why the hell would anyone write an OS that executed code sent to it thru TCP/IP ports? Your example would have great for someone SPIKING the current going to someone's computer to cause the computer to glitch; too bad we're not discussing that such an example. BTW - I wouldn't hold MS responsible for someone doing such an action. Happy?

This is possible now. Police have a device that can zap your car's CPU as you drive over it

Oh really: the police can take control of my car and control it's steering, acceleration, and braking? Because once again: you can't seem to get a grasp on any kind of appropriate analogy here.

Go back and do your homework.

PS At least I got more than one line outta you this time. Now, that wasn't so hard, was it?

 

[Attrayant]

I can only conclude that you are being obtuse on purpose.

Oh really: the police can take control of my car and control it's steering, acceleration, and braking?

I said no such thing. My point is with regard to general security issues (tell me if your gripes are not security-related, perhaps I misunderstand), and only that your bitterness seems to be directed at the wrong people.

I see you have no objection to Shanek's ludicrous alanogy. I suppose you find it appropriate?

You've gotten way too much out of me, as far as I am concerned. My first post should have been all that was necessary to get my point across to most lucid people.

 

[bignickel]

Your one line sarcastic first post with an inappropriate in-analogy? All that was necessary? Obtuse on purpose?

That's the pot calling the kettle a blacker shade of grey, that is.

From what I can tell, evidently you were serious with your analogy. To you, Microsoft bone-headingly melding it's INTERNET browser to the OS is just the same as Ford putting necessary technology (gas tank and cap) on a car. "Well, gee: MS had to crush Netscape: it's necessary for MS software to run properly! That's why it was important for them to do something so mind-boggling stupid that it introduced numerous security holes in their OS that allows it to run unauthorized code!"

Whatever.

You don't like Shanek's analogy? You argue with him. I do find it apt in that it's only a matter of TIME before someone compromises your security due to MS ineptness.

I'm done with you.

 

[Kevin_Lowe]

Best hardware solution is a router with NAT. That will keep all of the scans and almost all of the trash from ever being able to find you.

I respectfully disagree. The best hardware solution is a Macintosh.

 

[richardm]

I respectfully disagree. The best hardware solution is a Macintosh.

Although it's true to say that the majority of viruses and worms attack Windows machines, Macs are not immune.