Good point. How about this analogy? If I own a gun which I leave around where I can anticipate my elementary school age child will find it, am I responsible if he takes it to school and threatens his classmates? True current King County case, in which as I understand it the gun-owning mother has been charged with a crime (don't know what it is).

One problem with this analogy is that probably unlike most participants on this list, most computer users don't know the stats showing how quickly unsecured boxes tend to be taken over when put on the net, and don't generally know much about how to keep them from improper use by third parties, while almost everybody (pro- or anti-gun) knows about gun risks and accepts the need to secure them away from kids. Kids tend to be attracted to and sometimes misuse guns; kiddies (and more serious perps) tend to be attracted to and deliberately misuse unsecured boxes; in either case harm may be caused to third parties.

Which leads to another problem with this analogy: computers can only harm data and/or other computers - any harm to human life or health can only be consequential, if the harmed data or computer was needed to support functions affecting life and/or health - making the threat much less direct than a gun.

Which was the reason for my throwaway comment on SCADA systems before - if you can take reasonable steps to avoid harm, such as not connecting critical applications to the Internet - you should do that before resorting to hack back too.

-----Original Message-----
From: St. Clair, James [mailto:JStClair@private]
Sent: Thursday, June 19, 2003 12:46 PM
To: crime@private
Subject: RE: CRIME Senator Hatch - Destroy file swappers' computers

Good response, but it is not the right analogy: The Hatch concept inherently relies on a sense of identity for the "thievery" that is technically impossible to establish. The guilty party is at the keyboard, not the box involved.
Perhaps this analogy: If I use a shopping cart to break a window and rob a store, should the store go after the supermarket?

-----Original Message-----
From: Christiansen, John (SEA) [mailto:JohnC@private]
Sent: Thursday, June 19, 2003 3:36 PM
To: crime@private
Subject: RE: CRIME Senator Hatch - Destroy file swappers' computers

Serious response: In most states the store owner would have the right to use force to prevent harm to property, but the degree of force would have to be in some sense proportionate to the harm to be prevented. Shooting a burglar who's coming at you with a tire iron is probably going to be accepted; shooting a shoplifter in the back is probably way out of bounds (at least in the relatively pacific Northwest, if not everywhere); breaking a thief's fingers with a bat when you are trying to stop him from grabbing the cash drawer probably won't get you prosecuted or subject you to civil liability (though there are some pretty nervy perps out there); burning up the getaway car is probably too potentially dangerous to third parties and yourself, not to mention the thief, to be acceptable.

The valid point being that there is precedent out there which might support hack back self-help - the problem being avoidance of seductive but misleading analogies, when all you have to work from is analogy.

-----Original Message-----
From: Justin Kurynny [mailto:justink@private]
Sent: Thursday, June 19, 2003 12:08 PM
To: crime@private
Subject: RE: CRIME Senator Hatch - Destroy file swappers' computers

serious, sarcasm-free questions for the group:

if a shop owner catches someone stealing something from her store, should she have the right to destroy the tools of the thief's vocation? in other words, should we grant her the right to break his hands and legs? maybe even amputate them? less drastically and humanly injurious, should she have the right to drop a lit match into the thief's getaway car as a means of destroying it?
justin

justin kurynny
manager of network engineering
waggener edstrom, inc.

-----Original Message-----
From: Christiansen, John (SEA) [mailto:JohnC@private]
Sent: Thursday, June 19, 2003 11:42 AM
To: 'Crispin Cowan'
Cc: crime@private

If the ISP is responsive and the rules of engagement say you don't escalate if the ISP is responsive, then hacking back isn't legit. But that doesn't suggest you should avoid figuring out what the rules should be - seems to me it suggests you should figure out the rules. We didn't have this one before, did we? But now we have a consensus on this point. So all we need to do is make sure sysadmins are appropriately responsive and the rules around escalation become moot. So, following this alternative branch, what are the rules for sysadmin responsiveness? In other words, when can I hold an ISP liable for failing to cut off hostile activity?
This archive was generated by hypermail 2b30 : Thu Jun 19 2003 - 13:38:50 PDT