RE: CRIME Senator Hatch - Destroy file swappers' computers

From: Christiansen, John (SEA) (JohnC@private)
Date: Thu Jun 19 2003 - 13:33:39 PDT

    I think it's both - the underlying question being, under what conditions
    might someone be entitled to take potentially damaging action against
    somebody else's computer on a network?
    
    -----Original Message-----
    From: Justin Kurynny [mailto:justink@private]
    Sent: Thursday, June 19, 2003 1:31 PM
    To: Christiansen, John (SEA); crime@private
    Subject: RE: CRIME Senator Hatch - Destroy file swappers' computers
    
    
    i am confused. didn't this start out as a DRM discussion? isn't Orrin
    Hatch's proposal about copyright infringement and countermeasures, and
    not about direct or indirect use of networked computers to hack remote
    systems?
    
    the thread matter appears to have gotten a little mixed, so i just want
    to make sure that we're either talking about Hatch's proposal, talking
    about a theoretical law that allows entities to hack back when hacked
    upon, both, or something else.
    
    thanks,
    justin
    
    
    -----Original Message-----
    From: Christiansen, John (SEA) [mailto:JohnC@private] 
    Sent: Thursday, June 19, 2003 1:10 PM
    To: crime@private
    
    Good point. How about this analogy? If I own a gun which I leave around
    where I can anticipate my elementary school age child will find it, am I
    responsible if he takes it to school and threatens his classmates? True
    current King County case, in which as I understand it the gun-owning
    mother has been charged with a crime (don't know what it is). 
    
    One problem with this analogy is that probably unlike most participants
    on this list, most computer users don't know the stats showing how
    quickly unsecured boxes tend to be taken over when put on the net, and
    don't generally know much about how to keep them from improper use by
    third parties, while almost everybody (pro- or anti-gun) knows about gun
    risks and accepts the need to secure them away from kids. Kids tend to
    be attracted to and sometimes misuse guns; kiddies (and more serious
    perps) tend to be attracted to and deliberately misuse unsecured boxes;
    in either case harm may be caused to third parties. 
    
    Which leads to another problem with this analogy: computers can only
    harm data and/or other computers - any harm to human life or health can
    only be consequential, if the harmed data or computer was needed to
    support functions affecting life and/or health - making the threat much
    less direct than a gun. Which was the reason for my throwaway comment on
    SCADA systems before - if you can take reasonable steps to avoid harm,
    such as not connecting critical applications to the Internet - you
    should do that before resorting to hack back too. 
    
    -----Original Message-----
    From: St. Clair, James [mailto:JStClair@private]
    Sent: Thursday, June 19, 2003 12:46 PM
    To: crime@private
    Subject: RE: CRIME Senator Hatch - Destroy file swappers' computers
    
    
    Good response, but it is not the right analogy: The Hatch concept
    inherently relies on a sense of identity for the "thievery" that is
    technically impossible to establish. The guilty party is at the
    keyboard, not the box involved.
    
    Perhaps this analogy: If I use a shopping cart to break a window and rob
    a store, should the store go after the supermarket?
    
    -----Original Message-----
    From: Christiansen, John (SEA) [mailto:JohnC@private]
    Sent: Thursday, June 19, 2003 3:36 PM
    To: crime@private
    Subject: RE: CRIME Senator Hatch - Destroy file swappers' computers
    
    
    Serious response: In most states the store owner would have the right to
    use force to prevent harm to property, but the degree of force would
    have to be in some sense proportionate to the harm to be prevented.
    
    Shooting a burglar who's coming at you with a tire iron is probably
    going to be accepted; shooting a shoplifter in the back is probably way
    out of bounds (at least in the relatively pacific Northwest, if not
    everywhere); breaking a thief's fingers with a bat when you are trying
    to stop him from grabbing the cash drawer probably won't get you
    prosecuted or subject you to civil liability (though there are some
    pretty nervy perps out there); burning up the getaway car is probably
    too potentially dangerous to third parties and yourself, not to mention
    the thief, to be acceptable.  
    
    The valid point being that there is precedent out there which might
    support hack back self-help - the problem being avoidance of seductive
    but misleading analogies, when all you have to work from is analogy. 
    
    -----Original Message-----
    From: Justin Kurynny [mailto:justink@private]
    Sent: Thursday, June 19, 2003 12:08 PM
    To: crime@private
    Subject: RE: CRIME Senator Hatch - Destroy file swappers' computers
    
    
    serious, sarcasm-free questions for the group: if a shop owner catches
    someone stealing something from her store, should she have the right to
    destroy the tools of the thief's vocation? in other words, should we
    grant her the right to break his hands and legs? maybe even amputate
    them? less drastically and humanly injurious, should she have the right
    to drop a lit match into the thief's getaway car as a means of
    destroying it?
    
    justin
    
    justin kurynny
    manager of network engineering
    waggener edstrom, inc.
    
    -----Original Message-----
    From: Christiansen, John (SEA) [mailto:JohnC@private]
    Sent: Thursday, June 19, 2003 11:42 AM
    To: 'Crispin Cowan'
    Cc: crime@private
    
    If the ISP is responsive and the rules of engagement say you don't
    escalate if the ISP is responsive, then hacking back isn't legit. But
    that doesn't suggest you should avoid figuring out what the rules should
    be - seems to me it suggests you should figure out the rules. We didn't
    have this one before, did we? But now we have a consensus on this point.
    So all we need to do is make sure sysadmins are appropriately responsive
    and the rules around escalation become moot. So, following this
    alternative branch, what are the rules for sysadmin responsiveness? In
    other words, when can I hold an ISP liable for failing to cut off
    hostile activity?
    



    This archive was generated by hypermail 2b30 : Thu Jun 19 2003 - 13:46:22 PDT