Brian King writes: >>Are owners of long term compromised systems really "innocents"? If >>people have left systems compromised with worms that are attacking other >>networks and reports have been ignored for significant amounts of time, >>then surely the compromised party are guilty of negligence ? > I would say that it depends who is administering the system. I wouldn't > call a clueless personal user negligent, but it is expected that a > network administrator knows how to patch and protect computer systems > under his/her control. To be negligent means that the person could fix > the problem but didn't. This is often true, but not universally true. Another commonly applied standard of negligence compares the costs of prevention versus the costs of remediation. I.e., if an security incident would cost less the recover from than it would cost to prevent, then (by this standard) failing to prevent it would not constitute negligence. Indeed, one could make the case that the -perception- that this is true of the general case is one of the predominant explanations of the state of security on the internet in general. In other words, most organisations can perceive the (immediate) costs of Doing The Right Thing (in security terms), and have an expectation of low (long term) costs of doing nothing and hoping for the best. Whether or not you believe this is a sane (or ethical) way of modelling the problem, it is nevertheless worth noting that some industries can muddle along quite happily this way. Credit card issuers, for example, deal with the absolutely grotesque credit card security model by simply accepting the losses due to credit card theft and fraud as part of the costs of doing business. There are far better authentication schemes available than the know-the-card- number-and-expiry method currently in nearly universal use---they're just more expensive to deploy. Note that I'm not suggesting that I -agree- with this view. In general, I do not. I think that should be some minimum standard for building and deploying networks, just like there's a minimum standard for the construction of buildings and cars (for example). But it is worth noting that this bias is just that---a bias; it isn't built on an well-established legal or ethical standards with are (currently) generally accepted. I think that a fairly strong case could be made for a minimum standard on these terms...but I don't think such standards currently exist in any meaningful form. And, incidentally, I think that building consensus about these sorts of standards will have much more beneficial effects (long term) on overall network security than any scheme involving retribution attacks on compromised systems...no matter how optimistically you model the effects of such actions. -spb
This archive was generated by hypermail 2b30 : Fri May 23 2003 - 11:31:09 PDT