The legalities trail the technical realities here. Consider that if someone starts throwing punches at you, you are generally allowed to throw punches back and are not required merely to attempt to block the punches thrown. We should think about the poor security of platforms out there, the lack of proper administration of many (most?) of them, and realize that we are dealing with attacking engines, not attacking people. Where the attacker is a person, as the law has generally been set up to assume, then response directed at that person only is the appropriate model. Here, the attacker is an autonomous agent.
Probably the closest analogue in the non-cyber world is a disease. How do we deal with an epidemic? At least some of the time, massive and compulsory vaccination, and compulsory isolation of the infected, has been done to contain such events. A second analogue would be what happens when some new plant or animal gets introduced where it has no natural enemies, and new predators must be brought in as well to control it. We should consider that this may be a decent model to think about in this case.
Yes, the counter-virus invades vulnerable machines. Note that in an epidemic situation, those who have already been treated (or who may have recovered and are naturally immune) are not vaccinated. Note too that in epidemic situations a few folks get the disease from the vaccine. Here we are dealing with something that seems similar to a public health problem, caused by infectious agents, and a population which is overly susceptible to them. What is the best way to deal with such?
I would love to see rules in place that imposed costs on the makers of the vulnerabilities where they repeatedly designed in security-reckless ways. Machines don't have the same rights as people: it is not contrary to legal custom to require they be designed safely and that failure to follow safe design and construction practice leads to product liability.
Such liability must be crafted so that it takes hold when a program is sold or is represented as ready for mass use; that is where most of the "public health" danger exists. However the population of systems already out there needs to be dealt with. A remedy should be crafted which will, like a vaccine, increase the strength of the system being immunized, and it should not impede later immunization against other problems nor damage too many vulnerable systems with unusual configurations.
In medicine, there is a known group of workers who know the subject and can devise vaccines, which works with government agencies which decide when they get released. In computer security, it appears that those able to devise remedies are much more widely scattered and largely self-taught (and often superbly well taught in this way). Government is not well coupled in this space, so that the quiet interaction in the background with expert labs is likely not to be very effective here.
I view it as entirely appropriate for someone to come up with a proposal and to have it discussed openly among people who can examine it. I consider it a trial formula for a vaccine or antibiotic, suitable for experimentation in controlled circumstances, and well suited for discussion. A list like this can make a positive contribution by working out design principles for how to deal with issues like this best, starting with some of the basic design principles and proceeding to the details. This is not well served by piling on the initial discussor and telling him "this is illegal". We need to discuss what the law should be and needs to be, illuminated by understanding the technology and what it can and cannot do, and work out some principles under which it may be decided to release a vaccine or a predator which can then be legislated.
It may well be that some systems should be preemptively strengthened en masse, given the availability of a well designed strengthener designed and known openly.
People like those on this list should be taking part in such decisions, along with the government, and not leaving this work in the hands only of vendors who made the vulnerabilities in the first place and who may not be inclined to do any more than address published holes. Solutions should be general in nature, as much as possible, should be insensitive to details of configuration (to do as little collateral damage as possible) (which will mean using published interfaces in likely practice), and need to be well discussed and well tested before use in the wild.
This is enough for one message.
Glenn C. Everhart (everhartat_private)
-----Original Message-----
From: John R. Morris [mailto:jrmorrisat_private]
Sent: Thursday, September 06, 2001 9:08 PM
To: 'Jay D. Dyson'; 'Vuln-Dev List'
Subject: RE: CodeGreen beta release (idq-patcher/antiCodeRed/etc.)
I can't believe anyone honestly considers a "counter-attack" worm the same as self-defense. Deadly force, or otherwise normally illegal amounts of force, is justified only in defense of your life, or the lives of others, your physical well-being, or the physical well-being of others. Defense is something done to prevent something from happening, retaliation is something [...]
This archive was generated by hypermail 2b30 : Fri Sep 07 2001 - 11:12:28 PDT