Are owners of botnetted computers culpable? [modified]
-
I agree with the idea of cutting off service as long as: 1. The ISP provides links to all appropriate patches 2. The ISP doesn't charge data costs to download these patches 3. The ISP provides simple instructions on what to do. All these (apart from the not charging bit) should be fairly easy to do if the ISP is able to detect the nature of the infection based on traffic patterns and network sniffing. Which prompts the question: Should an ISP have the right to packet sniff if it suspects an infected machine?
cheers, Chris Maunder
CodeProject.com : C++ MVP
Chris Maunder wrote:
Should an ISP have the right to packet sniff if it suspects an infected machine?
Excellent point. Maybe it should be left at the level of symptoms of a breach and left to the user to rectify. Once you get to the packet level, it becomes a privacy issue that could violate the terms you agreed to with the ISP.
-
I agree with the idea of cutting off service as long as: 1. The ISP provides links to all appropriate patches 2. The ISP doesn't charge data costs to download these patches 3. The ISP provides simple instructions on what to do. All these (apart from the not charging bit) should be fairly easy to do if the ISP is able to detect the nature of the infection based on traffic patterns and network sniffing. Which prompts the question: Should an ISP have the right to packet sniff if it suspects an infected machine?
cheers, Chris Maunder
CodeProject.com : C++ MVP
Hey Chris, see my previous post to Chris Austin. I was replying to your post and it posted the reply on his instead. I used the quote function so I know it's a bug. I had this happen this morning on an article comment reply. At the time I thought I screwed up but now I think there's a bug.
-
Bert delaVega wrote:
You shouldn't punish the innocent. But cutting off their service sounds like a good idea.
So, we should punish them? :confused:
regards, Paul Watson Ireland & South Africa
Fernando A. Gomez F. wrote:
At least he achieved immortality for a few years.
-
El Corazon wrote:
Are the builders of paved roads culpable for the constant proliferation of accidents on the highways.
more like: are people who leave their cars running, unlocked and unwatched responsible when strangers use those cars in illegal activities ? possibly. or, even better: are someone who leaves a loaded gun unsupervised in public responsible if someone else uses that gun in a crime ? yes. at some point, negligence itself becomes a crime.
Chris Losinger wrote:
at some point, negligence itself becomes a crime.
I was waiting for that. Then we are ultimately responsible. Did not we, collectively, as programmers leave the gun in the hands of the user, loaded, unlocked and ready to be used? Did not we, collectively, as programmers thinking ultimately in our power of making idiot proof programs, leave cars always on, always running, always unlocked and ready to be used? You can't take the one step without taking the next. If you want to blame the users for not being as smart as us, perhaps you should blame us for not being smart enough to realize they are NOT as smart as us! Let me see a show of hands who belives there are not idiots in the world? Anyone? Does anyone here actually believe that they do not exist? No. Yet we wrote the software full of holes, hand them to the user without the knowledge of how to lock them up. If you hand a gun to a grown up with the full knowledge of how to use it, you have committed no crime. But have not we, collectively, as programmers handed guns, cars, even mack-trucks to children some who would not even qualify as pre-school in the comparative culture of computer experience? So who ultimately is to blame? these children? us? or the criminals who took advantage of them? Ultimately I think the criminals, but if you want to look around for blame, there is more than enough to share with the users, grab some, there's more than enough to go around. :-D
_________________________ Asu no koto o ieba, tenjo de nezumi ga warau. Talk about things of tomorrow and the mice in the ceiling laugh. (Japanese Proverb) John Andrew Holmes "It is well to remember that the entire universe, with one trifling exception, is composed of others."
-
No, the people who wrote the trojan or virus that infected the computer are responsible. But, I don't have a problem with an ISP cutting off their connectivity until it is corrected. Also, at least in my part of the world, ISPs seem to be taking a proactive approach and offering free or discounted anti-malware products.
`
Sorry. My reply was meant for Chris. Something's not right. While I'm here, the reason a lot of ISP's are active in thwarting these things is that the risk being cut off at the trunk end which would devastate their business.
-
No, cutting off the service it's not a punishment, it's our self-defence.
-- Jarek Andrzejewski
Still punishment for the innocent.
regards, Paul Watson Ireland & South Africa
Fernando A. Gomez F. wrote:
At least he achieved immortality for a few years.
-
Gunni wrote:
And if granny can't be bothered to learn even the very basics of computer safety she probably shouldn't be using one
she shouldn't have to. That's why there's virus scans, spyblockers, phishing filters, etc that run on auto and tech support to set it up and help when a problem arises. If set up properly a computer will not have these troubles and granny doesn't need to know jack except how to get to her favorite site. That's what I did for my wife.
"I'm not altogether all together."
justfunnin wrote:
That's what I did for my wife.
As have I, for many people. I have taken a pro-active approach, I try to help folks get their machines fixed. A diet-coke here and there in barter for my time. The better way is instead of blaming, help them get the machines fixed. There is more than enough blame to share, so just help solve the problem. :)
_________________________ Asu no koto o ieba, tenjo de nezumi ga warau. Talk about things of tomorrow and the mice in the ceiling laugh. (Japanese Proverb) John Andrew Holmes "It is well to remember that the entire universe, with one trifling exception, is composed of others."
-
Simon Stevens wrote:
Maybe we need internationally recognised training courses, and a license to operate.
Hogwash, the home computer was made and designed for Joe Consumer not Joe Programmer with a Degree. They have tech support for setting up your computer so it will fend off these annoyances. Granny just wants to go to her favorite site. My wife is the same way, so I make everything work right for her.
"I'm not altogether all together."
justfunnin wrote:
Granny just wants to go to her favorite site.
Darn lots of granny's now. :-D
_________________________ Asu no koto o ieba, tenjo de nezumi ga warau. Talk about things of tomorrow and the mice in the ceiling laugh. (Japanese Proverb) John Andrew Holmes "It is well to remember that the entire universe, with one trifling exception, is composed of others."
-
But if someone uses your chainsaw to do that without your permission you aren't.
That depends if you leave your chainsaw lying around on the ground where anyone could pick it up when the safety guidelines say it should be locked away when not in use.
Simon
-
Chris Losinger wrote:
at some point, negligence itself becomes a crime.
I was waiting for that. Then we are ultimately responsible. Did not we, collectively, as programmers leave the gun in the hands of the user, loaded, unlocked and ready to be used? Did not we, collectively, as programmers thinking ultimately in our power of making idiot proof programs, leave cars always on, always running, always unlocked and ready to be used? You can't take the one step without taking the next. If you want to blame the users for not being as smart as us, perhaps you should blame us for not being smart enough to realize they are NOT as smart as us! Let me see a show of hands who belives there are not idiots in the world? Anyone? Does anyone here actually believe that they do not exist? No. Yet we wrote the software full of holes, hand them to the user without the knowledge of how to lock them up. If you hand a gun to a grown up with the full knowledge of how to use it, you have committed no crime. But have not we, collectively, as programmers handed guns, cars, even mack-trucks to children some who would not even qualify as pre-school in the comparative culture of computer experience? So who ultimately is to blame? these children? us? or the criminals who took advantage of them? Ultimately I think the criminals, but if you want to look around for blame, there is more than enough to share with the users, grab some, there's more than enough to go around. :-D
_________________________ Asu no koto o ieba, tenjo de nezumi ga warau. Talk about things of tomorrow and the mice in the ceiling laugh. (Japanese Proverb) John Andrew Holmes "It is well to remember that the entire universe, with one trifling exception, is composed of others."
El Corazon wrote:
You can't take the one step without taking the next. If you want to blame the users for not being as smart as us, perhaps you should blame us for not being smart enough to realize they are NOT as smart as us!
consider it done. likewise, gun manufacturers are too stupid to know that they sell a product designed to put holes in things, easily, and that their products will be used by people who don't know what a gun is, what a gun does, or how (where & when & why) to use a gun. but, that's why there is a whole class of crimes based around the concept of negligence. if you have a gun and know how to use it, but accidentally leave it, loaded, in a playground, you're gonna be charged when one kid uses it to kill another.
-
I thought I might get a reply along those lines so let me clarify. First of all your comparison is not really accurate is it? What you are saying is that we should blame the makers of the computers that are used in botnets. What I'm saying is that the posession of something potentially destructive carries with it a certain responsibility. I'm not saying we should start issuing computer licenses (although I know some service techs who would love that) but if I leave a weapon (or some other dangerous object) lying around where anyone can get to it and that object is used in the commission of a crime should I not be reprimanded or at least given a stern talking to for my negligence? And if granny can't be bothered to learn even the very basics of computer safety she probably shouldn't be using one (identity theft via phishing is a very real problem).
Gunni wrote:
What I'm saying is that the posession of something potentially destructive carries with it a certain responsibility.
okay, then you posses a compiler, are you then not responsible for the negligent actions of its use? Once you head down that road it still leads right back to us.
Gunni wrote:
And if granny can't be bothered to learn even the very basics of computer safety she probably shouldn't be using on
If a programmer can't write secure programs, then he should not be writing for Granny. It still leads back to us. Down this road of negligence, it is we who are ultimately responsible. I still say hold the botnet writers responsible, but you can't blame granny for using something we write, gave to her, told her was easy enough for an idiot, and then slap her in cuffs for not knowing enough to use it. Seems silly when put in that light?
_________________________ Asu no koto o ieba, tenjo de nezumi ga warau. Talk about things of tomorrow and the mice in the ceiling laugh. (Japanese Proverb) John Andrew Holmes "It is well to remember that the entire universe, with one trifling exception, is composed of others."
-
El Corazon wrote:
You can't take the one step without taking the next. If you want to blame the users for not being as smart as us, perhaps you should blame us for not being smart enough to realize they are NOT as smart as us!
consider it done. likewise, gun manufacturers are too stupid to know that they sell a product designed to put holes in things, easily, and that their products will be used by people who don't know what a gun is, what a gun does, or how (where & when & why) to use a gun. but, that's why there is a whole class of crimes based around the concept of negligence. if you have a gun and know how to use it, but accidentally leave it, loaded, in a playground, you're gonna be charged when one kid uses it to kill another.
Chris Losinger wrote:
but, that's why there is a whole class of crimes based around the concept of negligence. if you have a gun and know how to use it, but accidentally leave it, loaded, in a playground, you're gonna be charged when one kid uses it to kill another.
then is that not exactly what we are complaining about? that we left guns in the hands of children and want to blame the children for our own actions?
_________________________ Asu no koto o ieba, tenjo de nezumi ga warau. Talk about things of tomorrow and the mice in the ceiling laugh. (Japanese Proverb) John Andrew Holmes "It is well to remember that the entire universe, with one trifling exception, is composed of others."
-
Chris Losinger wrote:
but, that's why there is a whole class of crimes based around the concept of negligence. if you have a gun and know how to use it, but accidentally leave it, loaded, in a playground, you're gonna be charged when one kid uses it to kill another.
then is that not exactly what we are complaining about? that we left guns in the hands of children and want to blame the children for our own actions?
_________________________ Asu no koto o ieba, tenjo de nezumi ga warau. Talk about things of tomorrow and the mice in the ceiling laugh. (Japanese Proverb) John Andrew Holmes "It is well to remember that the entire universe, with one trifling exception, is composed of others."
i'm saying computer owners who leave their machines open to infiltration, when there are simple and straightforward ways of preventing the bulk of the common attacks (AV software, firewalls, etc), are negligent and should be held responsible for damages caused by their unsecured machines. programmers and hardware manufacturers make powerful products, and it's up to the people who purchase and use those products to ensure that they aren't used for malicious purposes, even accidentally.
-
That depends if you leave your chainsaw lying around on the ground where anyone could pick it up when the safety guidelines say it should be locked away when not in use.
Simon
Simon Stevens wrote:
That depends if you leave your chainsaw lying around on the ground where anyone could pick it up when the safety guidelines say it should be locked away when not in use.
So you are saying because there is a best practices guidelines, we as programmers should all follow them, and because we have not (as evident in the mass problems with UAC, security holes, etc), then we are responsible for the actions. The original comparison says that because we put the chainsaw in the hands of a user who doesn't know anything about its operation, that that person should be responsible for its misuse/abuse by a third party. If you want to look for negligence, the negligence issue jumps the users and comes straight to us as programmers, it does not pass go, and does not collect $200.
_________________________ Asu no koto o ieba, tenjo de nezumi ga warau. Talk about things of tomorrow and the mice in the ceiling laugh. (Japanese Proverb) John Andrew Holmes "It is well to remember that the entire universe, with one trifling exception, is composed of others."
-
i'm saying computer owners who leave their machines open to infiltration, when there are simple and straightforward ways of preventing the bulk of the common attacks (AV software, firewalls, etc), are negligent and should be held responsible for damages caused by their unsecured machines. programmers and hardware manufacturers make powerful products, and it's up to the people who purchase and use those products to ensure that they aren't used for malicious purposes, even accidentally.
Chris Losinger wrote:
i'm saying computer owners who leave their machines open to infiltration, when there are simple and straightforward ways of preventing the bulk of the common attacks (AV software, firewalls, etc), are negligent and should be held responsible for damages caused by their unsecured machines.
computers are sold as TV's, more common in the market place than an LCD flat screen TV, as common as cable, dvd, etc and sold as being as safe as the same. They are not, have never been, but are sold as such... that is the world we live in, fact. You are saying because they are lied to, that they must somehow break through the lie, and learn as much as we do, or they are ultimately responsible for everything that happens with their computer? There are programmers who defend the fact that a computer should always be left without AV, they are even found here. Spyware detectors and AV should either be standard equipment, or we should have licenses for buying computers. Neither is going to happen. AV companies want money, salesment want to sell computers. We as programmers will continue harping on why programming for the best practices to prevent UAC violations should not be done, because we should have the ultimate power to do anything we darn well want to do, and the rest of the world should just learn what we know, or be responsible for the misuse of it? I still say take the perpetrators... but eventually the other road always leads right back to us. We ultimately continue to ignore safety, common practices, secure practices, suggested practices, etc. It doesn't matter how you phrase it, we, collectively as programmers, still as a majority refuse to secure our software products, because we have this grandoise view that we, collectively, have absolutely no responsibility at all in any of this business.
_________________________ Asu no koto o ieba, tenjo de nezumi ga warau. Talk about things of tomorrow and the mice in the ceiling laugh. (Japanese Proverb) John Andrew Holmes "It is well to remember that the entire universe, with one trifling exception, is composed of others."
-
Simon Stevens wrote:
Maybe we need internationally recognised training courses, and a license to operate.
Hogwash, the home computer was made and designed for Joe Consumer not Joe Programmer with a Degree. They have tech support for setting up your computer so it will fend off these annoyances. Granny just wants to go to her favorite site. My wife is the same way, so I make everything work right for her.
"I'm not altogether all together."
justfunnin wrote:
the home computer was made and designed for Joe Consumer not Joe Programmer with a Degree
That's exactly the problem. It hasn't been designed very well for Joe Consumer. They are too complicated, and too easy to mess up. A real 'home computer' should not be so configurable. Don't get me wrong, I don't really think training and operator licenses are the sensible thing to do. What I really think should be done is to make the home computer less configurable, and more user friendly. And to keep the technical people like us happy, a expert mode that requires knowledge to get into. This is kinda of what the idea of using the least privileged user is about I suppose, it just needs to go a bit further, and not make it so easy to drop back to using admin mode (Yes, I think vista's UAC will be a good thing in the long term)
Simon
-
Bert delaVega wrote:
You shouldn't punish the innocent. But cutting off their service sounds like a good idea.
So, we should punish them? :confused:
regards, Paul Watson Ireland & South Africa
Fernando A. Gomez F. wrote:
At least he achieved immortality for a few years.
Okay, so give them a month's credit for being cooperative. :laugh: But seriously, if I lost my connection because my computer had malware installed, I would be more mad at myself than the ISP. In fact, I would be grateful for them pointing it out. But I know what you're saying. I'm being penalized and inconvenienced.
-
Chris Losinger wrote:
i'm saying computer owners who leave their machines open to infiltration, when there are simple and straightforward ways of preventing the bulk of the common attacks (AV software, firewalls, etc), are negligent and should be held responsible for damages caused by their unsecured machines.
computers are sold as TV's, more common in the market place than an LCD flat screen TV, as common as cable, dvd, etc and sold as being as safe as the same. They are not, have never been, but are sold as such... that is the world we live in, fact. You are saying because they are lied to, that they must somehow break through the lie, and learn as much as we do, or they are ultimately responsible for everything that happens with their computer? There are programmers who defend the fact that a computer should always be left without AV, they are even found here. Spyware detectors and AV should either be standard equipment, or we should have licenses for buying computers. Neither is going to happen. AV companies want money, salesment want to sell computers. We as programmers will continue harping on why programming for the best practices to prevent UAC violations should not be done, because we should have the ultimate power to do anything we darn well want to do, and the rest of the world should just learn what we know, or be responsible for the misuse of it? I still say take the perpetrators... but eventually the other road always leads right back to us. We ultimately continue to ignore safety, common practices, secure practices, suggested practices, etc. It doesn't matter how you phrase it, we, collectively as programmers, still as a majority refuse to secure our software products, because we have this grandoise view that we, collectively, have absolutely no responsibility at all in any of this business.
_________________________ Asu no koto o ieba, tenjo de nezumi ga warau. Talk about things of tomorrow and the mice in the ceiling laugh. (Japanese Proverb) John Andrew Holmes "It is well to remember that the entire universe, with one trifling exception, is composed of others."
El Corazon wrote:
You are saying because they are lied to, that they must somehow break through the lie, and learn as much as we do, or they are ultimately responsible for everything that happens with their computer?
no, not "as much as we do" - there's no need for them to know C# - simply enough to protect themselves. and yes, they should be held responsible, just as people are held responsible for not connecting unsafe devices to the phone lines, or the cable jack, gas line, water line, AC outlets, etc.. mess up and take out your local substation or burn your apartment building down, you get fined or sued or lose your service, etc.. a computer that's connected to the internet is a tool with a huge capacity for abuse; and i'm not going to absolve people of their responsibility to see that that tool is secure and un-compromised.
El Corazon wrote:
It doesn't matter how you phrase it, we, collectively as programmers, still as a majority refuse to secure our software products, because we have this grandoise view that we, collectively, have absolutely no responsibility at all in any of this business.
if users aren't responsible for the problem, there's no reason they should choose "secure" software over insecure software, nor is there any reason they should even bother knowing the difference. why choose one program over another on the basis of security, if there's no repercussion or penalty for running an insecure system ?
-
Simon Stevens wrote:
That depends if you leave your chainsaw lying around on the ground where anyone could pick it up when the safety guidelines say it should be locked away when not in use.
So you are saying because there is a best practices guidelines, we as programmers should all follow them, and because we have not (as evident in the mass problems with UAC, security holes, etc), then we are responsible for the actions. The original comparison says that because we put the chainsaw in the hands of a user who doesn't know anything about its operation, that that person should be responsible for its misuse/abuse by a third party. If you want to look for negligence, the negligence issue jumps the users and comes straight to us as programmers, it does not pass go, and does not collect $200.
_________________________ Asu no koto o ieba, tenjo de nezumi ga warau. Talk about things of tomorrow and the mice in the ceiling laugh. (Japanese Proverb) John Andrew Holmes "It is well to remember that the entire universe, with one trifling exception, is composed of others."
No, I'm saying that if you build a chainsaw, it's a dangerous tool, so when you sell it, you stick a big warning on it that says "don't leave this chainsaw in reach of children". If a user buys your chainsaw and ignores your warning, it is their fault, (not the chainsaw maker) if someone gets killed. Computer designers, build computers, which can be dangerous, and include warnings like "This application could be dangerous, only install this application if you know and trust the publisher". If the user chooses to ignore that warning and install some piece a virus infected malicious software even though they don't know and trust the publisher, that's their fault, not the computer/software designers. (Yes, OK, obviously some blame is to be allocated to the designer of the malicious software as well, and I think they are the ones that deserve the real punishment as what they do is intentional designed to cause harm).
Simon
-
Gunni wrote:
And if granny can't be bothered to learn even the very basics of computer safety she probably shouldn't be using one
she shouldn't have to. That's why there's virus scans, spyblockers, phishing filters, etc that run on auto and tech support to set it up and help when a problem arises. If set up properly a computer will not have these troubles and granny doesn't need to know jack except how to get to her favorite site. That's what I did for my wife.
"I'm not altogether all together."