Firewall Wizards mailing list archives

RE: Botnets, IRC servers and firewalls?


From: "Mike McNutt" <mike.mcnutt () aqssys com>
Date: Thu, 5 Feb 2004 12:00:07 -0600

You own a car.  Day after day, you drive your car to work and routinely lock your car doors.  One day a thief steals 
your car, crashes it in a hit and run... people are injured.  Do you share blame in the injuries of those people?

Same scenario... only today you didn't lock your car because <insert plausible excuse/reason here>.  Thief steals your 
car that isn't locked, crashes it in a hit and run, people get injured.  Do you share blame in the injuries of those 
people?

Not locking a car *may* be irresponsible, but to my knowledge it isn't illegal.  Making a law that says cars must 
remain locked at all times to thwart car thieves would be oppressive IMO - because now [decent] people could be 
considered criminals that may not lock their car for <insert plausible excuse/reason here> ... How different is it for 
a computer that isn't "locked down"?

It doesn't make sense to me that we should go down the path of considering people criminals because they do not (or 
cannot) lock down their computers.  I like the energy being expended on fixing the vulnerabilities and finding the 
hackers, but not oppressing normal people for their [lack of] computer knowledge.



-----Original Message-----
From: Marcus J. Ranum [mailto:mjr () ranum com]
Sent: Thursday, February 05, 2004 10:13 AM
To: Gadi Evron; Paul Robertson
Cc: Gadi Evron; mlh () zipworld com au; Matt Bazan;
firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] Botnets, IRC servers and firewalls?


Gadi Evron wrote:
A user that runs an un-protected machine, or anyone for that matter, can be used to DDoS, spam, bounce hackers, commit 
frauds, etc.

Who should be held liable for actions committed from that machine? Is this "the Trojan horse defense" again?

What I think is confusing this issue is that most people aren't comfortable
with the concept that there's plenty of blame to go around. We want it to
all land on one party. But that might not be the case. Legal philosophers
would talk about this in terms of liability, moral philosophers in terms of
responsibility. The end result is pretty much the same. No, you cannot give
the user 100% of the blame if a hacker uses their unsecured machine to
attack someone else. After all, if the hacker hadn't abused the machine,
nothing bad would have happened. Indeed, blaming the victim is not a
particularly acceptable answer, from a moral standpoint - and in the
example above the user is also a victim. So you may have several parties
who bear some responsibility, and you may have several parties who
suffer varying degrees of damage. Legal systems are pretty used to
dealing with these things - they just take time to catch up.

mjr. 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards