Forums » Up and Running » Security » Security » The Computer Did It
rsschaut

join:2003-10-27
Woodinville, WA

 The Computer Did It

News items have surfaced about the acquittal of Aaron Caffery in UK courts. He was charged with hacking into computers used to schedule ships in the Port of Houston. His defense was that he didn't actually do the hacking, but that someone else did the hacking via a trojan that ended up on his computer. Here's a link to a recent Reuters story:

»reuters.com/newsArticle.jhtml?ty···=3699875

I'm not all that interested in talking about this defense, either in general or as it applies to this case. Rather, I'm interested in hearing people's opinion regarding negligence. In particular, at what point does one's failure to maintain sufficient security and/or detect the existence of a trojan on one's computer become negligent behavior for which one would be liable for damages occurring as a result? What if you took no steps whatsoever? What if you took some steps, but fell short with respect to other possible steps? What's the minimum level of due diligence required to secure one's computer and keep it secure?

Rick
--
If you put Linux in a set-top box, will it explode?

dave
Premium,MVM
join:2000-05-04
not in ohio
·Verizon Online DSL
·Verizon FIOS

In my opinion, very little. That would be diverting major responsibility from the person who actually did the bad thing.

Arguing from analogy, always dangerous: if someone stole my car from my driveway and then used my car for a spot of ram-raiding, I don't see that it's my fault in the slightest.

rsschaut

join:2003-10-27
Woodinville, WA

said by dave:
Arguing from analogy, always dangerous: if someone stole my car from my driveway and then used my car for a spot of ram-raiding, I don't see that it's my fault in the slightest.
What if you'd left the keys in the car and hadn't locked it?

Rick
--
If you put Linux in a set-top box, will it explode?

icup2

join:2002-09-03
or what if the person stealing the car was a pro?


IGGY
No Guru Just Here To Help
Premium,MVM
join:2001-03-30
Chatham, IL


reply to rsschaut
Related links to the topic can be found here

»www.iggyz.com/WN/102203.html

»www.iggyz.com/WN/101503.html

»www.iggyz.com/book/antivirus.html

There were 2 other ( maybe more ) threads started in relation to this previously.

»U.K. teen acquitted with Trojan defense

»U.K. teen acquitted of hack

A new related ( sort of ) story

IT forensics firm Vogon has explained how its work helped clear a man accused of storing child pornography on his computer by proving his PC was contaminated by Trojan horse infection capable of downloading illicit images onto his machine.

»www.theregister.co.uk/content/55/33636.html
--
Test Your Security
Team Z Member
Cable Modem Diagnostics
InsightBB 3000/384 XP PRO

[text was edited by author 2003-10-30 02:24:19]

mens rea
Premium
join:2002-01-31
Canada
·Shaw


reply to rsschaut
Your question is a difficult one to answer. The long answer is as follows (and this is probably way more than you ever wanted to hear):

There is a definite distinction between tortious liability for damages and criminal culpability for damages, the most obvious distinction being that the latter is much more difficult to prove since it may involve degrees of intent, as evidenced by the Caffery case. It generally hinges on the violation of a specific statutory provision, where criminal sanctions are imposed.

As far as civil redress is concerned, absent a specific statutory provision, an individual's culpability for tortious acts of negligence is dependent on the presence of a number of elements. Did the affected individual or claimant/plaintiff suffer damage? If so, was it occasioned by the negligent conduct of the defendant? Did the defendant, in law, owe a duty of care to the plaintiff, and was he under a legal obligation to avoid this damage? Could the actions of the defendant be said to be the proximate cause of the damage? Finally, was there any conduct on behalf of the plaintiff which might bar or affect his right of recovery? Keep in mind that there are permutations of each of the above elements as well.

So that being said, and if you are still awake, if it could be shown that an individual who was knowledgeable about computer security was wilfully blind as to what was on his pc, it would most likely found a civil action for damages in negligence. Or, for that matter, if it could be shown that an individual knew or ought to have known that his computer was compromised, whether knowledgeable or not, it may also found an action in negligence, if the failure to remedy the situation caused damage to another.

The short answer:

Even if the action of the defendant caused damage, the realities of civil litigation, in particular costs, are usually weighed against the potential amount of any recovery. So I would suspect any plaintiff, particularly a corporate one, would pick and choose their battles based on a number of considerations, including the damage suffered, chances of recovery, etc. (unless of course they are the RIAA...), which essentially means the duty of care owed by an individual is pretty minimal, unless his actions have much more deliberate overtones.
[text was edited by author 2003-10-30 00:02:13]

rsschaut

join:2003-10-27
Woodinville, WA

Mens,

You've raised three issues: criminal liability, civil liability and practicality. I'll address all three.

Criminal liability most definitely has to stem from some statutory provision. Most jurisdictions have some form of laws regarding a level of negligence that would constitute a willful disregard for public safety, but I doubt you'd find a judge who would be willing to say that a failure to keep one's computer free of trojans would fall into this category.

As for civil liability, you're quite correct. Absent a specific law establishing a duty, the issue boils down to whether or not there is an implicit duty under the circumstances. That question is usually answered in terms of reasonably foreseeable consequences. To take the car keys example, the reasonably foreseeable consequences of leaving the keys in an unlocked car would include the possibility that someone would steal the car but likely don't extend to the level of someone using that car to embark on a murderous rampage.

When it comes to your average internet user, the question of reasonably foreseeable consequences is an interesting one, because general knowledge plays a role. In other words, the mere fact that an expert can foresee some seriously harmful consequences doesn't necessarily imply that these consequences are reasonably foreseeable in a strictly legal sense. This might be an interesting question for moot court.

As for practicality, yes, the likelihood that you or I, as individual computer owners, will ever be sued due to some black hat using our computer to attack some other system is next to nil. On the other hand, there are a few entities out there who have deep pockets and systems on the net.

All that said, and it is useful background in which to frame the issues, I'm afraid we still haven't really addressed my original question: what constitutes due diligence? Is it sufficient to regularly run AV software? Do I need to monitor outgoing TCP/IP traffic from my system? If so, do I need to monitor it all the while that I'm connected to the internet, or is it sufficient to periodically run a check for the existence of trojans?

I realise that there's a lot of gray area here, but I think we can still explore some of those shades of gray.

Rick
--
If you put Linux in a set-top box, will it explode?

mens rea
Premium
join:2002-01-31
Canada
·Shaw

Rick, isn't the problem of due diligence complicated by a number of issues? For instance a pc is relatively easy to use and in itself inherently benign. It is not necessary for an average user to understand anything about TCP/IP, programming languages etc. to make functional use of their computer. In fact the whole marketing concept of "user friendly" is to get someone up and "surfing" with absolutely no knowledge of the workings of their pc and the internet. Hence, there is contemplated a relatively low level of understanding in order to participate in internet usage.

The rules governing one's participation in the internet community are few and far between. Unlike the operation of a motor vehicle, where failing to follow the rules of the road has dire consequences, the inattention of one user on the net as to what has infected his pc rarely results in the consequences seen in the Caffery case (cough, cough, strong hint to the jury). Furthermore, that lack of due diligence is usually compensated for by others, which is exemplified by the growth of the AV industry. Furthermore, successful proliferation of malware is usually predicated on its relative newness and the subsequent ability to avoid detection by AV's and AT's, well beyond the scope of the average user.

So absent a universal standard for internet participation, and given the outright promotion of, for want of a better term, naive internet usage, and the relatively esoteric nature of viruses and trojans etc., it is difficult to come up with a definition of what would constitute due diligence. Without a duty of care, there is no liability for negligent behaviour.

dave
Premium,MVM
join:2000-05-04
not in ohio
·Verizon Online DSL
·Verizon FIOS


reply to rsschaut
said by rsschaut:
What if you'd left the keys in the car and hadn't locked it?
I say it's still not my moral responsibility.

If there are scum in the world that would steal my car, the scum bears 100% of the responsibility for what they do with my car after they've stolen it.

The fact that I'm a trusting individual does not make them any the less responsible for their own scumminess.

Edit: you later said it much better than I, when you talked about foreseeable consequences.

[text was edited by author 2003-10-30 11:23:00]

groundling

join:2003-02-08
canada

reply to mens rea
Interesting mens rea.
I would think that this would be a major sticking point:
"Finally, was there any conduct on behalf of the plaintiff which might bar or affect his right of recovery. "

If the shipping company with all its presumed resources can get hacked, what chance the poor home user?
They both got hacked. The company did not protect their supposedly more valued system. To say the poor guy (without an IT staff) at the other end should have done a better job is buck passing.
At the least a claim for damages would be mitigated.

rsschaut

join:2003-10-27
Woodinville, WA

reply to mens rea
Mens,

said by mens rea:
Rick, isn't the problem of due diligence complicated by a number of issues?
Yup! On the other hand, we can simplify those issues quite a bit by noting that the only way you can possibly become liable, regardless of legal definitions, is if unwarranted TCP/IP traffic leaves your system. If all that happens is you get infected with a virus or a trojan and it essentially lies dormant to the outside world, then there can be no liability.

It's worth noting that the ease with which one can define a set of filter rules that trap unwarranted outgoing packets is directly proportional to the naivete of the user. For example, if all one does is browse the web and read e-mail, a rule set that allows outgoing traffic to IP port 80 to any outside address and allows POP3, SNMP and IMAP to selected hosts is relatively easy to construct. If you have an internal network, it's also not hard to allow all traffic destined for 192.168.0.1/8 to go unfiltered. If you do VPN, then you can also allow standard VPN connections to a selected set of one or more VPN hosts. These are all well known and understood protocols.

Which leads me to the next thought:

quote:
So absent a universal standard for internet participation [...]
While I think the more accurate term would fall under the rubric of "generally accepted practices" rather than any kind of universal standard, your point is essentially correct. The question then becomes, what needs to happen in the industry for the installation of software capable of monitoring outgoing TCP/IP traffic to become a generally accepted practice?

Suppose, for example, that all ISPs, as part of their standard package, install and maintain software that does what I've described above. Would that establish a generally accepted practice for monitoring one's outgoing TCP/IP traffic?

Rick
--
If you put Linux in a set-top box, will it explode?
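The rule set sketched in the post above, written out as an added example (not code from the thread): outbound HTTP to any host, POP3/IMAP only to chosen mail hosts, VPN only to chosen gateways, the home LAN unfiltered, and everything else trapped as unwarranted. The LAN block, the mail and VPN host addresses and the sample connections are all constructed assumptions; the LAN is taken as the RFC 1918 range 192.168.0.0/16.

```python
"""Egress rule set for a 'browse the web and read mail' home PC, written as an
added example for the post above; it is not code from the thread.  Rules mirror
the post: outbound HTTP to any host, mail protocols only to chosen mail hosts,
VPN only to chosen gateways, the home LAN unfiltered, everything else flagged."""
from ipaddress import ip_address, ip_network

# Constructed policy values (assumptions, not from the thread).  The LAN is
# taken as the RFC 1918 block 192.168.0.0/16; host addresses are documentation
# ranges (TEST-NET) standing in for an ISP mail server and a VPN gateway.
LAN = ip_network("192.168.0.0/16")
MAIL_HOSTS = {ip_address("203.0.113.10")}
VPN_HOSTS = {ip_address("198.51.100.5")}
MAIL_PORTS = {110, 143}                                        # POP3, IMAP
VPN_ENDPOINTS = {("udp", 500), ("udp", 4500), ("tcp", 1723)}   # IKE, NAT-T, PPTP


def classify(proto, dst_ip, dst_port):
    """Decide one outgoing connection: ('allow', reason) or ('flag', reason)."""
    dst = ip_address(dst_ip)
    if dst in LAN:
        return "allow", "internal LAN, unfiltered"
    if proto == "tcp" and dst_port == 80:
        return "allow", "web browsing to any host"
    if proto == "tcp" and dst_port in MAIL_PORTS and dst in MAIL_HOSTS:
        return "allow", "mail to a known server"
    if (proto, dst_port) in VPN_ENDPOINTS and dst in VPN_HOSTS:
        return "allow", "VPN to a known gateway"
    return "flag", "no allow rule matches"


def audit(connections):
    """Return the connections the rule set would trap, i.e. what the post calls
    unwarranted outgoing packets, as (proto, dst_ip, dst_port) tuples."""
    return [c for c in connections if classify(*c)[0] == "flag"]


# Constructed sample of outbound connections seen leaving the PC.
SAMPLE = [
    ("tcp", "192.168.0.20", 445),    # file share on the LAN: allowed
    ("tcp", "203.0.113.80", 80),     # ordinary web site: allowed
    ("tcp", "203.0.113.10", 110),    # POP3 to the ISP mail host: allowed
    ("udp", "198.51.100.5", 500),    # IKE to the VPN gateway: allowed
    ("tcp", "203.0.113.99", 6667),   # IRC to an unknown host: flagged
    ("tcp", "203.0.113.99", 110),    # POP3 to a host not on the mail list: flagged
    ("tcp", "203.0.113.99", 80),     # HTTP to that same unknown host: passes,
                                     # the allow-port-80-anywhere rule's blind spot
]

if __name__ == "__main__":
    for conn in SAMPLE:
        verdict, reason = classify(*conn)
        print(f"{verdict:5} {conn[0]} {conn[1]}:{conn[2]}  ({reason})")
```

The last sample line is the caveat: a trojan that talks HTTP to an arbitrary host sails through, because port 80 is open to every destination. Closing that gap means either pointing the port-80 rule at a proxy or inspecting that traffic rather than just counting its port.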

rsschaut

join:2003-10-27
Woodinville, WA

reply to dave
said by dave:
you later said it much better that I, when you talked about foreseeable consequences.

Well, one of the reasonably foreseeable consequences of someone stealing your car is that they get into a chase with the police during which the thief strikes and injures an innocent bystander. In most jurisdictions, if you'd left your keys in the car, you would be found at least partially liable for the injuries to that innocent bystander.

Rick
--
If you put Linux in a set-top box, will it explode?

rsschaut

join:2003-10-27
Woodinville, WA

reply to groundling
said by groundling:
Interesting mens rea.
I would think that this would be a major sticking point:
"Finally, was there any conduct on behalf of the plaintiff which might bar or affect his right of recovery. "
Yes. The legal term for this would be "contributory negligence". It's a legitimate positive defense, and the question of who is most responsible and/or how much is often a question that's sorted out either by a jury in the case of a jury trial or by the judge in the case of a bench trial.

It used to be the case that any contributory negligence amounted to a finding for the defendant, but nearly all jurisdictions now allow for the plaintiff to recover a percentage of the damages based on the relative effects of the contributory negligence. There's a specific term for this, but I forget what it is (it's been a while since I've studied tort law).

And you are right that both systems get hacked in this scenario. On the other hand, the one system got hacked in a purely passive sense. The other got hacked in a way that should be fairly easy to detect based on outgoing TCP/IP traffic. Which, I think, leads back to the points I raised in my more recent response to mens rea.

Rick
--
If you put Linux in a set-top box, will it explode?

dave
Premium,MVM
join:2000-05-04
not in ohio
·Verizon Online DSL
·Verizon FIOS

reply to rsschaut
My reasonable expectation, around where I live, is that if I leave the keys in the car, when I come back I'll have a car with some keys in it.

I consider a law blaming me for the consequences of a crime committed against me to be quite bizarre.

Why not blame the innocent bystander for innocently by-standing? Did they not have a reasonable expectation that someone somewhere would be stealing a car and trying to escape the law, hence driving recklessly?

OK, that sounds sort of silly, but I trust you see the analogy?

rsschaut

join:2003-10-27
Woodinville, WA

said by dave:
My reasonable expectation, around where I live, is that if I leave the keys in the car, when I come back I'll have a car with some keys in it.
Where I live, leaving the keys in an unlocked car borders on gross negligence. Community standards do play a role, which is why I said that in _some_ jurisdictions you'd be found at least partially liable.

I've heard it said that there's a subtle difference between negligence and gross negligence. If you describe the situation to an expert and the expert says, "Who the hell did that?!" then it's negligence. If the expert says, "Jesus Christ, who the hell did that?!" then it's gross negligence.

Rick
--
If you put Linux in a set-top box, will it explode?

mens rea
Premium
join:2002-01-31
Canada
·Shaw

reply to rsschaut
said by groundling:
If the shipping company with all it's presumed resources can get hacked, what chance the poor home user?
groundling, you've hit the proverbial nail on the head. Was the cause of the damage the negligence of Grandpa in failing to properly secure his pc, or of the IT staff in failing to protect its company's assets? I am almost certain which way a judge/jury would lean.
said by rsschaut:
While I think the more accurate term would fall under the rubric of "generally accepted practices" rather than any kind of universal standard, your point is essentially correct.
Rick I purposely avoided using a term that may be legally loaded simply because such terminology can in itself imply a particular standard of care, and in itself operate to determine degrees of culpability.
said by rsschaut:
Suppose, for example, that all ISPs, as part of their standard package, install and maintain software that does what I've described above. Would that establish a generally accepted practice for monitoring one's outgoing TCP/IP traffic?
If I was acting as counsel for the ISP, absent a law compelling such an installation, I would advise my client to stay well away from becoming an internet policeman. While your idea has much practical merit, legally it opens a whole new can of worms for the ISP. Whether such software is in place or not, it is not Grandpa that an aggrieved party is going to look to for recovery of damages. Simply put, the ISP has conveniently placed a large bull's eye on its back and bank account by attempting to involve itself in the security foibles of its users. Meanwhile Grandpa trundles along with virtual impunity, a veritable cesspool of malware, because he doesn't understand anything other than e-mail and browsing, and absent all the elements I listed above, he can't be found negligent.

rsschaut

join:2003-10-27
Woodinville, WA

said by mens rea:
If I was acting as counsel for the ISP, absent a law compelling such an installation, I would advise my client to stay well away from becoming an internet policeman. While your idea has much practical merit, legally it opens a whole new can of worms for the ISP.
You're jumping ahead of me a bit, but that's probably due to the way I asked the question. I have little doubt that ISPs would work very hard to avoid incurring such a duty. So, as I asked the question, the answer is that it's not likely to ever become a generally accepted practice.

But, just for the sake of exploring the idea, let's suppose that ISPs did include some kind of software that monitors outgoing TCP/IP traffic along with all the other junk that most of them include in their setups. Now, if Grandma user installs the default system and doesn't try to tweak it, then the ISP would be liable. However, if Joe Cool internet user decides to muck with it, then the ISP isn't liable. Would Joe Cool be liable?

Also, one angle that we've not explored is whether or not there might be a different standard for computer systems that are under the control of a company rather than a single home user. Wouldn't the generally expected practices for an internet company be different than the generally accepted practices for moms and pops?

To answer my own question, possibly, but that might well be a moot issue. Companies have more compelling reasons to stay on top of the security of their systems than the potential for damage caused by a black hat launching an attack from some compromised systems under the company's control.

Anyway, thanks for the chance to kick some ideas around.

Rick
--
If you put Linux in a set-top box, will it explode?

mens rea
Premium
join:2002-01-31
Canada
·Shaw

said by rsschaut:
Wouldn't the generally expected practices for an internet company be different than the generally accepted practices for moms and pops?
The unique thing about the duty of care is that it does distinguish between substandard actors, the proverbial reasonable man and the professional. So if an individual has a professional accreditation then the court will ask not did that individual act as best he possibly could, but did his actions measure up to the standard of a person of average competence engaged in his profession.

So to answer your question: yes, the standard of the reasonable man would vary in respect to the individual involved, and certainly could contemplate degrees of generally accepted practise.

The problem with Joe Cool does raise some interesting issues. As Joe Cool's attorney, I think his defence might be that the ISP knew of the importance of this particular software, but did not ensure that it could not be tampered with. Of course everyone knows that Joe Cool is just an average user and couldn't possibly be expected to understand the complete ramifications of his actions, or that what he did may compromise the efficacy of the software, which was basically insecure anyway... and on it goes. ;)

Applying tort principles to a relatively new technology that involves a large cross section of individuals of varying degrees of competence does pose some interesting problems. Enjoyed the thread. Regards
© 1999-2009 dslreports.com