Schneier on Security
A blog covering security and security technology.
July 20, 2009
"Distributed Security: A New Model of Law Enforcement," Susan W. Brenner and Leo L. Clarke.
Cybercrime, which is rapidly increasing in frequency and in severity, requires us to rethink how we should enforce our criminal laws. The current model of reactive, police-based enforcement, with its origins in real-world urbanization, does not and cannot protect society from criminals using computer technology. This article proposes a new model of distributed security that can supplement the traditional model and allow us to deal effectively with cybercrime. The new model employs criminal sanctions, primarily fines, to induce computer users and those who provide access to cyberspace to employ reasonable security measures as deterrents. We argue that criminal sanctions are preferable in this context to civil liability, and we suggest a system of administrative regulation backed by criminal sanctions that will provide the incentives necessary to create a workable deterrent to cybercrime.
It's from 2005, but I've never seen it before.
Posted on July 20, 2009 at 6:43 AM
• 62 Comments
Minority Report with tommycruize, the department of Pre Crime. Just analyze everyone and instead of a no fly list, just charge them with being precriminal.
The abstract at the journal itself is a bit different:
The abstract you cite seems a bit silly
> to induce computer users and those who provide
> access to cyberspace to employ reasonable security
> measures as deterrents
since it doesn't talk about any liability whatsoever on the part of the _providers_ of the "reasonable security measures"....
I don't see how a security measure can be "reasonable" if its security is an externality to the provider. OTOH, I'm not exactly mainstream in my judgement of what is reasonable security (and perhaps most readers of this blog aren't, either).
I think the legislative framework around "chip and pin" in the UK is an example of the system proposed by the authors.
Police no longer bother with card fraud:
the primary responsibility for security is passed on to card holders, and system security and initial investigations are undertaken by banks.
For detailed reports of the conflicts of interest that result, see Light Blue Touch Paper:
It's relatively simple, the same thing will happen with internet access as happened with automobile driving. Once the insurance agencies realize they are losing money pressure will be placed on state and federal law makers. There will be a requirement for all internet users to have insurance, and require certain safety measures "to protect the public" much like brake lights, seat belts, and a speed limit have been introduced.
Like any other industry in the world, once the insurance companies can make more money, they will get the laws changed in their favor.
Total and utter nonsense. This "patrolling cyberspace" and "crime prevention strategy" is in violation of the fundamentals of the internet:
You are responsible for your own data and you have to sanitize everything on the inbound interface.
Once you understand that responsibility, everything else falls in place. The internet was never intended and is utterly unsuited for commercial transactions and if you want to do business over the net, you have to accept the responsibility.
You cannot expect "the net" to treat you nice. If your interfaces are flooded by a DDoS-attack, you will have to employ your providers and their upstream to cope with that. And if you fall victim to phishing, you have no one to blame but yourself.
The result of this is, that you usually can't blame the sender of anything malicious. Because if the evil IP-packets did damage to your data, business, privacy, or whatever, then you were careless.
Classic: reward the guilty (perps) and punish the innocent (victims).
Blame the Victim?
I hope you don't have a daughter that gets victimized. Or would you just blame her for being played?
Seriously, I have not read what was put forth -- but even the Wild West was eventually tamed and so will the Net. It is just a matter of how and how long.
if she's old enough to be left unattended on the net, then she's old enough that she's responsible for not "being played".
the degree to which bad perverted men are taking advantage of innocent young girls on the internet is grossly exaggerated.
The difference is that on the network, there are ways to guarantee your (personal) safety and there is no way to guarantee that there is no hostile attacker.
The real world situation (including the online predator situation, which is nothing to do with network safety) is almost exactly the opposite.
It's impossible to ensure that you are guaranteed to be safe but we can with some care mitigate the risk very substantially.
Actually, I was referring to real-life, not net life. Just because you do everything to protect yourself doesn't mean you aren't going to wind up being a victim.
I guess all those that went and purchased the Ford Pinto with the exploding gas tank should have just been told: Hey, you bought the car. There's risks and you agreed to it. Tough.
Sorry, I don't buy into the venture that "It's the wild west" and therefore there is no punishment. Even those gang members in the wild west were hung when caught.
Oh how I hope Tynk is wrong, the government may rule my life, but I'll be damned if they get my interwebs!
This is classic corporate disavowal of responsibility. The market rules?
"If they didn't WANT to die in a blazing rear end collision they wouldn't have bought the car." The same logic is applied to gun fatalities. It's a fallacy but I can't name it ...was it "Post hoc ergo propter hoc"
It assumes perfect knowledge by the consumer and rational behavior. If we were that rational - advertising wouldn't work.
re: the paper...their solution is create deterrence.
Are there any studies that demonstrate deterrence works?
No AppSec, that IS how it should be, there shouldn't be government regulations in place, you should have to pay if the risks you take in life happen to go wrong, don't place blame on someone else, it is YOUR fault and YOUR responsibility to deal with it.
It reads more like it was written by a Politico than an LEO.
I guess they read a little too much Tom Clancy "Rainbow 6" and "netforce".
Whilst I agree that geographical "local" has little or no meaning on computer networks and criminals realise that provided they keep below a certain $ value in any one geographical local they will not be bothered by LEOs, I don't think the author has grasped the finer points of security.
I can easily see the law of "unintended consequences" applying.
For instance criminals will use encrypted tunnels and other techniques to distance themselves from the crimes. If LEOs chomp down on ISPs they will stop SSL / TOR / etc as self protection, and this will actually make other types of cyber crime considerably easier...
However from a Politicos position no secrecy in the hands of the public is ideal, they then provide "secrecy services" through a few trusted suppliers.
The upshot is those embarrassing little reminders and other faux pas they commit will stop being picked up and amplified world wide by the ordinary citizen. The trusted organisations will do as they are told simply because the Politicos will be able to apply leverage.
We went through all of this with newspapers etc and the state of blogging is very much like the early "wild west" printing. And as we all know the "free press" got rounded up and sold to the highest bidder just like wild stalions.
@ Petey B,
"No AppSec, that IS how it should be, there shouldn't be government regulations in place,"
Hmm what is the difference between a regulation and a law?
Effectively name and penalties only. Which means what you are saying is we should have no law, which is the same as saying we should have no society and yup we are back to the wild west...
"you should have to pay if the risks you take in life happen to go wrong,"
That's gambling saloon reasoning.
People have to take risks to survive, they take these risks due to imperfect knowledge. One of the reasons they have imperfect knowledge is that it is deliberately withheld from them by the people seeking to sell to them.
In this it is the equivalent of "exploitation" if there is no right of redress which requires law which you don't want.
"don't place blame on someone else, it is YOUR fault and YOUR responsibility to deal with it."
Err no that is arguing that having to use a bank because an employer will only pay into your bank account and the bank using your deposited funds on "hedge funds", "naked futures" and other risks deliberately designed to push the risk back onto the bank is the fault of the customer.
Simply because the customer is forced into that position and the banks exploit it so the bank staff unreasonably speculated with the customers' deposits without informed consent, does not imply the customer is negligent and should take it on the chin whilst the bank executive gets a 1 million $ secured pension.
That sort of free market mantra does not wash. It is based on several false assumptions.
That has got to be the most idiotic thing I have read all day.
By the same logic, if you go outside and some guy 2 times your weight decides to break your nose or, heck, decides to kill you, that's perfectly alright, it was your decision to go outside and you accepted the risks. It was also your fault that you failed to protect yourself effectively.
"Oh, no, I was talking about the internets."
But it's exactly the same. You say people should be perfectly aware of the risks of everything that can go wrong and be able to implement measures to mitigate those dangers.
That requires A BIG time investment. It might be fine for you or I to take the time and learn all that since it relates to our field of work or hobby.
But you can't seriously expect every single person that wants to send and receive email or transfer some money online to know how an SQL injection attack works or even realize the difference between http://www.ebay.co.uk and http://www.ebay.uk.co (for example).
If you think that is reasonable, how about we just demand everyone have martial arts and firearms training?
That way everyone is responsible for his/hers own safety when going outside.
Got killed? Your bad, should have planned your run from cover to cover more carefully. Better luck next time.
@AppSec: Is there any alternative? Whenever you start to "regulate", the very basic advantages of the net are lost.
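The ebay.co.uk versus ebay.uk.co example in the comment above is a good illustration of why comparing hostnames is harder than it looks: the part of a name a user can actually register sits just left of a public suffix, and "co.uk" is a suffix while "uk.co" is not. The following is an added example, not code from the thread or from any product it mentions. It uses a small constructed subset of public suffixes (the real Public Suffix List is far longer) and reports whether a URL's host belongs to an expected registrable domain, which is the check a mail filter or browser extension would perform before trusting a link.

```python
"""Registrable-domain comparison for lookalike hostnames (added example)."""
from urllib.parse import urlsplit

# Constructed subset of public suffixes, for this example only. A real
# implementation would load the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "co", "uk", "co.uk", "org.uk"}


def registrable_domain(host: str) -> str:
    """Return the registrable domain: the longest matching public suffix
    plus the one label to its left.

    Raises ValueError if the host is itself a public suffix or contains no
    known suffix at all.
    """
    labels = host.lower().rstrip(".").split(".")
    # Walk from the full name towards the TLD so that "co.uk" is matched
    # before the shorter "uk".
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host!r} is a public suffix, not a domain")
            return ".".join(labels[i - 1:])
    raise ValueError(f"no known public suffix in {host!r}")


def same_site(url: str, expected_domain: str) -> bool:
    """True if the URL's host is expected_domain or a subdomain of it.

    urlsplit().hostname strips any user:pass@ prefix, so a URL such as
    http://www.ebay.co.uk@example.com/ resolves to example.com, not ebay.
    """
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        return registrable_domain(host) == registrable_domain(expected_domain)
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample links, including the two from the comment thread.
    for link in (
        "http://www.ebay.co.uk/item/123",
        "http://www.ebay.uk.co/item/123",
        "http://www.ebay.co.uk.example.com/login",
        "http://www.ebay.co.uk@example.com/login",
    ):
        print(f"{link:45} -> same site as ebay.co.uk: {same_site(link, 'ebay.co.uk')}")
```

The two rejected forms in the demo are the ones users most often misread: a suffix-swap (uk.co) and a trusted name embedded as a subdomain or userinfo of an unrelated host. Comparing registrable domains rather than doing substring matches on the whole URL is what catches all of them.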
When they make firewalls and virus scanners mandatory, you can't go online anymore with say a 1992 NEXT box. Or if applications must be insured or inspected, that would be the end of the open source idea.
Folks, if you fall victim to any kind of loss online, you have neglected your own safety. Don't blame anyone else.
Re the history of the "free press", the major difference between that and the Internet is that it's way easier for anyone to set up and publish whatever information they want now, at near-zero cost. Computers and the Internet make it super easy for people to get their information out there; now that everyone has had 10+ years taste of this freedom, I doubt they will allow the world's governments and corporations to take it away from them or curtail it too severely. So the "wild west" of the Internet may mellow a bit, but I don't think it will become "tamed" in the sense of its content being completely controlled by govts and corporations and rich corporations.
"Distributed Security" : Another beautiful theory, killed by an ugly set of facts.
I downloaded and read the "Distributed Security" white paper, and, well, the recommendations within it are something that would make the masters of the "Great Firewall of China" (or Iran) beam with approval. Here are some of the most juicy tid-bits :
(1.) All ISPs to be "licensed" by your friendly local government, or they'll be kicked off the Internet. I don't think I need to go much further on this one, it speaks for itself.
(2.) All ISPs, as a condition of their being "licensed", have to filter all Internet traffic in real time, so that "unapproved" traffic cannot propagate down to residential endpoint computers. (Can we say, "happy hunting grounds for the MPAA and RIAA", kids?)
(3.) ISPs must "push" "approved" operating system and other software patches, down to residential endpoints, and customer acceptance of this would be a mandatory condition of being allowed to connect your computer to your ISP, hence the Internet. (Does this sound more than a little like the Chinese "Green Dam" censorship application? You think?) And of course, if your O/S wasn't "approved", then you couldn't connect it. (In other words : "The Micro$oft Permanent Revenue Stream Act Of 2009".)
The bottom line on all of this is, this harebrained scheme pre-supposes that the government is a "trusted" entity that should be empowered to take total control over both personal computers and the ISPs that connect these to the Net. Unfortunately, as 8 years of the Bush Administration make so painfully clear, the government is an utterly UNtrustworthy party.
And it will get control over MY PC, only by prying my cold, dead hands off the keyboard.
"By the same logic, if you go outside and some guy 2 times your weight decides to break your nose or, heck, decides to kill you, that's perfectly alright, it was your decision to go outside and you accepted the risks. It was also your fault that you failed to protect yourself effectively."
that is EXACTLY what i am saying.
We'll agree to disagree then.
"you should have to pay if the risks you take in life happen to go wrong,"
front...if that is true then if your car is stolen and used in a crime, you should be charged as an accessory (same as if you had willingly provided the car) because you clearly (by allowing it to be stolen) didn't secure it sufficiently. As far as I understand the US justice system, this isn't generally the way things work. I don't see why it should work differently for computers and internet connections. There are accepted techniques that are considered 'sufficient' for securing cars, guns, etc. I would expect the same to apply on the net as most folks can't realistically afford unbreakable system security any more than they can afford to make their property utterly unstealable...
Since there has been some confluence of wild west and legislative taming, I wonder if we are in a similar internet period to that time when Coca-cola contained actual cocaine? How will our use/abuse of the internet be viewed in 75-100 years?
I've long felt (and occasionally ranted) that there needs to be some way to push responsibility for computer security onto end-users, so in some ways I like this paper. On the other hand, I agree with Telco SecDweeb that putting that kind of control in the hands of law-enforcement is a recipe for a civil rights disaster.
The paper itself attempts to make the case for criminal liability instead of civil liability by asserting, essentially, that individuals are "too small" as targets for civil lawsuits, so the discipline of civil liability can't work. The rest of their conclusions flow from this IMO under-examined assumption.
Here's an example how I imagine a civil liability model could be made to work:
(1) Company A has its webserver DDOS-ed by a botnet. Said company notices that hundreds of hosts on the botnet are connected to the network by well-known broadband/cable tv company B with deep, jingly pockets. Lawyers begin to salivate.
(2) Company A takes ISP B to court, asserting that they failed to diligently enforce some reasonable, responsible TOS requiring their customers not to allow their PCs to be used as sociopathic zombies, requests damages for DDOS attack. Judge throws book, ISP B relieved of a few tens of millions of dollars for its negligence.
(3) ISP B, now alerted to its legal exposure due to poor security practices of its customers, now starts actively monitoring its network for misbehavior, and shutting off the connections of PCs that are DDOS-ing, spamming, or otherwise obviously compromised. Requires posting a $100 bond by its customers, said bond being forfeit when customer PC goes rogue, new bond to be posted for re-connection. Provides security resources -- training, backup, antivirus, cleanup/restore services, etc. to customers. Broadband prices rise some to cover the extra costs.
(4) Customers are alarmed/pissed off, but they can't take it out on ISP B by taking their business elsewhere, because all ISPs are now equally exposed to the same civil liability, so they start demanding actual security from AV vendors, to say nothing of Microsoft, Apple, etc. Some of them do so in court. In addition, PC malware insurance springs up as an industry (to protect those posted bonds, lost work due to disconnection, etc.), and home PC repair, maintenance industry balloons, as many people start to realize that their PCs need inspections and maintenance at least as often as do their cars and window air conditioners (say). People also start to educate themselves about best-practice network computing at least at the same level as they do, say, best-practice automobile operation, because it now costs them something if they don't.
World peace ensues, hunger is banished, everybody gets a pony.
I don't discount the difficulty in balancing the need for innovation with that of protection/regulation. But it needs to exist.
The notion that Darwin's philosophy should drive the internet will lead to a destruction of the 'NET (after all, the only way to remain a non victim is to not do something).
However, as a software developer and someone involved in application security, there is a thought that I have.
1) If you as a corporation put a software package out there which people are going to be paying for, then YOU should be held liable and accountable for the security and the data therein. This includes, websites, print drivers, etc. For some time now people have been aware of attacks on devices and yet vendors still put up weakly protected software.
2) Open Source should be treated like the used car.. "as is". *If* a corporation chooses to use it, then they are liable for that decision. The corporation is taking the risk -- if it chooses not to use it for that reason, then maybe there isn't a good enough reason. Odds are someone will take a chance and maybe bring it in house to garner further control.
licensing/regulation does not equal the death to all innovation. Just ask car manufacturers.
So what happens when the distributed denial of service comes as a result of a timed attack from numerous machines out of one ISP?
Sorry, that should be @Carlo...
@AppSec: Civil liability is something completely different from government regulations. The paper we are talking about proposes to deal with insecurity by creating criminal offenses.
If the government makes virus scanners mandatory, building your own device and hanging it on the net will be a criminal offense, because no virus scanner will run on it. That there is only one device of that kind and no evil haxor writes viruses for it, is not a valid defense.
Same for operating systems (obsolete or self hacked) and even apps. Writing an application that introduces a new protocol might become illegal unless it is certified by some CA.
Can you hear Sergey and Steve laughing? No one should write network software who can't afford a few ten thousand dollars for certification.
@Petey B "that is EXACTLY what i am saying."
This neglects the existence and cost effectiveness of common controls.
AND you don't even live in that risk environment (unless you live in Iraq or S. Africa). Do you only venture out armed while doing a slow sneaky peek from cover to cover?
Police, military, banking regulations reinforced by bank auditors, commerce rules on what is and isn't allowed in the market, and thousands of hours of socialization have reduced the risk of a natural state of nature.
Society, with its imperfections, exists, controls for risk and you benefit from it.
Civil liability against the ISP might help. It would also completely change the landscape with regard to libraries, coffee shops, and other open wireless locations. Too steep a price.
The best approach is to continue hammering the software vendors about poor security. It seems even Microsoft has been improving. As the signal to noise ratio improves it becomes viable to address illegal activity and the resource limit becomes prosecution, not just detection.
Yep, you hit the nail on the head.
I still go back to the auto industry. The ISPs are simply supplying access to the manufactured communication (ala the Car Dealers providing access to the cars).
The only thing they are responsible for is for selling you the actual car, not the security or parts there of.
Criminal violations can end in solely fines being levied. It doesn't have to be a civil matter.
I just think when you start making individuals responsible for something that vendors make it inherently difficult to (I'm still amazed at the fact products get delivered without GUI interfaces in this day and age) install, it's just a matter of time before whisper down the lane lawsuits happen.
You find that the attack came from user A.. But he was infected from user B... Which was infected from Corporation C.. Which was infected by ISP I... You get the point.
When you put vendors in charge, the issue becomes: Was the infection that was obtained by User A preventable? If so, how? Was there negligence? Etc.
It isn't like there's a set of standards to comply to, there's only basic practices. And then what happens when the vendor's product is what causes the DDoS? Do you still blame the end user?
A number of people have nearly touched on the obvious. Just as you are required to have a license to drive a car, so everyone should be required to sit a license and demonstrate competence in basic PC security measures for the O/S of their choice, before being allowed to sign up to an ISP. Proof of license required before a connection will be supplied.
Yeah, people'll take _that_ well.
My thought is that your computer being infected, and harming someone thereby (like participating in a DDoS) should be actionable on a civil level, but only for something like 'negligence resulting in harm' or some such. That is, not an especially punitive action, but one that'll make people pay attention. That's just my initial reaction; I don't know much about the issue.
If that guy twice my size waiting out there to kill me tries it, he's going to find out that after a young life terrorized by bullies probably far more skilled than him, that I learned situational awareness, some very fine martial arts, and yes, I'm armed, with what and how many is no one's business until it's too late for them. He loses, his bad, gene pool improved, the way it should be.
It only takes a few like me to make that kind of thing too scary and dangerous for guys like that.
"More guns, Less crime", John Lott
Perhaps we should thank those bullies for the motivation, and not just killing me outright in high school so I'm still around to deter bullies in all forms and at all times.
@ Doug Coulter
Frankly, I'd guess that most of us here believe the effectiveness of your deterrence value is roughly zero. Even when compared to that of law enforcement.
Not to the detriment of your worth as an individual, of course....
"When they make firewalls and virus scanners mandatory, you can't go online anymore with say a 1992 NEXT box. Or if applications must be insured or inspected, that would be the end of the open source idea."
Actually the best way to make s/w secure is to REQUIRE it to be open source and to ban all DRM (which has introduced many security weaknesses by creating "hidden spaces" within the OS or even the hardware). If you were really concerned about security for end users this is what you would do.
There is something in this paper if only it were implemented with the interests of ordinary people in mind - rather than the corporations. Imagine the penalties Sony could have faced for the rootkit!
Doug, if what you have in mind would become reality, you probably WOULD have been killed by those bullies back at school...
Just to add onto the Doug bashing, what makes him think it'll be just one guy?
How many guys is he going to hold his gun(s)/knife(ves)/whatever on before the third guy shoots him?
Criminals don't play by the rules.
I can't believe it's come to this, but I wonder whether Doug, Petey B, et al think pregnant ladies and grandmas have the right to walk down the street without an armed escort. I mean.. surely you are trolling?
If not, I can tell you that your utopia already exists. It's called the jungle. Good luck... those gorillas are pretty tough.
The only thing nice about criminal instead of civil liability for situations like this is that the government (which handles criminal matters) can prosecute in situations where a private individual or company (especially if they've just been clobbered by a DDOS or a zero-day rootkit) would not have the resources to litigate.
But putting the onus on individuals to ensure that the products they buy are safe is just stupid. Applying leverage at the level of suppliers is much more cost-effective. Otherwise you're insisting that everyone test their own baby formula for melamine...
Am I reading correctly? Can no one distinguish between physical violence to persons and undesired electronic packets? Most of you really think that all harebrained real-world analogies readily transfer to networked computers?
If you don't like the packets that some computer is sending your computer, either ignore them (which you can ALWAYS do: it's called pulling the plug) or tell your upstream provider not to pass them along. Sure, that may be inconvenient in the short term, and you may have to pay more to get an ISP that cares about not DOSing you. The advantages are that no new laws are required and the only time the state is involved is when you sue your ISP for not meeting TOS. Also, if neither you nor your ISP are up to the task, you can always hire a fine security professional to help you out, and you can have whatever contractual relationship with him you like. If you find some other security professional that can do a better job, you're free to hire her too.
Marc B. is correct. What your computer does with the packets it receives is entirely your own business. Don't bother us with it.
Not necessarily, I think a decent analogy would be someone throwing bricks at your house:
1) You can ignore them
2) You can hire someone to fortify your house so they don't damage it so much
But overall it would be considered anti-social behaviour and as such would be against the law.
I think a lot of people here do not get the argument of Petey B. As I understand him, he says: We all decide a lot of things throughout every day. And it is no one's but our own responsibility we made these decisions. So if anything goes wrong (may it be by accident or by malice), we can not put the responsibility for our decision on someone else. We can not say that someone should have protected us from doing so.
But that is what everyone is expecting from the internet: someone should protect us from evil so that we don't have to think about our own decisions. That's like running around naked in the middle of the street at rush-hour while crying for protection against all those evil cars and voyeurs.
So, yeah I am responsible for my decision to leave the house (or, if you like so, to stay inside) - naked or not. The bully outside is responsible for his decision to beat me and therefore is held responsible for doing so by law.
You can only be held responsible for the actions that you have directly or indirectly caused. You CANNOT be held responsible for someone beating you up, just because you decided to walk around that day. If you walk through a dark alley, knowing about the possible dangers, it is still NOT your fault if you get mugged. Being able to prevent something bad from happening does not mean that you are obliged to do so.
@ Baster: IP-packets are neither bricks nor do they carry knives. If an IP-packet can do you harm, you have done something wrong.
And "anti social behaviour" is against the law only in police states (UK certainly is already one). In a nation of free citizens only explicitly forbidden actions are crimes. This was true since the Romans: nulla poena sine lege scripta. In the UK you can be punished without any definition of which actions are legal and which not.
Illegitimate IP packets are produced to cause harm. There is no legitimate purpose for them (apart from penetration testing) and as such producing them should be illegal.
Defending against these packets should be encouraged, but by no means should it be mandatory. Unauthorised attacks on the server can cause serious harm and because of this should be taken seriously.
Anti social behaviour stands closely with the principle used in the US: "You are free to do whatever you wish as long as it does not interfere with the freedom of others."
Anti social behaviour refers to the situations where you ARE interfering with the freedom of others, would you not agree?
so how does anyone except Sender and Receiver know, if an IP packet is "illegitimate"? As you yourself have already mentioned, even packets that are obviously "evil" (if one could distinguish them somehow) could still be a part of a test or something else completely normal to sender and receiver?
By definition, an IP packet is as neutral as a mail packet is. And nobody would ask the local mail-office to scan, unpack and filter any packet passing by - just in case ... would you?
And again: you don't seem to understand my argument on who is responsible for whose decisions: the bully is (to be held) responsible for his decision to beat you up, but you are (to be held) responsible for your decisions, for example to leave home. Or to be precise: if you see the known and sought murderer in that dark corner of the lonely park in the middle of the night and decide to pass by close to him, you may not be responsible for his attempt to kill you, but for putting yourself into danger. And courts (or your insurance company) will make sure you hold your responsibility!
The same with leaving your house, though the danger you are putting yourself into is at "normal risk of life"-level and therefore courts might not blame you for doing so ... still: if you start crying for someone to have you protected from leaving the house in the first place you might get sent to some nice place where others will take your decisions ... ;-)
Thank you for the comment, I guess I am rather vague in what I mean in the packet example, I think that yes, if my server is online I am taking the risk that it could be bombarded with illegitimate packets and yes, of course each packet cannot be scanned, but I want to know that if it has been proven that an attacker has sent illegitimate packets towards my server with the sole purpose of causing damage, the person who sent the packets is held responsible and has to face prosecution.
There does not seem to be a proactive resolution to this problem, only a reactive one.
We should look for practical solutions. One aspect of practicality is that those who care about "bad" packets have a natural incentive to do something about them, and are well-placed to identify them as "bad". If you care about such packets, you and everyone with whom you do business has such an incentive. You may complain that other entities also have the opportunity to do something about packets that you receive. However, those entities may have no way of knowing what you perceive as good or bad in a packet, and they certainly have less natural incentive to do something about that. In the absence of such knowledge and incentive, they're going to just obey the protocols and pass the packets along.
Many of the "solutions" proposed involve an effort, in my view ill-advised, to create an incentive for third parties where none exists now, while ignoring the incentives I've described that you and your providers already have. By expanding the required chain of trust to numerous third parties (other ISPs, backbone providers, hosting companies, ASPs, police, the courts, other jurisdictions, etc.), such proposals seem doomed to not actually solve the problems that you're having with your network connection. Wouldn't it be easier (and more proactive) just to keep up with your patches? These proposals seem to ignore the knowledge problem, as well.
There is a tendency to think that it would be easier if others solved our problems for us, but that's a pretty shallow analysis. At least now we're talking about electronic communications rather than houses, rocks, bullies, and other physical phenomena.
"So if anything goes wrong (may it be by accident or by malice), we can not put the responsibility for our decision on someone else. We can not say that someone should have protected us from doing so."
Actually we can and do; a large part of tort law is exactly what this is about.
We frequently hear "buyer beware", which has an implicit assumption that the buyer has sufficient knowledge to be able to tell in advance if a "good" that is sold is in a fit condition or not, irrespective of whether they can inspect it (think tamper proof packaging etc).
One of the reasons the US got lemon laws was due to this exact problem.
Some items are virtually a necessity in life (a roof over your head, transport, communications, access to energy and safe food, etc). Nobody can be expected to be sufficiently "clued up" to be able to make a fair determination of risk with an unknown vendor across all of these "necessities of life" in the modern world.
In the past those that sold "snake oil" stood a good chance of having a "rope neck tie" or being subject to other forms of direct debilitating action.
Consumer law etc was brought in not just to protect the consumer but to also protect the vendor as well...
To all those that claim a user is responsible if their machine becomes infected etc.
You are forgetting a basic reality of life,
YOU CANNOT KNOW IN ADVANCE IF A PACKET IS GOOD OR BAD 100% OF THE TIME.
The work of various mathematicians, logicians and computer scientists has shown (via undecidability) that it is not possible, even if you 100% know your system.
Therefore it is not possible to 100% prevent a dangerous packet getting onto your computer except by running it in "splendid isolation", which makes it about as useful as a car with no wheels for most people.
The reality of life is that there is a time period between when a flaw is discovered and exploited and the point in time when a preventative solution becomes available.
Therefore pointing the finger at people other than the person responsible for the exploit is only going to benefit the already deep pockets of the legal profession.
Also the idea of a "driver's licence" fills me with foreboding. In the UK the Government have fielded the idea that taking a driving licence away can be used as a method of coercion for completely unrelated activities that arguably are not crimes at all.
I am kind of inclined to doubt the mental abilities of people who disagree with the simple statement: "YOU are responsible for protecting yourself from harm". Responsibility is not the same as being guilty if something bad happens - if somebody attacks you, you're not guilty. But when you decide to venture out without taking appropriate protective measures (i.e. going by well-lighted streets, learning some self-defense, taking a gun with you, etc) you are behaving irresponsibly.
The police CANNOT protect anybody from crime. They arrive AFTER the crime, and maybe, maybe they'll catch the perp - so they will house him at your (and my) expense to add insult to injury. In the US, the police are NOT legally required to provide protection to anybody, and courts have said so, repeatedly. So if you believe the police are here to protect you, you really need to stop watching the tube and start learning how the real world works.
As for the idea of government being in charge of internet security, well, it is nothing more than a thinly veiled grab for control of this unruly medium - the security "protection" will turn into political censorship in no time. Like, the "bad" ISPs hosting "hate sites" will discover that they can't renew licenses, etc.
@averros "The police CANNOT protect anybody from crime"
So you don't accept the concept of deterrence?
Yes police can't be everywhere (though the UAE is trying). That's a good thing. I wouldn't live in a police state no matter how safe my kids were.
But if you deny deterrence value ... and if the existence of police isn't enough to deter crime, then neither is carrying weapons; pre-emptively attacking people on the possibility that they may/may not eventually attack you won't deter aggression either. It will likely increase it.
But police do prevent crime. Not all but also not none.
While most of us are spending time fixing vulnerabilities (V), police seek to reduce the T in R = V * T * I. Every criminal they remand to incarceration is one crime vector taken out of the game.
Every random patrol they make through neighborhoods puts people intent on crime in an uncertain calculation. It increases the get caught variable in their crime equation.
@ Clive Robinson
Evil-doers profiting from your lack of knowledge is not the point I was trying to explain. You are not responsible for someone cheating you (which is his decision!). You are responsible for choosing the wrong seller/contract-partner/whatever - may that be due to bad luck or due to not knowing any alternative. Still, even in this case you cannot blame anybody else for your decision. And even in case of misleading advertisements, if you decide to ignore that scratchy feeling in the back of your head telling you that this offer is too good to be true, ... (I am not saying that you are "guilty" of being cheated but responsible for not doubting).
To your argument about not knowing 100% of your packets ... well, there is nothing 100% safe in this world. That's what we call "life" ;-) (well, uhm, there is one thing, of course, that is 100% safe and that we call "death"). Of course the person writing a malicious exploit should be held responsible for it. But how, if not by legal ways? If in spite of my taking any reasonable protection and precaution someone else harms me, the problem will be solved quite fast in court. And even if I didn't protect myself, of course the blame is still upon the criminal, but I may not get any compensation for the damage done (neither from my insurance nor from the criminal).
But "deterrence" has nothing to do with "protection" ... one is: "make it as difficult as nearly impossible" and the other: "prevent it completely"! And the latter cannot be done with people being able to roam the streets and communicate with each other! (I say: put everyone into singular cells and you will see that nobody really wants to be 100% safe - and as a bonus they all will realize that even in such a protective environment they can still stumble and break their neck)
"So you don't accept the concept of deterrence?"
I haven't seen any valid (in the scientific sense) evidence that it actually reduces crime and does anything other than shift it from the places where the police are present to the places where they aren't. I doubt that such evidence exists.
Deterrence absolutely works if you want to protect yourself (locked door prevents opportunistic trespassing, etc).
"But police do prevent crime. Not all but also not none."
Evidence? The police say so?
"It increases the get caught variable in their crime equation."
Not really. It merely sends a signal to the criminals to attack an easier target.
@Clive: "YOU CANNOT KNOW IN ADVANCE IF A PACKET IS GOOD OR BAD 100% OF THE TIME."
Ouch, my ears. First, if this is true at an endpoint, it is much more true at all relaying hosts, and even at the origin. What if the origin is in China or some other jurisdiction that hasn't a care for one's computer? One can't hold the origin responsible in this case. Is one to hold responsible the backbone provider? How on earth is that going to work? And again, is a security system that requires trusting dozens of unrelated entities really better than one that requires trusting oneself and one's vendors?
Second, any particular packet is only good or bad in context. In your own particular context, you may choose to run weak software that falls down and enrolls in a botnet after transmitting your credit card numbers whenever it gets pinged. You may choose instead to run nothing but djb's finest. That's up to you, but it definitely affects what packets end up as good or bad.
Then you can move up a level and run a whitelist-only approved-port-only patch-current firewall, or no network security, or anything in between. If you have weak endpoint software, you probably should opt for stronger network security, or maybe just run a private network and never connect to the public internet. This also affects packet morality. It is also your choice, and that of your provider.
If life can be said to have any "reality", then let us say that life is not safe. Further, it is not made more safe by relying on the kindness of strangers or the effectiveness of the state's enforcement powers. We're not children, and we're not kindly old grandmothers, so let's keep up with our patches.
"First, if this is true at an endpoint, it is much more true at all relaying hosts, and even at the origin. What if the origin is in China or some other jurisdiction that hasn't a care for one's computer?"
Correct, this is my point.
Too many people are proposing making the receiving end (consumer) responsible even though they clearly are not responsible nor could be (except by the self interested 20-20 hindsight sayers).
Ask yourself a simple question,
Are you responsible for objects falling out of the sky onto you, your loved ones or associated property?
Except in certain cases the majority will say no.
And the solution to things falling from the sky is to spend vast amounts of money and live sufficiently far underground that it cannot affect you...
Only we know there is going to be another "big one" at some point that will do to us what supposedly happened to the previous dominant species...
The problem with blaming the unfortunate recipient is that politicos will jump on this sort of stupidity, as will the practicing legal profession, as in both cases it is in their self interest to do so (and to everybody else's detriment).
This proposal is the equivalent of "killing the messenger", in that it will not stop the problem, and conceivably make it considerably worse and thereby damage a country's ability to perform in various world markets, which makes it a National Security issue, which should be dealt with in an appropriate not inappropriate manner.
"Second, any particular packet is only good or bad in context."
That is a given; there is (as far as I'm aware) no universal malware. This is due to diversity and not having mono-cultures.
However it is extremely unwise to say,
"you may choose to run weak software that falls down and enrolls in a botnet after ..."
This is the same as saying "because you do not live under a mountain it's your fault an aircraft dropped on your family and house".
For a risk to be appropriately mitigated it has to be set into context. The first thing being: is it possible to protect against the risk 100%, and if not, to what extent? And this in turn has its own context: at what expense? And so on.
Risk is unavoidable; it is a part of life and death. What it requires is correct assessment, correct evaluation and appropriate not inappropriate responses.
The question is what is the trade off between risk and expense. You detail an increasingly more expensive set of countermeasures, none of which are ultimately going to solve the problem (other than pulling the plug).
The issue of risk is usually evaluated against chance (random) events across a large population whereby an approximate quantification can take place.
At the end of the day it is a question of how many greens on the roulette wheel of life and who benefits by them (house advantage is punter disadvantage).
Currently we do not have the models to even start quantifying the risks involved due to two things,
1, The malware is from a "directing mind" not blind chance.
2, The malware is "specifically designed", not the result of natural processes.
Without being nasty, those two conditions indicate to a very high level of confidence that there will always be a substantial "pandemic" risk that will occur whenever there is a sufficient incentive for it to do so.
Add in three other factors,
3, It is known that it is impossible to prevent malware.
4, The malware designer can adjust whatever factors within the malware they choose to increase "infection rate" against "detection rate" and thereby delay the "response".
5, The transmission vector is "zero cost" to the originator of the malware.
It is this fifth consideration combined with "hybrid vigor" where the most effective control methodology will probably result in both the short and long terms.
By "cost" I'm including the "direct cost" of transmission and the "punitive cost" of transmission. The latter requires a "no place to hide" mentality from all. Which unfortunately, like terrorism, will not happen as long as there is "national interest" involved. (Is cybercrime/warfare the "New Terrorism" (TM)?)
As you say,
"If life can be said to have any "reality", then let us say that life is not safe."
Yup, that's a given in whatever field of endeavor you consider, which aligns with my main point "malware is NOT 100% avoidable EVER".
You go on to say,
"Further, it is not made more safe by relying on the kindness of strangers or the effectiveness of the state's enforcement powers."
Here I have to partially disagree with you: "the kindness of strangers" usually includes "self interest" and this actually is the predominant moderator of "known malware" infection rates (but not unknown malware, that falls to "hybrid vigor" and chance).
With regards "state's enforcement powers", that can only have "local effect" not "global effect" (no matter what "war hawks" might expound).
Which comes back to the "cost of transmission" in a global market.
As long as that is close to zero for the malware originator then "local legislation" is neutered, and those promoting it are effectively announcing to those that can see that they are impotent, or that they are going to go down the "splendid isolation" path (which historically has always failed).
You go on to say,
"We're not children, and we're not kindly old grandmothers,"
And that is actually the same as "education and experience", which 99.9...% of ICT users have insufficient of. Nor in this rapidly evolving "online" world is it something they have any hope of ever mastering, let alone keeping up with.
Which brings us around to,
"so let's keep up with our patches."
Which can only happen if they exist and are available.
Which brings us around to the real "villains of the argument".
Who is more to blame, those who release insufficiently tested and reliable software (product liability) or those who choose to exploit the weaknesses that have been sold?
(Please note I am very specifically excluding "freeware" of its various forms as this really falls into the "DIY/Self Build/customize" area where you are normally judged as being responsible for making sound engineering etc choices).
One of the problems with this discussion (or argument / debate ;) is the meanings and weight people attach to individual words.
For instance we talk about "responsibility" but also exchange it for "accountability".
Jess above made the statement,
"What if the origin is in China or some other jurisdiction that hasn't a care for one's computer? One can't hold the origin responsible in this case."
From my point of view Jess is talking about "accountability". We can hold the origin "responsible" but due to the issues with jurisdiction we cannot hold the origin accountable. This gives rise to the issue of the "zero cost" of the malware vector from the "punitive" aspect.
Likewise your statement,
"You are responsible for choosing the wrong seller/contract-partner/whatever - may that be due to bad luck or due to not knowing any alternative."
Your meaning of "choosing" is open. For instance taxation goes towards your country's "offensive capability" to commit acts of "murder" called war.
The only real choice you have here is to pay or change your citizenship. There are very few countries that do not have an "offensive capability", and are they likely to accept you as a citizen?
So the aspect of choice is not really there except in name only.
Likewise with car insurance: it is something you have to have to drive in the majority of jurisdictions. Your choice comes down to which of a cartel of suppliers you pick. Again this is not a free choice. The only choice you really have is not to drive, but then in the majority of cases you are effectively excluded from many aspects of society.
Which is why governments jealously hold onto this as a punitive measure against those that disagree with them (see the UK Gov and what it has said it is going to do with "absent fathers" and withdrawing their driving licence and passports).
Many many people have absolutely no option but to use the products of certain dominant software companies. Their choice exists only in name.
For instance if the company you work for or the educational establishment you go to uses a particular word processing or presentation application you have little or no choice but to use the same application.
Therefore if the work/educational establishment picks a particular "vulnerable" application you likewise have to use it. The fact that your work/educational establishment has the staff and other resources to mitigate the "vulnerable" application in a timely manner does not of necessity hold true for an individual.
This is the trap of semantics and reality of "choice".
You have to rise above the semantics and see what is realy the situation and why.
And in the case of malware you have,
1, Dominant suppliers of "vulnerable" software.
2, Individuals with no real choice but to use the "vulnerable" software.
3, Dominant suppliers who view the mitigation of their "vulnerable" software as a profit center either for themselves or others.
4, Others who have real choice to take advantage of anyone who has "vulnerable" software.
It is these last two points that are important; they both revolve around ethics or the lack thereof by the software vendors and the malware developers.
And it should be noted that sometimes there is no distinction between the two (think Sony, and the AV companies' hidden choice to ignore the Sony root kit issue...).
As long as "unethical" organisations can convince the "self interested" (politicos and lawyers) to maintain the market such that the user without "choice" is going to pay, then there is absolutely no incentive for the situation to improve. In fact the exact opposite.
This is the dirty secret of the "free market" mantra espoused by those who are "self interested".
There are certain hidden requirements for a free market to work "as espoused by the self interested"; they revolve around "accountability", "choice", "ethics", "localisation", "education", "experience", etc, all of which naturally give rise to "non free markets" unless there is appropriate legislation to regulate them to ensure a "free market"; otherwise it's the first "law of the jungle": "might is right".
My immediate comment above about the "real" freedom of "choice" or lack thereof (ie in name only) was meant for André.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.