All We Want Is Whatever's On Your Machine

kubla2000 writes: "A breathless story about how the best defense against [fill in the blank: piracy, virii, hacking] is a good offense at CNet. What struck me most though is that in the midst of the rant from Timothy Mullen (no stranger to hacking the hack as this story from computerworld magazine shows, was a throw-away line justifying the RIAA and MPAA's appeal to Congress to make it legal to do this! It seems the bandwagons have started rolling. Who's next to jump on?"

Blaming the Victims

of a virus attack doesn't sound like good public
policy to me.

This can't be a good thing: just think of
the court cases, and the added burden on the legal system.

Imagine a scenario like this:
Company A, B, and C are infected with viruses.
Company A tells Company B to "santize your systems, and stop infecting us, !". Company B has santizied it's system, and tells Company A to "go pound salt".

Company A, unknowingly infected by Company C but still blaming Company B shuts down Company B's system. Company B is not happy.

Company B manages to bring it's system back up, and shuts down Company A in retribution.

Lawsuits ensue. The courts, which could be ruling on citizen's issues instead, (like, say, overruling the DCMA), become backed up with corporate bickering. The citizens lose. Ugly situation.

And that's not touching on any of the questionable ethics of government sponsored vigilantism. I'll
leave that flamewar to others -- I imagine things will get quite toasty.

BlameGame

[SimplyCosmic]

We've already seen something akin to this, at least on a small scale.

Working as a telephone tech support person for a non-tech sector company, Klez was particularly annoying as we would get angry telephone calls from our own corporate executives about how our server based antivirus program wasn't working, as they were getting angry emails from people at other companies telling them to stop sending them the Klez virus.

All because the damn thing sent false header information and someone outside both companies had been infected, people would continue to blame the wrong parties when their own antivirus program would point them at the wrong culprit, despite all the media stories explaining the damn thing in clear detail.

We had a number of execs refuse to believe us when we told them their machine was clean, as "obviously" we were wrong according to the people at the other company. Even had one high up try to install her own antivirus program because she didn't trust ours and ended up trashing her computer.

I just loved the whole telephone support deal during the peak Klez season. :P

Asking for trouble...

[EdMcMan]

Come on, wake up and smell the coffee/pizza/flowers or whatever you want to smell, but there's no way "self defense" cracking is going to become legal. Without someone drawing the lines, the line between cracking and "self defense" will be very blurred:

"Well, his computer pinged me a few times, so I used a buffer overflow to gain access to his machine, and formatted his harddrive."

As you can see, there are two issues that are left unresolved: what defines an illegal attack, and what defines an appropriate "counter attack".

As for this falling under a self-defense part of the law, I would suggest looking at the goal of self-defense: stopping an attack against you. Self defense does not mean kill someone, does not mean detain someone, or anything else. Although it is possible that those could be necessary in an act of self defense, in most cases they are not.

With all this in mind, take a look at how you can stop the attack on you. The best way would be with a firewall or patching the problem. From there on, you should report the problem to the authorities (ala "real life"), probably being the machine's isp, and possibly the police/fbi.

Vigilanties are not protected by the law, and their best hope is to convince a jury/judge that they were doing the "right thing". Unfortunately, most of them aren't qualified to make that decision :]