Killing Others' Malicious Processes
Roland Piquepaille writes "This opinion is not mine, but the one of Tim Mullen, from SecurityFocus Online. In this story, he expresses some strong ideas regarding systems infected by worms. "I believe you should have the right to neutralize a worm process running on someone else's infected system, if it's relentlessly attacking your network. I've even written code to demonstrate the process. Though the initial news coverage of the concept was grossly inaccurate in conveying my ideas, it has stirred up a constructive dialog. I knew my idea was controversial, but I was wrong about something -- I figured everyone in the security biz would "get it" and that the hard part would be convincing everyone else that if they can't or won't secure their machines, we as the defenders would have the right to terminate the process attacking us. It has turned out to be the opposite." The author then looks at the criticisms about this strikeback idea raised by some security experts -- to dismiss them of course. Check this column for a summary or read the original story for more details."
I agree with this! I work for an ISP, and when we come across a user that we cannot contact to notify of problems, we simply disconnect them until they can prove they have resolved the problem. It's worked wonders. We see so much less virus activity trying to hit our mail servers, and we've had a lot fewer complaints about people having a virus or worm.
Can all fish swim?
"Since the owner of a system has no responsibility for the actions of a worm, or any malicious process, that runs without their knowledge, I submit that they also have no rights to the process. No responsibility means no rights.
So, if they have no rights to the process, there is no infringement against them when we neutralize it. If someone wants to claim that their rights were violated by our taking out the attacking process, then they should be held accountable for the actions of the process from its inception. They can't have it both ways. "
That, I think, is a good point. The solution, however, is not to make the counterattack legal, thus continuing to absolve people of responsibility, but to make the owners of the systems legally responsible for their failure to secure their systems. If your system is 0wn3d and used to launch a DDoS attack on AOL (or Slashdot, Kuro5hin, whoever), then AOL should have the right to sue you for damages. Your incompetence caused their loss.
You say you can't afford to pay? Tough. Should have thought of that before you put your insecure system online. You say it's the fault of the manufacturer for selling the insecure system in the first place? Take them to court. Too expensive? Well, if their system is too expensive to use, then people won't use it.
This concept relates to self-defense, and deadly force. Follow along with me...
If a person is in public, and is threatened, that person must make every reasonable effort to avoid the use of deadly force as a means of self defense, prior to using such force. He must attempt to leave the scene, etc. In short, there is a Duty to Retreat.
If, however, that person is in his home, his own property, that person may use deadly force as a means of self defense without having to exhaust every means of escape or avoidance. On his own property, a person has No Duty to Retreat.
How is the scenario for Cyber-attack any different? Unlike most of the people commenting on this article, I believe you do have the right to take active measures in protecting your property.
Obviously, we're not talking about deadly force... We're simply talking about electronic countermeasures.
If an unsecured system on the Internet has been infected by a malicious program, and is now launching its own attack against your system, your property, denying you the use of bandwidth or resources that you are paying for, I think you're perfectly within your rights to put the attack down, and if necessary, the offending system.
A person utilizing the Internet has a certain responsibility not to cause harm, either through action, or inaction. Most people on the Internet today seem tragically unaware of this. Without this, the Internet is ripe for a tragedy of the commons situation.
Is it wrong to still believe that with Rights come Responsibilities, or that with Privilege comes Obligation?
Your right to swing your arms around recklessly ends at the tip of your fingers, and at the beginning of my nose.
I think Tim Mullen is 100% correct, and I'm surprised there aren't more people that agree with him.
For those that would die defending it, Freedom
has a sweet taste that the protected will never know.
The idea of writing "strikeback" scripts, as you describe, has been tossed around before. I recall reading a quick-and-dirty script for Apache posted on slashdot some time ago that would detect attacks from machines infected with Code Red, and would then exploit the security holes Code Red had opened on those machines to clean them. I used to support this idea, but I'm afraid after some thought, I've changed my mind.
I'd agree that if a worm is running on someone's machine without their knowledge, then the owner of that machine has no rights to that process (the obvious exception being the person who is spreading the worm, who runs it intentionally on his or her own machine, but we'll ignore him or her for now). In order for you to terminate that process, however, you have to break into their machine, and run your own process. You are, in effect, creating your own worm. Your worm may only run for a short while, and may be "for the greater good", but that doesn't change the fact that you are running code on other people's machines without their consent.
Even if we opt to ignore the ethics and look at this from a more practical angle, can you guarantee that your strikeback process is not going to adversely affect the machines it cleanses? What if your strikeback process causes a machine gathering scientific data to reboot, or kills the wrong task? This has the potential to set someone back by several days in their work. What if it reboots a machine monitoring medical equipment? You could end up killing more than just a process, if you catch my meaning, however unlikely that may be.
Since you are intentionally running a process on someone else's machine, you are accountable for its results. If you cause damage to a machine, or cause data to be lost, even if it is inadvertent, you open yourself up to litigation from the owners of those machines.
I don't think it is a matter of holding everyone responsible for any attack that may come from their machine. It is about holding negligent users responsible for their negligent actions.
For example, if someone owns a gun but keeps it locked in a safe in their house and stores the ammo somewhere else, yet some master thief manages to steal their gun and use it in a crime, I doubt anyone would say that is the fault of the gun owner. However, if the same gun owner left the gun loaded and lying around on their front lawn and someone came by, picked it up, and shot somebody, they would be sued and/or arrested for their negligence.
The problem is determining at what point is a computer user negligent. Is your average consumer negligent for connecting their Windows box to a high-speed connection and not using any firewall software? Or is it someone who turns on various services like file sharing without knowing full well what they are getting into? Or is it anyone who takes reasonable precautions, but when they get cracked they don't realize it until their box has had a chance to eat up tons of somebody else's bandwidth?