Who is Responsible? The Developer? The User?
Anonymous Coward II asks: "I am working on a paper for a computer ethics course, and need to answer the following question: Who must be held responsible: the person that develops software that will (or can) be used to illegal ends (like to break into a computer system, to illegally monitor other users, a virus, etc), or the person that uses it afterward? I'd like to know what Slashdot users think, and what is the answer according to the law." Software is a tool, just like any other, so when things go wrong I think this then boils down to a question of personal responsibility or negligence. What are your opinions?
Having not thought about this very long
My gut feeling is that if the program has a legitamite use (Like BO2K can be used as a remote admin thing), then the person who misuses it is to blame.
But if there's no legitamite use, then the author should be held to blame.
The only problem is to work out what constitutes legitamite use.
iain
(sorry for the poor spelling)
I don't blame gun manufacturers or knife manufacturers for murders. I don't blame car manufacturers for drunk drivers. And I don't blame developers for writing software that could be used in an illegal way.
"That's Tron. He fights for the Users."
You are to be made responsible if you issue a tool that is potentially dangerous without indicating it. Companies like AOL make internet connection look like a breeze, and therefore are responsible for hapless users unknowingly offering their box as a spam hub.
At least this was the essence of our Linux User Group's last night's discussion.
Man, I need to figure out how to get Slashdot to do all my research for me......
If one is killed by a hammer (in another person's hand, of course :-) is the hammer manufacturer responsible for this crime? What if the murder was by a gun (pistol, shotgun, ....)? Or a chainsaw? Well, this is a polemical issue. But the truth and justice must be between the opposite sides of the question, I believe the Judge must examine each case separately.
If software has a legitimate use, e.g. SATAN then
it is the end user's fault.
However, a program that creates smurf attacks or
a virus would make the developer also a bad guy.
well, if you consider gun makers, and cigarette makers and other such organizations, who produce harmful products, abused by others, it's obvious that the law sees the user as being the responsible party for whichever use the product is put to.
:)
Of course, a virus maker who writes a virus which is infectious, and 'accidentally' leaves it where someone can see it to distribute it would be guilty of at least negligence... so the producer wouldn't be totally off the hook.
It's like, if I make peanut butter and someone is allergic to peanuts, I shouldn't be held responsible if they eat some unless I mislabeled it and make it not taste like peanut butter. Now if someone hid some of it in the allergic person's food, I don't think that I should be responsible for it at all. Many of the hacking apps are demonstrations of exploits or are legitimate tools to test one's own network... therefore they have legitimate uses too, and are not made expressly to cause trouble
I think a lot of it depends on the situation.
A gun manufacturer can not be sued if one of its guns is used to kill someone. They are simply making a 'tool' to be used for personal protection. I think that more and more these days we are seeing exploits coming out that are dis-abled (bad shellcode) or simply print a message ('I h4v3 0wn3d j3w!') while still getting the point across that there is a problem with the software.
--codemonky
--"Karma is justice without the satisfaction"
If the software can be used for legitimate poiposes, then you could argue any illegal usage is the fault of the user
However if the software
- promotes
illegal activities, then the fault lies with the programmer:wq ~ ~ ~ ~ ~
Obviously the one who commits the crime should be held responsible. There is nothing in this world that can not be used in a wrong way.
Cars get you to work....but they can kill
Email can be used for fast reliable communication....Spammers can flood your inbox with garbage.
Scripts can automate frequently used processes....Melissa Virus
In the end the question becomes similar to the statement---Guns don't kill people, people kill people.
Hey what can I say I'm weird
is that it depends on the design of the tool. A gun for example can be used for assault or self defence, so the responsibility for its use comes down to the user. On the other hand, if a company designed and sold an item that only had a negative use eg. car bombs (extreme example I know), then both the company and the user should be held responsible. Just common sense.
Tools never have ethics. People can. It's too bad that so few understand this and are willing to take responsibility for their own actions. As a culture we seem to be moving away from individual responsibilities (and therefore Rights) to State protections. Laws that reduce freedoms in the attempt to prevent irresponsible actions. You've opened a can of worms with this one...
But what about software that has NO legal utilisation? Viruses are such things. A gun allows you to defend yourself, not only to attack others. I think for some kind of software, the developer HAS a responsibility.
Fetchez la vache !
Look at other tools that are used to break the law:
Tools to break into houses and guns. They can be developed legally and they can be sold legally (possibly with restrictions). Why should software be different?
You can hardly draw a line between software that *can* be used for illegal purposes (almost anything) and software that is built to break into others' computers. Look at Back Orifice. First a cracker's tool, now a remote administration toolkit. It is much easier to see that automatic guns can only be used for evil purposes (killing people), yet their development and production is normally legal.
- Alex
Didn't Colt decide to get out of the Handgun market because they thought that they could be considered liable for what people did with guns made by Colt?
Seems like the exact same situation.
given that people are suing gun manufacturers left and right for crimes committed with guns...survey will probably say....everyone is responsible for everything.
long live the legal mafia...etc, etc.
The Hacker News Network has been asking much the same question. Anti Virus companies have been labelling some programs that allow remote undetected monitoring of a computer as viruses (e.g. BO2K) while other products released by "mainstream" software companies (such as Softeyes) are not scanned for at all.
What makes an anti virus company label one program as a virus, while another program with similar uses is unlabelled?
HNN asks the question at http://www.hackernews.com/orig/avindustry.html
A little planning goes a long way...
Any tool can be used for legal or illegal purposes, good or evil if you prefer.
The more powerful the tool, the more potential danger.
My personal favourite example is a car, a gassed up running car is far more dangerous than a loaded gun, just think of driving into a crowd, and shooting into a crowd.
We have to educate people of the importance of proper social behaviour, that stands a much better chance of 'appropriate' usage of stuff than simple restrictions and the blame game
There are so many other variables.
It's all a question of 'intent'.
Ultimately if someone is knowingly using software for illegal things then they are responsible, end of story.
However you can also argue that the people who develop the software can be held accountable for enabling people to perform these illegal actions. In the same way that it is illegal to sell certain guns to people in the UK unless they specifically have an owner's license.
Then again, people use windows, linux and all sorts of other things for illegal purposes, visual interdev creates programs that do illegal things all the time (haha - sorry - had to throw that one in).
It's an interesting ethical question, creating software purely for illegal purposes is indeed unethical, but it *can* be a fine fine line.
If I do your homework, will I get your diploma too?
if i produce lock picks for sale to locksmiths and you manage to get hold of a set _and_ get caught possessing them, you can be charged federally. although it's true that gun manufacturers may be held responsible for the damage caused by their weapons, i don't believe that it applies here. if i write a security tool and you use it to violate one or more laws, you should be the one to go to jail.
hehe there's another precedent! UHF
To me, the answer is simple, the consequences should lie with the person who used some software to hurt someone or damage something. Where does the finger-pointing stop? If someone writes an extremely lethal virus and compiles it using gcc is somebody going to try and blame GNU for providing the tools to build the virus? There is a major problem today, in the US at least, of blaming everyone and everything remotely associated with someone bad (think: Doom and Columbine wackos). As much as I personally dislike guns, I believe the same argument holds there as well...guns don't shoot themselves. Blame the responsible person: the one who committed the act!
Zed's dead baby. Zed's dead.
Like pretty much everyone else, I've got to say that it depends on context. In nearly all cases, though, I'd be inclined to blame the user.
I'd like to rephrase the question slightly, though.
Does the fact that a Virus Construction Kit can be used by sysadmins to aid in network defense justify its existence?
While a virus might have no legal use, what about studying it to learn about it? A virus is usually a fairly nice piece of code.
When it comes down to it, it's just a series of 1s and 0s, like any other software. It's up to the user to use it responsibly.
I should presume it is *your* opinion which matters at the assignment, so just do your homework!
I agree with previous poster that the one who actually commits anything should be held responsible; however, how about drug dealers or tobacco companies (still remember those suits?). If a program is designed to be malicious (like a virus) then the author is ultimately responsible. People who run it (like users on infected PCs) are actually victims then.
And then, I never liked ethics lessons.
God did not appoint us to suffer wrath but to receive salvation through our Lord Jesus Christ --1Thes5:9
To get a better feel for the issue consider other products and their users. If a drunk driver kills a pedestrian can we sue GM for making the car? If someone uses a steak knife to kill or maim another person can we sue tramontina for making the knife? If I wrote "rm" can someone sue me when their disk gets wiped?
KK4SFV
Neither of those 2 is responsible, I think the one responsible is the company that leaves security holes that allow for cyber intrusions
I notice that a lot of posters are using the gun analogy, in that gun manufacturers are not to blame for shootings. But if you look at this link on the BBC it seems that people *are* suing gun manufacturers, or at least makers of assault rifles, as they are not 'self-defense weapons'.
I think we can stretch this to malicious software too - e.g. viruses. But then, what if you were to write viruses for 'educational' purposes? If you write cracking software, I think you'd have to be prepared to face some legal action.
Many years ago Dan Farmer authored a paper with a title similar to "Improving Your Computer Security By Breaking Into It". The paper illustrated a number of means of hacking into a system, some of which sadly are still very possible today. His intention wasn't to be the first enabler for script kiddies, it was actually to make the internet a better place by improving security. His thesis was that the best way to counter these attacks was to learn to think like your attacker. He didn't have any hidden motives. It wasn't like a lot of self-proclaimed security experts who say they're producing material to enhance security with a few concealed winks and nods to the script kiddies. He went on to write SATAN later. Apparently educating system administrators and programmers didn't help. Buffer overflows were still rampant, critical security patches weren't applied and the internet itself was rapidly growing. It wasn't just touching the most wired of the geeks anymore but was starting to become part of the general public's experience. SATAN was an automated audit system. Some moron at SGI even fired him over this.
Both of these systems could be exploited and abused and both of them were. Dan's intentions were still honorable though. Yes, it was possible that they could fall into the wrong hands but both items in the right hands could help armour your systems against these attacks. It's a failure of system administrators everywhere that script-kiddies COULD use these tools against them.
The responsibility here is firmly planted on two groups. Foremost are the abusers of the tools. Just because somebody leaves the doors open doesn't give anybody the right to exploit it. The administrators who were compromised by things which were EXPLICITLY EXPLAINED OR AUDITED also bear some responsibility to any users who were affected. Ideally I'd love to see the day where script kiddies are locked away or otherwise punished (I loved somebody's suggestion the other day of forced community service teaching computer skills) and administrators that are proven to have not been diligent in applying patches were open to financial repercussions.
Some groups write scripts for the sole use of script kiddies. They may claim they're writing security tools but I find it hard to believe them when comments in the source code proclaim "// n4m3 0f z1t3 t0 b3 0wn3d" so they're liable. They're purposely producing tools to enable computer crimes.
To answer the question -- both author and user should be held responsible, to varying degrees and depending on the circumstances. It should be based in part on the severity of the damage and in part on the intentions of the people involved. Intent to cause harm is hard to prove, however.
Another problem you're going to have is your idea of punishing people for writing programs which cause (or simply are capable of causing) harm. Compilers, interpreters, and even good ole' DOS DEBUG are good examples of programs that can be either very useful, but can also be used for destructive purposes. I think we have to look back again at the overall intent of the person writing or using the program.
---
"Go Metallica. Die RIAA." -- Linus Torvalds
1- You don't need to take a virus to see a nice piece of code. I'm sure some things like demos are also REALLY nice pieces of code.
2- When you write a program, you offer somebody the possibility to do something. For a 'normal' program, you give the user the possibility to achieve a certain kind of work. When you write a virus, you give him the opportunity to do nasty things he could not have done without you (well, without you and the other virus authors. But let's forget the "I'm not the only one!" excuse). So YOU are responsible.
Fetchez la vache !
I usually believe a technology/process/program/etc to be neither good, bad, illegal, or evil. Only what we as users of said technology do with it is good, bad, illegal etc. In fact, this is one of the reasons (basically) why the RIAA's suit against the Diamond Rio failed. The Rio's sole intent was to play MP3s. The human is the one that supplied it with MP3s be they legit or non-legit. This is also the same type of argument given by the makers of Napster. Napster is a distribution and search method for MP3s. Of course they warn people against releasing copyrighted works. "We are a way for unknown bands to get their mp3s out", the makers of Napster have basically said. Unfortunately, how does one do searches for bands you don't know even existed, if your search fields are artist or song title? This is where I think the RIAA's suit may get them. So it would seem that Napster is primarily a tool for searching and distributing known works...almost all of which are copyrighted.
Diamond Rio is ethical. Napster will probably be found to not be ethical.
"Dogs and cats, living together...it's mass hysteria!"
Okay, I hate to reply to myself, but I just found another reason:
I'm on BUGTRAQ. I have been for quite a few years. Often a security problem is found and a commercial vendor remains unresponsive until someone produces a working exploit. Then, once the world has access to the exploit, the vendor usually begins work on a patch. Sometimes it's the only way to get their attention.
Now, the exploit itself has no legal purpose when you use it. It could be an educational tool to explain about buffer overruns/race conditions/whatever, perhaps. But often someone needs to write it and publish it or the vendor will never do anything about it.
Having virii and exploits should make us all more conscious of security and more prone to check your provider of software, check digital signatures, and more apt to want to see the source code.
The world is not a nice place and people would attempt to break into machines anyway. If having virii and exploits out there increases the level of security in software and systems then I am all for it.
I worked for a contract shop in Florida, and more than once used "hack" tools to get a job done. Occasionally the rules of engagement get you in a bind and you have to work outside those rules to get your job done. We had a source control machine that crashed, dead, inoperable with quite a bit of source code that we needed to retrieve. Without hack tools, etc, we wouldn't have been able to get the data back out by playing the role of script kiddies and using hack s/w to make the drive accessible. A tool is a tool. Without those tools in particular, my company would have had to face a serious financial set back. mike
Off the top of my head, I'd say this is rather like the question of firearms, and I'd say that "guns don't kill people, people kill people" is even more applicable for software than for guns.
Naively making it illegal to produce software capable of being used to break the law would make a lot of vital activity - for instance producing exploits for security flaws - against the law, which would be hugely to everyone's detriment. If that was done, the inability of honest law abiding people to effectively investigate security issues would be a massive boost to crackers everywhere.
As far as I can see liability for breaking the law lies with the person whose intent it was to break it. If that is the author of some software (eg, a program deliberately designed to spread a virus) then so be it, but if the author produces a tool with multiple functions (eg. BO2K) then he's no more guilty than a man who makes a knife.
There are of course some tricky cases. For instance a friend of mine once wrote a virus as an exercise and gave it a slightly nasty payload. He never intended to release it, but unfortunately a copy got loose on his hard drive and infected several other machines before it was wiped out. If that had well and truly escaped, and done serious damage, where would the liability lie for that? Or is it a natural hazard? Possibly there is no criminal liability in that case, but merely civil negligence by failing to contain the virus?
IANAL
If I yell 'FIRE' in a crowded theater, and people use my 'product' by accidentally killing by stampede, I would certainly be responsible.
In either case, I personally didn't do the killing, but the line of responsibility clearly falls on different sides. What if I invented and marketed a product that could only be used to kill sleeping people ? What if it had no other uses at all ? Would I be responsible ?
The difference between who's responsible and who's not eventually is determined by the 'official' making the legal decision, and if that person is on the left side of 'center', the line falls more towards the manufacturer. If the person is on the right side of 'center', it falls more towards the user. In the end, that's the difference.
hehe Terrorist, that is a judgemental word, a terrorist generally has a political goal to achieve and just wrongly feels terror is the most effective means to achieve it.
if you agree or not they are just fighting for what they believe in, be it their religious beliefs, money, or democracy.
script kiddies generally have no goals, they just want to cause shit.
of course being a terrorist is a very poor way to achieve your goals anyway.
I think the law has to treat the person who uses a product for illegal means as the "guilty" party. The person who makes it bears no automatic culpability.
This is my general take. Gun manufacturers are not responsible for murders committed with guns. Now, I'm not a gun nut, but I think this is legally right.
The same should hold true for the authors of nmap and queso (to name a couple tools that system crackers might use) and the authors of pgp and gpg (to name a couple tools that criminals or terrorists might use).
Now, if it is a question of ethics, you've opened an entirely different can of worms. Ethically, I think several guns need a closer look. I think teflon tips are something that raise ethical questions. I think nmap has a few grey areas (what legitimate use requires the micro-fragmentation feature? That's there just to avoid string scanning intrusion detection.), but in each of these cases (except maybe those teflon tips) I think the law has to protect the author/maker and hold the user accountable.
If we hold that the maker/author is responsible for all of the ways in which their product/idea is used, then we should have locked up Darwin because his ideas contributed to holocaust. We should lock up the inventor of the circular saw because it has maimed and killed. And so on...
Ethics lies behind law, but the cliched figure of justice that adorns so many government buildings (at least so many American ones) wields a scale, a sword, and she is blindfolded. The sword is two edged as well. It may be a cliche, but it is an apt one. The law is not ethics. The law is the minimum interference to maintain the social order. While many conservatives in this country will argue with me about the law being minimal, it is certainly not the opposite. You can write and buy a book about how to crack safes. That's legal. Crack somebody else's safe, and you've broken the law. It seems absurd, but it isn't. To write a book on how to crack safes (so long as you believe in the idea of private property) is unethical, but I for one would not want to see it made illegal.
Some might say that programs which allow this kind of detection of vulnerability should not be made available, and that they make it far too easy for someone wanting to break into a server to do so with little or no experience. These people would be ignoring the fact that the information is readily available on the internet already, and that these programs only serve to make life easier for people. As long as the systems administrators ensure that they use these programs on their machines, and follow the advice given, they can be in no danger of someone using the software against them. In my opinion, any administrator who fails to do this simple task shouldn't be doing the job. They would also be ignoring the fact that these programs are not generally written to be easy to use. Anyone managing to make use of them must have at least some experience, and therefore would be able to do the same thing (though not as quickly) without the software to help them. On the legal side, I don't know if there is any law against this kind of software. But with the prevalence of these pieces of software in existence, and the fact that I have heard of no court cases relating to the author being sued (I'm sure there are several large corporations who would like to do it), I can only assume that there is no such law, or at least none which is strong enough to bring a court case against anyone.
This is a little bit complicated, but not so complicated that a 5-year-old cannot get the gist of it. Software is a tool, and like all tools, it can sometimes be used for good or evil. For example, let's look at a gun. Who is responsible: the maker or the one who used it to commit a crime? It depends. If the maker of the gun allowed the gun to be obtained by anyone, as far as ethics go he is partially responsible. The same applies with software.
In the software world, take a look at Back Orifice. The guys who developed it are partially responsible for all the wrong things that are done with it. I am not against them for releasing it or sharing the information, so please don't attack me. Likewise, the users who used Back Orifice are responsible.
Now, let's take a look at the latest bind overflow exploit that was released not so long ago. The developers of this code are not responsible. The exploit was crippled so that anyone who has not written or read about buffer overflows could not use it. Now, if I was to take this exploit and uncripple it, then use it, then I am to be blamed, not the developers.
So, as you can see, it depends on why/how the software was released and deployed.
------ Curiosity killed the cat. {satisfaction brought it back | it didn't die ignorant | lack of it is killing mankind
And an atom bomb is just a bunch of atoms... But that sure doesn't mean it can't wipe out a city.
Just as a virus can destroy a network...
Sticking feathers up your butt does not make you a chicken - Tyler Durden
If you can sue a gun maker for the criminal actions of a third party (which has been allowed in U.S. court), why not allow lawsuits against makers of software such as compilers that allow people to manufacture viruses.
Consider the Chicago example. It is illegal to own guns in Chicago. People who want to own a gun but live in Chicago drive to the 'burbs and buy a handgun from a legal dealer there and then transport the gun back to their Chicago residence.
The city is suing gunmakers and dealers saying the dealers are acting in a negligent manner by selling to people they should know are breaking the law.
The same principles could easily be applied to compilers and other software -- by not making sure that the buyers of the software *aren't* going to use it to create viruses, the dealer and manufacturer are negligent.
Or to put it another way, has anyone in the software industry taken any positive steps to make sure criminals *don't* have access to their software? No, they haven't, and that's exactly the grounds that people are going after gun manufacturers in court.
Now, before I get the torrent of "the internet is not policable" posts and all the rest of the freedom online thing, I have a few more things to say.
I realise that it is much harder to prevent the production of malicious code since it takes only one person using tools that are freely available. Furthermore, recent incidents (deCSS etc) have shown that it is impossible to prevent the circulation of code/binaries on the internet. However, I don't think that difficulty of enforcement is reason enough not to legislate. It would give the law enforcers at least some leverage in certain situations, that they don't have at the moment.
Secondly I realise that the line is very blurred between legitimate usefulness, and malicious, particularly with tools that can be used both maliciously and defensively, like port scanners. Again, I see this as a challenge for the courts and legislators, rather than a reason not to even attempt to legislate.
I think that it is also the responsibility of every developer to think about the potential illegal uses of their code, and the damage that their programs could cause. Since it requires a certain degree of brain power to be a developer in the first place, it shouldn't be too hard for everyone to realise that if they write a virus/scanner/exploit, and release it to the public, it will inevitably wreck someone's day, and cost someone money. Just put yourself in the position where you miss dinner with your family/have to stay up all night fixing a server because of some script-kiddie/have to postpone the family holiday because your data was wiped off your servers, and you miss a contract deadline as a result. It doesn't take long to decide not to release malicious code does it? Just remember that there's always some arsehole who thinks it's cool to screw things up, and he might be doing it with your code.
"The new wave is not value-added; it's garbage-subtracted" - Esther Dyson, Dec 1994
I feel that the user is totally to blame. Much of the software out there can have one bad use or another. You can't blame a developer for the software being used in a destructive way no more than you can blame a fork for the user having bad table manners.
However, consider tools/processes that have no legitimate use, such as chemical weapons. I believe I'm correct in thinking that development of chemical weapons is illegal (in most civilised countries). Computer viruses should be considered in the same light.
To use an analogy, guns are designed to kill. That is their sole function. They'd make lousy can openers. As such, I feel that the makers have a measure of responsibility if people use guns in that manner.
HOWEVER, a measure is just that. A measure. The gun manufacturers don't -make- people use guns that way, that is the choice of the owner, and nobody else.
I guess my point is that responsibility (as opposed to blame) for anyone involved is, IMHO, never 100% and very rarely 0%. Rather, it's the entire spectrum in between.
If a software package has one, and only one, possible function, then the writer or company needs to take some responsibility if people use it that way. After all, that's what it was intended to be used for, and that alone. For the writer or the company to deny any responsibility, on the grounds they didn't actually -use- the program that way, is denial of reality.
MOST programs, though, are multi-purpose. SAINT is an excellent example, being very useful for testing for some of the more blatant security flaws in systems. Yes, it can also be used maliciously, but so can a swiss army knife. Doesn't make either program necessarily malicious in its own right.
Summary: Where one, and only one, intended use exists in a program, the writer or company should bear some responsibility for people using that function in the manner intended. (NOT blame, just responsibility, and at most 50% of the responsibility.)
Where more than one use exists, the writer or company should bear responsibility no greater than 50% of the fraction of possible uses that are malicious. (The user is never forced to use the program maliciously, so bears at LEAST half of any responsibility, regardless.)
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
If programmers are made liable for others misusing their code, then it's easy to let the argument keep sliding backward. Since programmers provide the tools used for hacking, who provides the tools for programmers? Compiler developers. Who makes compiler development possible? Hardware development. Who makes hardware development possible? Companies combined with some really smart people.
How far back should this line of reasoning be taken?
If you blame the programmers for producing hacking tools, then outlaw programming. However, since there's a programmer wherever there is a compiler, you'll have to outlaw compilers. Since there is a compiler wherever there is hardware, outlaw hardware. Who produces hardware? Companies/corporations such as IBM, Apple, etc. Where did all the hardware ideas start? ENIAC. Why was ENIAC built? The US military wanted it. Why? World War II. Why? Hitler.
Blame all hacking on Hitler. There, now we have identified the responsible party. Someone go convict him.
Bono Vox, bono@vox.org
How many pieces of software could NOT be used in an illegal way?
I could write a ransom note in Word on my Windows 95 machine. I could then send it to you via E-mail. I guess that also implicates my AOL software, sendmail and the copy of Eudora you use to read it. I suppose that means we'd better round up their development teams and cart them off to jail.
Grab the Mozilla team while you're at it... I just looked at some illegal pornography and those developers assisted me.
The user should ALWAYS be held responsible.
Developers are blameless... unless they play another role in the problem (such as misrepresenting their software) "Oh yeah, run this 'internet_worm' program, it's even more fun than Zork!"
If I create an AI lifeform, and it commits a crime, who is at fault?
No legitimate uses for viruses? Being interested in viruses myself, I can tell you that *real* viruses (not the Melissa crap) push the limits of both OSes and underlying architectures. They are fascinating and *VERY* educational.
You sound like one of those idiots who would lock me up for playing with something you don't like. I'm really glad you're not in a position of power to enforce such stupid laws.
On the other hand, intentionally infecting other people's machines brings up the question of ethical use. This is a completely different can of worms. Is it illegal to insert malicious code into other people's systems? I should think so.
Software is a tool and the end user holds full responsibility for how he or she uses that tool.
The best answer to this question I can think of is "How is your disclaimer phrased?"
Diamond warns their customers that the Rio product is intended to be used for legitimate uses only, therefore they are not responsible for their customers violating copyright law.
McDonald's did not have anything more specific than "Caution: Hot" on their coffee cups, therefore they were responsible for some woman ordering coffee at a drive-thru and scalding herself with it. They never mentioned that pouring the coffee on yourself was not an intended use, therefore they were liable for her injuries.
VIRII
When I was in first year Computer Engineering, we spent quite a lot of time on this issue. (Note: Laws, etc, pertain to Canada, but I believe that the US is the same).
Currently by law it is the user's responsibility, totally, in every situation. However, there is starting to be significant pressure to make some systems the responsibility of a Professional Engineer, who would have to sign off on a project, and take responsibility for it. The reason for this is not virii, but other systems, such as medical software, navigation/control systems for aircraft, trains, etc.
Numerous people think that someone who develops the software to control the administration of a drug (for example), should have to take responsibility for the safety of their code.
I don't have a reference for it, but one of the big examples that we discussed had to do with a machine that administered chemotherapy drugs to patients in the US. There was software controlling the dosage, and a hardware safety check to prevent ODs in the first version. Then in the second version they removed the hardware check and (I think) about 20 people died of ODs because a lazy programmer didn't check whether the dose was allowed or not. In this case, the hospitals were deemed responsible for the deaths, but personally I think that situations like this need the developer to take responsibility for safety.
Of course the problem with the developers taking responsibility is that most projects depend on numerous other products. For example if a developer writes code that is safe, but is rendered unsafe by the compiler, or by the OS the system is running on, who is really responsible, the developer, or the tool vendor? Which brings me to my final question, if the third party vendor is actually an open source project, who takes responsibility for it? As an example, consider this. Some company wants to write a navigation system for a 777. They search freshmeat, and find that there is a really great AVL library that is LGPL'd. They decide to use it rather than roll their own, and some bug in the lib causes the planes to crash. Is the library developer responsible, or the company who made the nav system? I realize that most licenses have a no liability clause in them, but if it becomes a requirement for developers, could this be a major stumbling block in the road to world domination?
Anyway, I think I have rambled long enough, I should probably go write some code now. (Good thing I am a co-op student, so I won't be working here when the code gets released).
Pilchie
With enough inventiveness, a person can put just about anything to use in illegal or immoral ways. Crude explosive devices can be made with common household objects and common chemicals. In the film Casino, a guy is stabbed to death with a fountain pen. Photocopiers or PCs with scanners and printers can be used to forge documents.
You cannot start trying to make the person who produced the item in question, whether it be a piece of software or an object of some kind, responsible for the use to which people put it.
As many people have already pointed out, you can't sue a gunsmith if someone uses one of their guns to commit murder (unless, of course, the intended use of the weapon was made explicitly clear at the time of purchase, but even this is somewhat dodgy ground). In the same way, you can't sue Microsoft because there exists in their software the capacity for people to write Word macro virii.
Ultimate responsibility must rest with the user; to try to make it any other way would be to start down a very dangerous road indeed. Imagine a world in which you, as the author of a piece of software, are responsible for any use that anyone makes of it, now or at any point in the future. Any piece of software more complex than "Hello World" has the potential for misuse - email clients can be used to send harassing/defamatory emails (and don't forget the servers that relayed those messages, or the network cabling, routers, etc, etc...).
I would also argue that just because you write a piece of software, the sole purpose of which is, for example, to attempt to expose security holes in a system, does not mean that you are liable for any illegal use to which it is put.
I do not believe that people can be held responsible for the actions of others, particularly when they have never had any contact with them.
Just my two penn'orth.
Tim
It's official. Most of you are morons.
Take a couple of examples: the recent DVD crack, and credit card number generators (the latter generate syntactically valid random credit card numbers). For the purpose of discussion I'll assume that copyright violation is unethical.
In the case of the DVD crack the purpose of the crack was honest: to let Linux users legitimately watch films without having to pay for Windows just to run the DVD drive. This is a perfectly legitimate goal, and there is nothing unethical about doing it. Of course it is possible to use the same software for unethical purposes, but the author of the software is not responsible for such a decision.
On the other hand the author of a credit card number generator has produced a piece of software which exists for only one purpose: to facilitate theft. The author set out to aid theft, and is therefore morally an accessory to the thefts which are carried out using the software.
Of course there is a big grey area in between these two extremes. What do we say about software which has some minor or marginal use, but which is almost entirely used for some bad and foreseeable purpose? Back Orifice might come into this area: it has some legitimate use for remote admin, but its primary purpose is to break Windows NT security.
Here ethics moves away from the legal domain: lawyers are concerned with proof. However ethics is more about formalising matters of conscience (although some ethical codes do carry penalties for gross violation). If you believe that cracking is wrong then it follows that the CDC acted unethically in releasing a tool which had, as its primary purpose, cracking NT.
A program for Linux which was designed to facilitate DVD copying would be an interesting case. It may be ethical to copy a DVD for backup purposes, but the vast majority of copies made would be illegal pirate copies for sale or just given away. Would it be ethical to write such a program?
The classic hardware scenario for this kind of ethical debate is the shopkeeper who sells a knife which is subsequently used in a murder. If the knife is a cooking knife bought in the normal course of business then obviously the shopkeeper shares no guilt. At the other extreme if the customer comes in and says "Give me a knife so I can kill my wife with it" and this statement appears believable then equally obviously the shopkeeper is an accessory to the murder. But in the middle is a large grey area. What about combat knives? They are specifically designed to kill. Any individual purchaser might plead a desire for honest self defence, but the fact remains that most of the time that such knives are used it is not in self defence. The vendors must therefore share to some extent in the guilt of the users of these knives.
Paul.
You are lost in a twisty maze of little standards, all different.
After initially reading the question, I was of two minds, after reading others' comments and taking a few minutes to think about it, I'm of single mind on this. Software products are tools, much in the same way a hammer and screwdriver are tools. To hold the developer of a software tool responsible for its use is absurd. I CAN see some exceptions: viruses, BUT, as another poster has noted, viruses tend to be very nice pieces of code that can (and IMO, SHOULD) be used for educational purposes.
A good example (used here by others) is the drunk driver. While sober, the driver behaves and uses his car responsibly, however, after a 6 pack of Newcastle Brown he really shouldn't be driving. He gets in his car anyway, and ends up killing somebody in an accident. Who's at fault? Not the car manufacturer. In fact, I can't think of any sane person who would even consider holding the manufacturer responsible. The driver, on the other hand, is completely responsible. He got drunk, drove, and killed someone.
The question still remains wrt software: is the developer responsible? Yes and no. No, because in general, the software created will likely have a multitude of uses, most of them legal. An example would be if we tried to hold Quicken responsible for an organized crime family using their software to manage their books. Yes, they should be held responsible if the developer is knowingly developing a tool with the goal of it being used for illegal activities (virii, primarily). BO2K is a legitimate product, MS and other companies make similar products that no one has a complaint about. The only reason people bitch about BO2K is that it was NOT developed by a major software house.
Again: Yes, in some cases developers should be held responsible, however, in the general case the users are responsible for their own actions, as the developers have no control over the use of their package once it hits the shelves.
There are two basic types here, software that CAN be used both as good and bad, and software that is made for the sole purpose of destruction. Either way the user of the software is the one who should be made responsible for his actions, the tools cannot do any harm on their own.
:)
It's tempting to compare to a gun or any other weapon but this goes beyond that. By making such tools available it forces a reaction to the problem and thereby makes the world a better place. If the tools remained unknown to the vendors it would just make technological warfare, industrial espionage or whatever, so much easier.
In a perfect world it should be enough to notify the vendor of a problem, but this just does not happen. The only way to make sure patches are released, fixes are made, and protocols changed is to publish the tools needed to take advantage of it.
This is the way bugtraq has operated for quite some time now, and I haven't heard of a lawsuit for making a program like that yet, but plenty of lawsuits against people who use them.
-- gunzip-howto.tar.gz
Guns are not (yet) outlawed.... It's the act of killing someone using a gun that is illegal. Same goes for Knives, Ammonia etc.... I think that it's the user's responsibility, not the developer... Technology should not be outlawed, but rather the illegal use of technology.... D.
It's Microsoft's fault.
it's the user's fault .. all of it really ... this goes for software as well as for example guns. just 'cause you have it doesn't mean you have to use it and if you do you have to take the consequences of your actions, no matter if you blow a person or a server away.
Hmm.. first of all, i'd like to say that this would be kind of a good poll.. :)
Secondly, i'd like to put it like this:
I would definitely prefer if it was something like this: Describing the techniques involved in the (randomtask)software, should be ok, while distributing compiled forms shouldn't be, since a lot of LaYme SKRiPTz0R k1DdiES wreak havoc by acting irresponsibly, and get us real geeks in trouble.
Kind Regards / Mark
VIDI , VICI, VENI. (Go figure.. )
The usual gauge of whether someone is culpable for an act is to consider whether he committed it with full knowledge of what he was doing, and if he consented to doing it.
If a tool-maker did not know that her tool could be used for bad ends, she is less blamable if it is used in that way. (I don't think it arises very often in software development, but if she were somehow forced to build it against her will, she is similarly less blamable.) Same argument for if a user does not know that a tool will have bad consequences, or if the user is forced to use it.
But if a user knows that use of a tool is wrong and deliberately uses it anyway, he has responsibility for wrongdoing. If a developer knows that the net effect of a tool will be wrong, and creates it anyway, she has responsibility for the wrong done because of it.
(The really hairy question is to ask how the developer judges if the "net effect" of a tool will be bad. I leave this as your homework exercise.)
The end user of the software is totally responsible for his or her actions. There is no question about that. Trying to deny the responsibility of one's own actions is morally and ethically unacceptable; even though it is often done in the United States. I cite the example of the woman who sued McDonald's for $1 million after spilling hot coffee in her own lap. Her argument was that the coffee was not appropriately labeled as dangerously hot and therefore her burns were a direct result of McDonald's negligence. Now, we all know that the woman was a moron, but worse still, she skirted her responsibility for her actions. She played ignorant and refused to acknowledge that she was stupid to have put hot coffee between her legs.
Notice, however, that if one embarks on an action that harms others, the authorities are *very* quick to take the correct moral and ethical high ground. If you use a gun to murder someone, you are tried for murder, not the gun manufacturer. If you break into a home using a glass cutter, you will be tried for breaking and entering, not the glass cutter manufacturer. If you use a particular software package to crack a system and damage it, you will be tried for computer trespass, not the software designer.
I guess the real question you are trying to ask is "can the software designer be held responsible for making a tool that is potentially dangerous"? Asking this question is the same as asking "can we hold any designer responsible for the harmful use of their creation"?
I don't know the answer. The closest I can come to an answer for myself is something that is purely relativistic and probably unacceptable. I would say that it really depends on the intent of the creator. For example, if I use a Stanley claw hammer to unrepentantly bash your brains in, I think it is a safe assessment to acknowledge that the Stanley corporation will not be brought to trial for murder in the first degree. However, if Stanley designed and marketed a hammer specifically for the purpose of imploding the skulls of living humans, and I used *that* hammer in my crime, I think the Stanley corporation might find themselves culpable.
So what about gun manufacturers? I don't think anyone can argue to the contrary that hand guns are designed for anything but the purpose of immobilizing and killing human beings. But are gun manufacturers ever brought to trial with the assailant in murder cases? Not that I know of.
That's all I have to say about that.
Nothing can possiblai go wrong. Er...possibly go wrong.
Strange, that's the first thing that's ever gone wrong.
Tyler's words coming out of my mouth.
I can think of 4 different 'levels' of responsibility/blame here, depending on circumstance, and on the application.
1) User bad, programmer good:
A prime example of this would be 'tcpdump'. It is a very very useful tool for finding faults on networks - I only used it the other day. It doesn't just do tcp - it will handle all sort of network protocols. Such a useful little tool.
tcpdump, in short, is a network sniffer/analyser. It listens to all network packets passing by your network card and displays information about them on the screen. You can even save all of these packets to a file for analysis later.
This leads to a problem with it - in the wrong person's hands, this same tool could be used to find non-encrypted passwords, allowing someone to access a system. It can also trap encrypted passwords over the wire, save them to a file, and allow someone to crack them.
Of course, it can get even more than just passwords - emails, credit card details, etc. This is why we need good encryption routines and SSL.
This is a perfect example of where the user is the one at fault. The programmer did everything that was required to make the utility useful for fault finding. He would have known that it could be used for bad things, but it was necessary for the good things too.
2) User bad, Programmer good and bad:
(disclaimer: I'm not giving out about BO2K, just using it as the only example I can think of here. No harm is meant to CodC)
Next, the case of BO2K. This tool was, in some ways, written to allow people to get access to NT systems. It was written with the knowledge of certain security breaches in NT.
The program itself, though, is one of the best admin tools for NT. The guys who wrote it don't use it for gaining entry into NT systems.
Here, if a user maliciously uses the program, then, yes, the user is still at fault. Is the programmer responsible? Well, firstly we need to know if the ability to use it maliciously can be used for a good purpose. Yes, to an extent as it shows that there are security bugs, and that they should be fixed. Next, we need to know if the feature is a necessary feature in order for the program to work. In this case, I don't think it is.
So where does that leave us? Well, the feature was added in order to improve NT security. The feature brings to light the knowledge that the security problem exists. So, for this reason, the programmer was morally correct in adding the feature, if just to ensure that admins (and MS) fix any security holes so the feature can't be used.
At the same time, it was wrong, as not everyone will get the security feature fixed, meaning that the program can be used to gain access to their systems. This is a case of being right and wrong at the same time.
Notice, however, that the user is just wrong for using the feature.
3) User bad, Programmer bad:
Next has to be the case of a program designed to gain entry into a system, but with no other use. Again, a user using such a program would be wrong. If this program has no 'good' use (unlike BO2K), then the programmer would also be wrong.
An example here would be the program 'crack' for cracking Unix passwords - a tool written exclusively for that purpose.
4) User good, programmer bad:
User blameable, programmer bad:
Lastly would be the case of a virus/trojan. In this case, in most circumstances, the user is not to blame. Naturally, different circumstances can bring blame to the user. If, for example, the user forwards on 'Sophie.EXE' to all the other guys in the office, which is most likely against office policy, and it happens to contain a trojan/virus, then this user would be to blame for not checking it, in a moral sense. He may have innocently sent the attachment, but blame could still be put on him for causing problems within the company.
The programmer of the virus is definitely to blame.
In the case of the last 2 here, the difference is that a Virus/Trojan isn't a utility that the user would be using to deliberately cause harm. In most cases, a user would be unaware of the virus within the program/file. Like, what's the harm in running Sophie.EXE, eh?
The whole moral issue in all of these cases can have exceptions. Take the example of crack - here the police could use this utility to help them gain access to a drug baron's computer, helping to convict him. In this case, the use of the product is a good one, and you could say that the programmer's involvement was also good. Everything has exceptions.
"Do not use while sleeping." -- On a hair dryer.
"Do not use in shower." -- On a hair dryer.
"Warning: This product can burn eyes." -- On a curling iron.
"Do not use orally." -- On a toilet bowl cleaning brush.
"Please keep out of children." -- On a butcher knife.
"Wearing of this garment does not enable you to fly." -- On a child sized Superman costume.
"May be harmful if swallowed." -- On a shipment of hammers.
Are you sure you want a warning label on anything that can be potentially dangerous?
Surely an example of good ethics is doing your own homework assignments rather than just posting the questions to "Ask Slashdot"?
[with thanks to hobbit]
Dear Computer Ethics, This is not a case of the Weapon maker being unable to control the use of the weapon after it leaves his establishment. In the case of software you can make a very powerful argument for harmful intent. Software can be so designed to do nothing other than its intended purpose. But when you start adding all kinds of little programs that monitor and surveil the user or another user while the software is running, that amounts to invasion of privacy at the least and up to criminal harmful intent. When programs are written into software for whatever imagined crimes, you are breaking certain unwritten moral codes and probably laws as well. However you might justify the logic of such programming, you are clearly stepping across a line.
The person who should be held responsible for any action, is the person who committed the action. Like so many have already said, the company producing fire-arms can not be held responsible for murders. One gentleman felt that if the developer creates software that can be misused then he should be held responsible, this is the exact same situation as with guns. If AOL tries to make it easy for people to get on the web and in their efforts make it easy to hack into someone's PC, that does not make them the perpetrator. The person who hacks into the PC is wrong. If we support the idea that the developer / producer is wrong it will cause total chaos.
That question is really good and has been debated by many philosophers. (And will continue to be)
For me, as a computer programmer, I try to keep my software bug-free. It is impossible of course to have such a thing as a bug-free software with all the variables taken in account while writing a code.
What I think is up to a legitimate line, a legit software can contain "bugs" and users must accept it so. A company that won't write patches/upgrades or have too many bugs could eventually be attacked in law.
As for purely evil codes (destructive viruses), I think it's both the user and the writer who have the responsibility in that case. I wrote many viruses, some pretty destructive. But I never made them leave a particular floppy. I made them basically to learn more about viruses. I take full responsibility for them since I keep them hidden.
<<In one line, my answer would be: Depends on the intended usage of the software.>>
What I REALLY fear is people creating false usages to protect themselves from their share of responsibilities. More or less like the software patents we have these days.
In SW patents, people will use twisted ways to get their software patented. "A device which permits to (Insert patent here)".
If a virus writer would like to protect himself, he could always say he was doing that particular "piece of software" (and not virus) to help system administrators learn about the different connections between employees of a company and the outside world. Who shares codes, who knows who in competition.
In these cases, it would (again) be the big companies that would be allowed to do anything. The small fry wouldn't use 2000 lawyers to create false pretenses.
There's no way I can justify, in my mind, blaming the author of the software. It's the implementer that is at fault.
In the case of virii: I don't believe there is anything inherently wrong with writing a virus. The author is not to blame until he unleashes it--deliberately or accidentally.
I have yet to find a good reason to hold an author responsible for how their software is used. It would be an evil thing if we could be prosecuted for the way someone may abuse software that we write. This could certainly have a chilling effect on free software.
I don't think any of us will be very happy if the people that can afford to release software are companies that have a full-time legal staff to fend off law suits brought on by misuse of software.
numb
BTW
:^)
If you happen to use ANY of the comments given to this posed question you should give the credit in your bibliography and/or within your paper or that's plagiarism and unethical. Thought I would point this out since you are taking an Ethics course.
Me I have two weeks left on my Business ethics course. (sounds like an oxymoron to me...)
Gabriel/TSS!
The Truth is a Virus!!!
...there was a yeast product sold, or so goes the legend, that had a disclaimer on it:
Warning! Mixing this product with (names many beer ingredients) and heating for (instructions) will produce beer, which is a controlled substance under the (prohibition laws).
So it has been _legal_ to sell this stuff. Also note that under Prohibition it wasn't illegal to drink, just to sell.
As another example, look at "head" shops. They sell "drug paraphernalia" such as pot pipes, and usually stay in business. The person who uses them could get busted for possession of pot, and the pipe has no use outside of pot use.
In practice you can sell a lot of stuff with no "legal" use.
I'm going to open up a can of worms here and open myself up to a flame war. Moderators, go ahead and mark this down as flamebait, but please realize I'm not trying to advocate a political viewpoint:
Is a gun company responsible for people who get shot?
Some people say "yes". Like Gail Fox, a Brooklyn lady who watched somebody shoot her son. He survived, fortunately, but she felt that action needed to be taken. Not against the person who pulled the trigger. Not against the dealer who illegally sold the gun. Against the gun industry. 15 of the 25 gun companies named in the suit were found liable for the shooting, and for the deaths of 6 other children.
Take this logic and apply it to software. If some company is hit by BO2K, it isn't the fault of the script kiddie who installed it. It isn't the fault of the administrator who didn't take proper precautions to secure the servers.
No, according to the flawed logic detailed above, it's the cDc's fault that the company gets hacked. After all, the cDc distributed something that they knew could be used for illegal purposes! They distributed something that could be easily used by even the most inexperienced person to wreak havoc on the lives of others, right?
In other words, personal responsibility is gone. Nobody prosecutes the people who sell illegal guns-- they prefer to make the CEO of Colt Firearms go in front of a judge and grovel for mercy. Nobody wants to prosecute the script kiddy or toughen up their system-- it's easier to blame the Cult of the Dead Cow and make them pay for the damages. Nobody wants to make a good copy protection scheme for DVD movies-- it's easier to threaten lawsuits against the people who point out how horribly fucked-up the system is.
Responsibility for the use of any technology, be it software or guns, is in the hands of the person who uses it. I don't believe in passing the blame around like so much candy-- my actions are my own, for better or worse. If I'm willing to take the credit for my accomplishments, I should damn well be willing to take the blame for my mistakes and blunders.
A note to the world: don't blame others. It won't do you a damn bit of good. Instead, take a little responsibility for your actions and learn from your mistakes. It's that ninth habit of highly successful people-- they don't pass the buck.
Software is just a tool. Any tool can be subverted for immoral/illegal ends. A tool apparently designed for such purposes can still be used for good things.
If the user uses a tool to commit a crime, then the user should be responsible.
The only situation I can see where the developer should be responsible, is where software is designed to secretly do illegal things behind the user's back, and even then the developer should only be responsible if he/she willingly released it on people.
Hi,
I think that the legal (also ethical) responsibility is the user of the software.
But the creator of the software is responsible in an ethical manner. That if he wrote the software for study purpose in a controlled environment, it's ok, it's just research. On the other hand, if he wrote the software and made it available to everyone without the intent of doing research, then he is responsible for the use of the software (legally what I've just said is worth nothing).
We can make a parallel with nuclear weapons. The intent to create a nuclear weapon is to enable someone to use it to kill people (no, nuclear weapon will not defend anybody... Killing a bunch - a big one - of civilians is not an act of defence). So the manufacturer is responsible for the use of the weapon (ethical). It is unethical for someone to build nuclear weapons because their only purpose is to do something that is unethical.
So writing software that does nasty things with the only intent of releasing it in the wild is unethical. Writing software that does nasty things to be released in a controlled environment (and at the same time writing counter-measures) is ethical.
Absolutely. Not only hammers and crowbars, but guns, knives, ICBMs and even landmines.
Tools are tools, they're made for a specific purpose. Their misuse, whether intentional or accidental, must not result in the manufacturer being liable.
Furthermore, it is the intent that counts. Consider manslaughter vs vehicular homicide. In either case, a car is the machine used to kill a person, but the intent of doing so makes a difference.
Intentional misuse is what points the finger of blame. If a chemical in a can of hair spray causes harm when used according to design, the manufacturer is to blame. If it is intentionally concentrated and then inhaled, resulting in Little Johnny becoming a vegetable, it's the kid's (or parents'?) fault.
Now, in the case of intentional non-disclosure of harmful potential.... Ah, let's just avoid discussing Microsoft's security issues, shall we?
-- What you do today will cost you a day of your life.
Bearing in mind the large number of products that could kill people (hammers, cars, guns, planes, etc.) you can separate these out into two categories based on a simple rule: was the intention of the manufacturer to build a product that is harmful?
In the case of most things, no. Therefore it is up to the user of these products to handle them for their intended use. A hammer is intended to slam nails into wood - if the user chooses to slam someone's head with it instead the manufacturer cannot be held responsible.
If, on the other hand, the manufacturer produces a software product with the intention of permitting unauthorised access to privileged information/facilities, then the manufacturer should be held accountable, and the user prosecuted for actually committing the crime - remember that the user had to choose to perform the act.
Broadly I believe this is also how the law sees the issue.
James Green
If the software is obviously nothing but harmful and wrong then it's both the software developer's fault and the user's fault.
There are two scenarios: (a) Software developed FOR illegal purposes - Developer's Responsibility. (b) Software developed FOR legal purpose - User's Responsibility. (a) If a developer creates a program that would be considered a VIRUS, then the developer should be held responsible. This is because the only way a "user" gets his hands on a software package from the developer is if the developer distributes it (or otherwise makes it available). Thus, even if the developer does not activate the virus, the developer initiated the start of its spread by distributing it. Of course, if the user knows it is a virus and actively sends it along, then the user should also share in the responsibility. (b) Other software (non-virus) that is used for illegal purposes needs to be considered differently. If the software was written for a legitimate use then the user illegally using it takes the major responsibility. This does not mean that the developer has no responsibility. Just because there is a legal use of the software, was that use really the reason for the software or was it an excuse for the creation of software to be used illegally? It will be for the courts to decide and most likely on a case by case basis.
Unless the item in question can only ever be used for nefarious purposes, common sense dictates that it's the user that's culpable, surely. It's kinda like a kitchen knife: in the wrong hands it becomes a murder weapon.
Isn't that like saying the people who were suing
gun manufacturers for "Making a dangerous product"
have merit?
If an author writes a program that can crash
windows machines...he has every right to do that.
He has every right to crash every Windows PC he
owns with it and every one other people own and
give him permission to crash.
Software is a tool. It is a mistake to hold the
maker of a tool responsible for the outright
misuse of the person who USES a tool.
If I buy a lock pick that's fine. If I pick my way
into my house...that's fine. If I decide to use my
lock pick(s) to get into someone else's house..
that is _MY_ fault not the person who made the
lockpicks.
Hell even things like Winnuke HAVE been used
legitimately. One day I had a windows machine I left on and left some stupid program running
that was doing things on the network I needed
to stop (mostly it was an application whose server
only allowed one session at time)....so...
I winnuked it from a linux box (stupid microsoft mail anyways)
man I'm glad I don't work with windows anymore.
As far as non-windows stuff....anyone else ever
been faced with a machine you can't easily get
physical access to...hasn't been upgraded in a
while...the owner has LOST the root password...
and needs you to work on the system for him?
Sure...most people I'd just laugh at and tell to
piss off under those circumstances but...at least
once it happened and I had to try to root the box.
Wasn't successful....but it's a legitimate use for
such tools.
"I opened my eyes, and everything went dark again"
If the only purpose of a tool is to cause harm (say an anti-personnel landmine) then both the maker and the user must hold responsibility. It is too easy to absolve responsibility claiming that it is the user's fault alone.
An Eye for an Eye will make the whole world blind - Gandhi
Since I mentioned it...
anyone have a good few program recommendations
for root-ing a Debian install (fairly standard
install..no X) that's about 6 months old...never
been upgraded?
It's my father's box...I set it up for him and gave
him the root password...all he uses it for is
as a masquerading firewall...however we would like
to setup SAMBA on it as a domain controller.
...and he lost the root password (I let him have
it and told him to keep it safe...forgot to make
myself a uid 0 account before I left)
"I opened my eyes, and everything went dark again"
So does that mean if I use a Windows 95 box and use telnet or ping, that would implicate Microsoft in the crime?!!! I only wish...
This is the old Blame Game we people are so eager to participate in. The goal of the game is to find a scapegoat as remote from ourselves as we can possibly get. The number of scapegoats should be as few as possible too, just to reduce the complexity to get to a crystal clear "solution".
Remember, Blame is just a human construct, an illusion of the intellectual mind. Just as the conception of "wrongness". It's an ongoing effort to judge Cause and Effect, always changing with the political, religious and common beliefs. Alas, the solution seems always to be amputating unwanted elements as a misguided effort to improve our lives. Utilizing violence to redeem the faults of our society and how we live it as individuals. When do you think this simple strategy will finally have removed all the "bad elements"?
Next thing, they'll probably lock up Software Developers in prisons. Oh, wait, that's done already. Dang!
Fear is prison.
- Steeltoe
http://www.debunkingskeptics.com/
It is both people if: 1) The program was *created* for criminal/harmful intent 2) The program was *used* for criminal/harmful intent Or only one person if only that one person had criminal/harmful intent. Don't look at the external situation as much as the internal motive/intent of the person. The real ethical question is what is criminal/harmful intent? Jamie Burns.
until someone comes running to you "Help we lost
the root password on our server and we can't
bring it down for maintenance right now! Let
us throw money at you to help!"
"I opened my eyes, and everything went dark again"
I just used a kitchen knife to kill someone. Is the knife manufacturer to be held responsible? Will we need that from now on all knives will be made of plastic, to avoid injuries? I don't think so.
You give out an excellent tool for monitoring (say, SATAN). Someone will find an evil way to use it. In fact, almost every single piece of software can be held responsible for damages: Sendmail for sending spam, rm for removing files which were not supposed to be removed, Gnome for being the cracker's environment, Linux for being such an allowing operating system that allowed him to put malformed packets in the network... And it could go on and on...
That question is too generic to be properly answered. None-the-less I believe that the majority population would agree that if no one has committed a crime, then no crime is committed. Even if the tools required to commit the crime are available. Personally I believe that people who take responsibility for their own actions believe that everyone else should take responsibility for their own actions -and- people who do not want to take responsibility for their own actions believe that someone else is always to blame. -TheGuyBehindTheCurtain-
In the US, a similar debate is over guns. Possession of certain weapons is illegal. For other guns, possession is legal, while damaging other people with them isn't (obviously).
The same can be applied (in general terms) to software. Harmful viruses and the like have only
limited use: causing damage, for whatever reason. Possession of these could be considered criminal.
OTH, a lot of programs (eg. portscanners) can be used for good or for bad, directly or indirectly. In case of those, it's up to the user to use them ethically.
The problems with legislation are rather similar to the guns debate too. Illegal possession will occur. How to handle that is off topic here.
----------------------------------------------
the pun is mightier than the sword
Like guns- many uses, some terrible.
Well, I look at it in this light. Do you blame the person who invented and manufactures the gun when someone is killed, or do you blame the person who shot the gun? Just because you make a product that can do harm, doesn't mean the inventor is all bad.... Ok, maybe in this case a software that rips DVD is bad, but it just makes the dvd companies work harder. There is nothing wrong with this. If you bought a car that was put together half ass, and soon the tire fell off on their cars, wouldn't you go back to the dealer/manufacturer and tell them to fix their problem? Each product has rules, some like cars, you can't run people over, and you are not allowed to speed, just because you CAN do these things, doesn't make it right, and yet no one will place blame on the inventor.....
The user should be responsible for their actions. A lot of things that IMO shouldn't be illegal have been made illegal though, in computers and everywhere. America is run by idiots who feel they need to take away basic freedoms to protect us against us. Just review the words to The Unforgiven for a good review of life in America. [Sorry, listening to Metallica.] Other countries I can't give an opinion on since I haven't lived there but I'd assume they are mostly the same in this respect. It is the programmer's responsibility to develop programs that poke into security holes they've found. This is how security evolves and it's the responsibility of the coders to make sure claims that exploits are only theory are proven to be marketing bs so that companies are forced to fix things.
At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
Off the top of my head, I'd say this is rather like the question of firearms, and I'd say that "guns don't kill people, people kill people" is even more applicable for software than for guns.
Why? When was the last time you saw a gun with virus-like properties?
As far as I can see liability for breaking the law lies with the person whose intent it was to break it. If that is the author of some software (eg, a program deliberately designed to spread a virus) then so be it, but if the author produces a tool with multiple functions (eg. BO2K) then he's no more guilty than a man who makes a knife.
"a program deliberately designed to spread a virus" - AKA a virus.
There are of course some tricky cases. For instance a friend of mine once wrote a virus as an exercise and gave it a slightly nasty payload. He never intended to release it, but unfortunately a copy got loose on his hard drive and infected several other machines before it was wiped out. If that had well and truly escaped, and done serious damage, where would the liability lie for that? Or is it a natural hazard? Possibly there is no criminal liability in that case, but merely civil negligence by failing to contain the virus?
Why anyone would give a virus a 'slightly nasty payload' without malicious intent I have no idea. It isn't much more a 'natural hazard' than a bullet flying toward a crowd is a 'natural hazard'.
Just my tuppence worth (IEIANAL).
"Wise men talk because they have something to say; fools, because they have to say something" - Plato
Surely if the developer of the software is to blame, by analogy gun makers are responsible for murders by guns. A simplistic view perhaps. The intention is also important. A knife can be made for food preparation & not the murder it is used for - the same can be said of some software used to commit a crime. However guns could be said to be only meant as killing tools, and again so with some software. Altogether a grey area, which will become greyer. I incline to think that all information should be free & unrestricted ... and software is a complex form of information. However, tools of killing (software designed for warful intent? I know of none) I would hold are better out of society...
*apologies for straying to wider issues*
But if you look at this link on the BBC it seems that people *are* suing gun manufacturers, or at least makers of assault rifles, as they are not 'self-defense weapons'.
Everything I've read about the suits against the firearms manufacturers, including interviews with the legal team behind the suits, has been pretty clear that this has nothing to do with any new legal philosophy regarding firearms. It's entirely about a state-by-state plan to convince the states to sue the firearms industry into bankruptcy. The people behind this strategy were the same people behind the cigarette trials, and they're only trading on their success in that endeavor. Their motivation is, of course, the elimination of personal possession of firearms.
But they get the state governments to do their bidding for them. The states saw that they got a big pile of money from the cigarette companies and now they're eager to get another pile of money from the firearms industry. This has nothing to do with firearms -- the trend over the past ten years has actually been an increase in the number of states that now have "must-issue" concealed-carry laws.
The most annoying thing about the American judicial system is not the system itself, it's the people who cynically manipulate it to accomplish the goals the electorate has rejected time and again in the legislature. Without undermining the judiciary, I don't know how to stop this.
It may seem strange to say it, but the very question of asking who is responsible says a lot about only assigning guilt and blame on selected parties, which is *not* constructive.
Einstein came up with atomic theory, and I think he felt quite guilty for its main application. But the people who actually turned generic theory to bomb were also to blame, as are the people who still seek to acquire nuclear weapons, and anyone else involved.
All of them were responsible, although it's also up to each individual involved to also make up for it by trying to put a stop to it. Einstein by making public statements, the government by facing up to stuff and stopping production of nukes, and everyone else by doing whatever they can too.
It's the same in this case: everyone who has something to do with it is responsible for things being used in a negative way. And the way to put a stop to it is to realise how much we ourselves are responsible and then create value through what we do.
I don't think it's okay to stop once you have found the person who is legally responsible, and then think, ok, none of my business now. I think if anyone really values the work they are doing on computers nowadays or whatever the hell you are doing, then you will still try to assume as much responsibility as possible, and then try to put things right again!
The key to this argument is that being responsible for something legally means that you can be punished for it. People shy away from responsibility precisely because they associate it only with guilt and punishment! But morally and also economically, it means that you are actually one of the people who has what it takes to deal with the problem constructively!
Assuming responsibility for the harmful uses of technology can only benefit technology.
Being the author of one such dual-use software package (the Crack password cracker) - I am astonished that the questioner has missed out one entire class of people, when trying to describe who should take the blame.
As I see it, there are three classes of people to be pilloried in this potential witch-hunt:
Me, I say it's a poor blaster that points only one way, and all tools (knives, saws, pointed sticks) can be used for good or ill - and so I lay the blame on the users, and also on the people who created the weakness.
perl -nle 'setpwent;crypt($_,$c)eq$c&&print"$u=$_"while($u,
IANAL
Now, you assume that a CC generator has no legal uses. A pseudo random CC generator would be very useful in the case of setting up a Billing system where you have to enter lots of data to test a system, including CC #'s for hundreds of thousands of accounts. This would be a completely legitimate use of the above referenced software. But I will agree with you that this would be marginal.
As for the DVD copying under Linux. The Supreme Court vs Sony RE: the vcr. They held that there was enough legitimate use of vcr in fair use applications. DVD copying for personal use is completely legitimate. Let's face it the criminals can already copy DVD's if they wanted to. And for quite a while Due to costs, it's cheaper to purchase a new DVD than try and copy one. Between the cost of the burner and media, whoa. The only way to do it at a reasonable cost is to use lossy compression like mpg/asf/...
DVD copying was made into a much bigger story because BIG MEDIA wants us all to believe that copying media is a crime. They have twisted and mangled all intent of copyright. This is a much larger issue that I will not get into right now.
Tools for hacking.
The tools that are released by people that are doing security and those that are interested in hacking are usually clear cut. ( I said usually ) People interested in security give a harmless example as the default, and have a source code mod that will enable the real destructive hack. They also go through proper channels, and release only after disclosure to the vendor, or vendor snubbing them.
The conclusion that everyone should be coming to is that all tools have legitimate use, but the "grey" area tools really have a burden of truth to prove that they have legitimate use.
As much as I think the Bo2K designers are 31337 wankers with too much time on their hands I'm a bit tied on the issue. On one hand yes, the gun analogy applies here. Guns don't kill people, people kill people. However gun manufacturers are regulated by government laws. So far 31337 script kiddie distributors are not. Now if we had a "tagging" system in place to keep track of denial of service/cracker offenders and were able to prohibit distributions of such programs to them..that would be something. Of course that's not going to happen any time soon.
How is it wrong?
I think terror *IS* the MOST effective means to
achieve political goals. You ever see "The Siege"
ya know...if a few terrorists setup in NYC...
things would go down much like the movie...with
the exception that there would be no quick happy
ending.
Personally I even extend "Terrorism" to describe
the actions of the people in power in the US. Which
is a dirty mix of politicians and media whores.
Whenever there is something that they want to
change...the media naturally focuses on what gets
them ratings...and that is FEAR. They report
whatever stories will most likely tap into people's
most basic fears. Murders, violence. The more
random the better.
Congress works similarly. They recently have been
working on an "Anti-Date Rape" act...named after
a girl who supposedly died after being slipped a
"Date Rape Drug" GHB.
The real cause of her death was later found to be
quite different (I believe it was a previously
unknown congenital heart defect but I do not
remember). However congress keeps harping on.
Forget that Date rape is already illegal...it's
not about that. That's just what they want to use
to scare people with...the only real "Date Rape Drug" is alcohol...and unlike some others...it is
used EVERY DAY.
They just work the media to instill fear in people
because when people are in fear they are irrational
so...then when congress passes a law...they seem
like heroes fighting the good fight, when in reality
it's usually new legislation that was already
covered by old legislation or it just advances
their own political agenda.
If you ask me...that's a form of terrorism...and
it's sickeningly effective.
"I opened my eyes, and everything went dark again"
Ideally the key in this matter should be
disclosure. As long as the author discloses
the capabilities of the software, then the
person who uses it for malicious purposes
should be responsible.
We need to be able to write software to test
security, or to demonstrate how a virus works
so we can fix the problems, without worry about
being held responsible for other people's actions.
Now, if the author knowingly puts evil things
in the software and doesn't tell anybody about
it, then they should be held responsible for
the ill-intent.
let's just give the people that do idiotic things (burning eyes with curling iron) DARWIN AWARDS!!
:)
heh.
A year spent in artificial intelligence is enough to make one believe in God.
Standard disclaimer: IANAL
:-)
Non-standard disclaimer: IANAUSC
There are two totally separate issues here:
Is the tool user liable for the destructive use of a tool?
Is the tool producer liable for the destructive use of a tool?
In my understanding - lay understanding, not educated or professional understanding - they both turn on two questions:
Did the party know or could be reasonably expected to know the possible results?
Did the party intend the results?
If there was knowledge without intent, then negligence has occurred. If there is knowledge with intent then there is full, unmitigated, guilt. I believe this is the (US) legal test, and it is a fair moral test as well.
So, if the user knows the tool can cause harm and uses it with the intent of causing harm (intent without knowledge is pretty much logically impossible), the user is guilty and responsible, providing he or she is fully competent. Acting under duress or compulsion caused by mental incapacity is mitigating, although society has a right to demand restraint and treatment of those who cannot control themselves.
On the other hand, if the tool maker knows or could reasonably be expected to know that the tool is potentially dangerous and does not take reasonable precautions, the tool maker is negligent. Also, if the tool maker intended the tool to be used for malicious purposes, the tool maker is directly guilty.
One thing should be remembered here: The guilt of one party in no way diminishes the guilt of the other, either morally or criminally. Civil damages are an exception to this rule - they are split amongst the guilty parties according to degree of responsibility, as assessed by the court. On the other hand if a crime is committed with a standard 1 year prison sentence and the tool maker and tool user are both found guilty, they will both get 1 year, not 6 months each.
So there you have it, the answer is that both are responsible, or neither, or either one, depending on the intent of and knowledge, possessed by or reasonably expected of, each party. Don't you just love simple answers
It's a fact that most of the crimes are committed by the children that Hillary is constantly promoting. We have children as young as five committing acts of murder, rape, drug manufacture and distribution and money laundering and terrorism! Even if these crimes are not committed by children, in EVERY CRIMINAL CASE the culprits have one thing in common - they were all children at one time! This scientific observation, aside from shocking, proves that the criminal children can not be rehabilitated. I'll bet that Hillary was once a child! Makes you wonder. You can judge a lot about a character by the company he keeps. So, in summary, the children are responsible for the manufacture and use of damaging software but that is the tip of the iceberg.
I'd argue strongly that anything that can be misused can also be put to good use.
One should also suspect anything that can be used productively as being capable of being misused. The more so with the most flexible and powerful utilities, such as remote control, port scanners and packet sniffing.
That is because good or evil is determined by the intent of the user and the effect on the people around him. This is intrinsically outside the realm of technical specifications and capabilities. Even a computer virus, like a gun, could be created for moral purposes. If the Third Reich was as dependent upon computer technology as we are today, few people would view it as immoral to disrupt the coordination of the Holocaust. For that matter, developing and releasing a virus into your own network for research purposes is also moral. It's the initial act of releasing the virus into the "wild" that's immoral -- and demonstrates the intent of the developer was malicious.
So, while in most cases a software developer should not be held responsible for how his software is used, if he himself uses it immorally he may be doubly culpable. Also, if he colludes with his clients to use his software in an immoral fashion he's also culpable.
Consider a program that logs keystrokes and other events. This could be highly useful in debugging software and system problems, since users seldom can provide detailed answers. On the other hand, it could be used to spy on subordinates or even coworkers or competitors. If a developer markets the software for these purposes or encourages its use in these ways, then the developer is morally culpable.
In this way, I find cDc to be morally ambiguous. There is kind of an anarchic, certainly ironic spirit to this group, which normally I applaud. The act of developing BO and BO2K is not in itself right or wrong, but I cannot help but suspect that cDc intends harm to Microsoft. Even this in itself is not necessarily bad, since it is generally accepted in our society to harm competitors by discrediting them. However, implicit in this is the possibility of harming third parties -- Microsoft's customers. Unfortunately, nobody but cDc can know whether they are good or evil -- the key is locked up within their sardonic personalities. They may merely intend the existence of BO to discredit Microsoft and the values it represents, or they may be mere chaosmongers.
So, to conclude, I think that developers should never be held responsible for any technical capability their software has, but they should be responsible for how they use their software and how they promote their software to be used.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
I think Melissa gave the world a wake-up call on how vulnerable Microsoft is security wise. I know quite a few people who gave up using MS brand programs (Outlook, IE, etcetcetc.) because of the dangers exposed by Melissa. I think it was a good thing that the virus was released (although I DID have to kill my mail servers) because it showed a VERY big security hole.
Objects in the blog are closer then they ap
--- is that it depends on the design of the tool. A gun for example can be used for assault or self defence, so the responsibility for its use comes down to the user. On the other hand, if a company designed and sold an item that only had a negative use eg. car bombs (extreme example I know), then both the company and the user should be held responsible. Just common sense. --- If a gun can be used for defence so can a car bomb. How do you use a gun for defence? The only way I can think of is the threat to use it for assault. You can do that with bombs too (shoot me and I'll blow you up). You wouldn't attack me if you knew I had my hand on the trigger of a bomb. If a sword was designed for defence it would look like a shield, if a gun was designed for protection it would look like a bulletproof vest. Guns were designed to kill or maim, not protect. To claim anything else is naive/stupid/a lie, take a pick.
Would you blame someone like Remington or Smith & Wesson for the people who were killed by their products?
orlando...
-= This is a self-referential sig =-
The responsibility is of the user who uses the program. If I give you a car, and you run around with it and kill people with it, it's not my fault. It's your fault. What you do with things is your responsibility. (Unless, of course, it involved leasing then leaking the Windows NT source code =])
--
colombo - http://jukebox.dhs.org/colombo
get paid to surf the web - http://freemoney.n3.net
While I can see how people may be tempted to make the connection, relating hacking software to guns and drunk driving is not a valid connection.
Saying that the coder of a hacking tool is no more responsible than the manufacturer of a gun is utterly false, for one simple reason: A hacking tool is created for one purpose - to hack software or systems. A gun, once manufactured, may be used for law enforcement, personal defense, armed robbery, drug wars, target practice, &c. Using a neutral tool in an evil fashion does not reflect on the creator of the tool. Using an evil tool in the fashion in which it is intended to be used -does- reflect on the creator (please understand that I'm using "neutral" and "evil" purely as convenient labels - seek-and-replace with whatever terms you prefer).
The way I see it - the user is always responsible. Even if someone walks up and hands you a 93-page list of root passwords, it's your decision whether or not to go run and maliciously change the MotD. => Whether the developer is responsible as well depends on the purpose and intent of the software - legitimate software that -could- be used for hacking is not the developer's fault, unless he specifically distributes it with illegal intent in mind. Software created for the sole purpose of illegal activities is illegal if it's distributed, but harmless if it's only developed as a "let's-see-if-I-can-do-it" exercise, then trashed. In a nutshell: Way too many conditions to make a sweeping declaration.
--- "No matter who or what, a box of flowers is better than a smack in the belly with a wet fish." --RAH
How dare you imply that the users of the tools are responsible in any way for their actions? I hear that people can read books that teach you how to do many illegal things. Just yesterday I saw a book on airbrush art. Next thing you know people will be buying spray cans and defacing public property with that..that.. GRAFFITI! These publishers should be brought in line before they cause more grievous harm to our subways and walls.
And that freaking Apache group. I've also heard that many people use their software for, get this, PORN SITES! Their software is directly responsible for the decline of morality. They should be banned from releasing anything ever again.
The answer is rather obvious.
1. If you knowingly use some software illegally, you're guilty.
2. If you're using the software in a legal manner but it's doing something illegal as a result of an honest programming error, nobody is guilty.
3. If someone codes a program that can be used both legally and illegally, programmer is not guilty as long as the illegal part naturally follows from functionality that can be used legally. IE, if you modified bo2k in a way that would make it impossible to use it illegally, this change would also prevent you from using it legally.
4. If someone codes a program that can only be used illegally or that has some illegal functionality that could be removed without affecting the rest of the program, programmer is guilty. For instance, if there was a text editor that had a menu item "DoS attack this ip: ".
On a related note, I think that Slashdot is running too many stories lately. It seems like we get 2-3 worthwhile ones per day, why not just post them and nothing else?
-- ATTENTION: do not read this sig. It doesn't say much.
i mean, c'mon here people, it's not like you can get into anything too secured here (now i said: too secured, not too important... there are always those morons out there who still think that not having an IDS/honeypot/whatever is ok)
Just my 2
*insert pithy sig here*
..if I give you a knife, and you choose to stab someone with it - am I to be blamed?
www.6502asm.com - Code 6502 assembly or.. DIE!!
What makes an anti virus company label one program as a virus, while another program with similar uses is unlabelled?
Simple - one has an install kit that runs in plain sight, reports what it is, requires you to accept an EULA, allows you to configure and restrict remote access, and even has an un-install option.
The other is BO2K.
This sig left unintentionally blank.
This is basically the same question as Gun Control. It's the dilemma of whether a toolmaker can be held responsible for the uses the tool can be put to.
I think the most common result of such discussions is that the question is meaningless. In theory the toolmaker cannot be held accountable, but in practice we place limitations on toolmakers that regulate what they may and may not produce; or how, where and to whom they distribute it once made.
Take books for example. If a book -- not necessarily even a book on any "dangerous" subject! -- is the tool I use to start a mental process that will eventually lead me to start a political movement that in the short term overthrows the current government to replace it with a better system, but which in the long term will pretty much destroy my country; is the book to blame? How about the author?
Put another way, should we punish Karl Marx for writing the Communist Manifesto because he brought about the current state of what used to be the Soviet Union?
Of course, in reality we need to put restraints on certain kinds of tools, but in principle we cannot blame the toolmaker for the use the tool is put to.
Then again, in the case of Melissa and Back Orifice, the toolmaker is often the one who puts the "tool" to use and in such a way as to make the issue pretty much clear cut. :-)
We cannot (yet) solve the atom bomb problem by hacking into reality and creating a fix for it (and we would be a little worried about putting out the sun if we did). We need to have laws to make up for God's little system oversights.
The same is not true for computer systems. A virus spreads because the system is broken, and because the system is broken only.
-
We cannot reason ourselves out of our basic irrationality. All we can do is learn the art of being irrational in a reasonable way.
In the case of programming hacking tools, the real responsibility must lie with the programmer of the exploitable software. And everyone related to them: the boss who set early deadlines, the stock holders of the corporation who make money from buggy systems, etc. And to a lesser extent, the admin who fails to upgrade when a problem is found.
The real problem is people placing trust in security that does not exist. Situation: I tell you that I can take your diary and protect it from anyone who wants to look, then I mumble the words of a magick spell (a mysterious, powerful spell involving chicken blood, hair from an infant tiger, and the right eyes of 3 different newts), and accept your 50 dollars.
If you now feel it's safe to leave your diary on the shelf of a public library, there's really only 2 people to blame when some punk reads it. Me for lying to you, and you for believing me.
It is a matter of intent. If you write a program intended to allow users to recover forgotten passwords and someone uses it to steal information, you are not at fault. If you write a program with intent to do harm you are at least partially at fault.
If someone writes a virus and they don't control the virus (such as, posting the virus to a script-baby site), I would assume that they intended to do harm. Beyond that it would be very difficult if not impossible (short of an incriminating email or the like) to prove that the intent was to do harm.
The real grey area is where the developer is consciously aware of the good and evil uses of his software. BO2K is a good example. The developers are fully aware that it could be used as a useful utility and as a devastating attack. Are the authors liable if someone uses it to do harm? To a very small extent, yes. But if I were a juror in a civil trial I would assign less than 1% of the actual damages to the authors, the rest being up to the person who used the software.
As many people have noted guns do not kill people, people kill people. While this may be simplistic it illustrates the point. Technology (science), in any form, is not moral or unmoral. It is amoral. The application of technology (science) is what we should be worried about.
Guns, or weapons of any kind, are not really a good example as they have a focused usage that raises questions. Genetics (or for that matter Darwinism as others have mentioned) is a better example. Genetics has the potential to revolutionize the application of medicines. Imagine a treatment tailored to fit your physiology. No more side effects. On the other hand genetics can be used to discriminate against. So do we stop all research into genetics because it can possibly be used in 'the wrong way' or immorally?
I repeat technology is amoral (despite what some would have you believe. A gun lying on the floor is NOT going to kill anyone.). It is, and will always be, the APPLICATION of technology that we will have to debate and moralize over.
Basically, no one should be vilified for creating a technology. It is how we use a technology that needs to be examined.
Simon.
Hello People. We can see both actions (writing the bad soft and using it) as two steps in a common process. We could go on splitting the process of "doing bad thing on a computer" into more pieces (who built the computer? who produces the electricity? who cleans the room? who feeds the programmer?) and that way share more and more the responsibility of the final crime. Installing the software and running it is not very different from changing some #define, or patching the source, or writing the source. Here we have a continuum. In my opinion the only way to get out of this is to model the purpose of the various actors. Several scenarios can be considered, the four basic ones would be:
1/ Neither the author of the soft nor the user wanted to do bad things, but bad things happened (I install a new soft, which has a bug, and destroy 8 days of work in my lab)
2/ The author is a bad guy, the user a nice one (backdoors)
3/ The author is nice, the user a jerk (ping -f)
4/ Both are bad people (back-orifice)
I think that all those cases have to be treated separately. And for sure the author can be responsible (so are the gun makers, drug makers and bad food makers). F.
When you write viruses for 'educational' purposes you will not spread them, at least not intentionally. I think the one who should be held responsible for damage done by such viruses is the person who actually "let the virus out of its cage", e.g. compiled and ran it/sent it to someone. I can well imagine a student prankster trying to use a sample virus written by a teacher to tease a fellow student, not realizing that the virus might also infect every other system in the universe! However, a student can also set a virus free with the intent to destroy the world.
A person is always responsible for the damage his/her actions cause, whether he/she intended it or not. However, this only affects the amount they (or their insurance providers) have to pay in damages. For the criminal justice system there is a completely different thing: I think there is a ratio involved, the intended amount of damage compared to the actual amount of damage done. In general, you cannot punish someone for something he/she didn't intend to do and could not be expected to have known to be doing.
This is all very well, theoretically speaking, but it does not address the big problems:
* How do you find out who set something free?
* How do you find out reliably what he/she intended?
So, in the end, probably the writers of the virus will be punished instead of the people who caused the virus to be set free. Just because it's much easier to find them and because there's much more "hard" evidence. Just like it's easier to find out who manufactured the bullet than who pulled the trigger. Sigh.
IANAL, but I've been involved in legal matters and talked to lawyers a bit. There's a very difficult distinction involved here that I'll try to clarify a little. The law doesn't recognize actual intent or state of mind, rightly holding these things to be unknowable in any specific instance. However, the law does recognize that the maker of a tool or provider of a service "should have known" how that tool/service might be used. It's very similar to the standard of diligence applied in many other areas. For example, libel/slander cases often hinge not on whether the accused did know that a statement was false, but on whether they should have known and failed to exercise due diligence in checking their facts. Ignorance is not necessarily a permissible excuse under the law, especially when the claim of ignorance is either facile or tantamount to professional malpractice.
With respect to software, I think the application of this principle is pretty obvious. The person who uses a software tool illegally always bears some responsibility; the question is whether the software author is responsible as well as - not instead of - the user. This can pretty much only be true when the maker of software "should have known" that their software would be used in such a manner, that such use could have been prevented without undue burden or compromise of other functionality, and that the author nonetheless did nothing to prevent it. The phrase "should have known" is of course vague, but I think people who work in a field generally have a pretty strong consensus on what's common knowledge and what's not. What one person in the field should have known, is what the majority of practitioners do know or could figure out in a jiffy.
This definition obviously does not indict word processors or other common types of software. It's not even clear that it indicts something like SATAN, which the author deliberately tried to present to system administrators and such as a way to improve security. I think the line gets crossed with something like Back Orifice, which was very obviously pushed primarily as a way to hack systems; any claims about it being a remote administration tool are obviously accompanied by a smirk and a wink, which would only piss off judges and juries. Even if the tool's primary purpose was legal and positive, it's pretty bleeding obvious that it can also be used illegally and negatively. Some announcement of its presence on a system would discourage the latter use while in no way interfering with the first, and the absence of such announcement could readily be construed as an indication of the author's lack of professional diligence (remember, we can't impute malice because that comes down to a matter of concrete intent).
Slashdot - News for Herds. Stuff that Splatters.
The phone company is responsible for all the viruses transmitted over the net!
No your honor, it was the grain store owner! He sold the seed to the farmer who grew the corn and sold it to the moonshiner who made the liquor who sold it to the pub who sold it to the drunk who crashed his car and killed the victims! He's your culprit!
You are leaving out two very important aspects: intent and knowledge. Was it the author's *intent* that the tool be used for a particular purpose? Did the author *know* that the tool could be used for a particular purpose?
Applying these to your examples:
You state in your example that the person "knowingly" sells it to a totalitarian ruler. This implies that the seller has knowledge that it can be used to commit murder, and that under a totalitarian government, such a use is probable. Thus the seller is culpable for participation in the murders.
This question cannot be answered without more information. When you handed the ingredients over, did you know they were nerve gas ingredients? Did you know it was Saddam Hussein who was receiving them?
Did you know what the toxin's effects were when you sold it? If so, then you would be guilty of whatever crimes were committed with its use.
I find the case for the virus particularly interesting
Where does the responsibility lie?
It's either the user or the developer. The user, though, can claim ignorance, not knowing that the virus was present on his diskette or system. The developer can claim that the code was only written for a closed environment and never meant for the wild.
Proof by analogy is fraud.
Proof by anecdote is urban legend.
I find it interesting that nearly every post I have read has made use
of an analogy between guns and dangerous software, and nearly all
seem to consider it a perfect analogy.
A gun is rather difficult to duplicate and/or manufacture.
Software is necessarily trivial to copy.
If you wish to own a gun, you must find a seller (easy), spend the money
(easy - hard), comply with / evade the gun restrictions in your area
(easy - very hard). If you want multiple guns, you must repeat this
process for every gun. At some point, the money part starts to add
up.
If you want dangerous software, you just download it. (trivial -
easy). If you want multiple copies of said dangerous software, cp
will do the trick (trivial).
I think dangerous software can become far, far easier to distribute
or obtain than guns. (Guns don't replicate themselves.)
Guns do direct, physical damage.
Software cannot do physical harm so directly... it needs to be run on
a machine that will cause physical harm as a result of the software
being run. It is worth pointing out that relatively little physical
harm is done by software.
It is difficult to use a gun without being aware of it. Accidents do
happen, but the majority of people who make such mistakes are at
least *aware* that they mis-handled a gun.
It can be much more difficult to be aware of all the software one is
using, however. How many of us can, with a high degree of
certainty, list every piece of software we have used? If you have
made such a list, does it include GNU readline? If bash is your
login shell, you have used GNU readline, as bash includes it.
Unawareness of the user is one of the fundamental principles of virus
design, and *the* principle of Trojan horse design. If some user
downloads a Trojan horse, and it later runs, killing someone, is the
user guilty of murder? of manslaughter? Or is this merely a
terrible accident?
Given the differences between guns and dangerous software, I claim
that drawing analogies between them is highly suspect.
I *do* feel that primary responsibility for damage done should rest
with the user, assuming the user actually knows what he/she is
using. However, I am unwilling to accept arguments to this effect
which are based on the 'guns are like dangerous software' analogy.
I also believe that the idea of 'sole responsibility' is one of the
biggest loads of BS Americans regularly subscribe to... but that is
a topic for another post.
fscking slashdot doesn't know how to preserve decent indenting.
Using that analogy, you would be the one responsible if someone shot you and you weren't wearing your Kevlar bulletproof vest.
And we all know who created the weakness? could it be.... SATAN!!!!
So far this country (the U.S.) has set a precedent for controlled, uncontrolled and illegal materials. Some examples are...
Controlled: Some guns, some drugs, certain chemicals (uranium), encryption (!?), state IDs, police IDs, etc...
Illegal: Certain drugs, missiles, bombs, nuclear weapons, chemical weapons, etc...
Informally controlled: Lock picks, slim jims, police light bars (equipment etc...), Mace (!?) etc...
Uncontrolled: The rest of the drugs, chemicals, pepper spray... etc...
If software was only made by a few people it would be relatively easy to decide on which software is dangerous and shouldn't be in the general public's hands. But unfortunately, software can be made by anyone, used by anyone, and copied anywhere. If you use the weapon analogy then as long as a piece of software has a non-lethal purpose then it should be legal. But should/could it be a controlled substance? Should certain software be only used by security personnel? But what if software has only malicious purpose like a large caliber chain fed fully automatic rifle? Then is it a controlled substance or should it be made completely illegal? Drugs and weapons seem to fall into all categories... should software? Personally I think that because of how difficult it is to control software design, distribution, etc... it should all be on the intent of the user.
Well, since this is 1999, it's INTUITIVELY OBVIOUS that the coder, the person/organization that prompted him/her to write the code, the distributor and or "seller", the advertising agencies, if any, that promulgated this horrific piece of DANGEROUS software on the unsuspecting public, and everyone who uses said software without mishap (they create a totally false feeling of safety).
In other times, and other places, the asshole who mis-uses the software, tool, or "thing", is the culprit.
When the police arrive on the scene of a drive by shooting, they don't arrest the people who got shot because their skin was too weak to withstand the bullets. You idiot.
That's like asking: "If a weapon is used in an illegal activity, who is responsible? The company who made the weapon or the person who broke the law?"
Of course, if you make a program that can be used illegally and *encourage* people to use it illegally, it's another thing.
/.Mattsson - My native language is not English, so please don't whine over linguistic errors. (That's lame anyway...)
- The user takes responsibility.
- The creator takes responsibility.
- Society takes responsibility.
Obviously, from the free market and libertarian standpoints, option one is the "winner", but by no means is this a foregone conclusion.
Many here have made the comparison of software to guns. I think this comparison is false in two ways. First, it is always taken as a foregone conclusion that the user of a gun is both ethically and legally responsible, but this is actually an unsupported assertion. Second, the fundamental purpose of guns is very different from that of software. Software is not a single purpose tool. A gun has as its primary purpose to kill animals, and in some cases, specifically to kill humans. That is what they are designed for. On the other hand, software's primary purpose is to push bits around on a computer.
That leaves us in a funny spot: software is used at a level of abstraction above its primary purpose. And that level of abstraction is intended. If I were to use/create software for the purpose of designing biological weapons, I am both ethically and legally in the wrong regardless - because I am intending an illegal/unethical purpose.
I guess the main point I would like to make is that in both the act of creation and the use of something, purpose is manifested. As a society we have legally established a system where the act of creation is protected. There are very real benefits to this system, but there are also very real disadvantages. Most here could wax eloquent on the advantages, but I would like to point out one disadvantage: ideas, technologies, whatever, cannot be evaluated at creation time. Think of it as the difference between compile-time syntax and semantic checking versus run-time checking!
One possible rebuttal is that our "system" is set up on the survival of the fittest model and it works pretty good. But personally, I don't think anyone has given a really good try at designing an evaluation system - a compile-time ethics checker :) This would be a solution along the lines of option three above - society takes some responsibility for its own ethical standpoint.
Helping with organizational effectiveness is our job.
I've seen the comparative crime rates. I've heard all of the explanations for the differences ad nauseam. "Why is violent crime so low in Switzerland? Why is it so high in the U.S? Why is the suicide rate so high in Japan?"
My current feeling -- based on formal study of political science, criminal justice, and just common-sense observation -- is that these sorts of comparisons between different nations and cultures are useless. At best, they should be taken with a large grain of salt.
There is something fundamentally goofy (scholarly term :) ) in the U.S. culture that makes certain people in our country do incredibly selfish, harmful, irresponsible things. To be more specific, immaturity is perhaps too acceptable in U.S. culture.
By "immaturity", I mean selfishness, shirking responsibility, and acting out without regard to consequences. "Immaturity" is the most descriptive word I can find for this.
To a large extent, I think the U.S. glamorizes an immature mindset. Our sports heroes tend to behave like spoiled brats. Our business heroes get kudos for being ruthless. We wink at CEOs who throw telephones against their walls during temper tantrums. We like stories about music stars who commit felonies. We love catch phrases like, "Show me the money."
And, like a bunch of kids, we love to play with the things that we're not supposed to touch. Drinking makes us feel like grown-ups, so we go out and get plastered as soon as we're legal. Guns are dangerous and scary, so we make sure that our movies and television shows have lots of gunpoint standoffs, shootings, and heroes who carry Berettas in their waistbands underneath their $500 jackets.
I suspect the Swiss obligatory service laws take away a lot of the childish fascination with guns. Perhaps your culture also values maturity more than the U.S. Maybe it's time for the U.S. to take a few days off from suing and legislating each other and just GROW UP.
(Puts away soapbox)
Save the whales. Feed the hungry. Free the mallocs.
Don't confuse law and ethics together. Although many of their functions overlap, these are completely separate beasts. Laws are in place to protect individuals' rights as defined by their society. Ethics are derived from fundamental morals. Morals are shared by all people. Everybody knows it is wrong to kill another person. Everybody knows it is wrong to cause deliberate harm to another. (The insanity plea was something lawyers came up with so they could make money defending guilty parties.)
People have the right to live. Does this mean that weapons manufacturers/vendors shouldn't make or sell items that could be used for this purpose? Staying strictly with ethics, my answer is No. It means that it is wrong for me to use such a product to do harm. In the eyes of the law, however, it is seen as Yes, because these items, regardless of their intentions, are used primarily for promoting violence.
The same can be said about computer software. Linux has numerous legitimate uses. On the other hand, it serves as an ideal platform for cracking and developing harmful software. Ethically, it is the user's responsibility to avoid causing harm with the product. In this case, the law agrees, since the majority of Linux use is not malicious. Viruses would be a better contrasting example. A computer virus is a program, like any other. As long as the user does not use it to inflict damage on others, a virus is harmless. The law, however, would find viruses illegal because their most widespread use is malevolent.
Ethically, the end-user is responsible for any actions taken. The requirement here is that the end-user is knowledgeable and responsible enough to do what is right. Because people, in general, are ignorant and irresponsible, the law has to step in where it may be contrary to ethical beliefs. Because time has proven that people will use guns primarily for violence, there are laws in place to restrict ownership/usage. Because statistics show that the majority of Napster users will abuse the product to violate copyright laws, the law will rule Napster as illegal.
I, for one, would like a society where the law doesn't have to step in like this to maintain order. People, as of now, are unable to create and maintain such a society, and the current one is the best compromise developed thus far.
It's pretty simple, (At least the legal part is)
If you believe (and I think that many of you do) that openly published source code should be protected speech, then you cannot hold someone criminally liable for distributing source code. That person may, however, be held legally responsible in a civil, and ordered to pay restitution by a jury of your peers, *but* it still doesn't make them a criminal.
Writing a book on how to make a silencer, or an automatic machine gun, is not illegal. But actually owning either of those weapons is a federal crime. Distributing the book to a group of people you know that have legally-shady motives may make you liable in a court of law.
There have been people who have replied that the distribution needs to be controlled. I would like to point out that this would not make you criminally negligent as there is no law currently requiring that you do control distribution. It's only good legal advice because the tool you create might be one that takes down sun.com.
Notice that I've only been talking about the legal aspects, for good reason. They are easy. The ethical dilemmas can get pretty hairy as already mentioned.
Of all the ethical examples out there, there is a real-life case that happened about 4 years ago. Some of you may still remember this.
Dan Farmer was an SGI Sysadmin, he released SATAN to the general public. After that, he was fired, by SGI. He wasn't sued, or put in jail -- just held ethically responsible for releasing a "dangerous" utility onto the internet, and subsequently canned. But Farmer's motives for releasing it, were very ethical. By releasing this tool, systems connected on the internet will have better protection from crackers.
Both SGI and Farmer had equally valid points, it was just that SGI didn't share Farmer's view. SGI took, in their view, the proper action by the ethical violation that Farmer had done.
So really, the answer to who should be held ethically responsible, depends upon the ethical view that you hold.
BTW, in case you're planning on using this for your paper, I just want to share one more thing with you.
(C) 1999 by author. May not be reprinted outside of the domain slashdot.org without the author's permission.
;^) There. Now you can't copy/paste it into your assignment and stay legally and ethically correct.
I think the law has to treat the person who uses a product for illegal means as the "guilty" party. The person who makes it bears no automatic culpability.
This is my general take. Gun manufacturers are not responsible for murders committed with guns. Now, I'm not a gun nut, but I think this is legally right.
a) class action lawsuits are now under way against several gun manufacturers.
b) cigarette manufacturers
c) LAW is a separate issue from responsibility. I think in any crime, there may be people who bear responsibility for the crime whom the law should not pursue.
d) Responsibility is a renewable resource. An individual is 100% responsible for his actions; that doesn't mean other people can't be responsible too.
I see your point, however I don't think it makes much difference. If someone develops a program with the intent to cause damage, they should be held responsible... but who's to say what their intentions were?
Saying that because a system is broken makes it ok to wreak havoc on it with viruses and such, is the same as saying that since the lock on my door is broken it's ok to walk in and steal from my home...
Sticking feathers up your butt does not make you a chicken - Tyler Durden
I don't want to be cracked. I don't want to be burglarized. And there is worse, as well, I would prefer to avoid. But I want a society where people have to prove their willingness to commit a crime before they are thrown in jail. That does not mean committing the crime. I am not objecting to conspiracy laws. But simply possessing information and tools, which, by the way, are irretrievably blurred together when it comes to software, should not be a crime because it leads to making unprovable projections of what someone is thinking. It leads to people getting arrested for their presumed thoughts. Places where that happens are not free places.
Much has been made of the link between software tools and guns. This link is made explicit in laws banning the export of crypto tools as if they are munitions. However, this link, in terms of the intentions of the gun owner, has not been sufficiently explored.
Guns do have a defensive purpose. The most reviled guns - the ones that look like they are for shooting people - are in fact the most beneficial in the hands of owners intending to defend themselves. Mistaking the evil look of a military gun for evil intent in the owner is the worst possible error in connecting the tool to the owner's intentions. Shooting Bambi with a beautiful muzzle-loader might well be more reprehensible than shooting a home invader with a nasty looking piece of metal with a laser sight and loaded with particularly deadly ammunition.
In all cases, software or guns or cars or books, knowing the intention of the owner and inscribing that presumption into law is dangerous. You may be next to fall under suspicion, or under arrest, for what someone thinks you are thinking.
I wrote parts of this stuff
I agree. From m-w.com: "assault rifle: any of various automatic or semiautomatic rifles designed for military use with large capacity magazines." If you were attacking me in my home, which would deter you better, my bolt-action .22, or my AK-47 with bayonet? If your answer was the AK, then I have just demonstrated a way to use an 'assault rifle' for defense. If it was the bolt action .22, you should get out more, maybe go visit a gun show or something.
1) Creator of a bug-exploit-GUI or
2) User of this bug-exploit-GUI.
BUT: IMNSHO the creators of the security-bugs are at least partially responsible.
All totalitarian govs do this, for the good reason it gives them infinite leverage on individuals. Terrified groups are easier to control than individuals.
Nobody should accept a proposed system of ethics which is impossible for them to live by. I have zip control over the use of the programs I write. We know our products are being used by pornographers, for instance. Two steps away in the distribution chain.
Brain dead question -- computer ethics isn't any different than any other ethics: honesty, positive-sum-game (all the info needed for the other person to make a good decision, with feedback to know they understood it), no intentional harm.
More than that, nobody can be responsible for in a chaotic world.
"The Constitution, the WHOLE Constitution, and nothing but the CONSTITUTION."
I am intentionally ignoring legal issues.
.. but!! the question then becomes, is the act necessarily reprehensible. Consider password recovery. Any tool for recovering lost passwords is obviously a tool that compromises security merely by existing, so to that extent the manufacturer is ethically liable. Use is a separate issue. I can use that tool to recover passwords that a user has lost. This is ethical. I could also use it to recover passwords for my own amusement. This is suspect, borderline unethical. I could also use it to scan data secretly. This is usually unethical. But what if the data is about me, or someone who has requested that I perform this service for them? Is it still unethical? I don't know. It is likely to be illegal (separate issue, really separate!). For example, consider a person's personnel file. If I can intrude and see my own records, then I am a threat to the privacy of everyone else's records. But this threat exists as soon as the tool exists. If I, actually, don't look at anyone else's records, or let anyone know that I can, then no one will feel threatened. Is it more ethical to examine my own records, or to let folk know that I could look at theirs?
1) The person who uses a tool for an unethical operation bears the full responsibility.
This doesn't mean that the manufacturer is blameless, more than one party can bear full responsibility.
2) Tools come in many forms. If a tool is designed to do just one job, then the manufacturer of the tool is ethically responsible
In practice, one would be wise to avoid the appearance of unethical behavior. And, unfortunately, given human nature warning folk of danger is frequently perceived as being oneself threatening. If there is an ethical way through this, that is also not perceived as threatening (by, e.g., management) then I don't know it. (Of course, management gives itself the right to threaten those "under its authority", which, in practice, means those that it has the power to threaten).
I think we've pushed this "anyone can grow up to be president" thing too far.
Hey, quit bashing South Africans, would you? Geez, if people on /. bashed Americans like this there'd be flame wars like you wouldn't believe and Rob would have his mail box full of whining emails.
I used to think that way, too. Poor, poor Nelson Mandela, locked away by the evil Afrikaans, those wicked racist pigs, the poor underprivileged kids with their spaniel eyes and empty bellies...
All on the TV news piped into my safe and warm front room; hell, I'm glad we're imposing sanctions on those evil scum, destroy apartheid by economic means. Easy, and we can all sleep safe in our beds because we're doing our bit to end racism.
Then I talked to a few South Africans. My girlfriend who grew up with black children as equal playmates - something I'd have said was impossible, after viewing all those TV specials about the evil of the governmental regime. About how she spoke Kosa(sp?), the native black language of the region she lived in better than Afrikaans. And more that I won't bore you with right now.
I'm not trying to defend apartheid, or racism in any way. But the whole situation there has never been as clear cut as your TV would lead you to believe; getting the story from the horse's mouth (so to speak - don't tell my GF!) certainly opened my eyes to the slant that the media put on it. And what else has TV "educated" you about?
Scared me so much, I quit reading the news or watching TV - don't believe all that you hear until you've spoken to the people that were there.
Strong data typing is for those with weak minds.
There appears to be a consensus that someone who wrongs is responsible regardless of the instrument they are using. The more difficult question is the degree of responsibility of the designer and manufacturer of the instrument.
Capitalism provides an excellent way to assess the responsibility of manufacturers. A manufacturer can be taxed for wrongs in which their product is instrumental. To use everyone's favorite example (the gun industry), a gun manufacturer could be required to yield one hundredth of its yearly profits to the social security program for every crime in which one of their products was instrumental. Patent holders could have their royalties taxed in a similar manner. This doesn't answer the question of ultimate responsibility but it does address the profit that businesses are realizing at the expense of the society.
The larger question is fascinating but I have to go play frisbee so I'll just recommend a few books that provide insights into the question: "A Canticle for Leibowitz" by Walter Miller; "The Cassini Division" by Ken MacLeod; and "Cat's Cradle" by Kurt Vonnegut. The title track of Ani Difranco's new album, "To the Teeth" is also relevant.
I can use paper to make counterfeit currency, does that make the paper maker negligent? I can use a rope to hang someone and that would be a crime, is the rope maker negligent? Is it a crime to manufacture a sword or a guillotine? No. Now if you made a software and called it the "Ultimate Criminals Tool To Break In To Banks and Steal Other People's Money" and it worked as advertised, I'd bet the cops would pay you a visit... But is anyone that stupid? Did Doc Kevorkian manufacture a do it yourself suicide kit and market it? Well maybe he did but look where he is today! As far as the ethics of things go, I am sure that if you make something very attractive to criminals to use in the pursuit of their enterprise and you have a moral fibre in your body, you would feel an extreme guilt.
Compare software to dynamite.
Revolutionary, changed the way things were done. Caused a great deal of harm criminally too.
You can never blame the maker, only the user.
Something our (US) government should really remember.
Also reminds me how useful college is.
There is a big difference between "...that will be used to illegal ends..." and "...or can be used to illegal ends..." The first condition implies an explicit knowledge of and participation in an illegal act. This is clearly wrong. In the second case the user is responsible. The software developer is simply not in a position to enforce usage compliance. For example - accounting software developers cannot make accountants issue correct financial reports.
I'm also taking a course in Professional Computer Ethics right now. We've been talking about the new(?) ACM/IEEE Software Engineering Code of Ethics and Professional Practice. There's a lot of info there about who they think is responsible (Principle 1.01 says all public Software engineers should "accept full responsibility for their own work"). It also talks about SEs only approving software that "does not diminish quality of life or privacy or harm the environment" and that the "ultimate effect of the work should be to the public good".
If anybody else wants to check it out, the URL is http://www.computer.org/tab/seprof/code.htm. I'm not trying to say that the ACM and the IEEE are completely right about Software engineers and their responsibilities (the code isn't perfect). But if someday SEs are required to be licensed across the nation (I believe they already are in Texas due to incidents like the Therac-25) then something like this code of ethics may be what we are expected to abide by and be held accountable by.
Ryan (I forgot my /. login, call me Anonymous Coward for a day)
Definitely the user!
Making the software only proves a break-in can be done or that a security risk is at hand. If programmers were held responsible we would never see what cracking and break-in software is around. We would be lulled into a false sense of security.
Those who really want to break-in will get the software they need and probably have the expertise to program themselves. If programmers are not held responsible security risks can be analyzed openly in a public way.
I hold this standpoint because of the negative consequences of holding the programmer responsible.
Probably not a popular view in this forum, but...
You don't blame gun manufacturers because their product is performing within specification. The act of shooting a gun is not inherently bad, nor is shooting someone (self defense...), but who you should and why that matters.
With a virus, the victims are indiscriminate and almost never justified. As a result, the creator of a virus is intentionally doing harm. I believe this is the key distinction.
With hacking tools, it depends on the tool. Scripts that are exploits that can only serve to do a DoS attack or otherwise endanger a computer are clearly destructive. Tools that can be used effectively but can be dangerous when misused are like guns, the creator isn't responsible, the user is.
Creating a tool with no constructive purpose, only destructive, is obviously morally wrong. You are intentionally causing indirect harm.
If you create a tool with a useful purpose that can be abused, you are not in the wrong, the person misusing the tool is.
If you create a tool with malevolent purposes in mind but create a quasi-true benevolent purpose (BO2K, I'm sorry, but it was NEVER intended for remote administration), you are at least in the morally questionable area.
Intention matters. Possible uses matter. Something with only destructive purposes is obviously NOT kosher... even with a warning label that says "Use will kill random innocent people."
Alex
In general, the author should not be held responsible, but you have to take into account intent.
Let's look at exploit scripts. Some guy makes a script (small program of whatever nature) that allows the exploitation of some security bug in an OS. Do we blame him because people use it? NO!
We blame the person who used it.
Unless the author is encouraging abuse, there should be no crime committed. If he *is* encouraging the abuse of his code, then his crime is one of conspiracy to commit crime. Software is just software.
I have no sympathy for those who yell "punish the writers of cracker tools". disrupting other people's computers is certainly punishable, but it's ridiculous to even compare it to a crime (unless it's a hospital's computers or something like that), yet people apparently get sent to jail for months, for a simple web defacing.
and, putting it all together, I think it's been more than proved by practice (and by BUGTRAQ) that full disclosure is good for the whole of the industry.
I'd have to argue that the cDc would never be at the receiving end of a lawsuit like this - they simply aren't worth it. There is no money to be won from the cDc, or at least, not enough to make it worth the effort of suing them. More and more often, responsibility isn't the issue - compensation is. The wronged party is much more interested in being compensated for the wrongs done to them than they are in seeing the person responsible brought to justice.
A more correct analogy would be someone putting together a class action lawsuit against MS for producing an OS that permits an application like BackOrifice to work. Yes, I know that's a ridiculous assertion - take some time, dress it up however you want to make it sound more reasonable, even if it's still incorrect. Now you have a chance, and probably a pretty decent chance at that, of convincing some judge and jury somewhere that MS should give you a pile of money in damages - much more than you could ever get off of the cDc, or someone who abused and misused their software.
"Great men are not always wise: neither do the aged understand judgement." Job 32:9
From the phrasing of your question, it is clear that the meaning of "responsibility" is being abused in this question. Is CDC responsible for writing BackOrifice? Of course. Are they responsible for what a user does with it? Of course, they designed it that way. Are they liable, guilty, or should they be punished for harm that occurs because of what a user does? OF COURSE NOT.
What??? you say. But they are responsible for what a user does with the software... Yes, they are. BackOrifice was designed with an express purpose and focus. It enables a user to do something that couldn't be done before. It gives the user a power that they didn't have before.
And that, my friends, is the dividing line. CDC is responsible for creating the power to do something, and giving it to everyone. They are not responsible for what use that power is put to. They can argue for responsible use of that power, but ultimately the liability, the responsibility, for the USE of the power lies squarely upon the user -- and, due to CDC's methods, the victim as well. This applies both to "benign" applications being abused, and "malicious" applications such as viruses.
Of course, the argument now would be: "if they didn't provide the power, it wouldn't be abused!" However, the potential for the power existed, indeed probably the power itself existed before CDC released BackOrifice. What CDC did (and incidentally, what BugTraq does) was level the playing field. If CDC had not done what they did, someone might have discovered the vulnerability and used it as a tool to really cause harm. But because they took the action they did, there is now a way to stop that gap, to block that vulnerability. Microsoft would not listen, so CDC proved it could be done. It could not be ignored any more -- they were essentially forcing a response as a desperate measure to prevent a larger catastrophe.
Thus, the "if the power doesn't exist, you can't abuse it" argument is a fallacy. The potential for the power existed -- it was only a matter of time before the power became available. You can't undo what has been done, you can't unknow what someone knows. So the question now becomes: would you rather the power be used by someone with ... slightly different morals than CDC? Who would you give that power to?
The obvious answer to some, these days, is the government. I would say that we have already demonstrated in the US and other countries that giving power to the government is a mistake -- it should have the power to do the basic necessities, a necessary evil, nothing more. So the government is out. Do we deliver it to some trustworthy group or person to protect it and keep others from having it? A pleasant thought, but impossible -- how do you determine trustworthiness? And what if the power is needed by someone? (I hate to use the movie Independence Day as an example, but I can't think of anything else.) Would the group or person see the need to protect the power or be able to decide when it could be used?
Ok, can we destroy it? Well, in the particular case of BackOrifice, yes. Microsoft could take the steps to fix their operating system so that it is no longer possible to do what Back Orifice does. But in a larger sense, destroying the power to create viruses and malicious programs is just impossible. Code is so complex, there are so many variables, that there is no way to have a 100% bug-free program -- just like you can't have a bug-free life. It would be foolish to try to either stamp out code problems entirely (an asymptotic progression of effort), so by corollary you can't entirely stop people from exploiting problems in the code. The only thing you can do is continually try to make things better. How do you do that?
Well, you have two choices: You can keep the power for yourself, develop it yourself, and use it to gain advantage over others, to control them, to bend them to your will and desire. Doing so may be justified, especially in the case where others may have an advantage over you already, or are threatening your survival. That is a decision for a person, town, state, and country to make on their own. This is the way that things have been done for a long time. The problem with this way is that people are human, and tend to be unwilling to give up the power, even after its usefulness is long past.
The second choice is the one espoused by the Free Software Foundation, BugTraq, CDC, and many others. That is the conscious decision to give that power to everyone. This places the responsibility for the use of the power squarely and equally on both the user and the victim. (You knew about it, the information was freely available, why didn't you do anything about it?) If everyone is in the same boat, the power theoretically cannot be used for advantage -- everyone is equally capable of using the power and preventing it from being used on them, if only by threat of retaliation (MAD, anyone?).
The issue some people have with this is that they don't want that responsibility. To that I can only say, Grow Up! Being an adult is about assuming the responsibilities of that state. This is not a perfect world. The second choice invariably results in some abuse and misuse of the power, since those who are unwilling to shoulder the responsibility for the power are at the mercy of those who would use the power to gain advantage. But there is nothing the Developer can do about that -- he is choosing the best course of action he can from a host of perilous courses.
This second choice also allows something that is almost unique in history -- everyone can participate in the development and use of the power. All can see who is using it, abusing it, developing it, and defending against it, and all can use these actions and developments to further everyone's power and protection. Is this a better way than the old way of hoarding all your powers to use against others? I think so, and so do others. I think the damage created by releasing to everyone is much less than the chaos that could and will result from not distributing such power.
We'll find out soon enough, when our watchfulness weakens or fails -- or is legislated out of existence.
b) I can see, but not a). Cigarettes, IMO, have no redeeming value at all. All they're going to do (given enough of them) is kill you (statistically speaking). Guns have other uses besides killing people, like hunting and deterring criminals.
If we take away guns, what's next? Class-action suits against Ginsu? "Your knives were used to kill my boy!" People will always find a means to hurt one another if they want to, be it guns or knives or rocks or snowballs.
Besides, if you take away our guns, how will we protect ourselves from tyrannous gov't? :) 1776
CT
Constitutionally Correct
Cars, because people sometimes use them to run each other over
Money, because it often causes itself to be stolen
Shoes, because many people wear them when running away from the police
Pencils and pens... you could get poked in the eye, you know
Taking it a step farther, I think the software author should never be held responsible for someone else's actions.
See, the judge would have to decide if the software was "dangerous" or not, and this is not something I want them to do (as much as I trust our technically adept government here in the US).
And for the government to ban a certain technology (e.g. like The Digital Millennium Copyright Act does) is just as bad. What if they banned viruses, and then suddenly classified the software you had written as a virus, whether it was or not?
Also, how would you like it if you developed a network security tool and later someone misuses it, and the judge holds you at fault! Insane! And yet whenever you give a piece of the government power to make these kinds of judgements, they always eventually misuse that power, and innocent law-abiding citizens will pay the price.
Of course, the side effect of this is that you have people who can create purely malicious software and not be punished when someone else uses it. Such are the prices of liberty! Deal with it!
Suppose this: a person finds a new DoS exploit similar to a nuke and releases the source to a program that implements the attack. Now it will be used to attack someone, but there is also the other side: without an available exploit to test against, how can such a vulnerability be patched?
A gun is a tool. Just like any other tool it can be used for one of its intended purposes, or wrongfully.
A hammer is used correctly when it is used to hammer a nail into a board, but not when it is used to hammer a nail into someone's skull.
A gun is used correctly when it is used to hammer a bullet into an attacker, but not when it is used to hammer a bullet into an innocent's skull.
"..a civilized nation will have full gun registration. Our streets safer, our police more efficient, the world will foll
If there were no viruses, a lot of the people @ Symantec, McAfee and Norton would be out of a job. Viruses are a necessary evil. They teach about security flaws in applications that can be taken advantage of. Viruses may not have legal utilization, but they are important to the development of computer science.
Execute? [Y/N] _
There was a poll on the television the other night that said 98% of people think it would be alright for someone to use their cellular telephone after a car crash, but 2% said it would *still* be wrong for people to use it then.
Who the hell in their right mind would hate cellular phones so much that they would say it is wrong for people to use it even after a terrible accident?
The poll was total BS! They never polled anyone, they just pull that stuff right out of where the sun don't shine and use it to back up their BS.
"..a civilized nation will have full gun registration. Our streets safer, our police more efficient, the world will foll
You might as well ask yourself, "Which came first, the chicken or the egg?"
There's no true answer to this one. In all truth, in today's society, we don't blame the maker, we blame the user. It's how it is. When Alfred Nobel invented dynamite, he saw a great tool... a stable compound that could be used for blowing up rock in order for creation and innovation. He never envisioned anyone using it to kill. Clearly in this case, the problem lies with the user.
Another good example: the atomic bomb. On the other end of the spectrum, here lies a weapon which was intended to be used to threaten and kill. The nuclear arms race's only goal was to see who would have the power to kill millions first. Yet the person credited with giving us the power of the atom, Alfred Einstein, doesn't go down at all in the history books as a killer, but instead as another innovator, for by unleashing the power of the atom, he unleashed a whole new branch of science!
Yet, let's bring in another great, prime example: cigarettes. Cigarette manufacturers are making products that they know will do harm, but turn their backs at and deny the true harm cigarettes do. In this case, we said they should have to pay for their ignorance.
But, even so, it all boils down to this: if someone invents something to be used to do harm, intended it to do harm, and knows it will be used for harm, should he be responsible for inventing it?
Moral answer: they should.
Reality answer: they don't.
Software is a tool, nothing more, nothing less. Therefore, the person (or people) who designed and implemented the software is (or are) not responsible for how it is used. They are only responsible if the product fails to perform as promised (ie it has bugs). A very good analogy would be a car or a gun. Just because someone is stupid enough to hurt themselves (or someone else) with it doesn't mean it is the designer or manufacturer's fault.
Should a hammer be looked at as a malicious tool? As you stated, software is a tool. If someone wants to use it for more than it was supposed to be used for then they should take all the responsibility for their actions. It gets harder to draw the line though when you talk about things like Viruses. There is no legitimate reason to write that program, so the author should be to blame (but not in whole). It is still a tool, and chances are, the user's going to know what the tool can be used for. So, even in the case of a computer virus, the user should take most of the blame...
A virus is simply a program that can install itself. A self-extracting archive. It often installs itself into key areas of the system, to maintain a state of high availability. The same technique is used by anti-viral software to bypass normal operation for the purpose of verifying certain software actions.
Some viruses are badly written, like M$Word, and internet explorer, and netscape. They corrupt files, exhaust disk space, and have a pernicious habit of reinstalling themselves.
Some viruses have easter eggs or are trojan horses. M$Word for instance fingerprints files, Netscape v4.x (yes all of them) publishes every file it can find on the net so that any web page writer can receive your files in return. RealAudio publishes your playlists, sun's c compiler emailed SUN your compiling habits. Most people do not consider these features, and yet is netscape or microsoft culpable? (Real and Sun have fixed these problems).
There are malicious programs, I firmly believe NT SP6 was designed to destroy Microsoft's competition by creating incompatibilities where none existed before. The NT install process oft times corrupts BSD or linux partitions, and always overwrites the boot sector. Standard malicious viral behavior.
A virus however can be completely harmless, legal, and useful. A virus by the name of AutoDoubler(tm) significantly helped out Mac users when hard disks were measured in tens of megabytes. It surreptitiously installed itself into EVERY application on the machine. It would even alter files, and installed itself into system memory. I believe one version even infected the system software itself (most likely just fonts and whatnot).
Autodoubler would not have been useful if it did not act in a viral manner. Its ease of use was due solely to the fact that it worked in the background. Whenever an application was run, it would intercept that system call and check to see if the binary was UNcompressed (not infected) if so it would add it to a compress list, and wait for the first call to GetNextEvent to compress it. Remember you naysayers that in those days MacOS was completely "cooperative" multitasking, if a process wanted to be multitasking it had to depend on every other running process to explicitly give up time. Also remember disk seeks and recursive directory scans of an 80mb disk could take an hour. Indeed the previous product "DiskDoubler" died since it normally took up to 6 hours to compress about 80 megs.
Autodoubler did not noticeably affect system performance because it used its viral like properties to infect only those files the user actually used, or when the user was idle. It subverted many system calls, altered virtually every file on the system (after about a week of keeping it installed), and ran WITHOUT your explicit permission. Once you installed the "init" as they are called, it did the rest.
Other harmless viruses might be integrity checkers, the virus installs itself into applications (slowly, quietly, so as not to grind the disk away, and not to degrade performance, and not to have a weird process "INTRUDER_DETECT -R" running for the next several hours as it scans the 10 gig disks). It would simply install checksum code into the initialization code. It would store a secure hash of the original binary, and code to check it. It would also infect the kernel and wait for about a week, then it would start logging whenever a binary was launched without the checksum, or with an incorrect checksum. Note that initially the administrator would consent to its installation, but the virus's use lies specifically in the fact that he need not worry about it after that, AND that the programs action is completely unnoticed and hidden.
Another harmless useful virus might be a patch installer, it is initially loaded with a domain name, company.com, and then spreads itself about using worm techniques to update all versions of the software it can find. Why not just do it manually? The whole point is ease of use, and transparency. Also in a large corporation many computers get "lost" and their whereabouts are not always remembered, network-wise or physically. Also new computers sometimes spring up that are from another department, or the purchaser let the new temp fill out the forms, and he forgot to do the paper work on one, etc. If the software is an internal release (say a proprietary database interface used at many data-entry companies) where old versions might be harmful to the database, the preferred infection method would be on connection to the database server. What if the database is distributed, where each client maintains a certain section of the database? Then whenever two clients communicate the patch should have a chance to spread.
That sort of update would also be helpful for seti@home, distributed.net, napster, icq, and lots of other distributed products where old versions don't interact as well with new versions. Of course in those cases the program should have an option "Prompt me before accepting a viral update".
At any rate, it always irritates me to see virus == malicious software. t4 is a real life virus that is perhaps most responsible for our knowledge of genetics at the dna level. It is the virus used to infect E.Coli and give them new genes. Plasmids themselves are really just viruses that bacteria have grown to love. Mitochondria are suspected to be basically co-dependent mutualistic parasites. They are just barely above the virus level.
The viral technique is simply a paradigm for writing software. Just like a GUI or an operating system. It's a way of viewing "How is this software going to be used?" Viruses are supposed to run without (further) user interaction, and to withstand attempts to prove their existence or remove them (except when the person removing them makes a concerted effort, an effort that a hacker could not mount, but the original sysadmin or owner could). Just like a tattoo, some people WANT permanent software. The viral paradigm tries to make software as permanent as possible (by distributing copies in multiple places). It simply backs itself up. Amanda and most disk backup programs are viruses that infect backup tapes with copies of themselves even without the user's explicit permission.
I always thought it would be kind of cool (although dangerous) to use virus-like distribution mechanisms to distribute small binary bug patches :)
It is too bad how the U.S. has degenerated so much, to the point where people may sue others without logical reason or out of greed. Other countries have adapted much more secure and intelligent methods where the attacking party is fined and prosecuted when failing to successfully prosecute so that the party that is hurt can be reimbursed for the insane costs of defending itself.
The government is the one responsible in this case, those that are purchasing guns outside of Chicago are the ones ultimately doing the wrong.
If the city of Chicago were to illegalize hammers within its city limits and someone were to drive out to a Wal-Mart and purchase a hammer outside the city limits and then drive back to the city to do whatever it is they planned on doing with it, then would Wal-Mart, or the manufacturers of hammers be held accountable?
It may sound silly, but that is exactly what is occurring. Both are tools, both have good and bad uses. What someone does with either is up to their conscience.
"..a civilized nation will have full gun registration. Our streets safer, our police more efficient, the world will foll
I didn't read all the comments on this thread, but it seems that our economists didn't state their ideas.
I'm not into the field of law and economics, but I know that one principle we may consider is, the responsibility is assigned in the way that the outcome is efficient.
Say it's extremely easy for the manufacturer to implement measures to prevent bad use, but it's costly to monitor users' usage; the natural conclusion is that the manufacturer has the responsibility.
On the other hand, if it's difficult to have the manufacturer implement preventive measures, maybe technologically impossible, then it's the users' responsibility.
Say, why don't we blame the knife manufacturer if someone kills someone else using a knife? There's simply no cheap technologically possible measure to prevent this usage. In many countries outside the US, guns are forbidden because this is the cheapest (including the opportunity cost of not using them) way to prevent bad use. Maybe Americans don't think their lives are valuable enough to forbid guns or maybe they think their normal uses are very valuable.
A sig is redundant.
The point that Alecm was making here was NOT that people are to blame because of a weakness that they were born with, but rather that people are to blame because of a lack of effort. For example, if a store's window was broken with a rock that was thrown by a vandal, then the store owner is to blame for the vandalism because he........ Wait... that's stupid! You're right, this guy IS an idiot. -TheGuyBehindTheCurtan-
Blame, blame, blame. "Who do we point the finger at?" "Who do we sue?"
That seems to be the main thing on the minds of managerial types when faced with the choice of competing technologies, one of which is free and reliable yet "cursed" with not having a legal "blame me" label attached to it.
Well, we need to make them see that that is a mentality for the incompetent, that blame is a concept for those that have no other weapon at their disposal. But if they choose wisely then they *do* give themselves additional weapons, and powerful ones, namely the ability of technically competent people to fix things that are open, to modify them to suit the requirement instead of relying on external parties.
So, I reject the premise on which this thread is based, ie. that party A or B is responsible for the end result. We each make our own nests, and if we choose our building materials unwisely and then seek to blame others, that just shows the height of our incompetence. If you're technically clued up but your advice is ignored, well that's their loss. Go where your skills are valued, and leave them to their problem and to their focus on who to blame for their own lack of skill.
"The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
The user should be the one who is responsible for the crimes committed with software if it is the user who uses the software for illegitimate uses.
In essence, if dangerous code has been written, it doesn't go around executing itself or targetting people on its own. Someone activates it for that purpose. Just like a gun, a knife, a needle, poison, or bombs. They just sit there on their own until someone comes around and decides they can do something bad with it.
Where the programmer themselves write the code and use it in harmful ways, then they are the ones who are responsible.
There are the cases where the user uses the software without knowing the results or effects that the software will create, i.e., trojans. In that case, the user is the victim and the person who used the technology of trojans to modify the program to do harm is the one to blame.
Basically, tools are just tools. They may have been made with ill intent and for dark purposes. But they need a user who will carry out that purpose. Guns are made to kill, but until someone uses one, they will not kill. Just as with software, until someone uses it to harm others, it will do no harm.
- Wing
- Reap the fires of the soul.
- Harvest the passion of life.
In my opinion it is the duty of every person to take responsibility for their actions. This means that if you create and distribute software for the express purpose of damaging computer systems then you need to be responsible enough to accept that the results are to some degree your fault. The argument that if you didn't someone else will is the equivalent of a 2 year old shouting "well he did it first". The question is not whether the act would have been done or not; the question is whether the act was ethical. This is not to say that the person who is using your software is not responsible either; each person had a part in committing the act and each person needs to be accountable for what they did.
One example of this that comes to mind is the Napster software that was recently featured on Slashdot. For those who missed the article or are unaware of what it does, it basically establishes a "dedicated MP3 network" of users who connect into central servers and share their MP3 collections with all other users who are connected. If you want to find (for example) Billy Idol's "Rebel Yell", you enter the song and artist name into a search dialog, and it presents you with a list of dozens of users who are "sharing" that file, along with their connection speed and ping times. Then you pick who you want to download it from, initiate the transfer, and that's it.
:-)
Naturally, the Napster web site and welcome message prominently display warnings about copyright law and piracy, and they strongly stress that the software is only to be used to trade non-copyrighted MP3 music. But nobody is actually naive enough to believe that that's what people use the software for. The Napster developers know damn well that people are going to use the software to trade copyrighted music with each other. You only have to log in once to see that this is the case; a search for any song that is or was once even remotely popular will invariably produce many matches.
A couple of months ago or so, I bought a Creative CD-RW drive, and on the box it states that the included software will allow you to "share the latest independent MP3 music files with your friends." Here, again, Creative isn't fooling anybody. They know that there's huge demand for the ability to download music from the Internet and then burn it to CD where it can be played on a Discman, in a car, in the home stereo, or anywhere else. And guess what? Most of that music can't exactly be called "independent."
So are the Napster folks a party to piracy? What about Creative Labs? I think the answer to these questions is "yes"; it's kind of hard to argue that MP3 location software and CD burners have not contributed to copyright violations related to digital music. But (at least in my mind) there is a difference between being a party to piracy and being a sponsor of it. By placing obligatory warning messages on their products ("Thou shalt not pirate") and by essentially saying "Hey look, we're not responsible for what people do with this", the Napster and Creative Labs folks may have absolved themselves of legal responsibility for what their users do (or have they? IANAL.)
In the end, I think it's clear that the user is responsible. There are certainly legitimate uses for an MP3 distribution network; it's a great way for garage bands across the world to get quick and cheap recognition for their work. And of course there are tons of legitimate uses for a CD burner! Since the technology is so neat, and since the providers of these technologies have no way to prevent people from misusing them, I don't see how we can place the responsibility on them.
Anyway, it isn't my intent to either condone or condemn music piracy. It is my intent, however, to illustrate an example of the sort of "moral dilemma" that some software and hardware makers face, instead of falling back on some lame gun analogy.
We're going down, in a spiral to the ground
It's my opinion that whatever the program is designed to do, it will always be the user who's responsible for the actual use of a program.
It can't be right that, as a programmer, I can be held responsible for what a user does with my software.
Even if I developed a program that had no use apart from a criminal one, I believe that it would still be the user who's responsible, for the very simple reason that I did not force the user to use the program.
Even tools developed to crack passwords and break into systems can be put to good use, like checking your site's security.
Any tool can be misused regardless of its intended use, so don't blame the person who created the tool, blame the person who used the tool to do wrong!
- Just my humble opinion
Jesper Juhl aka Wisdom Seeker
Who is to blame, software developers or users?
Who is to blame, gun manufacturers or users?
Who is to blame, tobacco product manufacturers or smokers?
Who is to blame, TV or parents?
Lawyers know that they can get more money out of the developers/manufacturers than from individuals.
- is the intent of the manufacturer to inflict pain? if yes, then is that infliction justifiable (self defense or a shooting spree in a day care center)?
once we "establish" a manufacturer's or developer's intent, then we can proceed by holding or not holding the manufacturer responsible for the product's negative externalities. if the manufacturer is indeed found guilty of bad intent it still does not void ethical responsibility from the person who was actually responsible for setting off the chain of events. e.g. if a computer virus was designed to clean out innocent recipients then not only is the coder responsible but also the person who knowingly distributed the virus along the pipe-line. however, if a virus (like some email viruses) passes itself along then only the coder should be held responsible.
human beings (and we know there are exceptions) have a basic intelligence quotient, and general moral and ethical reasoning levels. sometimes those levels are hard to define but other times they can be crystallized into a litmus test of perceived gain or loss by the one performing the action (the actor). if that perception of gain and loss is based upon malice and harm to others, and gain to the actor then the actor is responsible.
the responsibility of ill-fates resulting from an action should always have the possibility of lying on both; the one producing the tool/weapon (which is essentially the same mass of quantifiable matter used for two distinct purposes) until it is proven that one or both parties utilized it with intent to cause harm. by objectively earmarking a particular item or practice as a tool or weapon we take out the very core of human intelligence which i believe can turn a "weapon" into a tool.
likewise, by objectively earmarking a potential "tool" as a "weapon" we undermine the same creative impulses. and by bastardizing certain practices we not only ignore their positive attributes but hinder their progress, thus hindering our own.
as a ju-jitsu player i know that the art of ju-jitsu can be a lot of fun, can be aesthetically and athletically appealing. but at the same token it can be deadly. but i have to choose to use it in a deadly fashion. to say that ju-jitsu should be banned because it is a deadly art would be ludicrous. all ju-jitsu players are not killers. and even if they were, there are other efficient ways to inflict pain and injury. in this case the responsibility lies on the individual practitioner and not on the teacher who taught the art.
as long as the individual has some basic level of intelligence he or she can be held responsible for the actions. and since both the manufacturer/coder of a product and the user of the product on this planet are both human beings (as far as we know) then the ultimate responsibility lies on both people based on their intent on the usage of the product.
"i may not agree with your position but i will defend to death your right to do so."
for what is consciousness?
In my vicinity, there is currently a trial underway in which someone is alleged to have murdered someone (a willful act) utilizing a motor vehicle as the weapon.
If anyone were to suggest suing the automobile manufacturer in this case, I am sure they would be laughed out of court.
The fact remains, to convict of a crime you must prove certain things.
Was the act committed, was it committed by the accused, what was the intent of the accused, and ... who made the device used??? ... No, certainly the latter is irrelevant.
So too in this setting. Reflect before responding. This truly is the meat of the issue.
Let's stop selling cars because you might run some kid over with them. Let's stop making planes because pilots could steal one and crash it into a building. Jesus Christ people!
__
__
nothin' says lovin' like an open source penguin.
Cincinnati and other cities have tried suing gun manufacturers to hold them responsible for gun related crime. The Supreme Court shot it down.
So to speak....
The problem with the question that you ask is that there is a hidden question buried deep inside.
That question is, "What are the limits to speech?"
As far as I am concerned a computer program is someone's expression of speech.
In the US the right to freedom of speech is guaranteed, but you can still be charged with inciting a riot if you tell a crowd to destroy private property.
But the subject becomes much more difficult to separate when the topic of hate speech that doesn't advocate violence comes up. As far as I know you can print and say anything about any group of people in the US as long as you don't incite violence against those other people.
Most security alerts come with a little program that demonstrates how to actually exploit the security problem. This is to be used as a tool for developers so that they can make changes and test their products to ensure that the exploit is fixed. But these programs are also used by so called script kiddies to break into other people's computers.
The developers need to have the exploit program to test with, but cannot get the program without also sharing it with the bad guys...
Based on the above arguments you should say that computer programming is speech and should have the same limits as any speech. But that going onto other people's computers without their permission, or directly assisting others to do so is a crime, at the very least criminal trespass, or even vandalism.
So I would say that writing any computer program shouldn't be considered a crime. But advocating the breaking of laws is a crime and should be punished as such.
When it comes to electronics the law was set so that you can develop and create just about anything that you want to, but you cannot use the electronics to do certain things that are illegal. They did not want to hinder innovation. This has proved to work over time. I see little differences between computer hardware and software other than the ease of distribution of the software.
Now, this might change and be different if the electronic industry started working like the gun and firearms industry -- they were asking to be slapped down. The legal system has started to attack the manufacturers of firearms and not just the irresponsible users. I think of guns and knives as just another tool with appropriate and inappropriate usage. I doubt that these kinds of problems with software will be so severe. The primary reason why this is all addressed is fear that the technically uninclined have against the word "hacker." It is the unknown fear thing. Look at Satan. It is a great tool for sysadmins! Do not take it away just because a few people misuse it; if intelligent enough to use it at all.
It's not illegal to break into your own computer when it gets so hosed that it won't allow a login.
It's not illegal to monitor your employees' use of the computers.
It is not illegal to infest your own computers with a computer virus. That way if someone steals your programs you can track them down.
justa quicky observation ... most of the people who are intelligent to be slash dotting (and i think that's intelligent) are also intelligent enough to have a healthy skepticism of the way the national media intends to influence public opinion and awareness ... impassioned letters like yours are also important ... we do have some intelligent media also ... that serves the purpose that you intended in your letter ... the sad thing is that there's this mainstream/majority mind thing that may be truly formed by national media stories ... seems the decentralization of networks is good but then again, if the same folks own all the media, o well ... skepticism and finding out for ourselves is the only way ...
The NRA says, "Guns don't kill people, people kill people."
It is interesting to note that People without guns kill a lot less people.
Think of cracking DVD encryption. People can pirate DVDs by directly bit copying from one disc to another. However, it's made a lot easier by cracking the encryption.
If you make a program to check security (satan, nmap), there are those who will misuse it.
The point I'm trying to make is, technology is neutral. If you use it for good, it's good. If you use it for evil, it's bad. Technology that makes some bad things easier should have a counter-technology or deployment to offset the effects (criminals get guns, so officers get guns, etc).
---
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
This falls into the same category as anything that can be used 'for good or for evil,' as it's said. I'm sure there are entire well thought out books on the use of tools such as lockpicks (more on this in a second), knives (some legal, some illegal), guns (some legal, some illegal), rope (legal), etc.
After some discussion, I'm going to have to revert to the whole lock/locksmith, security/security tools metaphor, which I know we all hate, but it kind of works here. It is legal to own lockpicks if you are a locksmith or have a legitimate use for them, but they are fairly easy to come by. But they are also not a very powerful tool in most people's hands. However, there are automated lockpicking machines (usually for specific types of locks, from what I understand) which are a) very expensive and b) require a license to purchase. These are extremely hard to come by, and hard to get - but the point is that the restriction is in the distribution, not in the use of the product. Once you attain one, it is assumed that you are entitled to use it, and you have no restrictions. If you were caught using one and you were not a locksmith, it would in fact be illegal. Could one still be stolen? Absolutely. Could one be resold by an unscrupulous locksmith? Yep.
A counter example is the redbox, a modified dtmf dialer we're all aware of. It's a single purpose device, built to defraud the telephone system, and is thus illegal. It is not seen as having any legitimate purpose, as opposed to a lockpick.
In essence, I don't think it's *necessarily* the responsibility of the maker of the product to ensure it's not used for evil. There is no way to prevent people from doing bad things. (Heh, and imo, when the US govt. realizes this, maybe some of the idiotic lawmaking can stop and we can try to actually improve quality of life for people... but that's a whole other fricking rant). The maker of the product has a responsibility to make the best product they can, ensure it will not *accidentally* cause harm (ie, safety lighters, etc), and in cases where there is a specific audience for a dangerous product, try to distribute it only to that audience. This currently is nearly impossible, as anyone with a 386 in their back room is a system administrator, and anyone who puts the title on their business card is a security consultant. This makes limitation of distribution a pretty unfeasible option.
Essentially, I think any product can be misused, and while manufacturers should attempt to curtail accidental misuse, the mechanisms for keeping software from being used for harm are not in place. Limitation of distribution is one of the only models I see working for this, and it is unlikely (imo) to occur soon.
But the tougher question would be the fault of the developer. If the primary use isn't immoral (modem driver) then up to a little fault can be assigned (could they have prevented this?), the author has generally done good, their product is being abused.
The other extreme is a program that grants immoral access to a computer. the problem is this can be used for evil with no benefits to education, public knowledge, law enforcement or anything else positive. BO2K lands somewhere in the middle. This is a grey area and while some blame comes about it is not as great as that of the user, though the devs are not completely blameless. Personally, I'd recommend advocating a modified utilitarianism stance here. (see John Stuart Mill, he discusses mod. util., the idea of good for a society versus harm done within the confines of basic rights)
That's easy, both are responsible. While the purpose of the developers of some of these hacking programs may be well meaning, making them available to the general public is irresponsible. There are always going to be people out there who are malicious enough to deliberately cause damage. To use your analogy even if a tool was invented to prove a point that it can be done it does not absolve you of responsibility if someone else causes damage with it. If they didn't make it available no one could misuse it.
there are shades of guilt or innocence in all things.
was the goal to break the entire net? or was it a local test that leaked out? who leaked it? or was it stolen?
in the ideal world, the punishment should fit the crime. this is not an ideal world. a legitimate justice system tries to model the ideal world, however.
this article was looking for absolutes. you won't get any from me, i recommend taking the shades of gray approach to your paper, with three sections, past cases, current cases, possible future scenarios.
get an A on that paper so we can take credit for it!
Holding a developer responsible for actions performed with his/her application is such a horrendous idea, I can't believe it was even mentioned. When joe q. criminal goes out and shoots someone, does the FBI knock down the front doors to Smith-Wesson? Nope. Just like guns, every piece of software has some legitimate and legal use to someone-- quite often times, specifically to the developer that created it. Not only would something like this disrupt or ruin the lives of innocent developers, but would also put unnecessary extra strain on commercial development companies and undoubtedly stifle the amount of software coming from OSS developers.
Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
What we have here is an MIT alumnus who writes compellingly (dare I say elegantly?) on matters of technological ethics. For One Million Dollars, who could this be?
Wait, don't tell me! Hold on a minute!
Wait, sir!
I'm cool like a fool in a swimming p-p-pfft-pool
I was just in the shower and remembered that the guy I was thinking about was a Harvard student who worked at a certain MIT lab. And I thought I was onto something. :-)
Still, hey!, damn fine writing.
This pisses me off. I just previewed my correction, submitted it, and it came through as Anonymous Coward! The script should remember that I typed in my nick and password (as the preview correctly had my nick in its header). But it's a feature, right? p.s. The guy I was thinking of was a Harvard student who worked at a certain MIT lab. Damn fine writing in any case, citizen hey! (Score:5 in my book). -- submitting without previewing --
I'm cool like a fool in a swimming p-p-pfft-pool
Just my $0.02 on the subject:
Responsibility for action stays with the person performing the action.
Depending upon how reprehensible the application is, everyone can jump up and down, shaking fingers and getting red-faced at the developer. If it's a particularly noxious piece of work, I'd probably join in.
Certainly there's a case to be made that, if a product is likely to be used in an 'unethical' manner (and I won't open that can of worms - determining what is and isn't 'ethical' is left as an exercise for the student) it is unethical to make the product more easily available (cf. the H-bomb). However, having a gun available in the house, an H-bomb in your armory, or a malicious piece of hardware/software at one's disposal doesn't negate the user's responsibility for using the thing.
If I make kitchen knives, I'm not responsible for domestic violence which employs them. If I'm a gunsmith, I'm not responsible for the mis-use of the guns I make (assuming, of course, that 'proper' use of guns can be said to be 'personal protection' and hunting for food). With items such as H-bombs, cigarettes (carcinogenic in their 'proper' use), or applications having no potential use other than malice (viruses, &c.), it gets a bit stickier.
Nonetheless, the fact that one is capable of using a thing does not relieve the individual from responsibility for using (or not using) the thing. If it did, we're in an endless-loop, trying to distribute the blame (The person(s) who first tamed fire would be responsible for all malicious uses of fire since, but the ones _they_ taught the techniques to would be responsible for passing them on and refining them, and so one has an endless chain of responsibility leading down to the arsonist who just torched your Uncle Jake's barn. After all, if fire hadn't been available in the first place, he couldn't've burned the thing, right?)
No. Responsibility for an action lies with the person performing the action, IMO. I can sit at home and write trojans all day (I don't), but actually putting one to use is a different matter.
Same if I'm a script-kiddie, scanning RR, @Home, &c. using a prepackaged script. I may've written the thing, but you're responsible for how you use it.
Naturally, YMMV. HTH. HAND.
"Who should be held accountable, the person who posts his homework to the net, or the people who answer it for him?"
First of all, one should understand that the legality of this depends on the country or state. If you are addressing legal issues in your work, anything you say depends on the jurisdiction. As an example, I will take a recent Finnish government bill (which is a good example, because it will be quite unambiguous on this). Soon, it will be illegal to "With an intent to harm information processing or the functionality of an information processing or a telecommunications system, produce, offer or distribute a computer program or series of commands which is designed to endanger [such systems] or to damage data in [such systems], or offer or distribute instructions of how to implement such a program." Potential punishment will be fines or up to two years in jail. For those who speak Finnish, the draft is available here.
As well as giving the would-be "music pirate" the chance to find free music, they are an excellent tool in the hands of the record companies.
Could you think of an easier way to get a list of all sites who are hosting copyrighted material than to use lycos et al?
Point being: The ethical creator should worry more about *who* is using the program (or gun or whatever) than what it might be used for in the "wrong" hands.
All opinions are my own - until criticized
Blush to admit it, but I get my Deeper Wisdom on gun lawsuits from a "Law & Order" episode.
In it, the gun, for no other technical reason, had been designed to be child's play to alter from legal status to full-auto. The company knew this going in, and promoted the design to make some sales. It was taken pretty much as a given that the altered gun had no legal applications, i.e. useless for hunting and massive overkill for home defense.
The poster who pointed out that many malign software tools can have administrative applications breaks that argument.
But if there's a case out there where there are ZERO "civilian applications" (tough to prove, I bet...) and the writer knew they were empowering the malign or foolish to cause damage, then I think there's some culpability.
Ok, if I in the UK manufactured a gun, I would be prosecuted. Guns here are illegal. Obviously cars are not illegal. If you manufacture something which is outlawed in your particular area then you will be prosecuted. Now the next step is to decide what software is illegal to manufacture. Any software that cannot have a legitimate use should be prosecuted. An example. I have yet to see a virus that has benefitted me. Any programs that have a sole purpose of opening a well known security hole should be prosecuted. Admin tools that may do the same but have other uses or are sanctioned by companies for the sole purpose of testing their own security systems should be exempt (and hard to obtain). The user should always be prosecuted. You simply don't hack sites by accident in this day and age. If you're hacking a site with ANY software, then you've made a decision to partake in an illegal act. If you're hacking as part of security measures then your company would have full knowledge of this of course. If they don't they should prosecute you for trying a sly one... Brad
I can build it nothing illegal. You use it very illegal. I gave you the knowledge to do it, now I am an accomplice. The person committing the crime is guilty of that crime. But since he could not have committed the crime without your help, you are his accomplice. Remember Charlie Manson? He didn't kill anyone. A book publisher called Paladin Press got busted in a scenario like this. Read how the courts got them.
I have a big bag full of two cents and I'm coming your way.
The developer made a decision to give people the tools to commit illegal acts. You would only do that if you wanted someone to use it. BAD BAD man. But our government allows us to do these kind of things so no crime so far. Someone took his tool and made a decision to commit an illegal act. He is responsible for that act. You will come to a forked road in your life and you must choose the path you want to travel. The developer should have to fix the wrongs that were committed against the victim, be it paying for new equipment or fixing the problems. 2nd guy is the criminal and needs jail. So if you give someone the tools to do wrong you should have to clean it up and make everything right when the crime is committed. I believe that could be a very BIG deterrent.
I have a big bag full of two cents and I'm coming your way.
When I said that in the original post I guess it
wasn't carried over to my request.
I have received several emails about it.
YES I know how to reboot with rw init=/bin/sh
(and even how to shutdown properly with it)
however...
I can't access the console...basically...there
is no monitor and I was too lazy to hook one
up.
I suppose I will fix that one day... but its in
an awkward area...
"I opened my eyes, and everything went dark again"
for gene therapy, the best method by far is virus therapy. insert genetically altered viruses that spread what you want to have spread. the latest invention against cancer goes in that direction... there's a gene found in HIV that is actually responsible for killing a cell. all that needs to be done now is to find a virus that targets only specific cancerous cells, which you could build that one HIV gene into to get a 100% effective weapon against that specific cancer version.
)O(
the Gods have a sense of humour,
Never underestimate the power of stupidity
To err is human, to moo bovine
I was a freshman in college. Talking to fellow freshmen, the subject wandered to computer security. So I said that breaking security would be easy: Just install a login-trojan. Of 1600 students, most were not computer literate. Many would fall for it.
My friend then challenged me by saying: "YOU can't write a trojan. You're not good enough".
So I proved it to him. HE then goes to the computer center and tries to run it over there, trying to trick the computer center guys. HE gets caught red-handed. (*)
I never ever ran the program. I KNOW that a random "foreign language" or even a "physics" student will fall for it. I also suspect that it is a bit harder to fool the sysops at the Computer Centre.
So they told me and my friend not to use the program. I had never used it. Two weeks later, they "still" found the source in my homedir, and got mad at me for this. (extra restrictions on my account)
A few weeks later I found that the initial password that they assigned to ME was just a juggle of a few letters of my account name. If you did the juggle on another name, you had a 20% chance of hitting the assigned password.
2000 accounts. 400 used, 1600 never used. 320 free accounts....
Later I found that they had the file with the assigned initial passwords online. World readable. (in a non-readable directory). Bingo. 1600 accounts. Never used them though. Just to verify that what I'd found was indeed the material that I THOUGHT I had found.
Roger.
(*) Pretty obvious: You had to stay "logged in" to be able to run a program. The system printed "xxx logged out" when you logged out. So the trojan sent the "wedge terminal" code before logging out, but they had different terminals at the CC.
Yes, someone breaking into your home is a disgusting affront. Armed with a knife (for example) it is equally revolting for you to send them to the morgue.
Open Source. Closed Minds. We are Slashdot.