Sasser Author Arrested

**leftism** · 05-09-2004, 05:54 PM

Originally posted by J'Pol+--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td>QUOTE (J'Pol)</td></tr><tr><td id='QUOTE'>The point is that the punishments should be more severe to

a, take offenders out of the system for a protracted period.

b, deter others from following suit.

As long as the victims are being partially blamed for the crime then this is used in mitigation. The defence of - if he had taken sensible precautions then my crime would not have worked.

It is time to put all on the blame on the perpetrators and leave the victims alone. What happened to them was not in any way shape or form their fault.

No-one is suggesting that people should not lock their car. The suggestion is that we should have the expectation that our property will not be attacked. When it is we have the right to expect that the law will prosecute them and punish them in an appropriate matter. The suggestion is that we Should be able to leave our property unlocked, not that we can.

Oh and are you suggesting that someone's data being destroyed by a virus or worm is not a cause of stress. Your use of "hand wringing" and such phrases does not make the point made any less true.[/b]

You are speaking exclusively from a legal view point. I am talking about a practical viewpoint.

The administrator of a computer system has taken on a job and agreed that in return for money he will protect our infrastructure. He is not your average victim of crime. His failure to do his job has no bearing on the responsibility or guilt of the offender, but it does have a serious bearing on how much damage these inevitable attacks cause.

Recognising that an administrator is incompetent does not detract from the offenders guilt or provide the offender with any defence. To my mind the two issues are completely separate. If the legal system cannot grasp that, then that is the legal systems problem. I don't see why we should have to ignore an important issue that needs to be dealt with, because the legal system lacks common sense on this issue.

What if the perpetrator was not a civilian, what if it was a foreign Gvt or terrorists? What good will the niceties and principles of the legal system do us then? By ignoring these rogue administrators completely, as we have done for far too long, we are putting critical systems at risk. You cannot deny that is the case.

You seem to be arguing that we should focus on one area of the problem alone, out of principle. I'm saying that we need to tackle both these problems to come up with a practical solution.

Putting "all the blame on the perpetrators" as the sole solution will get us nowhere fast in terms of practical solutions although it might make us feel all warm and fuzzy...

If you have incompetent and grossly negligent security guards you sack them and get decent ones. Why on Earth should cyberspace be any different to real life in this respect? Why does the latter break some important principle when the former does not?

PS

My "hand wringing" phrase referred to the fact that some individuals will label land mines and slavery as "puppy dog and kittens" issues and then promptly get all serious about malicious code. People need to put things in perspective.

<!--QuoteBegin-JP Fugley

see, i come from the E.U. where we have a human rights thing. it says that all people are entitled to enjoy their privacy and their property and that other people can't take it away from them. so if somebody does it is a bad thing.

so when someone takes my things away, they are 100% to blame no matter what precautions i did, or did not take.

this is a principle rather than a practicality.

the law and punishment should reflect that and not apportion the blame between the perpetrator and the victim. that sounds like ooer missus you were wearing a sexy frock, you were asking for it a wee bit. [/quote]

Sacking an incompetent security guard or administrator who cannot do the job they're paid for is nothing like blaming a rape victim for the way she is dressed.

Sacking an incompetent security guard or administrator who cannot do the job they're paid for does not remove guilt from the offender or weaken the principle that people are entitled to enjoy their privacy and their property.

Sacking an incompetent security guard or administrator who cannot do the job they're paid for will lessen the impact of these inevitable attacks and will increase security.

What is the problem?

**J'Pol** · 05-09-2004, 06:20 PM

The prosecution and punishment of offenders should be based on the ideal world, that is the point. If they breach my rights then what precautions I put in place are irrelevant. They are the guilty party.

This does not relate to negligent security guards, who have failed to carry out their alloted duties, however I see you wish to cling to this inappropriate analogy, you must like it. I forgot that this is something you do often, choose an analogy which suits your side of the debate than stick to repeating it. No matter how irrelevant it is.

It relates to people who have done nothing wrong and simply wish to go about their daily business. This includes private individuals, small companies running their own networks etc. they all have the right to be unmolested by this type of thing.

The issue of appropriate security in the real world is an entirely separate one.

**j2k4** · 05-09-2004, 07:16 PM

Ah, there you are, J'Pol-

Tend to your PMs, would you?

Your receivables are mounting.

**J'Pol** · 05-09-2004, 08:07 PM

Originally posted by j2k4@9 May 2004 - 20:24
Ah, there you are, J'Pol-

Tend to your PMs, would you?

Your receivables are mounting.

Sorry, willdo skip.

**leftism** · 05-09-2004, 10:05 PM

Originally posted by J'Pol+--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td>QUOTE (J'Pol)</td></tr><tr><td id='QUOTE'>The prosecution and punishment of offenders should be based on the ideal world, that is the point. If they breach my rights then what precautions I put in place are irrelevant. They are the guilty party.

This does not relate to negligent security guards, who have failed to carry out their alloted duties, however I see you wish to cling to this inappropriate analogy, you must like it. I forgot that this is something you do often, choose an analogy which suits your side of the debate than stick to repeating it. No matter how irrelevant it is.

It relates to people who have done nothing wrong and simply wish to go about their daily business. This includes private individuals, small companies running their own networks etc. they all have the right to be unmolested by this type of thing.[/b]

The protection of vital infrastructure is based on the real world, not an ideal world. Your argument is that we should ignore 50% of the problem (incompetent admins) because to address this problem will somehow detract from the offenders guilt. That will not solve the problem in the real world. This flawed approach is why we are repeating the same mistakes again and again.

The security guard analogy is perfectly appropriate. The protection of the network is a major part of an administrators job. It is their daily business. If they are incompetent and leave their networks unprotected they have done something wrong, in the same way that a security guard who leaves a building unlocked has done something wrong. If you do not understand this and truly believe it is an irrelevant analogy then you do not understand the issue you are debating.

<!--QuoteBegin-J'Pol

The issue of appropriate security in the real world is an entirely separate one[/quote]

I told you from the start that I am talking about "the damage done to important systems.".

The legal system has had 20 years to "limit the damage done to important systems" and has failed miserably. I'm simply suggesting we get real and accept the fact that prosecuting offenders is only 50% of the solution.

**J'Pol** · 05-09-2004, 10:41 PM

Do you ever read what other people post, or do you just have difficulty in understanding.

1, We should prosecute offenders on the basis that they are wholly to blame for the offence they committed. The victim is blameless, whether they took precautions or not.

2, We should deal with protecting our systems from them, as an entirely separate issue. You even quoted me posting that.

They are not mutually exclusive. That is what I said, that is what my argument is.

You accuse me of not understanding the point which I am debating, you however do not read (or more worryingly understand) simple concepts which other people put forward.

**3RA1N1AC** · 05-10-2004, 12:59 AM

Originally posted by J'Pol@9 May 2004 - 08:55
As long as the victims are being partially blamed for the crime then this is used in mitigation. The defence of - if he had taken sensible precautions then my crime would not have worked.

those computers were promiscuous tarts. they were asking to be infected.

**leftism** · 05-10-2004, 02:42 AM

Originally posted by J'Pol+--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td>QUOTE (J'Pol)</td></tr><tr><td id='QUOTE'>Do you ever read what other people post, or do you just have difficulty in understanding[/b]

It appears that you are the one having difficulty understanding me. Your objection to my position on this subject is neither coherent nor realistic. I can only assume that this is the result of you not understanding it or the subject matter.

Originally posted by J'Pol+--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td>QUOTE (J'Pol)</td></tr><tr><td id='QUOTE'>
1, We should prosecute offenders on the basis that they are wholly to blame for the offence they committed. The victim is blameless, whether they took precautions or not.
[/b]

Yes we should prosecute them on that basis. I've never contradicted that statement.

However as I have explained to you time and time and time again the "victim" (overpaid administrator who's job it is to secure the network) is not responsible for the attack but is partly responsible for the level of needless damage caused.

Is this what we're arguing about here? We shouldn't hold admins responsible for insecure networks in case a worm author uses that defence in court? The lack of common sense among the legal community on this subject should not stop the rest of us doing what needs to be done to make worms non-issues.

Hmm that sounds similar to something I said earlier.. not that you would fail to read or understand someone elses post of course......

Your argument is that admins should shoulder no responsibility whatsoever for the level of damage caused.

Originally posted by J'Pol
However to my mind it does not detract from the fact that the author of the worm is totally responsible for the damage it causes.

It is this position, this belief that incompetent administrators are not part of the problem, that has led us to this point, where what should be a non-issue turns into a major issue.

Originally posted by J'Pol

2, We should deal with protecting our systems from them, as an entirely separate issue. You even quoted me posting that.

Your position has always been that placing responsibility on the admins is the wrong thing to do. You are opposed to this on the grounds that it does not reflect an "ideal (courtroom) world". This means that you oppose the most speedy and effective way to "protect our systems from them".

<!--QuoteBegin-J'Pol@
You accuse me of not understanding the point which I am debating, you however do not read (or more worryingly understand) simple concepts which other people put forward.[/quote]

It is you who does not understand.

You do not understand the nature of the job of the administrator as shown by your opposition to the security guard analogy, you do not understand how easy it would be to turn these worms into non-issues, you do not understand how appallingly negligent an administrator has to be to get caught out by these things and most importantly you do not understand that your "ideal world" courtroom approach to a real world problem is completely inappropriate and ineffective.

You are concerned with ivory tower legal arguments.

<!--QuoteBegin-J'Pol

As long as the victims are being partially blamed for the crime then this is used in mitigation. The defence of - if he had taken sensible precautions then my crime would not have worked. [/quote]

I am concerned with practical solutions to real life problems.

the real world

It's as simple as that.

**J'Pol** · 05-10-2004, 08:02 AM

The problem is that you (as you often also do with others) state what you believe my position to be. Almost invariably you get it wrong, or post your interpretation in such a manner as to twist the meaning.

If it were only me I would question whether it was perhaps my explanation which were incorrect or inaccurate. However as it is also with others, whose posts appear perfectly clear to me I have to come to the conclusion that it is the one soldier who is out of step and not the rest of the army.

The victim is not the administrator, the victim is the owner of the system, whether it is a personal computer or a network (of whatever size). To use your own analogy - the victim is not the security guard, it is the owner of the building.

**Barbarossa** · 05-10-2004, 10:01 AM

Originally posted by Mr JP Fugley@9 May 2004 - 11:39

if i leave my car door open it does not give someone the right to steal from me. if they do they are 100% to blame, i am not to blame at all. the fact that i did not take precautions against being the victim of a crime is entirely irrelevant.

Tell that to your insurance company..

My point of view is that the guy who wrote the virus is entirely responsible for his own actions, and therefore should be held entirely accountable for the damage he has done.

More than likely he'll get recruited by a cyber-security company to aid in preventing this sort of thing in the future..

However, as other people have also said, people really have to take precautions to avoid getting infected by worms and viruses. It's not difficult, it just requires a bit of common sense and a bit of awareness on what exactly is going on under the desk.

This vulnerability was widely reported long before the actual outbreak, and so could easily have been avoided. Ignorance shouldn't be a defence..

Thread: Sasser Author Arrested

Thread Tools

Bookmarks

Bookmarks

Posting Permissions