Tuesday, December 05, 2006

PS - late egoboo :)

I was in New Scientist a few weeks back, extolling (in rather curtailed form) my theories-in-progress of how a security commons might be created to reduce the insecurity currently caused by zombified home computers. As many of you know, zombies or "bot networks", computers enslaved by viruses unknown to their owners, are the leading cause of everything from spam, phishing and spyware to keylogging, ID theft, click-fraud and, probably, dandruff. In particular, almost all denial of service attacks are now carried out as distributed attacks via enslaved bot networks. By a "security commons", I meant joint action and joint responsibility by all parties involved in a safer Internet: users, software writers, hosts and ISPs.

Illness intervened in my reporting (cof, cof), but here is the link for you, my loyal readers :) Unfortunately New Scientist printed only the smallest part of what I told them over the phone (sigh), so it looked as if I was suggesting that ISPs ONLY should be liable where a denial of service attack is carried out. In fact I continue to advocate that ISPs should take a positive role in (a) identifying zombified machines, not necessarily by deep packet inspection, as NS reported, but possibly only by external changes in patterns of traffic or by congestion analysis; (b) making secured ISP services available to consumers as well as businesses, as some companies like Nildram do already, thus protecting customers who don't know a firewall from a firelighter; and (c) where necessary, isolating identified zombies until they can be cleaned out.
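Point (a) above is the technically concrete one: a zombie can often be spotted from flow metadata alone (who talks to whom, on which port, how often) without looking inside packets. The script below is an added example, not part of the original post and not any ISP's actual system; it assumes constructed hourly flow summaries for two home hosts and illustrative thresholds (a 6-hour baseline, a 5x ratio and an absolute floor of 20 outbound SMTP flows per hour), and flags a host whose recent behaviour departs from its own baseline.

```python
"""Added example (not from the original post): flag hosts whose outbound traffic
pattern shifts in a bot-like way, using only per-flow metadata (source,
destination, port, bytes) rather than packet payloads. All flow records and
thresholds here are constructed for illustration."""
from collections import defaultdict
from statistics import mean


def _normal(src, hour):
    # A quiet home host: a handful of HTTPS flows to a few sites per hour (constructed).
    return [(hour, src, f"web{i}.example", 443, 20_000) for i in range(3)]


def _bot_burst(src, hour):
    # Zombie-like spam relay: many short SMTP flows to many distinct hosts in one hour (constructed).
    return [(hour, src, f"mx{i}.example", 25, 1_200) for i in range(40)]


# Each record: (hour, src, dst, dst_port, bytes). Host 10.0.0.9 is quiet for hours 0-5,
# then starts spraying SMTP in hours 6-7; host 10.0.0.5 stays quiet throughout.
FLOWS = []
for h in range(8):
    FLOWS += _normal("10.0.0.5", h)
    FLOWS += _normal("10.0.0.9", h)
FLOWS += _bot_burst("10.0.0.9", 6) + _bot_burst("10.0.0.9", 7)


def hourly_features(flows):
    """Per source host, a list (one entry per hour, in order) of
    (outbound SMTP flow count, distinct destination count)."""
    smtp = defaultdict(int)
    dsts = defaultdict(set)
    for hour, src, dst, port, _ in flows:
        if port == 25:
            smtp[(src, hour)] += 1
        dsts[(src, hour)].add(dst)
    hosts = {src for _, src, *_ in flows}
    hours = sorted({hour for hour, *_ in flows})
    return {src: [(smtp[(src, h)], len(dsts[(src, h)])) for h in hours] for src in hosts}


def flag_zombies(flows, baseline_hours=6, min_smtp=20, ratio=5.0):
    """Return {src: reason} for hosts whose recent hours diverge from their own baseline.

    Each host is compared against itself, so a naturally busy host is not
    penalised for being busy; the absolute floor (min_smtp) stops a single stray
    mail flow from tripping the ratio test when the baseline is zero."""
    flagged = {}
    for src, series in hourly_features(flows).items():
        base, recent = series[:baseline_hours], series[baseline_hours:]
        base_smtp = mean(s for s, _ in base)
        base_dst = mean(d for _, d in base)
        for smtp_count, dst_count in recent:
            if smtp_count >= min_smtp and smtp_count > ratio * base_smtp:
                flagged[src] = f"smtp flows {smtp_count}/h vs baseline {base_smtp:.1f}/h"
                break
            if dst_count > ratio * max(base_dst, 1):
                flagged[src] = f"distinct destinations {dst_count}/h vs baseline {base_dst:.1f}/h"
                break
    return flagged


if __name__ == "__main__":
    for host, reason in flag_zombies(FLOWS).items():
        print(f"candidate zombie {host}: {reason}")
```

A flag from a script like this is a reason to contact or rate-limit the customer and check the machine, not proof of infection: a legitimately busy mail server or a newly installed peer-to-peer client will also change its destination count, which is why the baseline is per host and the thresholds are deliberately conservative.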

ISPs would not necessarily be "held legally liable" if they failed to provide these services; they could be provided as competitively priced market services, with users held liable if they did not avail themselves of them. Other methods, such as compulsory "home computer user insurance" (like motor insurance), could be employed to reach the same result.

Rather gratifyingly, there has already been a hostile response (always nice to know someone's listening). David Utter suggests that if I had my way, ISPs might be held liable for hosting sites like Slashdot, which post links that often bring down sites by their sheer popularity. I was not in any way suggesting simple vicarious liability for ISPs hosting sites responsible for DoS attacks; for a start, the EU E-Commerce Directive would currently probably forbid that. I have my own concerns about how the CMA amendments in the Police and Justice Act deal with inadvertent "slashdots": given the late amendment to s 3 to allow recklessness as sufficient for "intention to impair the operation of a computer", it seems quite possible that innocent slashdotting is now prosecutable as denial of service in the UK. (Of course, from a sysop's point of view, whether a server goes down because of malice or carelessness is irrelevant, so maybe this was deliberate?) But it won't be the ISP that carries the can, even if this is true.

More interesting points are raised by a George Scriban on a blog called Global Nerdy:

"Surely the ISPs of the world aren't the most responsible party in a DDoS attack? What of the companies who provide vulnerable operating systems? The customers who misuse, misconfigure, or undermaintain those systems, making them ideal zombie targets? ISVs whose software defects render systems vulnerable? And, of course, we have the criminals conspiring to commit these crimes themselves. There's enough blame to go around that it seems strange to focus the blunt instrument of government regulation on ISPs in particular."

But the whole point is that what we're looking at here isn't moral retribution, i.e. allocation of blame. What's the good of tinkering with the criminal law to punish DoSers when they're usually tidily hidden away in Moldova, Estonia or similar hi-tech law enforcement havens? Or untraceable, because they've worked through a network of a million bots, enslaved via a Trojan virus sent by a third party? Or have their assets stashed in still another country?

Better to try to actually secure the Internet so it doesn't fall over, taking our hospitals and air traffic controllers with it, and worry about wreaking punishment on the guilty afterwards. The people the police forces (or civil courts, or insurance companies) of the US, EU and the rest of the developed world can usually get to are the users (you and me) and the ISPs. Regulation that would persuade the Microsofts of this world to produce less buggy software would also be good. Creating a safe Internet has to be done, right now, either by building it differently from scratch, which may have catastrophic effects for generativity, innovation and privacy and will take decades, or by regulating those three sets of people. Forget the Russian mafiosi: for every one you catch you will tie up the UK's entire National Hi-Tech Crime Unit (as was) for months if not years. We need to move from blame to gain.


David Utter said...

Hi Lilian,

I apologize, I really was not trying to be hostile! Being in a litigious society in the US, it's easy to see how someone would try to turn your stance into a money grab.

There are no neighbors any longer, just potential defendants. EU directives may bring the pointy boot down hard on such an action, but here there will certainly be someone who would pursue such a case if possible.

Aaron said...


I read your recent article in the Cardozo Arts and Entertainment Law Journal and, although I agree with this three-pronged strategy for stemming the tide, I am curious as to what sort of advice you would give the Serious and Organised Crime Agency or the National Infrastructure Protection Center about that Russian mafiosi, given the current and likely future state of the Computer Misuse Act.