
Hacking victims may face legal threat?


Old 02-18-05, 02:57 AM
  #1  
DVD Talk Hero
Thread Starter
 
jfoobar's Avatar
 
Join Date: Jun 2000
Posts: 38,102
Likes: 0
Received 16 Likes on 11 Posts
Hacking victims may face legal threat?

http://www.vnunet.com/news/1161275

Hacking victims face legal threat
Or is it an insurance sales pitch?
Iain Thomson at the RSA Conference in San Francisco, vnunet.com 16 Feb 2005

Home computer users could be sued if they allow their computers to be taken over and used by hackers, legal representatives speaking at the RSA Conference in San Francisco have claimed.

A panel looking at the usefulness of insurance against cyber-crime discussed the likelihood of home users being sued if their computers were used to perform distributed denial of service (DDoS) attacks.

Home PCs infected by malicious code are often used in such attacks, sometimes by criminal gangs seeking to extort money from online retailers.

"The real driving force has been the ugliness on the internet with organised extortion and data theft," said Jon Stanley, who runs a private law practice specialising in cyber-crime.

"If a housewife in Tulsa takes part unwittingly in a DDoS attack, eventually someone is going to go after her. The model is the Recording Industry Association of America: it was told that it was useless going after individuals, but it proved the doubters wrong."

Some members of the panel predicted that this could lead to forms of computer insurance to protect against potential lawsuits. While companies often take out insurance against computer crime, there is no home market for such policies.

"It is like an inverse class action," said David Navetta, assistant general counsel at legal firm AIG eBusiness Risk Solutions Group.

"Recent shifts in events are implying that, if individual citizens' computers are used to attack a business, it may result in litigation being filed. But this is not established in law as yet."

Navetta pointed out that the biggest market for computer insurance would remain the corporate sector for the time being. However, some members of the panel believe that consumer computer insurance may become as commonplace as car insurance today.

I recall having a discussion with some co-workers on this very subject a couple of years ago. Ultimately, the owners of systems bear the brunt of the responsibility to ensure that their Internet-connected PCs are protected with some basic security precautions (up-to-date AV, desktop firewall, etc.). As of yet, there is no legal precedent to hold people accountable for damages resulting from their "negligence" if they fail to do so. It is not inconceivable that this may change.

Of course, for any of this to happen, legal standards for due care and due diligence for securing home computers would have to be established. However, this may not be so far-fetched in the foreseeable future.

Last edited by jfoobar; 02-18-05 at 03:01 AM.
Old 02-18-05, 07:20 AM
  #2  
DVD Talk Hero
 
Josh-da-man's Avatar
 
Join Date: Sep 2000
Location: The Bible Belt
Posts: 32,760
Received 119 Likes on 92 Posts
Might as well blame Microsoft too. It's their buggy, insecure software that facilitates viruses and malware.

I'm not sure that, this day and age, "basic security precautions" are enough. Viruses, trojans, and malware have to be released before something can be done about them, and that's more than enough time to do their damage.
Old 02-18-05, 08:02 AM
  #3  
DVD Talk Platinum Edition
 
Join Date: Jan 2001
Location: Virginia Beach, VA USA
Posts: 3,582
Likes: 0
Received 0 Likes on 0 Posts
The initial responsibility falls to the OS maker. It should be secure and safe out of the box without the user having to buy a bunch of extra software. Ford can't sell you a new car with no brakes and then say 'You have to get those from somewhere else'.

D
Old 02-18-05, 08:32 AM
  #4  
DVD Talk Legend
 
Mopower's Avatar
 
Join Date: Nov 2001
Location: The Janitor's closet in Kinnick Stadium
Posts: 15,726
Likes: 0
Received 1 Like on 1 Post
I doubt the majority of home PC owners know what basic security precautions are or even what denial of service attacks are.
Old 02-18-05, 08:42 AM
  #5  
DVD Talk God
 
twikoff's Avatar
 
Join Date: Feb 2000
Location: Right Behind You!!!
Posts: 79,495
Likes: 0
Received 1 Like on 1 Post
blame al gore for inventing the internet!

there will NEVER be a such thing as completely secure software.. so as long as you hook up to the internet, there is a risk of getting *hacked*
Old 02-18-05, 12:17 PM
  #6  
DVD Talk Hero
Thread Starter
 
jfoobar's Avatar
 
Join Date: Jun 2000
Posts: 38,102
Likes: 0
Received 16 Likes on 11 Posts
Originally Posted by twikoff
blame al gore for inventing the internet!

there will NEVER be a such thing as completely secure software.. so as long as you hook up to the internet, there is a risk of getting *hacked*
Sure, but I don't think that is the issue being described here.

Let's put it this way. If amazon.com is DoS-ed off the Net for two days by 3 thousand Trojaned Internet-connected PCs, they should theoretically be able to hold culpable the owners of these systems if a small amount of due care would have prevented it. If a home user's system took part in the attack and it was determined that his box was compromised by some SdBot variant after he opened some miscellaneous email attachment from a stranger and was not running AV at all or running AV that he hadn't bothered to renew the license for for two years, shouldn't he be held partially liable for the attack?

In reality, not likely to happen...yet. When the lawsuits do start coming, I suspect they will start with corporations who allowed through inaction their Internet-connected systems to become compromised. These lawsuits may ultimately establish the legal due care and diligence standards that will lead to lawsuits against John and Mary Homeowner as well.
Old 02-18-05, 12:41 PM
  #7  
Uber Member
 
Join Date: Mar 1999
Location: Overlooking Pearl Harbor
Posts: 16,232
Likes: 0
Received 1 Like on 1 Post
I can see your corporate example coming true, but I'm of the opinion that average computer protection knowledge is too low to be able to hold people legally liable for not using it. Too many people out there who just plug it in and use it and don't want to or care to figure out how things work and what they need to protect against, coupled with all the different problems these casual users can run into using personal firewalls and A/V programs.

I think it's more likely they'll go after the OS creators to put the basics in their operating systems software (as microsoft is already doing)...and the browser companies too.

Interesting thought though.

And was I the only one who thought, "what? they're going to sue people who've been stabbed for...being stabbed? wtf?"

Last edited by Blade; 02-18-05 at 12:43 PM.
Old 02-18-05, 01:07 PM
  #8  
DVD Talk Hall of Fame
 
Duran's Avatar
 
Join Date: Jul 1999
Location: Columbia, MD
Posts: 8,173
Likes: 0
Received 0 Likes on 0 Posts
Originally Posted by JustinS
Sure, but I don't think that is the issue being described here.

Let's put it this way. If amazon.com is DoS-ed off the Net for two days by 3 thousand Trojaned Internet-connected PCs, they should theoretically be able to hold culpable the owners of these systems if a small amount of due care would have prevented it. If a home user's system took part in the attack and it was determined that his box was compromised by some SdBot variant after he opened some miscellaneous email attachment from a stranger and was not running AV at all or running AV that he hadn't bothered to renew the license for for two years, shouldn't he be held partially liable for the attack?
Practically speaking, however, if you count the number of computers that would be involved and the fact that the person actually responsible for the DoS attack takes most of the blame, wouldn't it just not be worth it to sue individual computer owners?
Old 02-18-05, 01:48 PM
  #9  
DVD Talk Hero
 
Join Date: Aug 2000
Location: Bartertown due to it having a better economy than where I really live, Buffalo NY
Posts: 29,727
Received 4 Likes on 3 Posts
negligent hacking-cide?
Old 02-18-05, 01:59 PM
  #10  
DVD Talk Hero
Thread Starter
 
jfoobar's Avatar
 
Join Date: Jun 2000
Posts: 38,102
Likes: 0
Received 16 Likes on 11 Posts
Originally Posted by Duran
Practically speaking, however, if you count the number of computers that would be involved and the fact that the person actually responsible for the DoS attack takes most of the blame, wouldn't it just not be worth it to sue individual computer owners?
When the actual perp will probably never be caught or, if he/she is, ends up being a Canadian high school student with no assets (do a Google for "mafiaboy")?

A two-day outage at Amazon represents millions in practical losses. Granted, going after 1000 individuals in court is a very expensive proposition...
Old 02-18-05, 02:20 PM
  #11  
DVD Talk Hall of Fame
 
Cusm's Avatar
 
Join Date: Jan 2000
Location: Moore, OK
Posts: 7,573
Received 1 Like on 1 Post
Originally Posted by Blade
And was I the only one who thought, "what? they're going to sue people who've been stabbed for...being stabbed? wtf?"


I thought they were going to sue the person getting stabbed because they got blood everywhere as a result of being stabbed.
Old 02-18-05, 02:25 PM
  #12  
Video Gamer Reviewers
 
Join Date: May 2000
Posts: 4,161
Likes: 0
Received 0 Likes on 0 Posts
Originally Posted by Blade
I can see your corporate example coming true
It did happen. In Feb 2000 a major DDoS attack was launched against Yahoo, eBay, Amazon, and some other folks. I can't remember.
Old 02-18-05, 02:25 PM
  #13  
DVD Talk Hall of Fame
 
Duran's Avatar
 
Join Date: Jul 1999
Location: Columbia, MD
Posts: 8,173
Likes: 0
Received 0 Likes on 0 Posts
Originally Posted by JustinS
When the actual perp will probably never be caught or, if he/she is, ends up being a Canadian high school student with no assets (do a Google for "mafiaboy")?

A two-day outage at Amazon represents millions in practical losses. Granted, going after 1000 individuals in court is a very expensive proposition...
Amazon made $600 million last year. A 2 day outage would be approximately $3.3 million. The 3,000 individuals as a whole couldn't be considered more than 50% of the cause, since I would think the actual perpetrator would have to shoulder that blame. Multiply by 50%, divide by 3,000 individuals - that's $550/individual. That's not worth the legal fees.
Old 02-18-05, 02:37 PM
  #14  
DVD Talk Hero
Thread Starter
 
jfoobar's Avatar
 
Join Date: Jun 2000
Posts: 38,102
Likes: 0
Received 16 Likes on 11 Posts
Originally Posted by Duran
Amazon made $600 million last year. A 2 day outage would be approximately $3.3 million. The 3,000 individuals as a whole couldn't be considered more than 50% of the cause, since I would think the actual perpetrator would have to shoulder that blame. Multiply by 50%, divide by 3,000 individuals - that's $550/individual. That's not worth the legal fees.
Well, unless you're the RIAA.
Old 02-18-05, 02:48 PM
  #15  
DVD Talk God
 
kvrdave's Avatar
 
Join Date: Aug 1999
Location: Pacific NW
Posts: 86,189
Likes: 0
Received 2 Likes on 2 Posts
Originally Posted by Derrich
The initial responsibility falls to the OS maker. It should be secure and safe out of the box without the user having to buy a bunch of extra software. Ford can't sell you a new car with no brakes and then say 'You have to get those from somewhere else'.

D
But if you are an OS maker and bundle extra software, we'll get you as well, because you are being predatory.
Old 02-18-05, 03:30 PM
  #16  
DVD Talk Hero
 
Join Date: Aug 2001
Location: in da cloud
Posts: 26,193
Likes: 0
Received 1 Like on 1 Post
Originally Posted by Derrich
The initial responsibility falls to the OS maker. It should be secure and safe out of the box without the user having to buy a bunch of extra software. Ford can't sell you a new car with no brakes and then say 'You have to get those from somewhere else'.

D
you can count out most linux distros then

a default install of fedora needs like 80MB in updates and a bunch of manual steps to be taken to secure your box
Old 02-18-05, 05:00 PM
  #17  
DVD Talk Legend
 
Join Date: Jan 2000
Posts: 16,171
Likes: 0
Received 1 Like on 1 Post
"Hacking victims face legal threat"

Damn!! There goes my excuse in court for why all those songs and movies came from my IP address
Old 02-18-05, 07:01 PM
  #18  
DVD Talk Hall of Fame
 
Duran's Avatar
 
Join Date: Jul 1999
Location: Columbia, MD
Posts: 8,173
Likes: 0
Received 0 Likes on 0 Posts
Originally Posted by JustinS
Well, unless you're the RIAA.
Except the RIAA has a statutory remedy of thousands of dollars per instance of copyright violation. That makes it orders of magnitude greater than what could reasonably be claimed from a DoS, since they typically only went after what they saw as large violations.
Old 02-18-05, 07:06 PM
  #19  
DVD Talk Legend
 
matome's Avatar
 
Join Date: Oct 1999
Location: NY
Posts: 12,304
Likes: 0
Received 1 Like on 1 Post
Originally Posted by kvrdave
But if you are an OS maker and bundle extra software, we'll get you as well, because you are being predatory.
Yep. It's a lose/lose situation for MS.
Old 02-19-05, 10:31 AM
  #20  
Banned
 
Join Date: May 2000
Location: Wheaton MD
Posts: 16,214
Likes: 0
Received 1 Like on 1 Post
It may not be that costly... if a law firm can sue just a few people for not having the necessary anti-virus / firewall / insurance / os updates for their system, millions of other computer owners will line up for all of that. I'm sure McAfee or Norton can foot a few hundred thousand for those initial lawsuits if it means millions in anti virus sales.
Old 02-19-05, 10:59 AM
  #21  
DVD Talk Hero
Thread Starter
 
jfoobar's Avatar
 
Join Date: Jun 2000
Posts: 38,102
Likes: 0
Received 16 Likes on 11 Posts
Originally Posted by al_bundy
you can count out most linux distros then

a default install of fedora needs like 80MB in updates and a bunch of manual steps to be taken to secure your box
That's the reality of the OS market, and it wouldn't be fair to hold MS to a higher standard. It is basic knowledge that any OS needs to be patched before it is placed in a position of vulnerability (i.e. connected to the Internet). The fact that so many home users (and a shameful number of business users) don't seem to possess this basic knowledge is not something that can be pinned on MS or Red Hat.

The underlying issue here is that we have gone on far too long without people acting in a responsible manner when it comes to protecting their PCs. This is not an issue because anyone really gives a rat's ass if Jimbob's PC gets 0wn3d, they give a rat's ass because Jimbob's 0wn3d PC can be used as a launching pad for attacks against others, be it as a slave in a DoS attack, a repository for malcode, or even as a spam relay.

At some point, the world is going to have to start holding Jimbob responsible for not taking basic steps to protect his PC. The future of the Internet (at least as we know it now) somewhat depends on this, IMHO. One way for this sort of shift in culpability to begin is with some lawsuits, first targeting businesses/educational institutions/etc. and then later targeting home users.

I use the word "somewhat" above because the focus may shift elsewhere. Quoting from a whitepaper I myself wrote on a similar subject years ago:

"In considering tort liability, numerous courts have adopted an economic analysis known as “best cost avoider.” This analysis says that legal liability should rest on the “best cost avoider” for the harm, or the actor who is in the best position to know the risk and take precautions against it. Being in the “best position” means the actor is situated such that it can develop the information about the risk and implement the precautions most cheaply."

The focus may shift instead to ISPs. Most ISPs are not at all staffed to take any level of responsibility for their clients. Maintaining a fully staffed and well-trained CIRT (computer incident response team), not to mention the scads of technology required to support such an effort, is mucho $$$$. If they are forced to do this to protect themselves against lawsuits, the savings will be passed onto the customers, even those that are already exercising due care. In other words, you may ultimately be punished financially for the inaction of your fellow ISP subscribers.

Looking into the Internet crystal ball, another possibility is that the Internet as we know it will cease to exist for many people in another decade or so. A move to secured sub-networks may occur with all content coming in from the nasty outside world being heavily filtered and validated. Think of how providers like AOL and Prodigy used to be and you'll get a little bit of a sense of what I am talking about. So long as customers can still IM and trade emails with friends who are on competing networks and they can still pull up websites from major, validated vendors/organizations, the hoi polloi may gladly pay for this if it protects them against most malware, most spam, and keeps their children from surfing porn sites, getting them sued for downloading off of P2P networks, etc. The rest of the Internet will start to be viewed as a decaying wasteland the way many people look at Usenet now.

Last edited by jfoobar; 02-19-05 at 11:05 AM.


Copyright © 2018 MH Sub I, LLC dba Internet Brands. All rights reserved. Use of this site indicates your consent to the Terms of Use.