News for nerds, stuff that matters

Killing Others' Malicious Processes

Posted by Hemos on Wed Jan 15, 2003 08:58 AM
from the shot-'em-dead dept.
Roland Piquepaille writes "This opinion is not mine, but the one of Tim Mullen, from SecurityFocus Online. In this story, he expresses some strong ideas regarding systems infected by worms. "I believe you should have the right to neutralize a worm process running on someone else's infected system, if it's relentlessly attacking your network. I've even written code to demonstrate the process. Though the initial news coverage of the concept was grossly inaccurate in conveying my ideas, it has stirred up a constructive dialog. I knew my idea was controversial, but I was wrong about something -- I figured everyone in the security biz would "get it" and that the hard part would be convincing everyone else that if they can't or won't secure their machines, we as the defenders would have the right to terminate the process attacking us. It has turned out to be the opposite." The author then looks at the criticisms about this strikeback idea raised by some security experts -- to dismiss them of course. Check this column for a summary or read the original story for more details."
  • by Gyan (6853) on Wednesday January 15 2003, @09:01AM (#5087150)

    RIAA : Great. Now, who's running Kazaa ?
    • Re:Killing Others' Malicious Processes by rip42 (Score:1) Wednesday January 15 2003, @10:33AM
    • Re:Killing Others' Malicious Processes by DrDebug (Score:2) Wednesday January 15 2003, @11:26AM
    • by karmawarrior (311177) on Wednesday January 15 2003, @02:17PM (#5089318) Journal
      When I wrote [slashdot.org] a proposal for keeping system administrators accountable - ensuring that if someone puts a machine on the Internet, they take the necessary steps to secure it, it generated howls of outrage from people who clearly felt that there is no onus on admins to keep their machines secured and that blaming them in any way for the damage they cause is wrong.

      Jokes about the RIAA aside, which has indeed asked for laws to allow it to do exactly what you deem jokeworthy, the fact is that most people consider their PCs their own property but not their own responsibility. The view appears to be that it's ok for someone to leave a machine on the Internet available for anyone to take over, that the person who puts it there has no responsibility, and that anyone who complains, tries to get it fixed, etc, is in the wrong.

      Friends, I know that we all consider those who crack computers to be the ultimate culprits in any situation where a computer is damaged, but that doesn't mean that people shouldn't take responsibility for their own parts in allowing this to happen. Someone who quite blatantly leaves his or her keys in their car and parks outside bars would not be viewed by most people as completely blameless in the event that a drunk staggers out, takes the car, and drives it into a shop window.

      Leaving a machine unsecured and unmonitored on the Internet is a sure-fire way of ensuring it is hacked and used to attack other machines. We know this. Yet people continue to do it. They do not secure their machines once hacked, and they allow their own machines to attack others once hacked. This is negligence, pure and simple.

      This quagmire of negligent sysadmins not securing their machines, not allowing their machines to be shut down by victims yet not willing to consider the consequences of their failure to secure their machines and to turn off machines that attack others will not disappear by itself. Unless people are prepared to actually act, not just talk about it on Slashdot, nothing will ever get done. Apathy is not an option.

      You can help by getting off your rear and writing to your congressman [house.gov] or senator [senate.gov]. Tell them that negligent sysadmins who are happy to keep their computers connected to the Internet all of the time but aren't willing to take basic, simple, security precautions to ensure they play with others are a danger to the security of the Internet, a menace to other 'net users, and cause billions of dollars of damage every year. Tell them that you appreciate the work being done by groups like Security Focus, BugTraq, and even the efforts made by Microsoft to secure their systems and provide easy ways of keeping their products secure, but that if those responsible for computers that are on the Internet do not make use of the tools and features made available to them, you will be forced to use less and less secure and intelligently designed alternatives. Let them know that SMP may make or break whether you can efficiently deploy OpenBSD on your workstations and servers. Explain the concerns you have about freedom, openness, and choice, and how incompetent system administration harms all three. Let them know that this is an issue that affects YOU directly, that YOU vote, and that your vote will be influenced, indeed dependent, on whether or not they are willing to propose laws that provide proper deterrents to poor system administratorship and allow those attacked by poorly managed machines to fight back.

      You CAN make a difference. Don't treat voting as a right, treat it as a duty. Keep informed, keep your political representatives informed on how you feel. And, most importantly of all, vote.

  • Legalised hacking.. (Score:5, Insightful)

    by Anonymous Coward on Wednesday January 15 2003, @09:01AM (#5087151)
    yet again under another pretense.

    This will be abused like all the other technology laws.
    • Simple fix by BoomerSooner (Score:2) Wednesday January 15 2003, @09:30AM
      • Re:Simple fix by berny@work (Score:3) Wednesday January 15 2003, @09:57AM
      • Re:Simple fix (Score:4, Insightful)

        by Tom (822) on Wednesday January 15 2003, @10:19AM (#5087643) Homepage
        Seems to solve 99% of my problems

        Yours, yes. Lots of people, and almost all companies, pay for their internet access, often by traffic. Blocking the crap at the firewall doesn't take care of that problem. In many cases, it makes it worse (due to retries).
      • Re:Simple fix by Arjuna Theban (Score:2) Wednesday January 15 2003, @10:55AM
      • Re:Simple fix by nullard (Score:1) Wednesday January 15 2003, @11:08AM
    • Re:Legalised hacking.. by macdaddy357 (Score:3) Wednesday January 15 2003, @11:06AM
    • Re:Legalised hacking.. (Score:4, Insightful)

      by sniggly (216454) on Wednesday January 15 2003, @11:55AM (#5088496) Journal
      it's not a law. This is an international problem for which a law will most likely never come into being.

      Imagine I am your next door neighbour and I have a dead animal on my porch, the stench and health hazard is more than an annoyance to you. You can take action against that by removing the dead animal from my space but you would enter my premises doing so. Instead you can call the police or any other agency that might take the trouble to show up and deal with it.

      On the internet there is no 911. There is an uplink admin that might take action but the uplink might have a legal obligation to keep the link up. If the attacks take up a significant portion of your bandwidth you are seriously compromised, you are probably paying for the bandwidth the attacker is using while trying to compromise your system.

      Taking out the worm on the attacking system is what one could call a "surgical strike", you deal with it.

      It could be illegal to do so and for this you take responsibility.

      But is it immoral? Those here who seem to argue from a moral perspective saying it's wrong to try to stop worm attacks by entering and killing the worm on the attacking machine apparently are not server admins themselves. When you are under attack all you want is for it to stop.
      • Re:Legalised hacking.. (Score:5, Insightful)

        by GMontag451 (230904) on Wednesday January 15 2003, @03:37PM (#5089856) Homepage
        The way I see this is akin to a self defense plea when you are charged with murder. If someone is coming at you with a gun, you have the right to stop him/her with any available force. However, if you are charged with murder, the burden of proof is on you to show that you were acting in self-defense. The same should go for an attack on the internet. If some computer is attacking you, you should be able to react with reasonable force. But the burden of proof should again be on you to show that you were acting with reasonable force.
    • Re:Legalised hacking.. by GMontag451 (Score:2) Wednesday January 15 2003, @03:44PM
  • Leave them alone !? (Score:3, Insightful)

    by mirko (198274) on Wednesday January 15 2003, @09:02AM (#5087152) Homepage Journal
    You should not interact with others' machines:
    Let them fix their worm problems themselves or they may not appreciate it.
    It is normal and nice to tell them they have a problem but your work stops here !
    • Re:Leave them alone !? (Score:5, Interesting)

      by rmadmin (532701) <rmalek@hom e c o de.org> on Wednesday January 15 2003, @09:18AM (#5087244) Homepage
      I agree with this! I work for an ISP, and when we come across a user that we cannot contact to notify of problems, we simply disconnect them until they can prove they have resolved the problem. It's worked wonders. We see so much less virus activity trying to hit our mail servers, and we've had a lot less complaints about people having a virus or worm.
      • Re:Leave them alone !? by sfled (Score:3) Wednesday January 15 2003, @09:29AM
      • Re:Leave them alone !? by caseyc (Score:2) Wednesday January 15 2003, @09:40AM
      • Re:Leave them alone !? by secolactico (Score:3) Wednesday January 15 2003, @09:41AM
      • Re:Leave them alone !? by Mr_Silver (Score:2) Wednesday January 15 2003, @09:49AM
      • Re:Leave them alone !? (Score:4, Insightful)

        by walt-sjc (145127) on Wednesday January 15 2003, @10:37AM (#5087769)
        Um, and what about the guy who has to wait for days, his network being hammered, piling up network usage charges, while you take your sweet time in the disconnect process? Do you cut your customers off if you can't reach them in 10 minutes or do you give them a while?

        Of course then you also have ISPs that are so backlogged that they don't respond to a security issue for days to begin with, or the ISPs in China that can't read English so just ignore you.

        Through rose-colored glasses this is fine. In the real world it fails.

        A good example was code-red. It wasn't just one server once in a while trying to infect your server, it was HUNDREDS. Simultaneously. How the fuck do you handle that through notification? How long are you willing to let your business be offline?

        Code-red was just another wake-up call. The next worm might be MUCH more malicious and do MUCH more harm to the internet.
    • Re:Leave them alone !? by crazyphilman (Score:2) Wednesday January 15 2003, @10:08AM
      • Re:Leave them alone !? by DancingSword (Score:2) Wednesday January 15 2003, @10:31AM
        • Re:Leave them alone !? (Score:4, Interesting)

          by crazyphilman (609923) on Wednesday January 15 2003, @11:18AM (#5088229) Journal
          DancingSword said: "Dropping the packets isn't going to save me from paying for the bandwidth, or unclog my connection ( this IS assault, we're talking about ), and no matter how I makebelieve that they aren't touching my machine, therefore I have no right to touch theirs, it isn't that clear/simple ( they are obliterating my resources, for starters ):"

          Yes, but the correct approach is to complain to your ISP and have them firewall the offending packets off upstream, without making you pay for them. If you're a business customer this shouldn't be a problem for the ISP.

          Then he said: "If A PROCESS among their machine is attacking me & costing me, then have I the right to kill that process's action..?"

          No; you're not killing an action by firewalling their traffic. You are blocking it, just as you have the right to put a lock on your front door to block a thief from entering your house. You're not tying the thief to a telephone pole; he still has his liberty -- you're just keeping him out of YOUR house, which is YOUR right. See? Your rights end where the thief's rights begin, and vice versa.

          Then he said: "If not, then assaulting/damaging others' ( by losing them their ISP/connection, or costing them thousands of dollars in bandwidth, or obliterating their livelihood's function ) is a right, and neither one's-own-resources, nor defensive-action is *equal* a right."

          Now, you're using a non sequitur. You cannot proceed from the other proposition to this conclusion; it just doesn't work. Here is what I think the "rights" situation is (just to be clear):

          I have the right to take action on MY OWN MACHINE, to prevent your machine from interfering with me. Thus, I can firewall your machine off from me, and I can ask my ISP to put in an upstream firewall to protect my business. This only affects MY machine, so it doesn't impact any legitimate rights of the attacker.

          Even if an attacker is DOS'ing your server, you do not have the right to attempt to counter-hack him. Your rights end where his begin, you see: he has the right to expect privacy and noninterference on his system just as YOU do on yours.

          The only appropriate action is to involve your ISP and the authorities. They can then take LEGAL action against the source of the attacks.

        • You can kill my gun... by Behrooz (Score:1) Wednesday January 15 2003, @05:31PM
    • Re:Leave them alone !? by Anonymous Coward (Score:1) Wednesday January 15 2003, @10:10AM
    • Re:Leave them alone !? by rlthomps-1 (Score:1) Wednesday January 15 2003, @10:12AM
    • No Duty to Retreat... (Score:5, Interesting)

      by Pii (1955) <<gro.rebasthgil> <ta> <idej>> on Wednesday January 15 2003, @10:15AM (#5087608) Homepage Journal
      There is a concept in law called "No Duty to Retreat," and I see no reason why it cannot be applied in much the same way to cases like this.

      This concept relates to self-defense, and deadly force. Follow along with me...

      If a person is in public, and is threatened, that person must make every reasonable effort to avoid the use of deadly force as a means of self defense, prior to using such force. He must attempt to leave the scene, etc. In short, there is a Duty to Retreat.

      If, however, that person is in his home, his own property, that person may use deadly force as a means of self defense without having to exhaust every means of escape or avoidance. On his own property, a person has No Duty to Retreat.

      How is the scenario for Cyber-attack any different? Unlike most of the people commenting on this article, I believe you do have the right to take active measures in protecting your property.

      Obviously, we're not talking about deadly force... We're simply talking about electronic countermeasures.

      If an unsecured system on the Internet has been infected by a malicious program, and is now launching its own attack against your system, your property, denying you the use of bandwidth or resources that you are paying for, I think you're perfectly within your rights to put the attack down, and if necessary, the offending system.

      A person utilizing the Internet has a certain responsibility not to cause harm, either through action, or inaction. Most people on the Internet today seem tragically unaware of this. Without this, the Internet is ripe for a tragedy of the commons situation.

      Is it wrong to still believe that with Rights come Responsibilities, or that with Privilege comes Obligation?

      Your right to swing your arms around recklessly ends at the tip of your fingers, and at the beginning of my nose.

      I think Tim Mullen is 100% correct, and I'm surprised there aren't more people that agree with him.

      • Re:No Duty to Retreat... by yoshi_mon (Score:2) Wednesday January 15 2003, @11:48AM
      • Re:No Duty to Retreat... by shepd (Score:2) Wednesday January 15 2003, @11:52AM
      • Re:No Duty to Retreat... by cobyrne (Score:1) Wednesday January 15 2003, @11:58AM
      • Re:No Duty to Retreat... by janap (Score:1) Wednesday January 15 2003, @12:13PM
      • Re:No Duty to Retreat... (Score:4, Insightful)

        by regen (124808) on Wednesday January 15 2003, @12:32PM (#5088676) Homepage Journal
        But the situation is not exactly analogous. Imagine two neighbors, each armed with guns. A thief breaks into neighbor 1's house, and the thief and neighbor 1 start shooting at each other. The thief shoots a bullet that travels into your house. Thinking that you are under attack in your own house, you start shooting at neighbor 1's house. Maybe, you even realize that there is a thief in neighbor 1's house and you are trying to shoot the thief, but instead you shoot neighbor 1, killing neighbor 1. I don't think that you can claim self defense in the murder of neighbor 1.

        This situation is a much closer analogy.
      • Re:No Duty to Retreat... (Score:4, Interesting)

        by TFloore (27278) on Wednesday January 15 2003, @12:38PM (#5088693)
        "No Duty to Retreat" is also generally called the "Castle Doctrine" as in, Your home is your castle.

        It is very much a state-specific concept. For instance, Florida has Castle Doctrine in its law, you have no duty to retreat from your home if someone is attacking you. New York has no such law, and actually specifically states that you must retreat if you have any possible option to do so. If you get trapped in your basement by a home invader, and you have a 16"x16" window in your basement that you might possibly be able to squeeze through to get away, you *must* try to get out through that window before you may legally use deadly force to defend yourself.

        Also note that, for businesses and private individuals, there is nothing resembling Castle Doctrine for a place of business, only for a personal residence. Physical security forces are a special case, as they are nearly quasi-governmental.

        But this proposal raises several other interesting problems. One of the neat statistics that 2nd Amendment supporters love is the accidental shooting statistics comparison between police and people that legally carry a concealed weapon. Police are much more likely to shoot an "innocent bystander" or similar than someone with a CCW permit. The reason for this, if you look into things, is that a CCW permit holder is usually involved in the assault/crime from the beginning and knows exactly who the bad guys are. The CCW holder is usually the one *being* assaulted, and can see the assaulter right in front of them. The cops come in in the middle of things, and have to figure out who the bad guys are in mid-stream, sometimes under extreme time pressures.

        This relates to the Strikeback proposal rather directly. How many DDOS attacks use IP spoofing? Will you know who is attacking your system with certainty? How many systems are you allowed to incorrectly strike back at before you are legally liable?

        Which incompetent admins that can't secure their own systems are you going to let decide who to strike back at???

        Think of this in terms of the sniper attacks in the DC area last year. How much worse would it have been if 10 people nearby had pulled out guns and started randomly shooting at nearby vehicles that looked like they might be able to hide someone with a rifle? Thankfully, most people that carry a concealed weapon have more sense than to shoot at targets they are unsure of. I don't believe that of BOFHs on the internet.
        • Re:No Duty to Retreat... by Pii (Score:3) Wednesday January 15 2003, @01:17PM
          • Re:No Duty to Retreat... (Score:4, Insightful)

            by TFloore (27278) on Wednesday January 15 2003, @02:50PM (#5089522)
            No, I don't really think you want to go out shooting anyone that pings your system. I do think most people that want this law want to have their systems running reliably, and don't really care what damage they have to cause to other people's systems for that to happen.

            Your comparison of Nimda to a brake recall on a car is actually rather interesting. It allows us to consider a lot of things that might actually make sense here, and some that don't make much sense.

            First, your comparison to a brake recall would make more sense if the people driving the vehicle didn't know their vehicle *had* brakes. Many (not most, I believe, but a large minority) of the people that were running non-patched systems when Nimda became a problem didn't know they were running IIS. This is one of the reasons MS switched to services off by default.

            Second, the manufacturer found the problem, but didn't actually send out notices, just put a note on a web site somewhere where most people don't even know to look. Unless you make a specific effort to become aware of security issues, you won't know. You either join a mailing list and wade through way too much traffic for people that have real work to do also, or regularly visit a website and, again, read through too much traffic. Yes, I'm assuming these are not dedicated sysadmins, which is the case for most small and medium-sized businesses and homes.

            Third, for people that get regular service done at a dealer service center, the driver may not know or care about recall work, the dealer does it for them. That's supposed to be one of the reasons you get regular maintenance done by the dealer. Not just because you like paying horrible prices for an oil change. :)

            This is actually worth thinking about from the point of view of computer services companies. If IBM Global Services has a support contract with your company to maintain computers, and doesn't supply a patch, they are probably negligent. If IGS doesn't do it, is the company that owns the computers negligent, if they thought IGS would? (No, I don't work for IBM, they are just a convenient example.)

            Does a home user have a requirement to have their computer serviced regularly by a professional? How about a small business owner?

            If a small business buys a microwave oven for the break room and that microwave is subject to a recall because it causes fires... If the business never hears about this (never sent in their warranty card so they don't get notices, and they don't check an online recall site) and doesn't replace it, if someone dies in a fire caused by that microwave oven, is the business liable for not exercising due diligence?

            Frankly, I don't know. I just know this is more complicated than we'd like to pretend it is. I'm looking for a quote here, something along the lines of "For every complicated problem, there is a solution that is simple, easy, and wrong."
          • Re:No Duty to Retreat... by 0xA (Score:3) Wednesday January 15 2003, @08:03PM
          • Re:No Duty to Retreat... by Alsee (Score:2) Thursday January 16 2003, @01:41AM
        • Re:No Duty to Retreat... by GoneGaryT (Score:1) Wednesday January 15 2003, @03:54PM
      • Re:No Duty to Retreat... (Score:4, Interesting)

        by evenprime (324363) on Wednesday January 15 2003, @01:00PM (#5088818) Homepage Journal
        Pii said:
        There is a concept in law called "No Duty to Retreat," and I see no reason why it cannot be applied in much the same way to cases like this. This concept relates to self-defense, and deadly force. [....] If, however, that person is in his home, his own property, that person may use deadly force as a means of self defense without having to exhaust every means of escape or avoidance.

        On his own property, a person has No Duty to Retreat.


        What you say is correct in many, but not all jurisdictions in the USA. For example, in Florida [directedfire.com], your statement would be correct, since they allow the use of deadly force to protect any of your property. In contrast, Massachusetts [geocities.com] residents may not use deadly force to protect their property, although they can use it in self defense. Specifically:
        According to what I just googled [nwmissouri.edu], Kentucky, Massachusetts, Maryland, Missouri, Ohio, South Carolina, Virginia, Washington, Wisconsin and Wyoming don't even allow the use of deadly force to protect a dwelling. Surprisingly, it looks as though Maryland [direct-action.org] actually allows more latitude in the use of deadly force to protect your business than it does to protect your home. (If someone in one of those jurisdictions has better info, feel free to correct me.)

        Anyway, the short version here is that jurisdictions differ widely in a) what you are allowed to defend, and b) what means you are allowed to use in defense.

        How is the scenario for Cyber-attack any different?

        First off, this idea is a defense of property. It is not a matter of defending you or your family against death or bodily injury. All states allow the use of deadly force to protect you and your family, but they differ widely in what *else* they let you protect with deadly force; i.e. you may not be allowed to use deadly force to protect your property.

        Obviously, we're not talking about deadly force... We're simply talking about electronic countermeasures

        You correctly noted that computer strikeback is not the same as the use of deadly force, but you failed to note that the states have similar disparities in computer laws. For example, the Oklahoma Computer Crimes Act of 1984 makes it a felony to
        Why strikeback is a bad idea.

        What is legal in your jurisdiction may not be legal in your target's jurisdiction, or in the jurisdictions of the computers, switches and routers that your attack travels through en route to the target

        It may not be effective in eliminating the problems your network is having from the target site - if you strike back against a machine and accidentally harm it, you could find yourself in a protracted feud with the owner of that system (a la "hatfields vs. mccoys") which ends up being more of a bother to you

        If you cause collateral damage, you could be liable for it - e.g. someone is flooding you with easily spoofable ICMP and UDP packets and you foolishly DoS the machine whose IP address appears in the header, thus shutting down a small business owner's website. There's a good chance you'll get sued if they know what happened.

        it may not be cost effective to accurately trace and identify the machine that is attacking you.

      • Re:No Duty to Retreat... by g_goblin (Score:1) Wednesday January 15 2003, @01:13PM
      • Re:No Duty to Retreat... by poot_rootbeer (Score:2) Wednesday January 15 2003, @01:21PM
      • Re:No Duty to Retreat... by plover (Score:2) Wednesday January 15 2003, @06:32PM
      • Re:No Duty to Retreat... by Pii (Score:2) Wednesday January 15 2003, @11:43AM
      • Re:No Duty to Retreat... by Sylver Dragon (Score:2) Wednesday January 15 2003, @02:16PM
    • I disagree.. it costs me money! by Marx_Mrvelous (Score:2) Wednesday January 15 2003, @10:15AM
  • actually by Anonymous Coward (Score:2) Wednesday January 15 2003, @09:02AM
    • Re:actually (Score:4, Informative)

      by greechneb (574646) on Wednesday January 15 2003, @09:08AM (#5087192) Homepage Journal
      I seem to remember such a thing for unix/linux systems a while back, a search on google would probably find it.

      I'm pretty sure no one liked it. (I think the creator got bashed for it actually.) Mainly for the reason that changing something to fix a worm might break another process running on your machine if not done the correct way.

      If you are so worried about another machine trying to break into your own, I'd be securing yours better so you wouldn't have to worry...

      • cheese, the friendly worm by greechneb (Score:3) Wednesday January 15 2003, @09:14AM
      • Re:actually by bpfinn (Score:2) Wednesday January 15 2003, @09:43AM
      • Re:actually by Gerry Gleason (Score:2) Wednesday January 15 2003, @10:16AM
      • Re:actually by patter (Score:1) Wednesday January 15 2003, @12:45PM
  • Vigilante justice? (Score:5, Insightful)

    by grub (11606) <slashdot@grub.net> on Wednesday January 15 2003, @09:04AM (#5087164) Homepage Journal

    Exactly who decides what constitutes "relentlessly attacking your network"?
    A simple NMAP scan? What about Netbios scans? @Home scans for open NNTP servers... etc etc..
  • More discussion at Counterpane (Score:5, Informative)

    by Sheridan (11610) on Wednesday January 15 2003, @09:04AM (#5087170) Homepage
    Bruce Schneier has more discussion of this in the latest Crypto-Gram [counterpane.com] issue, both in the main section and in the letters (including a letter from Tim Mullen).

    There is a good justification in Mullen's letter as to why this proposal is different from the RIAA's proposed attacks on computers that they suspect of hosting unauthorised copyrighted material.

    • Re:More discussion at Counterpane (Score:5, Interesting)

      by JPawloski (546146) <jpawloski@gmail.com> on Wednesday January 15 2003, @09:21AM (#5087263)
      "Since the owner of a system has no responsibility for the actions of a worm, or any malicious process, that runs without their knowledge, I submit that they also have no rights to the process. No responsibility means no rights.

      So, if they have no rights to the process, there is no infringement against them when we neutralize it. If someone wants to claim that their rights were violated by our taking out the attacking process, then they should be held accountable for the actions of the process from its inception. They can't have it both ways. "

      That, I think, is a good point. The solution, however, is not to make the counterattack legal, thus continuing to absolve people of responsibility, but to make the owners of the systems legally responsible for their failure to secure their systems. If your system is 0wn3d and used to launch a DDoS attack on AOL (or Slashdot, Kuro5hin, whoever), then AOL should have the right to sue you for damages. Your incompetence caused their loss.

      You say you can't afford to pay? Tough. Should have thought of that before you put your insecure system online. You say it's the fault of the manufacturer for selling the insecure system in the first place? Take them to court. Too expensive? Well, if their system is too expensive to use, then people won't use it.
      • you sue me : I sue GNU by DrSkwid (Score:3) Wednesday January 15 2003, @09:43AM
      • Re:More discussion at Counterpane by Omicron (Score:1) Wednesday January 15 2003, @09:45AM
      • Computers are not Cars, but even so . . . by MisterSquid (Score:3) Wednesday January 15 2003, @10:48AM
        • by MalleusEBHC (597600) on Wednesday January 15 2003, @11:53AM (#5088485)
          I don't think it is a matter of holding everyone responsible for any attack that may come from their machine. It is about holding negligent users responsible for their negligent actions.

          For example, if someone owns a gun but keeps it locked in a safe in their house and stores the ammo somewhere else, yet some master thief manages to steal their gun and use it in a crime, I doubt anyone would say that is the fault of the gun owner. However, if the same gun owner left the gun loaded and lying around on their front lawn and someone came by, picked it up, and shot somebody, they would be sued and/or arrested for their negligence.

          The problem is determining at what point is a computer user negligent. Is your average consumer negligent for connecting their Windows box to a high-speed connection and not using any firewall software? Or is it someone who turns on various services like file sharing without knowing full well what they are getting into? Or is it anyone who takes reasonable precautions, but when they get cracked they don't realize it until their box has had a chance to eat up tons of somebody else's bandwidth?
        • Re:Computers are not Cars, but even so . . . by MrResistor (Score:2) Wednesday January 15 2003, @05:01PM
      • Plaigarist! Karma Thief! Loser! by wiredog (Score:3) Wednesday January 15 2003, @10:57AM
      • Re:More discussion at Counterpane by jdreed1024 (Score:2) Wednesday January 15 2003, @11:39AM
      • Re:More discussion at Counterpane by costas (Score:2) Wednesday January 15 2003, @11:44AM
      • Incompetence? by EvilBudMan (Score:2) Wednesday January 15 2003, @12:22PM
      • Re:More discussion at Counterpane by Cyclometh (Score:3) Wednesday January 15 2003, @12:43PM
      • Re:More discussion at Counterpane by FurryFeet (Score:2) Wednesday January 15 2003, @04:18PM
    • Re:More discussion at Counterpane by Cally (Score:2) Wednesday January 15 2003, @09:33AM
  • Duty of care (Score:5, Interesting)

    by benjiboo (640195) on Wednesday January 15 2003, @09:05AM (#5087171)
    It could be argued that people who hook up to a public network owe a duty of care to other users of said network.

    At some point, being stupid becomes negligent.

  • Well by Pros_n_Cons (Score:2) Wednesday January 15 2003, @09:05AM
    • Re:Well (Score:5, Interesting)

      by mccalli (323026) on Wednesday January 15 2003, @09:19AM (#5087252) Homepage
      Security guys are some of the most paranoid on the planet, we're talking about guys that won't run LIDS 'cause they don't trust it. Why would they be for someone remotely screwing w/ their machine?

      Because they're being arrogant enough to assume that it would be them screwing with your machine, not the other way round.

      Obviously, security experts are perfect and would never have malicious processes running on their machine. Whereas you little people are obviously weak and fallible, and need the demi-gods to come in and hack you. In your best interests of course. And they won't ever make mistakes whilst they're there, promise.

      I'm entirely against this proposal. If there's a problem with particular machines, it should be dealt with at the ISP level. Now enforceable rules and remedies there I'm completely in favour of.

      Cheers,
      Ian

  • I don't think he's misunderstood.... (Score:4, Insightful)

    by Patman (32745) <pmgeahan-slashdot@noSpam.thepatcave.org> on Wednesday January 15 2003, @09:06AM (#5087181) Homepage
    ...I think he's a pompous ass.

    Let's check this quote from his page:

    I think the main reason for the knee-jerk criticism from the likes of Schultz is that they work largely in a theoretical rose-colored world of security, where all problems are solved after a cup of coffee and a bit of pontification. Those who actually work in the operational end of network and system security see things as they really are.


    In other words, "if you don't agree with me, you're not a real security guy".


    I, personally, feel that breaking into someone else's machine without permission is an ethical violation. But, according to this schmuck, that's not valid because I don't see things "as they really are".

    • by LostCluster (625375) on Wednesday January 15 2003, @09:27AM (#5087292)
      "Things as they really are" is that the guy stuck in the server room when a DDOS happens is blamed for the downtime by the people around him, but he has zero power to make it stop. This is a problem for your average power-tripped server admin, who's used to being root and having nobody get in his way.

      The fact is, there's nothing a DDOS victim can directly do to stop the attack. They have to call their ISP to plant a firewall upstream of their wire so that useless data doesn't clog the connection. Maybe it'd be better to automate that in the router protocols, something along the lines of "xxx.xxx.xxx.xxx has requested that traffic being sent to it by yyy.yyy.yyy.yyy be routed to the bit bucket for the next 6 hours." That'd effectively make the attackers disappear from the attackee, and could be sent out as soon as the attack is realized.
    • Re:I don't think he's misunderstood.... by analog_line (Score:2) Wednesday January 15 2003, @09:40AM
      • by phil reed (626) on Wednesday January 15 2003, @10:07AM (#5087543) Homepage
        Anyone who believes that vigilante justice is either legal, or ethical needs a wakeup call. I hope this guy actually tries it and gets himself landed in court for his trouble.

        Here's an interesting distinction (found in the letters on Crypto-Gram): If you reverse-attack a machine that's attacking you, is it vigilante justice or is it self-defense? Vigilante justice is when you hunt somebody down after the fact, self-defense is when you stop somebody during the act. Both have significant case law, and self-defense is quite justifiable under certain circumstances (action was done to avert a threat of immediate, significant harm, harm caused by the action was not disproportionate to the harm avoided, etc). I think a strong case for self-defense can be made here.

        • Re:I don't think he's misunderstood.... by Patman (Score:2) Wednesday January 15 2003, @10:39AM
        • Re:I don't think he's misunderstood.... by DonFreenut (Score:1) Wednesday January 15 2003, @10:49AM
          • Re:I don't think he's misunderstood.... by phil reed (Score:2) Wednesday January 15 2003, @11:24AM
          • Nice one Strawman... by bhsx (Score:2) Wednesday January 15 2003, @11:25AM
          • by Doc Hopper (59070) <slashdot@barnson.org> on Wednesday January 15 2003, @12:09PM (#5088581) Homepage Journal

            Except that self-defense applies to people, not inanimate objects which happen to be in your care.


            Self-defense does not apply only to people. It also applies to things, animals, and pretty much any noun that threatens you.

            What you say is DEFINITELY true here, though:


            There are a variety of metaphors with which to distort this issue.


            Heh, let's confuse the metaphors even more :)

            Computers, to me, seem to be particularly analogous to working animals. Although a computer is not sentient, in many respects this machine is much like a domesticated animal. We can play with it, we can use it for useful tasks, and if we wish to domesticate it we must take care of it in certain ways. Unfortunately, many people don't realize their duties as a computer owner, and let their system be infected by virulence which threatens the neighboring herds with the same. We could deal with just that, but the virulence causes their animals to attack mine. I am within my rights to kill an animal attacking my animals. The confusion comes because we need to chase these animals across "property lines". It's like they own a monkey that stands on their side of the fence and chucks rocks at the windows of my house. The authorities think it's kind of funny and don't know what to do about it, I have broken windows, and building a bigger fence just entertains the monkey.

            I say, shoot the monkey. Problem solved, and if the monkey's owner gets upset about it, they can deal with me, and I can counter-sue for all my broken glass.
    • Re:I don't think he's misunderstood.... by berny@work (Score:1) Wednesday January 15 2003, @10:22AM
    • Re:I don't think he's misunderstood.... by zbuffered (Score:2) Wednesday January 15 2003, @10:38AM
    • Re:I don't think he's misunderstood.... by Herr_Nightingale (Score:2) Wednesday January 15 2003, @04:14PM
  • There's a guy next door (Score:5, Funny)

    by oliverthered (187439) <oliverthered@NOSPAm.hotmail.com> on Wednesday January 15 2003, @09:08AM (#5087190)
    Well, he's singing one song quite loudly during the day time and it keeps me awake. (I'm a night worker)

    Tomorrow I'm going to pin the fucker down and cut out the bit of his brain that makes him sing that horrible song over and over again.

  • gimmee the keys to your house by HealYourChurchWebSit (Score:2) Wednesday January 15 2003, @09:08AM
  • loss of business (Score:4, Insightful)

    by KDan (90353) on Wednesday January 15 2003, @09:08AM (#5087193) Homepage
    The only problem with this strikeback thing is what if the machine which is infected is business-critical?

    If you're going to take it on yourself to fix other people's machines, what if this causes them loss of business? And there's also varying definitions of what "strikeback" or "fixing" could mean. What if someone decides to "fix" your database server by shutting it down? Shouldn't they be held liable for the damages caused, just as someone who does that maliciously can be held liable?

    There's just too many holes in this strikeback philosophy. It opens the door to tons of abuse too: "I only broke into this machine to fix it, I swear, gov'nor!"

    I think it would also result in pretty dire situations when a machine equipped for strikeback mistakenly decides another machine (also strike-back-enabled) needs to be "fixed", and starts attempting to hack into it - and then the other one detects it as well, and they start concurrently trying to hack into each other... probably saturating the network with crap on the way...

    Daniel
  • Fully support his idea by itallushrt (Score:1) Wednesday January 15 2003, @09:09AM
  • ISP can sorta do this (Score:5, Insightful)

    by EvilAlien (133134) on Wednesday January 15 2003, @09:09AM (#5087199) Journal
    At least they can act to contain the spread of a virus, but not by killing processes on customer PCs. They can, however, disable service, whether it be a cable, *dsl, or dialup modem account. Shutting off service and forcing customers to take measures to clean their infected computers is allowed by the acceptable use, terms of service, and other policies which protect the ISP's rights to take action.
  • The rights of the many and the few (Score:5, Insightful)

    by katre (44238) on Wednesday January 15 2003, @09:10AM (#5087201)
    If parents don't vaccinate their children, the state takes them out of school. If a dog consistently attacks people, the authorities put it down. If someone commits three felonies, they are put away for life. This is because the rights of the many outweigh the rights of the one.

    This is an interesting point, because it shows the essential flaw in this logic. In all of these examples, who is acting? "The authorities", namely, the government. In this absurd "strikeback" proposal, who is acting? Vigilante sysadmins. If anything, his examples prove that we need a national cybersecurity enforcement agency, which is responsible for taking machines offline when they get virus-infected. Clearly, this is a bad idea, and that's why strikeback will never work.
  • He send us the bomb!

    Next you will be telling us that it's ok for government A to overthrow government B if it thinks B is destabilizing to it.

    HHOS

  • The money quote (Score:5, Insightful)

    by wiredog (43288) on Wednesday January 15 2003, @09:11AM (#5087206) Journal
    Since the owner of a system has no responsibility for the actions of a worm, or any malicious process, that runs without their knowledge, I submit that they also have no rights to the process. No responsibility means no rights.

    So, if they have no rights to the process, there is no infringement against them when we neutralize it. If someone wants to claim that their rights were violated by our taking out the attacking process, then they should be held accountable for the actions of the process from its inception. They can't have it both ways.

    That, I think, is a good point. The solution, however, is not to make the counterattack legal, thus continuing to absolve people of responsibility, but to make the owners of the systems legally responsible for their failure to secure their systems. If your system is 0wn3d and used to launch a DDoS attack on AOL (or Slashdot, Kuro5hin, whoever), then AOL should have the right to sue you for damages. Your incompetence caused their loss.

    You say you can't afford to pay? Tough. Should have thought of that before you put your insecure system online. You say it's the fault of the manufacturer for selling the insecure system in the first place? Take them to court. Too expensive? Well, if their system is too expensive to use, then people won't use it.

    • Re:The money quote by EvilTwinSkippy (Score:2) Wednesday January 15 2003, @09:16AM
    • Re:The money quote by SlamMan (Score:1) Wednesday January 15 2003, @09:30AM
    • Re:The money quote by larva (Score:1) Wednesday January 15 2003, @09:30AM
    • Re:The money quote (Score:5, Insightful)

      by Tall Rob Mc (579885) on Wednesday January 15 2003, @09:39AM (#5087353)
      I think you make a very good point, but I don't believe it follows the right course. The best way to attack a problem is at its root. As much as we would all like to have 100% of online computers running completely securely, we cannot expect such a large user base to do this.

      If your car is stolen because you left it unlocked in a parking lot and used in a hit-and-run accident, the car owner should not be held responsible. Yes, it is his fault that he didn't lock his car, but it shouldn't be illegal for him to leave his car unlocked. The crime committed here was by the thief.

      Likewise, if your computer is used in a DDoS attack on a commercial website, you should not be held responsible unless you intentionally left it vulnerable specifically for use in an attack. The insecure computer has done nothing wrong, the blame is in the hands of the person who used the computer for a malicious attack.

      Blaming the owner of the insecure computer is simply cutting one head off of a hydra.

      • Re:The money quote by Tom (Score:2) Wednesday January 15 2003, @10:17AM
      • Re:The money quote (Score:5, Insightful)

        by tsg (262138) on Wednesday January 15 2003, @10:26AM (#5087686)
        If your car is stolen because you left it unlocked in a parking lot and used in a hit-and-run accident, the car owner should not be held responsible. Yes, it is his fault that he didn't lock his car, but it shouldn't be illegal for him to leave his car unlocked. The crime committed here was by the thief.

        Likewise, if your computer is used in a DDoS attack on a commercial website, you should not be held responsible unless you intentionally left it vulnerable specifically for use in an attack. The insecure computer has done nothing wrong, the blame is in the hands of the person who used the computer for a malicious attack.


        Just to pick a nit, the difference is that, in the case of a DDOS attack, once the owner of the system becomes aware of the problem, he has the power, and therefore the responsibility, to correct it. If someone allows his system to continue attacking someone else's, even if he didn't cause the problem, he should be held responsible.

        Once the car is stolen, the car is no longer under the owner's control. Once the system is compromised, the sysadmin can still control it, even if it means pulling the plug.

        That said, I still don't think it gives the victim of an attack the right to go in and muck about in someone else's machine.