Why I should have the right to kill a malicious process on your machine.
Schneier's reasoning ignores fundamental differences -- opposites, really -- between the RIAA proposal and what my strikeback technology does.
To refresh, I believe you should have the right to neutralize a worm process running on someone else's infected system, if it's relentlessly attacking your network. I've even written code to demonstrate the process. Though the initial news coverage of the concept was grossly inaccurate in conveying my ideas, it has stirred up a constructive dialog.
I knew my idea was controversial, but I was wrong about something-- I figured everyone in the security biz would "get it" and that the hard part would be convincing everyone else that if they can't or won't secure their machines, we as the defenders would have the right to terminate the process attacking us.
It has turned out to be the opposite.
TechTV's Cybercrime news magazine
It has been the "security experts" who have grouped as the opposition, some even with a level of condescension. For instance, Eugene Schultz of U.C. Berkeley's Lawrence Berkeley National Laboratory wrote in an
To the contrary, I am dead serious -- because we need
I think the main reason for the knee-jerk criticism from the likes of Schultz is that they work largely in a theoretical rose-colored world of security, where all problems are solved after a cup of coffee and a bit of pontification. Those who actually work in the operational end of network and system security see things as they really are. The men and women who work the trenches of system administration know that fast spreading worms like Nimda are a real problem that must be addressed, and are willing to work for a solution.
No Accountability, No Rights
I was surprised to see Bruce Schneier try to draw a bit of the red, red krovvy by
I'm not sure of the relevancy of a document the French National Assembly drafted 200 years ago, but let's ignore that for now. If anyone's rights are at issue here, it's yours and mine -- the people whose systems are being attacked by worms and viruses running rampant on negligently unprotected machines.
Schneier's reasoning ignores fundamental differences -- opposites, really -- between the RIAA proposal and what my strikeback technology does. Under the Berman bill, the RIAA could legally hack only people infringing their copyrights -- people the RIAA already have ample legal remedies against.
In contrast, my strikeback technique is aimed at an attacking worm-infected box whose owners have no legal responsibility, and to whom justice turns two blind eyes. We have no legal recourse against these people. Maybe in the distant future we can prove that every owner of a system connected to the Internet has a duty to perform due diligence in securing their assets, but today proving such a duty would be quite difficult, even in instances of the most grievous neglect.
Logic dictates that anyone who opposes a bill allowing corporate entities to attack our systems should support a technique to stop worm-ridden systems from doing the same.
As the debate continues, I'd like to suggest a new way of thinking about the parties involved in a strikeback scenario.
Since the owner of a system has no responsibility for the actions of a worm, or any malicious process, that runs without their knowledge, I submit that they also have no rights to the process. No responsibility means no rights.
So, if they have no rights to the process, there is no infringement against them when we neutralize it. If someone wants to claim that their rights were violated by our taking out the attacking process, then they should be held accountable for the actions of the process from its inception. They can't have it both ways.
If parents don't vaccinate their children, the state takes them out of school. If a dog consistently attacks people, the authorities put it down. If someone commits three felonies, they are put away for life. This is because the rights of the many outweigh the rights of the one.
And that is the way it should be.