[svlug] worms -n stuffy - vague

Rick Moen rick at linuxmafia.com
Tue Jun 5 00:36:01 PDT 2001


begin Rafael quotation:

> Agree here but the final responsibility still goes to the perpetrator.
> Just because you have door to the backyard it doesn't mean anybody can
> walk in there and do whatever they want.

There's an interesting topic of discussion, there, concerning varying
perceptions of negligence by victims vs. culpability of intruders -- and
it happens to have been addressed in a feedback letter to Bruce
Schneier's Cryptogram newsletter, this month.  See:
http://www.counterpane.com/crypto-gram-0105.html#9 , the third letter
down (from "Gerard Joseph" <gerard at au1.ibm.com>).

Hmm, tell you what.  It's reasonably short, so I'll just quote it:

From: "Gerard Joseph" <gerard at au1.ibm.com>
Subject: Military History and Computer Security

I keep thinking about the apportionment of blame between the innocent
defender and the guilty attacker.  Presumably, a bank robber would still
be charged and found guilty even if one night the bank completely forgot
to lock its doors or set its alarms.  But in that case I'm sure the bank
would be held partly responsible for the attack.  If someone takes a
shot at me while I'm ambling on the street, then he will always be
guilty, even though I might have been negligent in walking on that
particular street at that particular time.  It seems that in all cases
there develops, over time and in accordance with local norms and
experience, a state of equilibrium between the rate of crime and the
level of defenses that are customarily implemented to thwart criminal
acts.  Ideally, this state represents an optimal balance between the
level of crime and the cost of relevant defensive measures.  A criminal
who succeeds in spite of those defenses is more readily seen to be
guilty, while a victim who falls short in implementing accepted levels
of defense is less readily seen to be innocent.  But in no case does the
victim's negligence excuse or justify the crime, nor does the criminal's
ability to overcome your defenses excuse or justify their absence.

I think as far as the Internet is concerned, we are groping towards the
defining equilibrium between crime and defense.  Right now, there is a
set of protective measures whose omission would certainly represent
culpability on the part of a defender, and there is a set of attacks
whose commission would certainly represent a crime (whether legally
recognized or not) on the part of the attacker.  But in between there is
a grey area of defenses and attacks that lack categorical
classification.  To date, though, I think we've been too lenient on both
complacent defenders and aggressive attackers.  That must and surely
will change.  A starting point would be for the media to stop
interviewing hackers as if they were just ordinary community-minded
citizens.





More information about the svlug mailing list