web application security lab

Prosecute Victims - Worst Idea Ever?

I ran across this article today discussing how people should be criminally prosecuted or at least have internet privileges taken away for propagating malware. I really have no idea if this guy is supposed to be an expert or really has no clue how malware works, but frankly this means almost every man, woman and child should be in jail or at least be unable to use the Internet. That means 1MM users who got hit with Samy and another 1MM or so from worm should be off the net forever (some might actually agree those users aren’t doing much for the progress of the Internet, but I disagree).

While lots of the garbage of the Internet seems to stem around social networking sites, and people who do nothing but visit pr0n and war3z sites all day, it does not mean that that is entirely true. There are lots of otherwise hard-working, smart and honest people who get hit by viruses all the time. They just know zero about security. And even if they did, in this day and age with JavaScript malware all you have to do is visit a site to get infected anyway, allowing the remote attacker to use your browser to hack into other machines, send spam or any number of other bad things.

I’m not sure why people still think killing off the dumb will change security on the Internet. It’s not the dumb people that are causing these issues, it’s the security of the websites and the browsers that us smart people are in charge of! Granted, we are less likely to propagate those viruses, and we are quicker to shut them down, but we have to stop blaming our consumers for our own inability to solve complex computer security problems. I just really don’t see putting victims behind bars or fining them solving the issue. That’s like putting a burglar in jail but keeping your window open. How does that solve your problem of the fact your house is still trivial to get into? Anyway, I’ll get off my soap-box now.

17 Responses to “Prosecute Victims - Worst Idea Ever?”

  1. Chris_B Says:

    Sorry, but flawed logic here. You assume there is a difference between server admins and users, or rather that everyone who sets up a server on the public network is competent or even morally upstanding. The dumb knows no limits and has no bias about race, gender, nationality or creed.

  2. RSnake Says:

    So should everyone go to jail for installing a service that later turns out to be exploitable?

  3. Dean Brettle Says:

    You said, “That’s like putting a burglar in jail but keeping your window open.” Actually, I think it’s more like putting a car theft victim in jail because they left their car unlocked and it was subsequently used as a getaway car.

    I wonder how long it will be before someone posts a comment to his blog that contains an XSS attack…


  4. Jordan Says:

    This was a dumb idea when we were arguing with some other security folks earlier this year about it, and it’s a dumb idea now. In fact, earlier today I was relating that exact story to a student on campus here.

    We hold people responsible when they’re driving a car, because there’s a set of basic steps we can tell people to “do the right thing” and they generally don’t change very much over the years, or even lifetimes.

    When the “right thing” changes constantly in security (at least if you want 100% protection), how in the world can we expect average users to keep up?

    So grandma who knows nothing about computers should have to:

    Be able to recognize a phish email from legitimate bank notices

    Read mail headers to identify a real email sent from a relative versus a virus

    Learn how to surf with javascript disabled using only noscript when necessary

    Maintain anti-virus as well as a firewall and understand what it means when the firewall pops up requests to access the network

    Be able to read and understand the requests for elevated user privileges that pop up in all modern operating systems when you want to execute some system function. Extra credit for those able to recognize real popups for credentials with ones from already running local malware trying to escalate.

    I could go on. While there are a few basic precautions it’d be nice if users would take, this is not the method to do it. And don’t tell me that we should just pass the law and let judges sort out those who deserve to be punished from those who don’t because that’s (Julie Amero) obviously not going to work.

    Some of the suggestions I made above are doable to teach grandma, but if you’ve ever tried to teach someone to do /one/ of these things when they didn’t know computers you know the impossibility of teaching them to do it all. And that’s assuming there are even those who can teach them. Oh yeah, and that the threats and technology don’t change beyond what these cover.

  5. Jordan Says:

    Oh yeah. BTW, definitely /not/ supposed to be an expert:

    College journalism student. If I hadn’t heard some actual security people espouse the same idea, I’d be tempted to just ignore it without a response at this point, but sadly, some others who should know better appear to be suckered into thinking this is a good idea too.

  6. Tony Says:

    I actually run unsafe machines so I can get to check out what people are doing and the fancy tricks they are using to see if I can exploit those tricks.

  7. hackathology Says:

    @Tony: You are running a Honeypot I guess? That’s a smart way of seeing tricks the hackers use.

    @Dean: It’s not hard to detect an XSS on a comment especially when you already know it yourself.

  8. valdis Says:


    I’ve heard actual security people advocate it too. And sometimes they were even serious. But I’m suspecting/hoping that most weren’t *really* serious. You have to keep in mind that some of us have been doing this for a long time, and we’re approaching burnout. I’ve had security as at least part of a job description for a quarter century now, and if you had told me in 1982 that 25 years later, Vint Cerf was estimating 140 *million* compromised machines, I would have asked you for the name of your dealer, because you got hold of some mean shit weed. ;)

    And overall, things Just Aren’t Getting Better. It’s still next to impossible to configure a Windows box so Joe Sixpack doesn’t get pwned, and still not fun to try to move Joe onto some safer (for now) platform. For a while, I thought XP SP2 was going to actually make a difference - but all it did was discourage packets directed at services, and more email/web based attacks.

    And the real problem is that given a choice between “security” and “click this to see underdressed celebrities with dancing hamsters”, security will lose. Every Time. Guaranteed. And unfortunately, 90% of the population is now brainwashed into thinking that buttons that promise them celebrities and hamsters are a Good Thing, and if you try to take it away because it’s not safe for them, they’ll just go find somebody who can turn it on for them.

    I’m not holding out much hope for the younger users - they’re too busy doing the whole Youtoob/Myspace thing to care.

    On the flip side, I can think about the fact that retirement is still some 20 or 30 years out, and I have job security until then….

  9. bodil Says:

    Omg what an amazingly retarded idea. Yes, let’s kill the victims, so there will be no more crime… Genius

  10. SW Says:

    Malware shouldn’t be considered crime anyways.

  11. Kassad Says:

    I think the idea was a desperate one rather than a serious proposition.

    Though the problem is real we must not forget that the whole “web thing” is only ten and some years old. There is still no real “internet jurisdiction” and it is still far from being a matured medium.

    Here is an interesting situation as - imho - there are “old people” who cannot understand this new phenomenon and try to apply “old rules” to it and also, there are “new people” who do not really know what rules to apply to it.

    It may be a solution perhaps to sell computers with OEM security just as most machines are sold with OEM OS.

    Common people cannot be held responsible for problems created by faulty softwares and faulty security. It should be the responsibility of software engineers, vendors and the service providers.

    Also, I think time is coming to think about the “future” with regard to security and regulations preventing the above mentioned “old peoples, old rules” syndrome.

  12. Jordan Says:

    @Valdis: I definitely think the situation needs to be changed and understand how folks could be frustrated, but this just isn’t the solution.

    I’m not sure I know what is yet, but the justice system is definitely not the place for a fix. We as technologists (or whatever we geeks that make this stuff run should be called) caused the problem for users, we need to fix it for users. Not by taking control of their machines away from them (Vista), but by building environments where there is actually a 1:1 correlation between users doing the obviously wrong thing and their machines doing bad things. /Then/ we can hold them responsible for their actions. But right now that’s just not reasonable given the technology we’re equipping them with and how the environment is constantly playing catchup to the threats.

  13. Chris_B Says:

    I’m waiting for someone to suggest sharia law type responses to distribution of malware with intent to defraud. Damn hard to code another bit of suckerware with your hands chopped off.

  14. Andy Says:

    I’m not sure I completely agree with the car analogy. If you hit someone with your car - you are liable. If it turns out it was due to a manufacturer flaw, then you aren’t liable and they are. It’s really a basic principle of Torts.

    You are responsible for what you do with your machine. There is downstream liability. We just haven’t had any good case law yet that says grandma’s machine hacked Citibank but she wasn’t negligent, MS or Novell or whoever was because the machine didn’t adequately do its job/fulfill its purpose.

    The law would currently hold Grandma responsible - she’d have to claim that her OS provider had a duty to her that it didn’t meet.

    We’re not looking to change the law - just get some case law that says vulnerable systems aren’t the end-user’s fault - but the vendor’s.

    There is a difference between criminal and civil law here but I’ll leave that for another time.

  15. SW Says:

    It is perfect how it is. Regulation is never the answer to anything. Keep stupid laws/rules out of the internet. And what is wrong with spreading malware? Tricking someone into using it? Is lying/deceiving to be illegal now? Or is it wrong because it does damage? People can harm themselves if they please — I am not directly harming them and their systems were the ones that accepted and ran the malware.

  16. Chris_B Says:

  17. DeadOnArrival Says:

    This reminds me of Julie Amero, and I totally agree. This is a really stupid suggestion.