> Much as I hate to say it, this seems to be one area where industry
> self-regulation has utterly failed. I don't know what would be a better
> solution; I hate to suggest government regulation. But I'm at a loss
here.
Civil liability?
Possibly. I don't know of anyone who's tried suing over a smurf attack.
If I could afford the lawyer and the court time I'd do it myself.
All we really need is one or two good cases to establish some case law;
then the rest of us can have some legal precedent to point to and say
"If you don't fix your networks, you're screwed."
Criminal. DOS attacks are covered by 18 USC 1030. And I think there
might even be smurf included in the Kevin Mitnick case, but I'm not sure
about that.
--Dean
On Tue, Jan 12, 1999 at 03:06:58PM -0500, Dean Anderson put this into my mailbox:
Criminal. DOS attacks are covered by 18 USC 1030. And I think there
might even be smurf included in the Kevin Mitnick case, but I'm not sure
about that.
Right; that stuff applies to *directly causing* the attack though (e.g.
hacking root on a colocated linux box and typing ./smurf victimhost.com).
I'm talking about filing some sort of legal action against the intermediaries
(smurf relays) who get used by the cracker during the smurf; IANAL, but
I would presume if you could show negligence in not being vigilant about
security, and then do something showing that they indirectly caused you
damage, you could get some sort of action taken against the relays.
Right now there's no consequence for ignoring hacked boxes and/or
misconfigured routers (smurf relays); every now and then when I mail the
contacts one person or other sends me mail back threatening to sue me for
threatening them and all sorts of other cruft (fortunately, this has been
a reasonably uninvolved person who was on one of the contact addresses, and
the person who actually fixed the routers was happy to do so and did so at
my request.). It would be nice to be able to explain to this person with
certainty that if it came to a court battle, I would have a better case than
he did and be able to cite precedents. In that case, I would also most
likely be able to talk to this person's legal department and they would
taking care of the situation (including the mis-clued person who thinks I'm
in the wrong).
-dalvenjah
The (direct) analogy is landlords who are sued after their tenants
notify them about dangerous conditions, which they fail to fix in a
workmanlike and expeditious fashion.
There's _endless_ case law on this, and even though IANAL, I have some
cites available somewhere.
Cheers,
-- jra