Replies

MS will get a better insight as to the flaws in their product and how people will exploit them during this one conference than they would in a whole year looking at it themselves. Passing this up would be plain stupid.

I am all for you when it comes to legally going after people who exploit without permission the systems of others (no matter what their supposed motivation). But doing internal security research and then saying 'hey I found out there is this big error in IE7' should never be illegal. I would not go about it quite that way (I would always give the vendor a heads up but if the problem is not addressed I would feel obligated to let the public know)

Well, they certainly have the laws in place already if they ever decide to make it a top priority. These days, given the laws on the books, hackers, if caught and prosecuted, will do more time than someone convicted of physically assaulting someone, or someone convicted of rape.

I think society in general will have to be a little bit more serious in a proactive sense about computer security. When people understand the risks and dangers of computer crime better, perhaps we'll see a better effort made at actually prosecuting computer crime.

I think one reason that you don't see it now, is that for many people, even if they use computers regularly, a computer is an unknowable black box. The same is much the case today with automobiles, but we've been around them longer and society has a more developed sense about law and order surrounding them, and in fact had originally carried many of the traditions surrounding the horse and buggy era that preceeded the wide use of automobiles. Most people know to get the oil, tires, and brakes checked on a more or less regular basis, but haven't a clue about much more than that. There are exceptions to this, obviously or there wouldn't be mechanic or backyard tinkerers, but they are exceptions rather than the general rule.

Much the same thing could be said about people and computers today. The problem is, that not enough people have learned the computer equivalent of oil changes and break/tire checks. In the interconnected world we live in today, this puts everyone at risk. I am affected by the bozo with a cablemodem who's computer is p0wned by a hacker ring running out of russia that is using his computer to generate spam that I have to deal with, both on my mailservers, and in my inbox. Its the cyber-equivalent to the bozo driving down the street on bald tires and no breaks who is a direct physical danger to everyone around him. Perhaps a better analogy would be the guy driving down the street belching smoke that practically suffocates you if you are unfortunately to be driving behind him.

I suspect that eventually there will be laws and other regulations about computing whereby the user will be held liable to some degree for leaving his system wide open to attackers, in much the same way that you can be fined for leaving the keys in your ignition in many Amerian jurisdictions. There is a specific legal term for this, that escapes me at the moment, (I'm sure someone will remember for me.), but it is similar in a way to the concept of 'enticement'.

I think it is going to take a while for us to catch up to some of he new threats and responsibilities that come from being a networked, computing society.