Security Basics mailing list archives

Re: Botmasters/Victims and DMCA
From: Viva Colombia <vivacolombia2005 () gmail com>
Date: Tue, 22 Sep 2009 14:06:43 -0400

Shailesh, just to make one thing clear: prosecuted under criminal law,
tried under civil law; prosecuted for having committed a crime, tried
for causing damage or harm to a third party.

Although it would indeed be funny to find a botmaster that would aim
at being eligible for DMCA's safe harbor provisions, it still is an
interesting starting point for further legal analyses.

And my paper is being at first drafted in Spanish, hopefully I'll have
the time to translate it and send it over in English...


Carlos Alvarez


On Fri, Sep 18, 2009 at 11:36 AM, Shailesh Rangari
<shailesh.sf () gmail com> wrote:
Hmm that was a real eye opener for me. I personally was completely unaware
about this fact that one could still be prosecuted under civil law, if not
criminal law.

This is more of an afterthought and I'm not sure if you would find this
interesting or relevant. But anyways I'll still mention it.
In Information Security per se, 'Externalities' play a significant role in
how risks are assessed, how policies are formulated and how violations are
dealt with. For example, the practice of being a 'good netizen' on the WWW
still remains somewhat underappreciated. As a thumb rule most individuals
would put their antivirus on an autopilot mode and would never bother to
check its logs until the unthinkable happens. So if they were a vector for
infection to their WWW neighbors it is an irrelevant, insignificant and at
times a trivial detail to them. In the classical economist perspective this
behavior is often attributed to 'Externalities'.
Though I'll leave it for the attorneys to interpret and the courts to decide
whether or not Botmasters can be categorized as service providers, I
personally opine that they can be termed as ISP's as per Sec. 512(a),(b) and
maybe even Sec. 512(c) of DMCA.
And pertaining to the safe harbor provisions, Botmasters do follow a written
& published policy and nor do they inform their victims of their terms of
service. So I can see at least one reason (thankfully) why Botmasters cannot
invoke the safe harbor provision(s). Think you can see the irony in this
statement.
Your paper seems to have quite an interesting scope. Because I'm also a
Graduate Student in Information Security, I would be interested in knowing
how this spans out.
Regards,
Shailesh
On Wed, Sep 16, 2009 at 3:01 PM, Viva Colombia <vivacolombia2005 () gmail com>
wrote:

Regarding what Shailesh kindly replied, I believe I must note here
that in civil law countries (as opposed to case law countries such as
the US), the owner of a computer that has been compromised in a botnet
might be held liable for the damages that his lack of diligence or his
negligence (that are two different concepts) cause to third parties
when it results in him not securing his machine as others in his same
circumstances would have reasonably done so: if that person is a
"pater familias" (a home user) then he should protect his home
computer in the same way a caring father would, in order to truly
protect the privacy of those he loves the most and to protect his
other valuable assets, such as his financial information and the like.
And, if that person was any one of you, security experts, then he
would have had to secure his computer according to widely accepted
standards of security. That person could theoretically, at least, be
bound to repay third parties affected due to the activities conducted
through his/her computer thanks to his/her lack of diligence or
negligence.

It would not be a crime thus this person would not be prosecuted. It
would be a civil matter.

The case I'm pointing out here is one in which the botmaster is
accused of piracy committed through the botnet, among other crimes;
and theoretically imagining if it would be possible to try legal action
against any person if, for example, it was one of you who did not
secure its network appropriately, according to widely accepted
standards (or according to your employer's policies, if given).

So far, I think I can conclude that the botmaster could indeed be
taken for a service provider; still it would be funny to think of a
botmaster fulfilling the requirements service providers must comply
with in order to be eligible to the safe harbor provisions within the
DMCA. But this is a good starting point for other theoretical scenarios.
And with regards to the victim, as soon as I find an answer or further
develop my conclusions I'd let you know!

If there are any further opinions I'd be more than glad to receive them...
:)



On Tue, Sep 15, 2009 at 9:15 PM, Lane Christiansen <lanec42 () gmail com>
wrote:
On Tuesday 15 September 2009 10:09:40 am Viva Colombia wrote:
Hi all, my question (for a legal paper that I'm writing) is whether a
botmaster and a person whose computer has been recruited in a botnet
can be considered as service providers, according to the broader
definition of service provider provided by 17 USC§512(k)(A-B). I've
found court decisions and some opinions, but none refer to botmasters,
they would only allow me to conclude that if theirs is an IRC botnet
and they provide, for example, chatting services through their command
& control bots, then they would indeed be service providers as per the
DMCA; but I found nothing related to whether peers in P2P botnets or
networks can be taken as service providers, bearing in mind that they
are used as storing devices and communications or transmittal nodes.

I'm trying to analyze whether they could be held liable for violations
of the Copyright Act when said violations take place through and
thanks to the botnets and thanks to the negligence of the owner of the
infected machine (who did not protect it appropriately), and if they
two could successfully use the safe harbor provisions on their behalf.

I hope I'm not too confusing...

Thx!
I can't comment on this (IANAL), but I'd be very interested in reading
your paper - it'd be awesome if you could post it here when you're finished!

