GROKLAW
Expert Appointed to Advise EU Commission on MS Compliance
Wednesday, October 05 2005 @ 01:46 AM EDT

The EU Commission has chosen a Professor Neil Barrett to act as the Trustee in the Microsoft antitrust matter. Barrett's assignment is to advise the Commission on how well Microsoft is complying, and he is an expert in the field of computer security and cyber crime. I note that the press release says he was chosen from a list provided by Microsoft:
In accordance with the terms of the Decision, Microsoft submitted several candidates for the position of Monitoring Trustee. The Commission carefully examined all candidates in terms of their expertise and impartiality, and determined that Professor Barrett was the most qualified to carry out the Monitoring Trustee function.

So, Microsoft got to suggest its own watchdog. Certainly, if Microsoft merely pretends to comply, he should be able to spot it. However, since the Commission already let Microsoft exempt FOSS as far as interoperability is concerned, pending its appeal, I find it hard to care too deeply and anticipate he'll report Microsoft is doing fine.

What does Microsoft care, as long as FOSS is not allowed to compete on a level playing field? That may be overstating it, but allowing Microsoft to open up to everyone but its chief competition sticks in my craw.

The EU Commission press release doesn't identify him except by name, but I think I've found the right Professor Neil Barrett. If you'd like to read something he's written, here you go. The blurb on the cover page describes him like this:

Academic, author and frequent computer expert witness for the prosecution, Neil Barrett brings an in-depth, 'big picture' perspective to the wild world of IT security and computer crime

He does have a sense of humor, as you can see in the opening paragraphs of an article on the need for better, clearer laws to deal with cyber crime. He begins by listing some ridiculous laws still on the books around the world:

Some of these laws are plainly silly; others simply haven't been repealed; and others... well, who can tell where and how they arose?

In Switzerland, for example, it is illegal for a man to relieve himself standing up after 22:00 local time - reasonable, I would assume, in a block of flats where the noise might disturb. In New York, the penalty for jumping off a building is death - a bit harsh, though I would suspect that with skyscrapers there's seldom a need for the courts to impose the sentence. In Scotland, it is illegal to be drunk in charge of a cow; in Iowa, one-armed pianists must perform for free; in Florida, having sexual relations with a porcupine is an offence; in Tampa Bay, it is illegal to eat cottage cheese after 18:00 local time; and in New Orleans, a woman can only drive a car if her husband waves a warning flag in front of it.

No wonder it was hard to evacuate New Orleans. Joke. Joke.

Maybe it's too soon to joke about that. I'll never forget those images. I've been haunted by one in particular. On Fox News, there was one young mother, whose adorable blond toddler hadn't had sufficient water and the distraught mom said he was becoming sluggish and it was getting hard to wake him up. I'll never forget her or her words. She said, "This isn't about rich people or poor people. This is about *people*." I burst into tears, seeing her distress. Does anyone know what happened to that mom and her son? Did they make it? If so, could you let me know? I can't stop thinking about them.

But getting back to Barrett, his suggestion regarding computer security laws is a bit frightening, when I think about my poor clueless mother, or all my nongeek friends and relatives.

He writes about a UK case, Rylands v. Fletcher, where Fletcher had built an inadequate reservoir on his land, and it flooded Rylands' mine next door. Fletcher was held responsible, the court ruling that "anyone who brings or collects and keeps on his [sic] land anything likely to do mischief if it escapes must keep it at his peril and if he does not do so is prima-facie strictly liable for all that damage which is the natural consequence of its escape". Barrett extrapolates that ruling to computers:

Rylands v Fletcher establishes the principle for responsibility in cases of negligence - and arguably, though it makes no reference to computers, can be applied in the world of networks. This computer is on my land and can be thought of as having 'escaped' if I were to lose control of it - that is, if it were controlled remotely by a hacker using a Trojan or similar. And if it does indeed 'escape', it can do 'mischief' in the sense of being a part of a zombie army used in a distributed denial of service attack or similar.

The ruling in Rylands v Fletcher says that I keep this computer 'at my peril'; it is my responsibility to take measures to ensure that it does not 'escape' - that is, it is my responsibility to secure my own computer against use by hackers, or suffer liability for any damage resulting in its escape.

Could such a ruling be applied in practice? I know of no situation in which Rylands v Fletcher has been applied in cases of supposed computer negligence but it would be nice to believe that those people operating unsecured computers used by hackers to attack third parties have at least some responsibility for the damage arising from their negligence.

And it would be nice to have at least some legal tool with which to encourage improved security.

I have a better idea. How about, if we are going to write new laws on computer security (not that I personally am encouraging it) as Professor Barrett gets to know Microsoft better, he think along the lines of holding Microsoft responsible for selling people like my mom software that she is totally unable to control? Really, Professor Barrett, is there any way known to man to actually secure a Windows 98 computer? Millions of people still use them, you know. Seriously. Add firewall and antivirus and antispyware, and you're still a sitting duck, in my experience, anyway.

Microsoft is the computer expert, after all, not my mom. Microsoft sold her software with so many flaws, built-in vulnerabilities, and easy ways for the bad guys to take control of her computer, the poor old thing doesn't have a chance. Wouldn't that be a more efficient method? She uses XP Home, by the way, just so you don't suggest we outlaw Windows 98 and think you've solved the problem. Or, she did use XP, until I bought her a PowerBook, so my life would get easier. I'm tech support.

And if you passed a law saying all computer owners are required to purchase and keep up-to-date antivirus software or whatever, could you first stop and think about the nonWindows world? We are here, you know. And we are not contributing to the problem, so why should we be forced to take steps that really apply to Windows users? Some of us stopped using Microsoft software in part because we got sick of all that aggravation. Remember when Darl McBride visited Harvard and he joked with a guy in the audience, suggesting that maybe his was one of the computers taken over by the MyDoom virus that was then blasting SCO's website? The audience member truthfully answered that his computer ran Linux, and MyDoom only ran on Windows, so he was sure his computer wasn't involved. When was the last time you heard about a virus incident involving Apple or GNU/Linux? Just something to consider, if our goal is writing better, clearer laws.

Barrett writes a regular column, Criminal IT, so you can read his articles to get the measure of the man. Here's an article he wrote on why computers are insecure by nature:

In the language of mathematics, a computer program is a Turing Machine and a computer - a device able to run any Turing Machine - is called a 'Universal Turing Machine', a mathematical model able to interpret any mathematical model. One feature of Turing's work, though, was to show that there are programs which cannot be run to completion - programs which are the analogues of 'this statement is false' and cannot therefore be decided.

What does this mean for information security? In essence, we want to know in advance whether a given sequence of changes to data - a program - is going to be 'harmful' or not. Unfortunately, in 1986, Fred Cohen managed to prove that the problem of determining whether a piece of program was a virus was indeed an un-decidable problem. A Turing Machine to run the analysis would never halt; the only way to determine the effect of the program was actually to run it and see.

This is an enormously important result. It means the task of the antivirus program is mathematically impossible. By extension, the task of determining in advance whether any program will have a harmful effect is equally impossible. The only way of establishing what a program will in fact do is to allow it to execute and then to look at the state of the computer's memory. If the task of information security is to predict whether a given program will have a harmful effect on the data state, then this is impossible.

The implication is that the mathematical model of computation has insecurity implicit within it because we know that we cannot know ahead of time whether something will or will not be damaging. To borrow a phrase from my colleague Stephen Castell, computers are "ontologically insecure" - whether they are built on the von Neumann or any other architectural model.

If insecurity is implicit, then writing laws, holding anyone responsible for unintended insecurity results seems a bit Alice in Wonderland, but I'm not a professor and Barrett is, so I may have overlooked some piece of logic. You'll notice at the end of the article, there is a brief bio:

Neil Barrett is visiting professor in the Centre for Forensic Computing at the Royal Military College of Science, Cranfield University, and the author of several books, papers and articles covering computer crime. A frequent computer expert witness for the prosecution, he has given evidence in cases of hacking, paedophilia, fraud and even murder.

Fraud, eh? Hmm. My mind floods with thoughts of Get the Facts. Only kidding. Sorta. Barrett has written some books on computer security as well. Clearly he is qualified to advise the Commission on technical matters, and Microsoft will have to actually comply if he is, in fact, as impartial as the Commission hopes.

Perhaps the marketplace will accomplish what the regulators so far have been unable to do. Here's an article I came across looking for information about Barrett, which indicates Microsoft's recent changes to its Software Assurance program are causing some to look to FOSS as a remedy for their anger at Microsoft:

UK IT chiefs have slammed Microsoft over the cost of signing up to the Software Assurance (SA) licensing model, and accused the Redmond giant of wanting to "have its cake and eat it and charge customers to watch". In the biggest shake-up of the subscription-based SA in the four years it has been running, Microsoft has added technical support, training, desktop deployment planning services and other side benefits in an attempt to placate angry customers. . . .

One IT director who did not wish to be named simply said open source "looks more and more tempting" while Paul Broome, IT director at 192.com, said he plans to migrate off Windows server and SQL server as soon as he can. . . .

Microsoft's customer relations appear to have taken a severe knock from SA and John Odell, group IT director at the BBA Group, said: "Microsoft's business objectives are not aligned with its customers' and it will stay that way while Microsoft has a near monopoly in this market."

Here's the EU press release.

************************

Competition: Commission appoints Trustee to advise on Microsoft’s compliance with 2004 Decision

Reference: IP/05/1215 Date: 05/10/2005

Brussels, 5th October 2005

The European Commission has appointed Professor Neil Barrett, a computer scientist, as the Trustee who will provide technical advice to the Commission on issues relating to Microsoft’s compliance with the Commission’s 2004 Decision (see IP/04/382). Professor Barrett will begin his mandate immediately.

The Commission decided in March 2004 that Microsoft Corporation broke the EC Treaty’s ban on abuse of monopoly power (Article 82) by leveraging its near monopoly in the market for PC operating systems onto the markets for work group server operating systems and for media players. The Commission’s Decision imposed a fine of €497 million on Microsoft and required the company to implement remedies as regards both work group server operating systems and media players.

The Decision foresees a Monitoring Trustee to assist the Commission in monitoring Microsoft’s compliance with the Decision. The Decision requires that the Monitoring Trustee must be independent of Microsoft, must possess the necessary qualifications to carry out his mandate, and have the possibility to hire expert advisors to assist him in carrying out tasks within his mandate.

The exclusive responsibility for ensuring that Microsoft complies in full with the 2004 Decision rests with the Commission. The Monitoring Trustee’s role is to provide impartial expert advice to the Commission on compliance issues. For example, as regards the interoperability remedy, where Microsoft is required to disclose complete and accurate interface documentation which would allow non-Microsoft work group servers to achieve full interoperability with Windows PCs and servers, his expertise might be used in assessing whether Microsoft’s protocol disclosures are complete and accurate, and whether the terms under which Microsoft makes the protocol specifications available are reasonable and non-discriminatory. On tying, the Trustee might be asked to examine whether Microsoft has properly implemented the requirement to offer to PC manufacturers a version of its Windows client PC operating system without Windows Media Player.

In accordance with the terms of the Decision, Microsoft submitted several candidates for the position of Monitoring Trustee. The Commission carefully examined all candidates in terms of their expertise and impartiality, and determined that Professor Barrett was the most qualified to carry out the Monitoring Trustee function.

Expert Appointed to Advise EU Commission on MS Compliance | 274 comments
Corrections here please
Authored by: capt.Hij on Wednesday, October 05 2005 @ 01:54 PM EDT
Please list corrections here.

[ Reply to This | # ]

Off topic here please
Authored by: capt.Hij on Wednesday, October 05 2005 @ 01:56 PM EDT
Please put off topic threads here.

[ Reply to This | # ]

Don't know much about that mom.
Authored by: Mecha on Wednesday, October 05 2005 @ 02:00 PM EDT
That image haunted me too. I have a little girl and can easily understand what
she was going through. I am not sure, but I believe I saw a later report from
the NOCC and the mom was feeding the baby (it appeared to have been after relief
arrived, but I cannot be certain if that was her).

---
************************************************************

I am not clever enough to write a good signature. So this will have to do.

*****************

[ Reply to This | # ]

Expert Appointed to Advise EU Commission on MS Compliance
Authored by: Chris Lingard on Wednesday, October 05 2005 @ 02:44 PM EDT

Here is a better description of Professor Neil Barrett

As far as I know the Commission have not accepted any preconditions. I refer to:

However, since the Commission already let Microsoft exempt FOSS as far as interoperability is concerned, pending its appeal, I find it hard to care too deeply and anticipate he'll report Microsoft is doing fine.
To quote the Commission:
Microsoft's proposals will now be market tested in order to enable the Commission to make a final assessment. In this context, the Trustee foreseen by the Decision will, as part of its mandate in assisting the Commission in monitoring Microsoft's compliance, provide technical advice to the Commission. This will include evaluating the innovative character of the protocols at stake, and identifying appropriate comparables to verify whether the remuneration that Microsoft proposes to charge is reasonable.

So we are now at this stage. Is it reasonable to pay $50000 for the protocols? This is what Microsoft were wanting. Can a start-up company make and market a software application? What about the "one man band" type of company, are these excluded?

But the original Microsoft proposal was impossible; with their right to audit and inspect the code; and their imposition of the $50000 "right to use" tax.

I am hoping that Professor Neil Barrett will consider the proposals from a start-up company's viewpoint. Can we compete, or are all future developments locked down to major companies? As to releasing the protocols as open source, I can see Microsoft's point of view; as why would we pay $50000, when we can read the source.

[ Reply to This | # ]

Laws and Computers
Authored by: JJ on Wednesday, October 05 2005 @ 02:48 PM EDT
He writes about a UK case, Rylands v. Fletcher, where Fletcher had built an inadequate reservoir on his land, and it flooded Rylands' mine next door.

Maybe so, but I wonder were some malcontent, say Mike Rosopht, to come along with explosives and destroy Fletcher's reservoir containment walls, then would Fletcher still be liable? Similarly, if Mike were a reservoir builder and led Fletcher to believe that the offered walls were suitable for use as reservoir containment walls, should Fletcher be responsible?

The implication is that the mathematical model of computation has insecurity implicit within it because we know that we cannot know ahead of time whether something will or will not be damaging. To borrow a phrase from my colleague Stephen Castell, computers are "ontologically insecure" - whether they are built on the von Neumann or any other architectural model.

I think the point is that it's impossible to write a generalized program that is able to determine whether another program will halt. Even so, it's possible to run the inputted program on a wide set of input data and see how long it takes to stop on many of them. It's even possible to take statistical measures, and gain a feel for how well it does. In the case of reservoir containment walls, it's possible to build reservoirs and see how well, say, one-metre-thick walls survive, and similarly for 600mm walls, and five metre walls, and so on. In the case of operating systems, it's possible to hook them to the internet and see how long before it's compromised.

-JJ

[ Reply to This | # ]

A fitting antitrust punishment ...
Authored by: Anonymous on Wednesday, October 05 2005 @ 03:03 PM EDT

... would have been to force M$ to produce a security pack (not patch, a full-on
half-rewrite) to bring every version of Windows since WFWG up to the same level
of security as WinXP SP2?

Since they've used their monopoly and antitrust tactics to bring the world so
many zombified PCs it would, IMHO, be a relevant order.

And the EU commissioners would have finally shown that they're some benefit to
the world.

BTW - Yes, "same level of security as WinXP" is worthy of a few
sniggers. But to be fair SP2 does just about deserve the word
"adequate" - or "barely adequate" if you prefer.

[ Reply to This | # ]

Expert Appointed to Advise EU Commission on MS Compliance
Authored by: kawabago on Wednesday, October 05 2005 @ 03:04 PM EDT
It's looking more and more like Microsoft is going to bring out its new Windows
version and new Office version to a worldwide yawn. The only people who will
buy it are those that don't know any better. That's not a good business plan
and is certainly a recipe for failure in the marketplace. That will be
catastrophic for Microsoft, but great for everyone else.

---
TTFN

[ Reply to This | # ]

Not very hopeful
Authored by: Anonymous on Wednesday, October 05 2005 @ 03:04 PM EDT
PJ, don't overlook the larger thrust of his comments; his trying to connect
"Rylands v. Fletcher" to computers is simply another case of
'framing' the issue in terminology favorable to a specific outcome.

It's part of the overall framing of trade secrets, patents and copyrights into a
single category of 'intellectual property', or more specifically, just
'property'.

Following his logic on out would be a goldmine for lawyers, as every virus or
trojan propagated by an infected computer would become the 'property' of the
owners of those computers. Millions of users suing each other.

He looks to be another advocate of 'property' and 'protection' and solving the
world's IT problems through litigation. I can't really anticipate him being
anyone M$ is going to find worrisome.

[ Reply to This | # ]

Rylands v Fletcher
Authored by: kaltekar on Wednesday, October 05 2005 @ 03:09 PM EDT
Using Barrett's interpretation in Rylands v Fletcher for a home PC the same
rationale can be used against Microsoft. The major difference is substitute Real
property for Intellectual Property. If Microsoft loses control of their
'property' (read MS Windows) and it escapes their control, via hacker, virus,
malware or even starts to function in a manner not designed by Microsoft.
Would Microsoft be held liable for any damage, real or implied, that their
operating system causes. Even though their EULA doesn't hold them liable for
such, this ruling could easily be applied and litigated. But IANAL and it is
just one man's opinion.

---
Through all the noise the Silence must be heard.

[ Reply to This | # ]

Does Barrett want to punish the victims?
Authored by: Anonymous on Wednesday, October 05 2005 @ 03:10 PM EDT
I seriously wonder about the reasoning behind appointing a Microsoft monitor who
seems to want to blame computer owners for all security breaches. It sounds
like a win for MS and the standard industry "no warrant of merchantability
or fitness for any particular purpose" EULA to me.

The reservoir metaphor, as a previous poster pointed out, is heavily flawed.
Barrett's use of it doesn't give me a lot of confidence in his understanding of
the (in-)security situation. So he's been an expert witness in court trials --
so what? Lots of idiots have been in court, some of them as expert witnesses.

I'm also worried about the fact that he doesn't seem to understand the
difference between Turing machines and real computers, but that is probably
beside the point...

[ Reply to This | # ]

Computer Security vs. Cryptology?
Authored by: fb on Wednesday, October 05 2005 @ 03:29 PM EDT

I'm a little confused by what Professor Barrett is saying about computer security. The remarks cited here seem to imply that computer security is based on different principles from infosec or comsec.

You don't need the Halting Theorem in cryptology. The only provably secure cryptosystem is a one-time pad, properly used. Everything else is based on the assumption that a cryptosystem can and will be broken. The only pertinent issues are (1) what would be the cost to us if our data were compromised, versus (2) what will it cost the other guy to get our data? Most crypto is thus, at heart, an actuarial computation that gets translated into numbers of CPU cycles.

Professor Barrett, on the other hand, seems to be saying that computer security depends at heart on total certainty. What I don't understand is why something like Bayes Risk isn't key to that discipline as well. If it were, then the simple prior probabilities of compromise to Microsoft systems would have to disqualify them immediately. :-)

[ Reply to This | # ]

Under English law
Authored by: lunarship on Wednesday, October 05 2005 @ 04:15 PM EDT
For some strange reason, under English law, the male pronoun refers to both men
and women. The female pronoun refers to women only. Meaning that when
referring to a man, you need to qualify it with an adjective. You can tell
lawyers used to get paid by the word over here, can't you... <sigh>

[ Reply to This | # ]

Expert Appointed to Advise EU Commission on MS Compliance
Authored by: Carlo Graziani on Wednesday, October 05 2005 @ 04:16 PM EDT
If insecurity is implicit, then writing laws, holding anyone responsible for unintended insecurity results seems a bit Alice in Wonderland, but I'm not a professor and Barrett is, so I may have overlooked some piece of logic.

Well, in a society like ours, where so much public policy is made through litigation, perhaps this is not a completely stupid position.

At the moment, if some small business gets their website DDOS-ed by some hacker's botnet, they have no recourse whatsoever. They bear the entire cost of a situation they did nothing to create, even if their site is secure.

If they were allowed to hold liable the ISPs hosting computers that participated in the attack, if those ISPs did nothing to detect and thwart it, then those ISPs would start serious malware activity-detection programs, and would automatically disconnect from the net any computer that suddenly started sending thousands of e-mail messages per hour, or started indiscriminately portscanning entire Class-B networks, or triggered any one of a dozen other "misbehavior" criteria.

Then, when your Mom (or mine, for that matter) complained to her ISP that her "Internet doesn't work any more" and was told of the reason, and informed that there's a clean reinstall of the OS in her future, and a bond to be posted that will be forfeit on the next offense, she'd get mad at whoever sold her her software. Possibly legally mad. Multiply that by Millions of Moms (OK, Dads too), and suddenly you have a serious and urgent reason for software vendors to get serious about security.

[ Reply to This | # ]
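The two ISP-side "misbehaviour" criteria named in the comment above (a host sending thousands of e-mails per hour, a host sweeping an entire Class-B network), written out as detection logic. This is an added example, not the commenter's code; the flow-record format, the thresholds and the sample log are constructed for illustration.

```python
"""Detection logic for the two 'misbehaviour' criteria named in the comment.

Input is constructed flow records, one per line:
    "<epoch-seconds> <src-ip> <dst-ip> <dst-port>"
A source is flagged when it opens MAIL_PER_HOUR_LIMIT or more SMTP (port 25)
connections inside one clock hour, or touches SWEEP_HOSTS_LIMIT or more
distinct hosts inside a single Class-B (/16) network. Both thresholds are
assumptions chosen for this example.
"""
from collections import defaultdict
from ipaddress import ip_network
from typing import Iterable, Iterator

MAIL_PER_HOUR_LIMIT = 1000   # "thousands of e-mail messages per hour" (assumed)
SWEEP_HOSTS_LIMIT = 256      # "portscanning entire Class-B networks" (assumed)

Flow = tuple[int, str, str, int]  # (timestamp, src, dst, dst_port)


def parse_flows(text: str) -> Iterator[Flow]:
    """Parse the constructed flow format, skipping blank lines and '#' comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        yield int(ts), src, dst, int(port)


def smtp_bursts(flows: Iterable[Flow], limit: int = MAIL_PER_HOUR_LIMIT) -> list[str]:
    """Sources with at least `limit` outbound SMTP connections in one hour bucket."""
    per_hour: dict[tuple[str, int], int] = defaultdict(int)
    for ts, src, _dst, port in flows:
        if port == 25:
            per_hour[(src, ts // 3600)] += 1
    return sorted({src for (src, _hour), n in per_hour.items() if n >= limit})


def class_b_sweeps(flows: Iterable[Flow], limit: int = SWEEP_HOSTS_LIMIT) -> list[str]:
    """Sources that contacted at least `limit` distinct hosts within one /16."""
    hosts: dict[tuple[str, str], set[str]] = defaultdict(set)
    for _ts, src, dst, _port in flows:
        net = str(ip_network(f"{dst}/16", strict=False))  # e.g. 172.16.0.0/16
        hosts[(src, net)].add(dst)
    return sorted({src for (src, _net), seen in hosts.items() if len(seen) >= limit})


def quarantine_candidates(text: str) -> dict[str, list[str]]:
    """Run both criteria over a flow log and report sources the ISP would isolate."""
    flows = list(parse_flows(text))
    return {"mail_burst": smtp_bursts(flows), "class_b_sweep": class_b_sweeps(flows)}


def sample_flows() -> str:
    """Constructed log: one mail-bursting host, one sweeping host, one normal host."""
    lines = ["# constructed sample: ts src dst port"]
    base = 1128500000
    # 10.0.0.5 opens 1200 SMTP connections to the ISP relay within 40 minutes
    lines += [f"{base + 2 * i} 10.0.0.5 172.16.9.25 25" for i in range(1200)]
    # 10.0.0.9 touches 300 different hosts in 172.16.0.0/16 on port 445
    lines += [f"{base + i} 10.0.0.9 172.16.{i // 256}.{i % 256} 445" for i in range(1, 301)]
    # 10.0.0.7 sends 20 mails and browses a handful of servers
    lines += [f"{base + 60 * i} 10.0.0.7 172.16.9.25 25" for i in range(20)]
    lines += [f"{base + i} 10.0.0.7 172.16.3.{i} 80" for i in range(1, 6)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(quarantine_candidates(sample_flows()))
```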

Expert Appointed to Advise EU Commission on MS Compliance
Authored by: Anonymous on Wednesday, October 05 2005 @ 04:19 PM EDT
On 'security', you would be best to start with traditional crimes. Stealing someone's money, for example, which is 'fraud'.

Copyright infringement is not a traditional crime; except for prerelease movies, not a crime at all. It is a civil matter; you will be ordered to pay someone some money. You will not be put in prison. And there are arbitrary numbers in the copyright thing; '90 years' is a choice we make as a society. We could revise it up or down.

Anti-trust, likewise. I know as a consumer when I am being abused monopolistically; but that is not to say that I should have a right to break up the monopolist. Again it is a matter of society's choice whether to have such a law and how to apply it.

All the 'newfangled' crimes are a matter of opinion. 600 million people on a network, with mutually-incompatible agendas. What do you expect ?

One man's security breach is another man's plaything.

One man's theft of money is a theft of money in every court in the land. Catch that and punish it with traditional laws.

[ Reply to This | # ]

MS picked the candidates???
Authored by: PSaltyDS on Wednesday, October 05 2005 @ 04:19 PM EDT
"In accordance with the terms of the Decision, Microsoft submitted several candidates for the position of Monitoring Trustee."

Huh? Microsoft got to pick the candidates for trustee? Is that normal in Europe, to put the convicted Corp. in charge of finding someone to monitor their own compliance with the sanctions?

---

"Any technology distinguishable from magic is insufficiently advanced." - Geek's Corollary to Clarke's Law

[ Reply to This | # ]

Expert Appointed to Advise EU Commission on MS Compliance
Authored by: Anonymous on Wednesday, October 05 2005 @ 04:32 PM EDT
I do stuff with computers. I expect I will need them to design the fusion reactor in the south of France, that will make the electricity when the oil runs out.

There is this radiotelescope, http://www.lofar.org/ , 350 kilometre in diameter virtual 'dish', fastest computer in Europe at the middle. It gets through 500 DVDs worth of data per second. That's how it works.

We forecast the weather, using other fast computers. We do not take responsibility for the weather; but we do our best. And on average, farmers' crops are better for it.

So, make the laws for your mum and her PC. But those laws have to apply equally to me. I mistype an IP address on the radiotelescope, you get 500 DVDs per second of networking. Your computer stops. But it is an honest mistake, and I will try not to do it again.

Honest, I will not steal your mum's money. Or intimidate her in any way --- at least if I do, I will apologise, and offer a tour of the radiotelescope in recompense.

But don't put me in prison, don't threaten it. It's very easy to stop the fusion reactor from being developed, very easy to stop anyone seeing whatever the radiotelescope sees.

I want to do stuff. I want to help you guys and gals; I will teach your kids if you let me.

[ Reply to This | # ]

Reasonable Care and Attention
Authored by: davcefai on Wednesday, October 05 2005 @ 04:42 PM EDT
Surely "reasonable care and attention" (I think you call it "due
diligence" in the US) applies in the case of computers as in so many other
cases.

If you don't run a firewall and a virus scanner and can be shown not to check
for spyware then you are not exercising due care and diligence in operating your
computer.

You're supposed to check the hydraulic fluid in your car's braking system, top
up the windscreen washer etc. Failure to do this constitutes criminal
carelessness.

Surely, in this wired world, where your computer can cause harm to others it is
not an unreasonable onus that you should take reasonable means to avoid causing
damage.

[ Reply to This | # ]

So much for a professor
Authored by: Anonymous on Wednesday, October 05 2005 @ 04:55 PM EDT
"Fred Cohen managed to prove that the problem of determining whether a
piece of program was a virus was indeed an un-decidable problem. A Turing
Machine to run the analysis would never halt; the only way to determine the
effect of the program was actually to run it and see"

This professor Barrett, despite his merits on security, or politics, doesn't
know much about math.

A problem being undecidable means, in informal terms, that if you write an
algorithm to solve the problem in question, then you can find an infinite
sequence of examples of the problem, such that your algorithm won't halt in at
least one of the examples.

The infinite sequence is unspecified, and is ad hoc designed after, and only
after, you devise your algorithm; then the mathematical fact is that in one of
the examples of this sequence (the first, the one million-th, the 10^567-th, you
cannot know in advance which one), your algorithm will fail.

Now, when one has a suspect malicious program, of course, one can examine this
program either by hand, or writing an ad hoc analyzer program for this very
suspect, and of course, one eventually decides if this program is what one
thinks it is, or not. And this analyzer written for this occasion, will work in
many other suspects.

Then 'undecidable' for a problem means that one cannot devise a single
computerized strategy for all the possible instances of the problem. It is not
that we are doomed and should be terrified as this professor (maliciously)
suggests.

[ Reply to This | # ]

Expert Appointed to Advise EU Commission on MS Compliance
Authored by: Anonymous on Wednesday, October 05 2005 @ 05:11 PM EDT
I think ... and correct me if I am wrong ... that IBM eventually changed of its own volition, figuring that the anti-trust behaviour of which it stood accused was not good for the future of IBM. It did not enhance the brand image; it did nothing for the children who would be the future IBMers and future customers.

'Monopoly' is a bit like 'Invading Iraq'. Sure you can do it; but wise counsel would figure out how to get out of it, before going in.

How long until Microsoft see the light, too?

[ Reply to This | # ]

Hopeless task
Authored by: philc on Wednesday, October 05 2005 @ 06:29 PM EDT
Why is the EU wasting everyone's time? They could have just given MS a writing
assignment and a delay and saved some money. The professor doesn't stand a
chance. Do you think for one minute that the professor will ever get anywhere
near what is really going on? When was the last time you spotted MS being honest
about anything? People that have absolutely no sense of the truth can be very
convincing.


Computer security when viewed from the absolutes of mathematics and science is
hopeless. However, when you take a more pragmatic view, security measures can be
quite effective. Today on the internet, the first order security problem is MS
software. This problem is so large that it masks the important and real security
problems that currently exist.


It is not all that hard to design software that doesn't have the obvious
security flaws that plague MS products. It takes time and effort and careful
attention to details but it is overall not all that hard. Look at the Linux
kernel. For the millions of lines of code that change every year the number of
flaws appears to be decreasing. It's not magic. It's careful engineering and
attention to security issues.

[ Reply to This | # ]

This is another Gun lawsuit in the making
Authored by: Anonymous on Wednesday, October 05 2005 @ 06:40 PM EDT
While I own guns, I am not a gun nut (amazing how we have to make a statement up
front so others don't classify us as nutjobs, weirdos, etc).

Remember that lawsuit against the firearm manufacturers just a while ago? If
this professor has his way then it won't just be the firearm manufacturers. It
will be ANY person who writes ANY code.

Use Front Page to create your web site? Someone uses it for something illegal,
you are liable. Not only you but so would MS be held liable.

Ditto for any car manufacturer, computer maker, MPEG player creator (when it
explodes and gets gunk on you), and the list gets too long to comprehend.

Yes, massive SARCASM is implied in this posting. But, others have tried these
types of lawsuits. And if lawsuits don't work, pass a law. Just ask smokers
about where they have been relegated (I smoked too, but quit 20 years ago). If
they can do it in one place, it will be done in others.

Just another 2c into the pot.

Russell G.

[ Reply to This | # ]

not exactly like a virus
Authored by: Anonymous on Wednesday, October 05 2005 @ 06:45 PM EDT

"...where Fletcher had built an inadequate reservoir on his land, and it
flooded Rylands' mine next door."

This can hardly be compared to a virus or a trojan horse. These are examples
where a third party intentionally causes damage. Who would have been liable if a
terrorist group had blown up the reservoir? I think it's the terrorists.

[ Reply to This | # ]

The software (and peril) belong to Microsoft
Authored by: darkonc on Wednesday, October 05 2005 @ 06:59 PM EDT
Microsoft claims that you didn't buy the software on your computer, if you have MS Windows installed. The software belongs to them. You do not own it, you do not have more than very limited rights to modify or examine it. You don't even have the right to refuse updates from Microsoft. You are only receiving the right to use it, in a very limited manner.

In those circumstances, if your computer 'gets free' and stomps on my box, or my network, then it would be Microsoft that is primarily responsible for the damage, since the agent is (by their own claim) their chattel.

---
Powerful, committed communication. Touching the jewel within each person and bringing it to life.

[ Reply to This | # ]

I wonder if Professor Barrett reads Groklaw?
Authored by: The Mad Hatter r on Wednesday, October 05 2005 @ 07:02 PM EDT


If he does, I suspect many of the comments here may make him think about the
position he is about to assume...



---
Wayne

telnet hatter.twgs.org

[ Reply to This | # ]

Windows ... 98?
Authored by: Anonymous on Wednesday, October 05 2005 @ 09:12 PM EDT
> Really, Professor Barrett, is there any way known to man to actually secure
a Windows 98 computer? Millions of people still use them, you know. Seriously.
Add firewall and antivirus and antispyware, and you're still a sitting duck, in
my experience, anyway.

Yes. As a matter of fact, after browsing through any number of
"hacker" sites, downloading all manner of things (including malicious
code deliberately for study) and having used it, well, until this very day, my
old Win 98 SE box remains uncompromised.

Granted, I'm somewhat atypical--I put up port monitoring programs and such to
watch for people trying to exploit my computer (and in at least one case,
someone was grateful for my report--the largest customer of that ISP had had
someone illicitly using their network, and this helped them catch the kid doing
it). As for the exploit code, I wasn't dumb enough to *run* it, I merely
studied it. Other binaries I was far more careful about, although I did put a
few trojans on my machine (password protected and under *my* control) to see how
they behaved, only to remove them later. I've never used anything that could
rightfully be called a firewall, however.

And I never updated it because, well, Win XP was *worse* in terms of
security--the reason XP is dead without a firewall is because you have about 30
services or something silly running by default (or used to, they've turned a
number of them off now, so that they only start on demand). Because I'm
offering basically no services to the network, there really isn't anything *to*
exploit--you can probe my computer as much as you like, but there's nothing
listening there, so my computer will ignore you.

Although I did have to add all the patches to the TCP/IP stack due to mostly
forgotten DoS attacks.

Oh, and I don't use Outlook or IE. Netscape and later Mozilla were my browsers
of choice, and most of my software is Free (i.e. libre). As for the exploits,
they no longer target me--everyone targets Windows XP now and no one appears to
care if there are remaining exploits in 98 SE. That's not enough to protect
you against skilled hackers targeting one particular machine, but those attacks
are rare. Most hackers seem to want botnets or high bandwidth machines from
which to launch their attacks. The kidiots can't do anything unless there's a
script for it. And I won't ever be upgrading to XP because I hate its EULA even
more than the 98 SE one I'm already stuck with (I had little idea what it all
meant at that time, so I clicked "OK" to it). Although I have to use
XP (and Outlook) at work...

Perhaps I complain too much--the majority of people probably wouldn't be able to
manage what I have--but I'd caution against calling anything
"impossible." As we should know, a skilled administrator can defend
even a computer with minimal security, whereas a poor one can compromise
whatever security was already in place.

But it *is* possible. Not *easy* and perhaps even beyond the reach of most, but
*possible*

And you're right--Linux is much better.

[ Reply to This | # ]

Expert Appointed to Advise EU Commission on MS Compliance
Authored by: Anonymous on Thursday, October 06 2005 @ 07:27 AM EDT
Rylands v Fletcher wouldn't be applicable though. A computer virus isn't like
the water in the test case. There is nothing dangerous on my computer until a
third party infects it and then it is that third party that is both the dangerous
"substance" and the means of transport.

If we wanted to compare the virus and virus writer to the physical entities in
Rylands v Fletcher then it would be thus:
I have some land (a PC) and a gate insufficient to stop trespassers (Windows).
One of these trespassers dumps dangerous materials on my land and then causes
those materials to spill onto my neighbours land. No court in the world would
find me guilty. The two guilty parties are the trespassers (virus writer) and it
could be argued the manufacturer of the gate for a product not fit for purpose.

To get back to a computing scenario, we know (or should know) there are an
unlimited number of trespassers trying to dump stuff on us and we should be
buying better gates, no matter how pretty the one Bill sells us looks or how
convenient the remote gate opener we simply couldn't live without.

[ Reply to This | # ]

Undecidability and Antivirus
Authored by: iscjonm on Thursday, October 06 2005 @ 08:37 AM EDT
As an earlier poster pointed out, Professor Barrett is a little fast and loose
with his Undecidability claims.

The undecidability result he cites, that you can't tell whether a program will
be malicious or not, only means that you can't write a *single* antivirus
program that will be able to determine, for any arbitrary piece of code, whether
it is a virus.

All this means is that the antivirus vendors will continue to be in business for
a long time, because no one will ever be able to write, what is in essence, the
killer antivirus app that not only recognizes all known viruses but all future
ones as well.

For a given program, it is certainly possible to construct a proof one way or
another that it is malicious or not; it just requires human interaction and
analysis, and the proof may or may not be hard to find.

[ Reply to This | # ]
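
The argument made in this comment and in "So much for a professor" above (no single detector can be right for every program, yet any one suspect can be settled by hand) is the diagonal construction from Cohen's proof. The Python below is an added illustration, not code from the thread or from Professor Barrett: programs are modelled as callables that return True when run if they perform a simulated malicious action, and the names `signature_detector`, `cohen_counterexample`, `ad_hoc_detector_for` and `dynamic_detector` are this example's own.

```python
"""Why no single detector decides 'is this program malicious?' for every
program, while any one suspect can still be analysed by hand.

Added example, not from the thread. A 'program' is a Python callable that
returns True when run if it performs the (simulated) malicious action; a
'detector' maps a program to a verdict without necessarily running it.
"""
from typing import Callable, Optional

Program = Callable[[], bool]
Detector = Callable[[Program], bool]


def harmless() -> bool:
    # Constructed sample: does nothing bad.
    return False


def known_worm() -> bool:
    # Constructed sample: performs the simulated malicious action.
    return True


def signature_detector(prog: Program) -> bool:
    """A detector that knows exactly one signature (the name 'known_worm')."""
    return prog.__name__ == "known_worm"


def cohen_counterexample(detector: Detector) -> Program:
    """Given ANY detector, build a program that detector misjudges.

    The program asks the detector about itself and does the opposite, so
    detector(p) != p() whatever the detector answers. A detector that tries
    to *run* p to find out recurses forever: the 'never halts' case.
    """
    def p() -> bool:
        return not detector(p)
    p.__name__ = "innocent_looking"
    return p


def detector_is_correct(detector: Detector, prog: Program) -> bool:
    """True when the verdict matches what the program actually does when run."""
    return detector(prog) == prog()


def ad_hoc_detector_for(suspect: Program, base: Detector) -> Detector:
    """The 'analyzer written for this occasion': after a human has studied one
    suspect, add a rule recognising that specific program, and fall back to
    the previous detector for everything else."""
    def d(prog: Program) -> bool:
        if prog is suspect:
            return True  # verdict settled by manual analysis
        return base(prog)
    return d


def dynamic_detector(prog: Program) -> bool:
    """Decides by running the program ('run it and see'); it inherits the
    program's non-termination."""
    return prog()


def verdict_or_nonterminating(detector: Detector, prog: Program) -> Optional[bool]:
    """Return the detector's verdict, or None if the analysis never halts
    (here: unbounded mutual recursion between detector and program)."""
    try:
        return detector(prog)
    except RecursionError:
        return None


if __name__ == "__main__":
    p = cohen_counterexample(signature_detector)
    print(detector_is_correct(signature_detector, p))          # False: fooled
    d2 = ad_hoc_detector_for(p, signature_detector)
    print(detector_is_correct(d2, p))                          # True: this suspect is settled
    print(detector_is_correct(d2, cohen_counterexample(d2)))   # False: the next one fools d2
    print(verdict_or_nonterminating(dynamic_detector,
                                    cohen_counterexample(dynamic_detector)))  # None
```

Each round of `ad_hoc_detector_for` repairs the detector for the one program a human has analysed, and each round of `cohen_counterexample` produces a fresh program the repaired detector gets wrong; that is the "infinite sequence designed after you devise your algorithm" from the earlier comment, and why every individual suspect is still decidable in practice.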

Security for Dummies (TM)
Authored by: Anonymous on Thursday, October 06 2005 @ 09:02 AM EDT
Let us assume that what the good professor says is correct - that it is in fact
impossible to write a program that can automatically determine if a given binary
string, when executed, will have harmful effects. A reasonable assumption, the
problem seems to be AI complete at least.

From the point of view of a security practitioner the answer is simple: don't
execute it. If you can't guarantee that it isn't going to hurt you, don't assume
that it won't. Assume it will and deny it execution. If the user decides to
override that and execute it anyway, that's their responsibility. If on the
other hand the OS provides a mechanism for automatic execution of untrusted
code, that's the OS's fault.

Default Deny, it's a simple concept. You can't keep an up-to-the-second list of
all the bad things in the world. The idea is silly considering the number of
applications a given user actually uses. Keep a list of the things you want to
be able to run, deny everything else by default.

[ Reply to This | # ]
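
The default-deny policy this comment describes, as an added example that is not part of the original post: an allowlist of SHA-256 digests of the programs the user has chosen to trust, compared with the blocklist approach of listing known-bad digests. The sample "binaries", the list contents and the function names (`allowlist_allows`, `blocklist_allows`, `decide`, `approve`) are constructed for this example.

```python
"""Default deny for program execution: allowlist vs blocklist.

Added example, not from the thread. The 'binaries' are constructed byte
strings standing in for executables; the policy keys on their SHA-256
digest, so a modified build of a trusted program is a different, untrusted
program until someone approves it.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample binaries (placeholders, not real programs).
EDITOR = b"#!/bin/sh\necho 'text editor'\n"
BROWSER = b"#!/bin/sh\necho 'browser'\n"
KNOWN_WORM = b"#!/bin/sh\necho 'a worm the vendor has a signature for'\n"
NEW_WORM = b"#!/bin/sh\necho 'a worm nobody has seen yet'\n"

# The short list of things this user actually wants to run ...
ALLOWLIST = {sha256_hex(EDITOR), sha256_hex(BROWSER)}
# ... versus the never-complete "list of all the bad things in the world".
BLOCKLIST = {sha256_hex(KNOWN_WORM)}


def blocklist_allows(binary: bytes) -> bool:
    """Default allow: runs unless a known-bad signature matches."""
    return sha256_hex(binary) not in BLOCKLIST


def allowlist_allows(binary: bytes) -> bool:
    """Default deny: runs only if this exact build was explicitly trusted."""
    return sha256_hex(binary) in ALLOWLIST


def approve(binary: bytes) -> str:
    """A human decision to trust a program adds its digest to the allowlist."""
    digest = sha256_hex(binary)
    ALLOWLIST.add(digest)
    return digest


def decide(binary: bytes, user_override: bool = False) -> str:
    """Policy decision: unknown code is denied; an explicit override shifts
    responsibility to the user, as the comment argues it should."""
    if allowlist_allows(binary):
        return "run"
    if user_override:
        return "run (user override)"
    return "deny"


if __name__ == "__main__":
    print(blocklist_allows(NEW_WORM))   # True: the blocklist misses what it has not seen
    print(allowlist_allows(NEW_WORM))   # False: the allowlist never needed to see it
    print(decide(EDITOR + b"# tampered\n"))  # deny: a changed build is not the trusted one
```

The blocklist is right about `KNOWN_WORM` and wrong about `NEW_WORM`, while the allowlist denies both without having to answer the undecidable question at all; its cost is that every legitimate update has to pass through `approve`, which is the administrative burden behind the comment's remark about how few applications a given user really runs.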

Expert(?) Appointed
Authored by: Anonymous on Thursday, October 06 2005 @ 11:02 AM EDT
Clearly he is qualified to advise the Commission on technical matters, and Microsoft will have to actually comply if he is, in fact, as impartial as the Commission hopes.

PJ - I don't agree. This person is someone who has academic credentials, but lacks the technical knowledge about the subject. I have seen this numerous times in the Academic world, where a person has the titles but lacks the experience to apply what they know to a problem. When I read his writings, I am reminded of many professors I have encountered over the years. Everything he writes about is in the "theory" stages - It holds very little value in practical terms.

It's a lot like the discussions Linus had with Tanenbaum over the "mono-kernel vs micro-kernel" in design. Tanenbaum spoke from the Academic point of view, Linus was testing these theories in the real world. We know who won this discussion - Tanenbaum's micro-kernel design has been a non-starter in the real world.

So I guess we just watch how this plays out ......

[ Reply to This | # ]

Groklaw © Copyright 2003-2013 Pamela Jones.
All trademarks and copyrights on this page are owned by their respective owners.
Comments are owned by the individual posters.

PJ's articles are licensed under a Creative Commons License. ( Details )