RAHIM CONGERS

Monday 28 May 2012

the crippling blow.

in our last post, we had see how Trojan and Malware-Embedded Software operates in glimpse.

This post we'll talk on how the laws of Malaysia protects the users threaten by these malicious ware.

Like what have been stated before, we will have a look on The Computer Crimes Act 1997;

under the act we can safely note section 3 of the act,

Section 3-

(1) A person shall be guilty of an offence if -

(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;

(b) the access he intends to secure is unauthorized; and

(2) The intent a person has to have to commit an offence under this section need not be directed at -

(a) any particular program or data;

(b) a program or data of any particular kind; or

(3) A person guilty of an offence under this section shall on conviction be liable to a fine not exceeding fifty thousand ringgit or to imprisonment for a term not exceeding five years or to both

******************************************

after looking at this section we can see that the actual words that note Trojan and Malware-Embedded Software are not in use. however, the legislators had turn the other way round by stating the actual workings of the Malicious wares. that fall under sub section (1).

it stated that to be executed, the person doing that offense must have caused the computer to perform to his needs while gaining access, access here meaning that it is obtained but unauthorized and lastly, he knew that the performance of the computer is on for his own purpose- what ever it is intended to.

when we talk about what the person intend to do by his his evil mind, sub section (2) crossed several direction so for to widen the scope of this section.

and in return for the offense, the person behind this Malicious ware can be sanctioned by no greater than Rm50,000.00 or imprisonment up to five years. or both.

in this post, we can see that Malaysia takes matters seriously in order to create a safe environment in the computerized world, it should be noted that no matter in what form the offenders used for attacks, the laws ensures that justice will prevail.

for more insight you can refer to this site right over here,

no, i mean here.

wait wait. here it is!

-faris aka mikki-

modus operandi.

now in our previous post we had explained one of the main act to made any Trojans and Malware- Embedded Software eligible for an offense.
that is, under the Computer Crimes Act 1997.

specifically speaking, we can refer to Part II of the act; which discuss on Offences.

Section 3- deals with unauthorized access to computer materials
Section 4- Unauthorized access with intent to commit or facilitate commission of further offence.
Section 5- Unauthorized modification of the contents of any computer.
Section 6- Wrongful Communication
Section 7- Abetments and attempts punishable as offences
Section 8- Presumption

To make a legal issue out of Trojan and Malware-Embedded Software, we must first establish:
1) how will the two activated
2) and once activated, how do they operate that may cause harm to a computer system.
3) and to what extend will the harm caused may affect a computer.

1) after some studies done before this post, it has been found that to activate the Trojan and Malware-Embedded is operational either right after installing or even once a folder to the program is accessed or run.
itt has been shown that these two malice is like land mine waiting to be stepped on.

2) their operation may cause disruption on the overall perfomance of a system, you can see that the computer might be running slow as usual, crashes, in some heavy cases- the cause of blue screen and to serious effect causes the operational of a computer to halt.

3) to one extend, it may cause a heavy damage to the computer, and a huge loss of money to repair or even to buy a new computer.

A legal note, for serious offenders.

After getting some description on what is Hardware Trojans and Malware-Embedded Software.
we will now move on to the legal part of the issue.

That is, to what extend will we put our offender who dispicably speaking had done such things.
and what Laws will Malaysia use in order to control such activities from happening.

to start, Malaysia has enacted the laws related to cyber crime, under the Computer Crimes Act 1997.
any misuse of computer or even cyber-related activities that causes issues can be made actionable under this act.
This act is comprised of three parts, 'Preliminary', 'Offences' and 'Ancillary and General Provisions'

more from this part will right up next.
for now, to have an over-look on what the Computer Crimes Act 1997.

you can refer to this link, RIGHT HERE

- Faris @ Mikki-

THE TORT OF NEGLIGENT ENABLEMENT OF CYBERCRIME

In reference to Izzat Al Faris's post titled 'The Food', I would like to further elaborate on one of the ways to solve this problem, which is through the proposed tort of negligent enablement of cybercrime. Firstly, let me correct him. It's actually a 60 page article by two prominent Professors namely; Michael L. Rustad and Thomas H. Koenig. It is not a case between them. They propose a new tort of negligent enablement which will hold software vendors accountable for defective products and services that pave the way for third party cybercriminals who exploit known vulnerabilities. In the present situation, the software industry has externalized the costs of making code safe for its intended environment of use onto its end users through one-sided mass market agreements. Moreover, computer users have no meaningful remedies for injuries such as the theft of personal data, computer viruses, or internet fraud enabled by software failure. The proposed negligent enablement tort fills the void left by the failure of contract law to give meaningful remedies for the unacceptably high levels of risk of computer intrusions due to defective software.

The public policy rationale for imposing secondary tort liability on software publishers who aid and abet cybercriminals is to reduce the rate of cybercrime. The proposed negligent enablement tort draws upon well established principles of the Uniform Commercial Code (UCC) Article 2. Article 2 > warranties, premises liability, and negligence-based product liability to construct a modified duty of care to produce safe software suitable for its environment of use.

This Article examines the elements of duty, breach, causation, and damages for the proposed negligent enablement tort as well as defenses, procedure, and possible policy-based objections. The number of detected software vulnerabilities has increased rapidly over the past decade.

In addition, the Federal Trade Commission estimated in 2003 that personal data from approximately ten million Americans was stolen that year, resulting in direct losses of $5 billion to consumers and another $48 billion in losses to the business community. This proposed way argues that a software vendor should be secondarily liable to consumers and other third parties for a new tort(the tort of negligent enablement of cybercrime)

Furthermore, courts should recognize a modified duty of care on the part of software licensors to incorporate reasonable security into their products and services. A claim of negligent enablement requires proof of the following elements:

(1) a duty of care owed by the software vendor to its customer;

(2) conduct below the applicable standard of care that amounts to a breach of that duty;

(3) an injury or loss;

(4) cause in fact; and

(5) proximate or legal cause.

Once the software publisher owes the licensee a legal obligation to conform to a reasonable standard of conduct, the question is whether the duty has been breached. Software vendors are the “cheapest cost avoider” because they have superior information about known or developing vulnerabilities in their products or services. The rapid pace of technological change has exposed a fundamental weakness in the civil justice system. With cybercrimes skyrocketing and an ever-increasing amount of sensitive information being exchanged on the internet, the development of robust and trustworthy computer systems is a necessity.

Thus, the new tort of negligent enablement brings good sense to software law for the millennium.

Hardware: Defined as "Goods"

As we purchased any hardware in the market, we are exposed to the probability of having an unoriginal hardware in such a way that its functionality is altered to become a hardware that is out of our expectation and needs. This process of altering hardware specification is called Hardware Trojan horses (HTHs). HTH are the malicious altering of hardware specification or implementation in such a way that its functionality is altered under a set of conditions defined by the attacker.

It is quite difficult to find a proper case in our legal system as a reference for legal issues related to Hardware Trojans Horse. However, it might be relevant to refer to Consumer Protection Act 1999 and Sale of Goods Act 1957. This is due to the fact that hardware is purchased and acquired in a tangible and physical state.

This is in accordance with definition of “goods” under Section 2 of Sale of Goods Act 1957 which reads:

“goods” means every kind of movable property other than actionable claims and money; and includes stock and shares, growing crops, grass and things attached to or forming part of the land which are agreed to be severed before sale or under the contract of sale;

Then, we also can refer to the Section 3(1) of the Consumer Protection Act 1999 which reads:

"goods" means goods which are primarily purchased, used or consumed for personal, domestic or household purposes, and includes –

(a) goods attached to, or incorporated in, any real or personal property;

(b) animals, including fish;

(d) UTILITIES; and

(e) trees, plants and crops whether on, under or attached to land or not,

but does not include choses in action, including negotiable instruments, shares, debentures and money.

Then, for a clearer definition, we can refer to the St Albans City and District Council v International Computers Ltd, where Sir Iain Glidewell has ruled that:

In both the Section 61 of Sale of Goods Act 1979 and Section 18 of the Supply of Goods and Services Act 1982 the definition of "goods" is "includes all personal chattels other than things in action and money ...." Clearly a disc is within this definition. Equally clearly, a program, of itself, is not.

Thus, from the above definition, we can conclude that hardware is included in the definition of “goods”. Next, we refer to the Section 32 of Consumer Protection Act 1999 for the implied guarantee as to acceptable quality.

Section 32. Implied guarantee as to acceptable quality

(1) Where goods are supplied to a consumer there shall be implied a guarantee that the goods are of acceptable quality.

(2) For the purposes of subsection (1), goods shall be deemed to be of acceptable quality -

(a) if they are -

(i) fit for all the purposes for which goods of the type in question are commonly supplied;

(ii) acceptable in appearance and finish;

(iii) FREE FROM MINOR DEFECTS;

(iv) safe; and

(v) durable; and

(b) a reasonable consumer fully acquainted with the state and condition of the goods, including ANY HIDDEN DEFECTS, would regard the goods as acceptable having regard to -

(i) the nature of the goods;

(ii) the price;

(iii) any statements made about the goods on any packaging or label on the goods;

(iv) any representation made about the goods by the supplier or the manufacturer; and

(v) all other relevant circumstances of the supply of the goods.

(3) Where any defects in the goods have been specifically drawn to the consumer's attention before he agrees to the supply, then, the goods shall not be deemed to have failed to comply with the implied guarantee as to acceptable quality by reason only of those defects.

(4) Where goods are displayed for sale or hire, the defects that are to be treated as having been specifically drawn to the consumer's attention for the purposes of subsection (3) shall be defects disclosed on a written notice displayed with the goods.

(5) Goods shall not be deemed to have failed to comply with the implied guarantee as to acceptable quality if

(a) the goods have been used in a manner or to an extent which is inconsistent with the manner or extent

of use that a reasonable consumer would expect to obtain from the goods; and

(b) the goods would have complied with the implied guarantee as to acceptable quality if they had not

been used in that manner or to that extent.

(6) A reference in subsections (3) and (4) to a defect is a reference to any failure of the goods to comply with the implied guarantee as to acceptable quality.

Therefore, as a remedy, the consumer can refer to Part VI of Consumer Protection Act 1999:

Part VI - Rights Against Suppliers In Respect Of Guarantees In The Supply Of Goods

Section 39. Consumer's right of redress against suppliers

This Part gives a consumer a right of redress against a supplier of goods where the goods fail to comply with any of the implied guarantees under sections 31 to 37.

Legal Liabilities on the Creator of Trojan Horse Virus and Malware

Nowawadays, we live in a world that depends on the Internet 100%, thus there can be always people that take advantages on such dependence on the internet,this is because criminals now are able to commit more high-technology crimes too and its becoming more and more complex as they never ceases finding ways to bypasses different computer security system. Terrorists are using the net to plan attacks against the United States and with the aid of encryption, these messages are likely to be transmitted without being able to be tracked. This makes it more difficult for law enforcement officials as the Internet allows for instant and anonymous communications. Cyber crime can take many forms including the release of a virus which may cause the destruction of a computer system.

We have seen the ability of terrorists' attacks in the September 11 episode that led to mass killings of innocent civilians in a developed country. We have seen how the creation of the 'I Love You Bug', 'Melissa Virus' and the 'Bugbear' caused the destruction of data and loss of protected information across the world and in various industries with the facilitation of the Internet. We have seen and heard of the dangers of information being stolen by company employees that led to the downfall of giant multinationals across the globe resulting in damages totalling billions of dollars. Consider these different aspects of technology related crime and we can see that they all have an element in common which is for the compromise or destruction of computer data.(Ravin Vello, 2006) This is the list 10 top among more of dangerous and popular viruses that once had spread world-wide. (10_deadly_computer_viruses_that_shook_the_world)

Do take note that Viruses on Microcomputers such as Trojan Horses, bugs and worms are merely a method or technique in which hackers are using to gain an unauthorized access on other people's computer system and crackers would then made malicious modifications on the data secured by them through such viruses and worms. Thus, this post would discuss on the legal liabilities on the hackers involved behind viruses of Trojan Horses and malware on two perspectives based on Computer Crimes Act 1997 which is unauthorized access and modifications.

An advocate & solicitor, Sulaiman Azmil on CRIMES ON THE ELECTRONIC FRONTIER -- SOME THOUGHTS ON THE COMPUTER CRIMES ACT 1997 ([1997] 3 MLJ lix), mentions about unauthorized access offence or "hacking" with distinction of "cracking" where based on SE Miller which the author cited, distinguish between the two terms based on the intention of the hackers. It was believed that hackers are more noble than crackers as hackers may not necessarily have a malicious intention on other people computer system or informations and those with such intentions are actually the "crackers". Competitions are also formally and widely made in universities and schools throughout the world based on "Hacking" ability as they are recognized to identify and also helps in improving computer system. This was emphasized by Mr Lim Kit Siang MP that argues of amendments on the Computer Crimes act to insert a clause of distinction between the two but was disagreed by AG's Chambers as an act of unauthorized access whether by a hacker or a cracker, is still an act to be the same as 'entering someone's house without permission'. ((raised by Mr Lim Kit Siang during a cyberlaw briefing organized by the Parliamentary Inter-Party Committee for Information Technology on 25 April 1997. In proposing the lowering of the fines to be imposed on hackers convicted of the offences under the Bill (as it then was), Mr Lim noted that the very high penalties (in the Bill) would stifle creativity of computer experts -- creativity which was important to boost IT development in Malaysia. Computer experts, it was argued, broke into systems to experiment, learn or demonstrate the low security of different systems: New Straits Times, 26 April 1997))

Thus, unauthorized access offence is set out in s 3(1) of Computer Crimes Act 1997. The provision states that a person shall be guilty of an offence if:

(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
(b) the access he intends to secure is unauthorized; and
(c) he knows at the time when he causes the computer to perform the function that that is the case.

The intent a person has to have to commit an offence under this section need not be directed at any particular program or data, a program or data of any particular kind or a program or data held in any particular computer.

Under s 2(2), a person is said to secure access to any program or data held in a computer if, by causing a computer to perform any function, he:

(a) alters or erases the program or data;

(b) copies or moves it to any storage medium other than that in which it is held or to a different location in the storage medium in which it is held;

(c) uses it; or

(d) causes it to be output from the computer in which it is held whether by having it displayed or in any other manner, and references to access to a program or data and to an intent to secure such access shall be construed accordingly.

For the purposes of the Act, access of any kind by any person to any program or data held in a computer is unauthorized if:

(a) he is not himself entitled to control access of the kind in question to the program or data; and

(b) he does not have consent or exceeds any right or consent to access by him of the kind in question to the program or data from any person who is so entitled.

Thus, based on (Sulaiman Azmil, 1997) ,he explains based on two divided criminal elements. actus reus of unauthorized access he said that it must be when the accused specifically "Causes a computer to perform any action". Thus any action on reality such as the reading of computer printout, the reading of data
displayed on the CRT monitor and 'computer eavesdropping' are out of the said section.

However, on the mens rea, it consists of two limbs,

1) there must be intent on the part of the defendant to secure access to any program or data held in any computer.

2) the defendant must know at the time when he causes the computer to perform the function that the access which he intends to secure is unauthorized.

Which both are neither specifically explained in the Computer Crime Act or the Penal Code. Intentions are observed as important by the author as reckless or negligent conduct in accessing any program or data cannot be charged under this act. Knowledge however are said to be difficut to prove as claiming someone to access an unsecured site may not necessarily be known by him that it was not authorized.

Thus, the prosecution may have to figure out the answers for the questions that need to be asked:

1) whether the access is authorized;

2) whether the party obtaining or seeking to obtain access to any programs or data had knowledge that this was not authorized; and

3) whether there was intention to commit the offence

Besides that, another issue to be looked at was on the phrase of 'any program or data held in any computer' in para (a) of s 3(1) which is explained in s 2(6) to include a reference to any program or data held in any removable storage medium that was inside the computer. It seems that the commission of offence under this act may only occur when the medium ( e.g disc, diskette, pen-drive, etc) was inside the computer. Thus, any other means of destruction or editing of the removable storage medium that was done to it outside the computer does not apply to this act.

In a UK case that we can consider is on the case of Attorney-General's Reference (No 1 of 1991) [1994] 1 QB 547, the defendant was an employee of a wholesale locksmith. After he finished his duty for the day, he returned to the premise wanting to purchase an item of equipment. Details of the sales transaction were entered into a computer terminal. The defendant, previously a sales assistant in the organization, had knowledge with the use of the system and, taking advantage of a moment when the terminal was left unattended, entered a code into the system. This resulted in the computer giving a 70% discount on the sale. The invoice which was subsequently generated hence charged the sum of £204.76 instead of the normal price of £710.96. The defendant was charged with an offence under the UK Computer Misuse Act 1990. At trial, the judge dismissed the charge, holding that the phrase in s 1(1)(a)63 referring to obtaining access to 'any program or data held in any computer' required that one computer should be used to obtain access to a program or data held on another computer.

Therefore, either techniques of hacking by writing trojan horse virus and malware, this two ways among many more can be viewed as techniques on gaining unauthorized access to other people computer system as they does not ask for the permission of the computer users first , to jeorpadized the computer system with the trojan horse virus or spied on the informations and datas inside any computer from the malware placed.

The second issue in which are vital to the topic is on the unauthorized modification offence which is an activity involved in damaging computers that ranges from unauthorized deletion of data to to denial of access (DoS) to authorized users. These activity are based on creating viruses, worms, logic bombs, malware and any other disabling programs. The very first famous viral infections was on 1988 which was called Brain.a. This virus which was written into software spreads to computer networks around the world and in the united states alone, it infected over 100,000 MS-DOS computers and disks.

Section 5(1) provides that a person shall be guilty of an offence if he does any act which he know will cause unauthorized modifications on the content of any computer.

For the purposes of the Act, a modification of the contents of any computer takes place if, by the operation of any function of the computer concerned or any other computer:

(a) any program or data held in the computer concerned is altered or erased;

(b) any program or data is introduced or added to its contents; or

(c) any event occurs which impairs the normal operation of any computer, and any act that contributes towards causing such a modification shall be regarded as causing it.

Under s 2(8), any modification referred to in sub-s (7) is unauthorized if:

(a) the person whose act causes it is not himself entitled to determine whether the modification should be made; and

(b) he does not have consent to the modification from any person who is so entitled.

At the simplest level, any deletion or addition of data can amount to modification. As previously noted, for the purposes of constituting the offence, there must be knowledge on the part of the perpetrator that the act performed will cause unauthorized modification of the contents of any computer.

Under s 5(4), a person guilty of an offence under this section shall, on conviction, be liable to a fine not exceeding RM100,000 or to imprisonment for a term not exceeding seven years or to both; or be liable to a fine not exceeding RM150,000 or to imprisonment for a term not exceeding ten years or to both, if the act is done with the intention of causing injury as defined under the Penal Code.

Therefore, whenever modifications made by a trojan horse virus which it was programmed to do so, the cracker behind such virus should be tracked down to held them responsible for the damages brought by such modifications made by their trojan horse viruses.

THE FOOD

From the last post, I had gave you a set of problems. So in this post, I will give you the main idea to solve all of these problems.

Firstly, we could see that from problem 1 and 3, the problem caused when the new software been installed. When inspected, it is true that the software itself contains malware.

For both of these problems, the ones that liable for the damages is the producer for the software. The producer of the software may be the company or the programmer himself.

It is not a problem to trace the producer for problem 1, as the software bought is a tangible item. It is easy to seek remedies as you have the proof that cause the damages. However, for the problem 3, it is quite hard to proof as it is an intangible product.

In Malaysia, the definition of software itself is still open for discussion. However, some of the Acts had define the goods as:

Electronics Commerce Act 2006
This act does not define "good" for the purpose of electronic commerce transition. The act caters to software available through ESD (electronic software download) as opposed to bundle software.

Consumer Protection Act
...transaction now can be use by means of electronic..

Sale of Good Act
They define goods as every kind of "movable property". Therefore it is illogical to put software under this act definition of "goods"

Because of this, the remedies for the damages happened in the matter of software is hard to gain.
This is true as stated in the case of Gammasonics Institute for Medical Research v Comrad Medical (an Australian case), the court itself not reluctant to stretch the inclusive nature of the definition of goods. Here we can see that the court wanted to force the legislature body to give the new definition of goods that include software as one of its. On of the best example that Malaysia can follow is from the New Zealand as in their Consumer Guarantees Act, to avoid doubt, they definition of goods include the computer software.

Move on to the problem 2, it is quiet easy to gain an answer for that as surely the producer of the hardware, ZBOX will be held liable as they are also the owner for the online operating system of ZBOX. In the problem 2 it is not hard to proof the liability as it consist of something tangible, which is the console.

I think I should also stated here the remedies for the damages on the hardware or the software.

There are three types of remedies can be gained which is:

Contractual civil remedies which are derived from the law of contract.
Stand alone civil remedies which do not rely on statutory provisions, but still can be enforced and;
Civil and criminal prosecutions

We should know that when the software we bought is embedded with Malware, the contract for purchasing the software is voidable. We can this matter clearly in the case of ProCD, Inc. v. Zeidenberg. In this case, the enforceability of "shrink wrap license" are being questioned. The court held that Zeidenberg did accept the offer by clicking through. The court noted, "He had no choice, because the software splashed the license on the screen and would not let him proceed without indicating acceptance." The court stated that Zeidenberg could have rejected the terms of the contract and returned the software. This is the reason why the EULA (End User License Agreement) contract is a voidable contract if there is a Malware embedded in it.

We as the consumer is well protected by the law. The law put the liability to the producer of the software as it is stated in the case of Rustad v Koenig.

Even though in Malaysia there still no ruckus happen because of all these matters (as lot of problems settled quietly), we should educate ourselves with these matter to become a good consumer for ourselves.