North American Network Operators Group


Re: Open, anonymous services and dealing with abuse

  • From: JC Dill
  • Date: Tue Feb 17 21:06:43 2004

At 12:43 PM 2/17/2004, John Palmer wrote:

> I hate to see government get involved in anything, but perhaps
> some law holding PC owners responsible for SPAM that comes
> from their unpatched machines AS LONG AS there is ample
> notification to that user that their machine is compromised.

We don't need more new laws. There is already a law - in most parts of the world you can be charged with "contributory negligence" for failing to secure an "attractive nuisance" and then a third party is injured or damaged due to your negligence. In any part of the world that doesn't have such a law, a "new law" in another part of the world wouldn't matter anyway.

What is needed is for someone to CARE enough to bother to investigate and prosecute. And yes, it's going to cost "more than it's worth" to prosecute, at least the first few times. Someone has to decide that the long-term good is worth the price of being the leader in this charge.

IMHO, you should sue both the owner of the PC (for negligently failing to properly secure their computer, or to fix it when notified), and sue Microsoft (for negligently producing and selling software that was so easily compromised) as they are both responsible for the hardware/software that was used to damage your servers/network etc. Microsoft's EULA doesn't apply to you as a third party who is damaged by their faulty software. You should also consider an offer to settle with the PC owner if they agree to jointly sue Microsoft on your behalf. You are not held to the EULA, but they are, but since Microsoft's software is *negligent* it's possible that the EULA doesn't penetrate their inherent liability to not produce a product that causes harm. (A EULA won't protect a ladder maker from negligently building and selling a ladder on which people get hurt when they use it for its intended purpose.) But we won't know until someone digs down into their pockets and funds a lawsuit to try it out.

Sorry about the lack of operational content in this post, but sometimes you have to consider the costs and benefits of both operational solutions and other solutions (e.g. legal solution) in order to determine which solution is the best one for your network, both in the short term and in the long term.

jc



--

p.s. Please do not cc me on replies to the list. Please reply to the list only, or to me only (as you prefer) but not to both.