North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Are ISP's responsible for worms and viruses

  • From: Owen DeLong
  • Date: Fri Oct 21 02:21:23 2005



--On October 20, 2005 9:32:44 PM +0100 Freminlins <[email protected]> wrote:

Owen DeLong wrote:

If companies that made
vulnerable OSs were held liable for the damage caused
by those vulnerabilities, you would rapidly see $$
make a BIG difference in the security quality of
OS Software.
How would that work for free/open source OSs/software? Who exactly would
be held liable? The contributors? Free OSs are just as capable of sending
out malware/virus infected emails, etc. as commercial systems.

That depends:

Free closed source:  I would presume the closed source provider or no one.
	Hard to assign liability when money did not change hands.
	No money, no duty to care in most cases.  Product liability
	is pretty much limited to products that are sold.

Open Source: I would expect no liability exists because...
	1.	No money changes hands, no duty to care.
	2.	End user has full access to source, so, has at least
		shared responsibility for fitness to purpose.
	3.	Full access to source means end user cannot claim
		that vulnerability was hidden from end user.
	4.	Full access to source means end user has ability
		to correct vulnerability as soon as identified.

Finally, while your statement is theoretically true, in practice,
resolutions to vulnerabilities in open source software tend to be
delivered much faster than in closed source software.  Even allowing
for the difference in market share, the percentage of open source
based systems which are owned and acting as spambots is much lower
than the percentage of closed-source systems which are doing so.
(note:  in this, although it is hybrid closed/open, I'll even count
MacOS X in the open source for this purpose).

Owen



Attachment: pgp00045.pgp
Description: PGP signature