North American Network Operators Group


Re: Compromised machines liable for damage?

  • From: Barrett G. Lyon
  • Date: Mon Dec 26 12:29:59 2005


If the gun seller is selling guns to people he knows are murderers, or is told to stop selling guns to known murderers, then what would you say? I would say the gun seller is negligent. Likewise, if an ISP is told about a problem machine/user then (as much as the ISP folks here would hate to admit it) the ISP is negligent. I think it would be a pretty easy case to prove negligence if you have legally recorded phone calls to the ISP reporting the bot, email history of conversations reporting the bot, and proof of the bot attacking you.

-Barrett

On Dec 26, 2005, at 4:58 AM, Gadi Evron wrote:

On Sun, 25 Dec 2005, Dave Pooser wrote:

This should be another thread completely, but I am wondering about
the liability of the individuals who have owned machines that are
attacking me/my clients.

As a practical matter, I'd expect it to be difficult to try. Convincing a
jury that running a PHP version that's three months out of date constitutes
gross negligence because you should have read about the vulnerability on the
Web might be... tricky. Especially when you have to explain to the jury what
PHP is. Dueling expert witnesses arguing about best practice, poor confused
webmaster/Amway distributor looking bewildered at all this technical talk
("I figgered I just buy Plesk and I was good to go. I dunno nothin' about
PHP. Isn't that a drug?") Not to mention working out what percentage of the
damages you suffered should come from each host.

But yeah, I'd like to see it tried. Lawyering up is one of our core
competencies here in the USA; maybe we could use it for good instead of
evil.

I'd like to bring some conclusions from past discussions on this issue to
the table.

First, holding a person liable while he had no way of knowing he is doing
something wrong is not right. Still, you know what they say about not
knowing the law and punishment.

There are two somewhat interesting metaphors that explain contradictory
views:
1. The gun owner:
If you own a gun, it is your duty to keep it safe. If it is stolen, you
will be punished to differing degrees depending on country. From never
owning a gun again or maybe a slap on the wrist... to going to jail.

If your gun is used in a crime such as say, murder, you can be held liable
for not keeping your gun safe or maybe even confused for the actual
criminal. You may also be the criminal (does anyone remember the Trojan horse
defense? "I was hacked! It wasn't me who did that from my computer!").

2.
Some believe that equating a gun to a computer is just wrong. Another
metaphor might be a stolen car, or some completely different ones.

Still, today people do not have a quick and easy way of protecting their
computers... and before anyone can start talking about ISP's and other
organizations, one would be forced to talk about STANDARDISATION for the
ISP industry, and so on.

Banks today don't follow standards, they follow regulations. If they fail
to, they are liable. Same for the insurance industry in some countries.

I am not really sure what the best solution is here or what will cause
more harm than good... but I am sure that from the complete lack of care
that involved compromised computers to the complete kill-future when
kiddie porn is involved, a solution can be found.

One has to remember though that law enforcement is limited in resources,
and millions upon millions of compromised machines just are not a priority
over rape or murder.

Gadi.