North American Network Operators Group
Re: Compromised machines liable for damage?
- From: Barrett G.Lyon
- Date: Mon Dec 26 12:29:59 2005
If the gun seller is selling guns to people he knows are murderers, or
is told to stop selling guns to known murderers, then what would you
say? I would say the gun seller is negligent. Likewise, if an ISP
is told about a problem machine/user then (as much as the ISP folks
here would hate to admit it) the ISP is negligent. I think it would
be a pretty easy case to prove negligence if you have legally
recorded phone calls to the ISP reporting the bot, email history of
conversations reporting the bot, and proof of the bot attacking you.
-Barrett
On Dec 26, 2005, at 4:58 AM, Gadi Evron wrote:
On Sun, 25 Dec 2005, Dave Pooser wrote:
This should be another thread completely, but I am wondering about the liability of the individuals who have owned machines that are attacking me/my clients.
As a practical matter, I'd expect it to be difficult to try. Convincing a jury that running a PHP version that's three months out of date constitutes gross negligence because you should have read about the vulnerability on the Web might be... tricky. Especially when you have to explain to the jury what PHP is. Dueling expert witnesses arguing about best practice, poor confused webmaster/Amway distributor looking bewildered at all this technical talk ("I figgered I just buy Plesk and I was good to go. I dunno nothin' about PHP. Isn't that a drug?") Not to mention working out what percentage of the damages you suffered should come from each host.
But yeah, I'd like to see it tried. Lawyering up is one of our core competencies here in the USA; maybe we could use it for good instead of evil.
I'd like to bring some conclusions from past discussions on this issue to the table.
First, holding a person liable while he had no way of knowing he is doing something wrong is not right. Still, you know what they say about not knowing the law and punishment.
There are two somewhat interesting metaphors that explain contradicting views:
1. The gun owner:
If you own a gun, it is your duty to keep it safe. If it is stolen, you will be punished to differing degrees depending on country. From never owning a gun again or maybe a slap on the wrist... to going to jail.
If your gun is used in a crime such as say, murder, you can be held liable for not keeping your gun safe or maybe even confused for the actual criminal. You may also be the criminal (anyone remember the Trojan horse defense? "I was hacked! It wasn't me who did that from my computer!").
2. Some believe that equating a gun to a computer is just wrong. Another metaphor might be a stolen car, or some completely different ones.
Still, today people do not have a quick and easy way of protecting their computers... and before anyone can start talking about ISPs and other organizations, one would be forced to talk about STANDARDISATION for the ISP industry, and so on.
Banks today don't follow standards, they follow regulations. If they fail to, they are liable. Same for the insurance industry in some countries.
I am not really sure what the best solution is here or what will cause more harm than good... but I am sure that from the complete lack of care that involved compromised computers to the complete kill-future when kiddie porn is involved, a solution can be found.
One has to remember though that law enforcement is limited in resources, and millions on millions of compromised machines just are not a priority on rape or murder.
Gadi.