North American Network Operators Group

Re: Compromised machines liable for damage?

  • From: Jason Frisvold
  • Date: Tue Dec 27 10:40:55 2005

On 12/27/05, Marshall Eubanks <[email protected]> wrote:
> There was a lot of discussion about this in the music / technology /
> legal community at the time of the Sony root exploit CD's - which
> I and others thought fully opened Sony for liability for 2nd party
> attacks. (I.e., if a hacker uses the Sony root kit to exploit your
> machine, then Sony is probably liable, regardless of the EULA. They
> put it in there; they made the attack possible.) IANAL, but I believe
> that if a vendor has even a partial liability, they can be liable for
> the whole.

But, what constitutes an exploit severe enough to warrant liability of
this type?  For instance, let's look at some scripts ...  formmail is
a perfect example.  First, there was no "real" EULA.  I'm definitely
not a lawyer, but I would think that would open up the writer to all
sorts of liability...  Anyways, the script was, obviously, flawed. 
Spammers took notice and used that script to spam all over the place. 
This hurt the hoster of the script, the people who were spammed, and
probably the ISPs that wasted the bandwidth carrying the spam.

So, should the writer of the script be sued for this?  Is he liable
for damages?  If that's the case, then I'm gonna hang up my
programming hat and go hide in a closet somewhere.  I'm far from
perfect and, while I'm relatively sure there are none, exploitable
bugs *might* exist in my software.  Or, perhaps, the exploit exists in
a library I used.  I've written a lot of PHP code, perhaps PHP has the
flaw...  Am I still liable, or is PHP now liable?

This has scary consequences if it becomes a blanket argument. 
Alternatively, if the programmer is made aware of the problem and does
nothing, then perhaps they should be held accountable.  But, then,
what happens to "old" software that is no longer maintained?

> I suspect that eventually EULA's will prove to be weak reeds, in much
> the same way that manufacturers may be liable when bad things happen,
> even if the product is being grossly misused. My intuition says that
> unfortunately somebody is going to have to die to establish this, as
> part of a wrongful death suit.
> With the explosion in VOIP use, this is probably only a matter of time.

Personally, I feel that if a person "grossly misuses" a product and is
hurt as a result, they deserve it.  Within some acceptable reason, of
course.  One expects that if you place a cup of coffee in your lap,
that you just purchased, I might add, that it may burn you if it
spills.  Or, if you puncture a can of hair spray near an open fire,
you may experience a slight burning sensation a few seconds later.

People, use your brains.  Next we'll have someone suing Craftsman when
they chop their leg off because there was no label on the saw that
said "don't place running saw in lap" ...  Come on, how stupid can you
be?  I apparently wouldn't make a good judge because I'd laugh most of
these cases right out of the courtroom!  Reasonable precaution should
be expected of all people.

> Regards
> Marshall Eubanks

--
Jason 'XenoPhage' Frisvold
[email protected]