North American Network Operators Group


Re: Compromised machines liable for damage?

  • From: JC Dill
  • Date: Tue Dec 27 16:27:55 2005

Jason Frisvold wrote:
On 12/27/05, Marshall Eubanks <[email protected]> wrote:

There was a lot of discussion about this in the music / technology / legal community at the time of the Sony root exploit CDs, which I and others thought fully opened Sony for liability for 2nd party attacks. (I.e., if a hacker uses the Sony root kit to exploit your machine, then Sony is probably liable, regardless of the EULA. They put it in there; they made the attack possible.) IANAL, but I believe that if a vendor has even a partial liability, they can be liable for the whole.
But, what constitutes an exploit severe enough to warrant liability of this type? For instance, let's look at some scripts ... formmail is a perfect example. First, there was no "real" EULA. I'm definitely not a lawyer, but I would think that would open up the writer to all sorts of liability... Anyways, the script was, obviously, flawed. Spammers took notice and used that script to spam all over the place. This hurt the hoster of the script, the people who were spammed, and probably the ISPs that wasted the bandwidth carrying the spam.

So, should the writer of the script be sued for this? Is he liable
for damages?
I am not a lawyer, but I believe there is a significant difference in the liability that ensues from knowingly selling a defective product, and from giving something away for free. Matt gave away FormMail for free. When Matt wrote FormMail open relays were common on the internet. His Perl scripts were similar in security and utility to other software at the time. Once it became known how this type of software could be abused, *then* he had an obligation (moral obligation if not strictly legal obligation) to stop distributing the old insecure scripts, which is what he did.

(Researching FormMail history, I found a page that suggested fixing the FormMail problem by replacing the FormMail scripts with PHP scripts. :-)

Personally, I feel that if a person "grossly misuses" a product and is hurt as a result, they deserve it. Within some acceptable reason, of course. One expects that if you place a cup of coffee in your lap, that you just purchased, I might add, that it may burn you if it
If you tell someone "be careful, that coffee is hot and may burn you" most people will equate "burn" with "might cause some temporary pain or perhaps a minor blister" and not with "I will spend 2 weeks in the hospital with 3rd degree burns and require skin grafts and have over $20k in medical bills". Stella assumed the coffee she was served was at a normal hot coffee temperature, hot enough to perhaps hurt a bit if spilled but NOT so hot as to cause severe and disfiguring burns. See:



"McDonalds also said during discovery that, based on a consultant's advice, it held its coffee at between 180 and 190 degrees Fahrenheit to maintain optimum taste. He admitted that he had not evaluated the safety ramifications at this temperature. Other establishments sell coffee at substantially lower temperatures, and coffee served at home is generally 135 to 140 degrees."


McDonalds intentionally served the coffee hotter than was safe, hotter than was safe for *drinking* (the purpose of the product) and ignored the dangers this presented and the prior cases of damage it caused.

Back to the topic of computers and software that damages other computers over the network:

Most people expect that their operating system and browser will work securely, not that it will let intruders steal their data, compromise their privacy, and inflict damage on others. Just as McDonalds was held liable for repeatedly intentionally selling coffee they knew was being served too hot and capable of causing much greater harm than the buyer was aware of, IMHO so should a software company be held liable for repeatedly knowingly selling defective software, especially when that software causes damage to 3rd parties who have not agreed to the EULA.