North American Network Operators Group


Re: Compromised machines liable for damage?

  • From: Jason Frisvold
  • Date: Tue Dec 27 17:07:32 2005

On 12/27/05, JC Dill <[email protected]> wrote:
> I am not a lawyer, but I believe there is a significant difference in
> the liability that ensues from knowingly selling a defective product,
> and from giving something away for free.  Matt gave away FormMail for
> free.  When Matt wrote FormMail open relays were common on the internet.
> His Perl scripts were similar in security and utility to other
> software at the time.  Once it became known how this type of software
> could be abused, *then* he had an obligation (moral obligation if not
> strictly legal obligation) to stop distributing the old insecure
> scripts, which is what he did.

And I would agree with this reasoning.  If the software is defective,
fix it or stop selling it.  However, I don't think all software
developers have "control" over the selling of the software after it's
sent to the publisher.  (I'm by no means intimate with how all this
works)  So, for instance, if developer A creates product A+, publisher
P deals with packaging it up, distributing it, etc.  A few months
later, developer A goes out of business for some insane reason. 
Publisher P continues to sell the software in which a security hole is
discovered a month later.  There's no way for developer A to fix the
hole, they don't exist.  And publisher P isn't near smart enough to
fix it.  So they just continue selling it.  Life goes on, it
eventually falls into the bargain bin where publisher P continues to
package it, but in recycled fish wrap instead of the pristine new
boxes it used to.

So is developer A still liable?  Is publisher P liable?  Should they be?

> If you tell someone "be careful, that coffee is hot and may burn you"
> most people will equate "burn" with "might cause some temporary pain or
> perhaps a minor blister" and not with "I will spend 2 weeks in the
> hospital with 3rd degree burns and require skin grafts and have over
> $20k in medical bills".  Stella assumed the coffee she was served was
> at a normal hot coffee temperature, hot enough to perhaps
> hurt a bit if spilled but NOT so hot as to cause severe and disfiguring
> burns.  See:

Still, a little common sense...  Hot coffee of any type, between the
legs, in a moving car?  Umm..  even "normal" coffee still causes a
jump of pain.  That jump of pain could easily cause a car accident.

So who do I sue?  McDonalds for selling the coffee?  Or the driver who
put it between his/her legs?

> Most people expect that their operating system and browser will work
> securely, not that it will let intruders steal their data, compromise
> their privacy, and inflict damage on others.  Just as McDonalds was held
> liable for repeatedly intentionally selling coffee they knew was being
> served too hot and capable of causing much greater harm than the buyer
> was aware of, IMHO so should a software company be held liable for
> repeatedly knowingly selling defective software, especially when that
> software causes damage to 3rd parties who have not agreed to the EULA.

If it's a known issue and the developer continues to ignore it, then
yeah, they should probably be held accountable.  But, there's still
the issue of what is bad and what isn't.  Madden 2006 for the PSP
reboots when I end a franchise mode game.  It destroys the data I just
spent 30 minutes generating while playing the game.  Is that bad
enough that the company should be held liable for it?  (Yes, I'm aware
they're replacing the discs now.  Excellent move on EA's part)

There's another form mailer out there that I dealt with, and wrote a
large post on Bugtraq about, that continues to allow relaying even
after a complete bug report with a fix.  Should that developer be held
liable for damages?  It's just spam, it's not really hurting anyone,
is it?

Then there's something like Internet Explorer.  Any one of the dozens
of exploits "allows a remote attacker to assume control of the
computer" ...  That's bad..  That's definitely an issue.  I could
agree that the developer should be held liable for that ...

Madden 2006 I had to pay for.  IE came with Windows, so I didn't
*really* have to pay for it, depending on how you look at it.  The
form mailer was free on the internet.  Does having to pay for it
determine if the developer should be liable?  What if Linux had a
security hole that was reported and never fixed?  Should Linus get
sued?  Wow..  who would you even sue in that instance?

Software confuses things a bit I think..  I can agree that an IE bug,
unchecked, should be liable.  But a form mailer?  It was free to begin
with, so just move on to something else...

I'm not sure I, personally, could get behind holding software
companies liable until some standard was set to determine what the
expectations were...  And setting those standards is the hard part...

> jc

--
Jason 'XenoPhage' Frisvold
[email protected]