North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Compromised machines liable for damage?

  • From: Douglas Otis
  • Date: Wed Dec 28 14:12:49 2005

On Dec 27, 2005, at 5:03 AM, Steven M. Bellovin wrote:


In message <[email protected]n.c
om>, "Hannigan, Martin" writes:


In the general sense, possibly, but where there are lawyers there is =
always discoragement.

Suing people with no money is easy, but it does stop them from =
contributing in most cases. There are always a few who like getting =
sued. RIAA has shown companies will widescale sue so your argument is =
suspect, IMO..

I've spent a *lot* of time talking to lawyers about this. In fact, a few
years ago I (together with an attorney I know) tried to organize a "moot
court" liability trial of a major vendor for a security flaw. (It
ended up being a conference on the issue.)

The reason there have not been any lawsuits against vendors is because
of license agreements -- every software license I've ever read,
including the GPL, disclaims all warranties, liability, etc. It's not
clear to me that that would stand up with a consumer plaintiff, as opposed
to a business; that hasn't been litigated. I tried to get around that
problem for the moot court by looking at third parties who were injured
by a problem in a software package they hadn't licensed -- think
Slammer, for example, which took out the Internet for everyone.
There have been successful cases for pedestrians that used a train trestle as a walk-way, where warnings were clearly displayed, and a fence had been put in place, but the railroad failed to ensure repair of the fence. The warning sign was not considered adequate. Would this relate to trespassers that use an invalid copy of an OS refused patches? Would this be similar to not repairing the fence? Clearly the pedestrians are trespassing, nevertheless the railroad remains responsible for the safety of their enterprise.

-Doug