North American Network Operators Group

Re: Compromised machines liable for damage?

  • From: Owen DeLong
  • Date: Wed Dec 28 16:13:28 2005

--On December 28, 2005 9:38:11 AM -0500 Jason Frisvold
<[email protected]> wrote:

> On 12/27/05, Owen DeLong <[email protected]> wrote:
>> Look at it another way... If the software is open source, then, there
>> is no requirement for the author to maintain it as any end user has
>> all the tools necessary to develop and deploy a fix.  In the case of
>> closed software, liability may be the only tool society has to
>> protect itself from the negligence of the author(s).  What is the
>> liability situation for, say, a Model T car if it runs over someone?
>> Can Ford still be held liable if the accident turns out to be caused
>> by a known design flaw in the car? (I don't know the answer, but,
>> I suspect that it would be the same for "old" software).
> But can't something similar be said for closed source?  You know
> there's a vulnerability, stop using it...  (I'm aware that this is
> much harder in practice)
Yes... You say that as if I have a problem with people using bad software
being held liable for the damage it does.  I do not.

> <snip dead horse />
>> In general, if the gross act of stupidity was reasonably foreseeable,
>> the manufacturer has a "duty to care" to make some attempt to mitigate
>> or prevent the customer from taking such action.  That's why toasters
>> all come with warnings about unplugging them before you stick a
>> fork in them.  That's why every piece of electronic equipment says
>> "No user serviceable parts inside" and "Warning risk of electric shock".
> So what if Microsoft put a warning label on all copies of Windows that
> said something to the tune of "Not intended for use without firewall
> and anti-virus software installed" ?  :)  Isn't the consumer at least
> partially responsible for reasonable precautions?
Yes.  Again, I have no problem if every user of Windows starts paying
for failing to prevent it from damaging the network (or any other
software that does damage in this context).  Perhaps that will finally
start showing corporate America the true cost of running Windows.

>> They feel for the carpenter and the only option they have to help
>> him is to take money from the corporation.
> I'm all for compassion, but sometimes it's a bit much..  :)
No argument.  My point was that it isn't so much the judge as some
aspects of our jury system that are at the root of many of these
> I guess, in a nutshell, I'm trying to understand the liability
> issue...  It seems, based on the arguments, that it generally applies
> to "stuff" that was received due to some monetary transaction.  And
> that the developer/manufacturer/etc is given a chance to repair the
> problem, provided that problem does not exist due to gross negligence
> on the part of the developer/manufacturer/etc ...  Does that about sum
> it up?
Mostly.  Certainly, liability is more certain in those circumstances
than if any of those things are not present.

> [From your other mail]
>> SPAM does a lot of actual harm.  There are relatively high costs
>> associated with SPAM.  Machine time, network bandwidth, and, labor.
> *nod*  I agree..  My point here was that SPAM, when compared to
> something like a virus, is *generally* less harmful.  Granted, SPAM is
> more of a constant problem rather than a single virus that may attack
> for a few days before mitigation is possible.  I spend a great deal of
> time tweaking my mail servers to prevent spam..  :)
The primary output of viruses these days is SPAM.  The primary harm done
by viruses is SPAM.  Sure, there are occasional DOS issues, but, there
is actually more harm done by SPAM than DOS from a monetary perspective.


If it wasn't crypto-signed, it probably didn't come from me.
