North American Network Operators Group
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Compromised machines liable for damage?

  • From: Owen DeLong
  • Date: Wed Dec 28 16:25:58 2005 
--On December 28, 2005 11:09:31 AM -0800 Douglas Otis
<[email protected]> wrote:

> 
> 
> On Dec 27, 2005, at 5:03 AM, Steven M. Bellovin wrote:
> 
>> 
>> In message  
>> <[email protected]n.c
>> om>, "Hannigan, Martin" writes:
>> 
>>> 
>>> In the general sense, possibly, but where there are lawyers there  
>>> is =
>>> always discoragement.
>>> 
>>> Suing people with no money is easy, but it does stop them from =
>>> contributing in most cases. There are always a few who like getting =
>>> sued. RIAA has shown companies will widescale sue so your argument  
>>> is =
>>> suspect, IMO..
>>> 
>> 
>> I've spent a *lot* of time talking to lawyers about this.  In fact,  
>> a few
>> years ago I (together with an attorney I know) tried to organize a  
>> "moot
>> court" liability trial of a major vendor for a security flaw.  (It
>> ended up being a conference on the issue.)
>> 
>> The reason there have not been any lawsuits against vendors is because
>> of license agreements -- every software license I've ever read,
>> including the GPL, disclaims all warranties, liability, etc.  It's not
>> clear to me that that would stand up with a consumer plaintiff, as  
>> opposed
>> to a business; that hasn't been litigated.  I tried to get around that
>> problem for the moot court by looking at third parties who were  
>> injured
>> by a problem in a software package they hadn't licensed -- think
>> Slammer, for example, which took out the Internet for everyone.
> 
> There have been successful cases for pedestrians that used a train
> trestle as a walk-way, where warnings were clearly displayed, and a
> fence had been put in place, but the railroad failed to ensure repair  of
> the fence.  The warning sign was not considered adequate.  Would  this
> relate to trespassers that use an invalid copy of an OS refused  patches?
> Would this be similar to not repairing the fence?  Clearly  the
> pedestrians are trespassing, nevertheless the railroad remains
> responsible for the safety of their enterprise.
> 
> -Doug

While I think it is unfair in the case of the railroad, and, burglars that 
injure themselves in peoples stores/houses, it works for me in the case
of software.

Denying patches doesn't tend to injure the trespassing user so much as
it injures the others that get attacked by his compromised machine.
I think that is why many manufacturers release security patches to
anyone openly, while restricting other upgrades to registered users.

Owen


-- 
If it wasn't crypto-signed, it probably didn't come from me.

Attachment: pgp00021.pgp
Description: PGP signature