On Sun, 25 Dec 2005, Dave Pooser wrote:
This should be another thread completely, but I am wondering about
the liability of the individuals who have owned machines that are
attacking me/my clients.
As a practical matter, I'd expect it to be difficult to try. Convincing a
jury that running a PHP version that's three months out of date constitutes
gross negligence because you should have read about the vulnerability on the
Web might be... tricky. Especially when you have to explain to the jury what
PHP is. Dueling expert witnesses arguing about best practice, poor confused
webmaster/Amway distributor looking bewildered at all this technical talk
("I figgered I just buy Plesk and I was good to go. I dunno nothin' about
PHP. Isn't that a drug?") Not to mention working out what percentage of the
damages you suffered should come from each host.
But yeah, I'd like to see it tried. Lawyering up is one of our core
competencies here in the USA; maybe we could use it for good instead of
I'd like to bring some conclusions from past discussions on this issue to
First, holding a person liable while he had no way of knowing he is doing
something wrong is not right. Still, you know what they say about not
knowing the law and punishment.
There are two somewhat interesting metaphors that explain contradicting
1. The gun owner:
If you own a gun, it is your duty to keep it safe. If it is stolen, you
will be punished to differing degrees depending on country. From never
owning a gun again or maybe a slap on the wrist... to going to jail.
If your gun is used in a crime such as say, murder, you can be held liable
for not keeping your gun safe or maybe even confused for the actual
criminal. You may also be the criminal (does anyone remember the Trojan horse
defense? "I was hacked! It wasn't me who did that from my computer!").
Some believe that equating a gun to a computer is just wrong. Another
metaphor might be a stolen car, or some completely different ones.
Still, today people do not have a quick and easy way of protecting their
computers... and before anyone can start talking about ISPs and other
organizations, one would be forced to talk about STANDARDISATION for the
ISP industry, and so on.
Banks today don't follow standards, they follow regulations. If they fail
to, they are liable. Same for the insurance industry in some countries.
I am not really sure what the best solution is here or what will cause
more harm than good... but I am sure that from the complete lack of care
that involved compromised computers to the complete kill-future when
kiddie porn is involved, a solution can be found.
One has to remember though that law enforcement is limited in resources,
and millions upon millions of compromised machines just are not a priority
over rape or murder.