North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: Compromised machines liable for damage?
- From: Jason Frisvold
- Date: Tue Dec 27 17:07:32 2005
- Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=pMQE4Nj85TkVJ7kzXEmskxVvEBZfPcZtV8/gS/DdiVD8m5VO6iHIMedDZk5IxzEn9rr/ef8wtAp8Bx3PUSxCur/Uwzola7SsUNOMAPmw5OMUjyF1AZ6OrzW3c45P4ozi8+EyZltORAGrXqXGe+jLWuSUaiFy/jq2VzPCho9o3Es=
On 12/27/05, JC Dill <email@example.com> wrote:
> I am not a lawyer, but I believe there is a significant difference in
> the liability that ensues from knowingly selling a defective product,
> and from giving something away for free. Matt gave away FormMail for
> free. When Matt wrote FormMail open relays were common on the internet.
> His Perl scripts were similar in security and utility to other
> software at the time. Once it became known how this type of software
> could be abused, *then* he had an obligation (moral obligation if not
> strictly legal obligation) to stop distributing the old insecure
> scripts, which is what he did.
And I would agree with this reasoning. If the software is defective,
fix it or stop selling it. However, I don't think all software
developers have "control" over the selling of the software after it's
sent to the publisher. (I'm by no means intimate with how all this
works) So, for instance, if developer A creates product A+, publisher
P deals with packaging it up, distributing it, etc. A few months
later, developer A goes out of business for some insane reason.
Publisher P continues to sell the software in which a security hole is
discovered a month later. There's no way for developer A to fix the
hole, they don't exist. And publisher P isn't near smart enough to
fix it. So they just continue selling it. Life goes on, it
eventually falls into the bargain bin where publisher P continues to
package it, but in recycled fish wrap instead of the pristine new
boxes it used to.
So is developer A still liable? Is publisher P liable? Should they be?
> If you tell someone "be careful, that coffee is hot and may burn you"
> most people will equate "burn" with "might cause some temporary pain or
> perhaps a minor blister" and not with "I will spend 2 weeks in the
> hospital with 3rd degree burns and require skin grafts and have over
> $20k in medical bills". Stella assumed the coffee she was served was
> served was at a normal hot coffee temperature, hot enough to perhaps
> hurt a bit if spilled but NOT so hot as to cause severe and disfiguring
> burns. See:
Still, a little common sense... Hot coffee of any type, between the
legs, in a moving car? Umm.. even "normal" coffee still causes a
jump of pain. That jump of pain could easily cause a car accident.
So who do I sue? McDonalds for selling the coffee? Or the driver who
put it between his/her legs?
> Most people expect that their operating system and browser will work
> securely, not that it will let intruders steal their data, compromise
> their privacy, and inflict damage on others. Just as McDonalds was held
> liable for repeatedly intentionally selling coffee they knew was being
> served too hot and capable of causing much greater harm than the buyer
> was aware of, IMHO so should a software company be held liable for
> repeatedly knowingly selling defective software, especially when that
> software causes damage to 3rd parties who have not agreed to the EULA.
If it's a known issue and the developer continues to ignore it, then
yeah, they should probably be held accountable. But, there's still
the issue of what is bad and what isn't. Madden 2006 for the PSP
reboots when I end a franchise mode game. It destroys the data I just
spent 30 minutes generating while playing the game. Is that bad
enough that the company should be held liable for it? (Yes, I'm aware
they're replacing the discs now. Excellent move on EA's part)
There's another form mailer out there that I dealt with, and wrote a
large post on Bugtraq about, that continues to allow relaying even
after a complete bug report with a fix. Should that developer be held
liable for damages? It's just spam, it's not really hurting anyone,
Then there's something like Internet Explorer. Any one of the dozens
of exploits "allows a remote attacker to assume control of the
computer" ... That's bad.. That's definitely an issue. I could
agree that the developer should be held liable for that ...
Maden 2006 I had to pay for. IE came with Windows, so I didn't
*really* have to pay for it, depending on how you look at it. The
form mailer was free on the internet. Does having to pay for it
determine if the developer should be liable? What if Linux had a
security hole that was reported and never fixed? Should Linus get
sued? Wow.. who would you even sue in that instance?
Software confuses things a bit I think.. I can agree that an IE bug,
unchecked, should be liable. But a form mailer? It was free to begin
with, so just move on to something else...
I'm not sure I, personally, could get behind holding software
companies liable until some standard was set to determine what the
expectations were... And setting those standards is the hard part...
Jason 'XenoPhage' Frisvold