Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Compromised machines liable for damage?

  • From: Owen DeLong
  • Date: Tue Dec 27 22:30:52 2005

--On December 27, 2005 10:39:38 AM -0500 Jason Frisvold
<> wrote:

> On 12/27/05, Marshall Eubanks <> wrote:
>> There was a lot of discussion about this in the music / technology /
>> legal community
>> at the time of  the Sony root exploit CD's - which
>> I and others thought fully opened  Sony for liability for 2nd party
>> attacks. (I.e., if a hacker uses the Sony
>> root kit to exploit your machine, then Sony is probably liable,
>> regardless of the EULA. They put
>> it in there; they made the attack possible.) IANAL, but I believe
>> that if a vendor has even a
>> partial liability, they can be liable for the whole.
> But, what constitutes an exploit severe enough to warrant liability of
> this type?  For instance, let's look at some scripts ...  formmail is
> a perfect example.  First, there was no "real" EULA.  I'm definitely
> not a laywer, but I would think that would open up the writer to all
> sorts of liability...  Anyways, the script was, obviously, flawed. 
> Spammers took notice and used that script to spam all over the place. 
> This hurt the hoster of the script, the people who were spammed, and
> probably the ISPs that wasted the bandwidth carrying the spam.
It's not just about the severity of the exploit.  What did you pay
for formmail?  Did the author have a "duty to care"?  If money
did not change hands, then, liability becomes much more difficult
unless you can show gross negligence.  Further, since formmail
is provided in source form, the server owner could have fully evaluated it
vulnerability prior to deploying it.  Thus, even if there is some
liablity, it primarily falls to the person/organization who
placed the script in use on the server, not the author.

> So, should the writer of the script be sued for this?  Is he liable
> for damages?  If that's the case, then I'm gonna hang up my
> programming hat and go hide in a closet somewhere.  I'm far from
> perfect and, while I'm relatively sure there are none, exploitable
> bugs *might* exist in my software.  Or, perhaps, the exploit exists in
> a library I used.  I've written a lot of PHP code, perhaps PHP has the
> flaw..  Am I still liable, or is PHP now liable?
Again, it all boils down to whether money changed hands or not.
If you didn't get paid for your script, you probably aren't liable.
Since PHP is free (and there's not really a legal entity to sue
for it anyway), PHP probably isn't liable.

> This has scary consequences if it becomes a blanket argument. 
> Alternatively, if the programmer is made aware of the problem and does
> nothing, then perhaps they should be held accountable.  But, then,
> what happens to "old" software that is no longer maintained?
Look at it another way... If the software is open source, then, there
is no requirement for the author to maintain it as any end user has
all the tools necessary to develop and deploy a fix.  In the case of
closed software, liability may be the only tool society has to
protect itself from the negligence of the author(s).  What is the
liability situation for, say, a Model T car if it runs over someone?
Can Ford still be held liable if he accident turns out to be caused
by a known design flaw in the car? (I don't know the answer, but,
I suspect that it would be the same for "old" software).

>> I suspect that eventually EULA's will prove to be weak reeds, in much
>> the same way that manufacturers may be
>> liable when bad things happen, even if the product is being grossly
>> misused. My intuition says that
>> unfortunately somebody is going to have to die to establish this, as
>> part of a wrongful death suit.
>> With the explosion in VOIP use, this is probably only a matter of time.
> Personally, I feel that is a person "grossly misuses" a product and is
> hurt as a result, they deserve it.  Within some acceptable reason, of
> course.  One expects that if you place a cup of coffee in your lap,
> that you just purchased, I might add, that it may burn you if it
> spills.  Or, if you puncture a can of hair spray near an open fire,
> you may experience a slight burning sensation a few seconds later.
The first one here is not your best choice of examples.  It turns out
that in that suit, McDonalds was violating ANSI/ISO standards and
handing out liquids that were hotter than the industry considers
"safe".  There is a major difference in the level of injury that
occurs above a certain temperature (I think it's 180F if memory
serves), and, their coffee was shown to be well above that.  They
had been repeatedly informed of this problem prior to the incident
and had refused to do anything about it.

Yes, you expect to get burned, and, if you keep the coffee below
a serving temperature of 180F, then, there's no liability.  However,
serving it above 180F is not "reasonable and prudent" and that is
why the jury found for the plaintiff.

In general, if the gross act of stupidity was reasonably foreseeable,
the manufacturer has a "duty to care" to make some attempt to mitigate
or prevent the customer from taking such action.  That's why toasters
all come with warnings about unplugging them before you stick a
fork in them.  That's why every piece of electronic equipment says
"No user serviceable parts inside" and "Warning risk of electric shock".

> People, use your brains.  Next we'll have someone suing craftsman when
> they chop their leg off because there was no label on the saw that
> said "don't place running saw in lap" ...  Come on, how stupid can you
> be?  I apparently wouldn't make a good judge because I'd laugh most of
> these cases right out of the courtroom!  Reasonable precaution should
> be expected of all people.
Actually, there are several such warnings on saws for just that reason,
so, that is history, not prediction.  The letter of the law does expect
the plaintiff to have been reasonable and prudent.  Judges are not
really the problem here.  Unfortunately, our cultural tendency to
feel for the underdog leads to a jury pool that often doesn't see
"An idiot who chopped off his leg by sticking the saw in his lap
vs. a company that builds nice saws."  They see "The poor defenseless
carpenter vs. the evil giant corporation profiting from his misery."
They feel for the carpenter and the only option they have to help
him is to take money from the corporation.


If it wasn't crypto-signed, it probably didn't come from me.

Attachment: pgp00017.pgp
Description: PGP signature

Discussion Communities

About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home

Merit Network, Inc.