North American Network Operators Group
Re: Compromised machines liable for damage?
- From: Owen DeLong
- Date: Wed Dec 28 16:25:58 2005
--On December 28, 2005 11:09:31 AM -0800 Douglas Otis
> On Dec 27, 2005, at 5:03 AM, Steven M. Bellovin wrote:
>> In message
>> om>, "Hannigan, Martin" writes:
>>> In the general sense, possibly, but where there are lawyers there is
>>> always discouragement.
>>> Suing people with no money is easy, but it does stop them from
>>> contributing in most cases. There are always a few who like getting
>>> sued. RIAA has shown companies will widescale sue so your argument is
>>> suspect, IMO..
>> I've spent a *lot* of time talking to lawyers about this. In fact, a few
>> years ago I (together with an attorney I know) tried to organize a
>> court" liability trial of a major vendor for a security flaw. (It
>> ended up being a conference on the issue.)
>> The reason there have not been any lawsuits against vendors is because
>> of license agreements -- every software license I've ever read,
>> including the GPL, disclaims all warranties, liability, etc. It's not
>> clear to me that that would stand up with a consumer plaintiff, as
>> to a business; that hasn't been litigated. I tried to get around that
>> problem for the moot court by looking at third parties who were
>> by a problem in a software package they hadn't licensed -- think
>> Slammer, for example, which took out the Internet for everyone.
> There have been successful cases for pedestrians that used a train
> trestle as a walk-way, where warnings were clearly displayed, and a
> fence had been put in place, but the railroad failed to ensure repair of
> the fence. The warning sign was not considered adequate. Would this
> relate to trespassers that use an invalid copy of an OS refused patches?
> Would this be similar to not repairing the fence? Clearly the
> pedestrians are trespassing, nevertheless the railroad remains
> responsible for the safety of their enterprise.
While I think it is unfair in the case of the railroad, and burglars that
injure themselves in people's stores/houses, it works for me in the case
Denying patches doesn't tend to injure the trespassing user so much as
it injures the others that get attacked by his compromised machine.
I think that is why many manufacturers release security patches to
anyone openly, while restricting other upgrades to registered users.
If it wasn't crypto-signed, it probably didn't come from me.