nanog mailing list archives
Re: Compromised machines liable for damage?
From: Owen DeLong <owen () delong com>
Date: Wed, 28 Dec 2005 13:20:51 -0800
--On December 28, 2005 11:09:31 AM -0800 Douglas Otis <dotis () mail-abuse org> wrote:
> On Dec 27, 2005, at 5:03 AM, Steven M. Bellovin wrote:
>> In message <80632326218FE74899BDD48BB836421A03300F () Dul1wnexmb04 vcorp ad vrsn.c om>, "Hannigan, Martin" writes:
>>> In the general sense, possibly, but where there are lawyers there is always discouragement.
>>>
>>> Suing people with no money is easy, but it does stop them from contributing in most cases. There are always a few who like getting sued. RIAA has shown companies will widescale sue so your argument is suspect, IMO..
>>
>> I've spent a *lot* of time talking to lawyers about this. In fact, a few years ago I (together with an attorney I know) tried to organize a "moot court" liability trial of a major vendor for a security flaw. (It ended up being a conference on the issue.) The reason there have not been any lawsuits against vendors is because of license agreements -- every software license I've ever read, including the GPL, disclaims all warranties, liability, etc. It's not clear to me that that would stand up with a consumer plaintiff, as opposed to a business; that hasn't been litigated. I tried to get around that problem for the moot court by looking at third parties who were injured by a problem in a software package they hadn't licensed -- think Slammer, for example, which took out the Internet for everyone.
>
> There have been successful cases for pedestrians that used a train trestle as a walk-way, where warnings were clearly displayed, and a fence had been put in place, but the railroad failed to ensure repair of the fence. The warning sign was not considered adequate. Would this relate to trespassers that use an invalid copy of an OS refused patches? Would this be similar to not repairing the fence? Clearly the pedestrians are trespassing, nevertheless the railroad remains responsible for the safety of their enterprise.
>
> -Doug

While I think it is unfair in the case of the railroad, and burglars that injure themselves in people's stores/houses, it works for me in the case of software. Denying patches doesn't tend to injure the trespassing user so much as it injures the others that get attacked by his compromised machine. I think that is why many manufacturers release security patches to anyone openly, while restricting other upgrades to registered users.

Owen

--
If it wasn't crypto-signed, it probably didn't come from me.