nanog mailing list archives
Re: Compromised machines liable for damage?
From: Marshall Eubanks <tme () multicasttech com>
Date: Tue, 27 Dec 2005 09:19:22 -0500
There was a lot of discussion about this in the music / technology / legal community at the time of the Sony root exploit CDs, which I and others thought fully opened Sony for liability for 2nd party attacks. (I.e., if a hacker uses the Sony root kit to exploit your machine, then Sony is probably liable, regardless of the EULA. They put it in there; they made the attack possible.) IANAL, but I believe that if a vendor has even a partial liability, they can be liable for the whole.

I suspect that eventually EULAs will prove to be weak reeds, in much the same way that manufacturers may be liable when bad things happen, even if the product is being grossly misused. My intuition says that unfortunately somebody is going to have to die to establish this, as part of a wrongful death suit.

With the explosion in VOIP use, this is probably only a matter of time.

Regards
Marshall Eubanks

On Dec 27, 2005, at 8:55 AM, Owen DeLong wrote:
>> The reason there have not been any lawsuits against vendors is because of license agreements -- every software license I've ever read, including the GPL, disclaims all warranties, liability, etc. It's not clear to me that that would stand up with a consumer plaintiff, as opposed to a business; that hasn't been litigated. I tried to get around that problem for the moot court by looking at third parties who were injured by a problem in a software package they hadn't licensed -- think Slammer, for example, which took out the Internet for everyone.
>
> Yes, I think this is the only way it will work. Plaintiffs that are not subject to the EULA will have to sue the manufacturer of vulnerable software installed on remote systems that attack their site. Otherwise, the liability waivers they signed make it much harder. Of course, interestingly, automobile manufacturers cannot get around having to build cars that meet safety standards regardless of waivers customers may sign. Perhaps what we need first is a consortium to agree on a set of standards for software security followed by someone like Ralph Nader doing the "Unsafe at any clockspeed" campaign.
>
>> The issue of liability based on operational practices is untested. As I concluded in that book chapter from 1994, I (and the attorneys who helped me (a lot) with it) felt that there may very well be cause for a lawsuit. However, to the best of my knowledge there have been no court rulings on this issue. Unless and until that happens, we're just guessing.
>
> Yep... I think that is true. However, unless and until someone steps up and actually does it (and frankly, I think the effective strategy here would be coordinating a large number of injured parties in small offices and residences to sue in small claims court at roughly the same time), all we'll be able to do is guess.
>
>> I'll give two short quotes that illustrate why I'm concerned. This one is from a standard textbook on tort law:
>>
>> The standard of conduct imposed by the law is an external one, based upon what society demands generally of its members, rather than upon the actor's personal morality or individual sense of right and wrong. A failure to conform to the standard is negligence, therefore, even if it is due to clumsiness, stupidity, forgetfulness, an excitable temperament, or even sheer ignorance. An honest blunder, or a mistaken belief that no damage will result, may absolve the actor from moral blame, but the harm to others is still as great, and the actor's individual standards must give way in this area of the law to those of the public. In other words, society may require of a person not to be awkward or a fool.
>
> So, does that mean that if most of society is ignorant enough to tolerate insecure buggy software, we must accept that as the standard for software performance? That is an unfortunately low barrier indeed for a profession like software development. In general, professional liability is different from general civil liability. Once money changes hands, you have a much greater "duty to care" about the potential harm caused by your "product" than an individual citizen.
>
> For example, a guy that pours gasoline into his gopher holes and lights it is an idiot. However, as long as everything he blows up is his own and he harms no one else, he's still just an idiot, but, not liable. However, if he packages gas cans and matches together and sells them with instructions as a "Gopher Eradication Kit", he gets to be liable for the damage to all the houses of all the people dumb enough to use his product, and, any neighbors unfortunate enough to live within the blast radii. Let's face it, some software vendors are selling the moral equivalent of a minivan with no seatbelts and no airbags.
>
>> The second, a quote from a 1932 (U.S.) Court of Appeals opinion, was for a case where some barges sank because the tugboat pulling them had no radio receivers, and hence didn't know the weather forecast:
>>
>> Indeed in most cases reasonable prudence is in fact common prudence; but strictly it is never its measure; a whole calling may have unduly lagged in the adoption of new and available devices. It may never set its own tests, however persuasive be its usages. Courts must in the end say what is required; there are precautions so imperative that even their universal disregard will not excuse their omission. ... But here there was no custom at all as to receiving sets; some had them, some did not; the most that can be urged is that they had not yet become general. Certainly in such a case we need not pause; when some have thought a device necessary, at least we may say that they were right, and the others too slack. ... We hold [against] the tugs therefore because [if] they had been properly equipped, they would have got the Arlington [weather] reports. The injury was a direct consequence of this unseaworthiness.
>>
>> Again, though, this has never been litigated for ISP-type issues.
>
> Those will be interesting cases as well if they are ever tested, but, I think they will actually be more complex than injured third parties suing software VENDORS over vulnerable software which later caused harm. Again, I think that the David v. Goliath nature of the majority of injured parties v. software vendors means that a large highly visible class action or high-profile suit is unlikely to meet with much success. However, given the relatively low risks associated with filing in small claims court in most jurisdictions and extremely low filing costs associated, I think it would be very interesting to see a coordinated attack of this nature played out in the small claims courts across the country. Even if the software vendors were able to win each and every case, the costs of fighting them would be impressive and would send a pretty clear message that we, as a society, are fed up and won't take it any more.
>
> Owen