Compromised machines liable for damage?

Wed Dec 28 19:09:31 UTC 2005

On Dec 27, 2005, at 5:03 AM, Steven M. Bellovin wrote:

>
> In message  
> <80632326218FE74899BDD48BB836421A03300F at Dul1wnexmb04.vcorp.ad.vrsn.c
> om>, "Hannigan, Martin" writes:
>
>>
>> In the general sense, possibly, but where there are lawyers there  
>> is =
>> always discoragement.
>>
>> Suing people with no money is easy, but it does stop them from =
>> contributing in most cases. There are always a few who like getting =
>> sued. RIAA has shown companies will widescale sue so your argument  
>> is =
>> suspect, IMO..
>>
>
> I've spent a *lot* of time talking to lawyers about this.  In fact,  
> a few
> years ago I (together with an attorney I know) tried to organize a  
> "moot
> court" liability trial of a major vendor for a security flaw.  (It
> ended up being a conference on the issue.)
>
> The reason there have not been any lawsuits against vendors is because
> of license agreements -- every software license I've ever read,
> including the GPL, disclaims all warranties, liability, etc.  It's not
> clear to me that that would stand up with a consumer plaintiff, as  
> opposed
> to a business; that hasn't been litigated.  I tried to get around that
> problem for the moot court by looking at third parties who were  
> injured
> by a problem in a software package they hadn't licensed -- think
> Slammer, for example, which took out the Internet for everyone.

There have been successful cases for pedestrians that used a train  
trestle as a walk-way, where warnings were clearly displayed, and a  
fence had been put in place, but the railroad failed to ensure repair  
of the fence.  The warning sign was not considered adequate.  Would  
this relate to trespassers that use an invalid copy of an OS refused  
patches?  Would this be similar to not repairing the fence?  Clearly  
the pedestrians are trespassing, nevertheless the railroad remains  
responsible for the safety of their enterprise.

-Doug