Over a decade of DDOS--any progress yet?

Matthew Petach mpetach at netflight.com
Thu Dec 9 08:37:28 UTC 2010


On Wed, Dec 8, 2010 at 8:02 PM, JC Dill <jcdill.lists at gmail.com> wrote:
>  On 08/12/10 1:38 PM, Valdis.Kletnieks at vt.edu wrote:
>>
>> The second issue is that if you *do* establish a legal precedent that
>> software vendors are liable for faults no matter what the contract/EULA
>> says,
>
> It doesn't matter what contract an auto maker makes with someone who
> purchases the car, if the brakes fail and the car hits ME, I can sue the
> auto maker due to the defective brakes.  If they design the car in a way
> that a 3rd party can easily tamper with the brakes, and then the car hits
> me, I can also sue the auto maker.  They are legally required to take due
> care in how they design the car to ensure that innocent bystanders aren't
> injured or killed by a design defect.  IMHO, there's no difference in the
> core responsibility that software makers should be held to, to ensure that
> their software isn't easily compromised and used to attack and injure 3rd
> parties.  The EULA is a red herring, as it only applies to the purchaser
> (who agrees to the EULA when they purchase the computer or software), not to
> 3rd parties who are injured.
>
> If the software doesn't work as designed and the purchaser is unhappy,
> that's between them and the company they bought the software from.  But when
> it injures a 3rd party, that's a whole different ball game.  I truly don't
> understand why ISP's (who bear the brunt of the burden of the fall-out from
> the compromised software, as they fight spam and have to provide customer
> support to users who complain that the "internet is slow" etc.) haven't said
> ENOUGH.
>
> jc

If you look at the national vulnerability database listings, though,
it's really not clear who you'd need to go after:

http://blogs.technet.com/b/security/archive/2008/05/15/q1-2008-client-os-vulnerability-scorecard.aspx

Granted, that was two years ago; but it sure seems that just
vilifying Microsoft, satisfying though it might be, would be to
ignore the breadth of the problem.

Matt
