Open, anonymous services and dealing with abuse
JC Dill
nanog at vo.cnchost.com
Wed Feb 18 02:02:43 UTC 2004

At 12:43 PM 2/17/2004, John Palmer wrote:
>I hate to see government get involved in anything, but perhaps
>some law holding PC owners responsible for SPAM that comes
>from their unpatched machines AS LONG AS there is ample
>notification to that user that their machine is compromised.

We don't need more new laws. There is already a law - in most parts of the
world you can be charged with "contributory negligence" for failing to
secure an "attractive nuisance" and then a third party is injured or
damaged due to your negligence. In any part of the world that doesn't have
such a law, a "new law" in another part of the world wouldn't matter anyway.

What is needed is for someone to CARE enough to bother to investigate and
prosecute. And yes, it's going to cost "more than it's worth" to
prosecute, at least the first few times. Someone has to decide that the
long-term good is worth the price of being the leader in this charge.

IMHO, you should sue both the owner of the PC (for negligently failing to
properly secure their computer, or to fix it when notified), and sue
Microsoft (for negligently producing and selling software that was so
easily compromised) as they are both responsible for the hardware/software
that was used to damage your servers/network etc. Microsoft's EULA doesn't
apply to you as a third party who is damaged by their faulty software. You
should also consider an offer to settle with the PC owner if they agree to
jointly sue Microsoft on your behalf. You are not held to the EULA, but
they are, but since Microsoft's software is *negligent* it's possible that
the EULA doesn't penetrate their inherent liability to not produce a
product that causes harm. (A EULA won't protect a ladder maker from
negligently building and selling a ladder on which people get hurt when
they use it for its intended purpose.) But we won't know until someone
digs down into their pockets and funds a lawsuit to try it out.

Sorry about the lack of operational content in this post, but sometimes you
have to consider the costs and benefits of both operational solutions and
other solutions (e.g. legal solution) in order to determine which solution
is the best one for your network, both in the short term and in the long term.

jc
--
p.s. Please do not cc me on replies to the list. Please reply to the list
only, or to me only (as you prefer) but not to both.