Compromised machines liable for damage?

Barrett G.Lyon blyon at prolexic.com
Mon Dec 26 17:28:50 UTC 2005


If the gun seller is selling guns to people he knows are murderers, or
is told to stop selling guns to known murderers, then what would you
say? I would say the gun seller is negligent. Likewise, if an ISP
is told about a problem machine/user then (as much as the ISP folks
here would hate to admit it) the ISP is negligent. I think it would
be a pretty easy case to prove negligence if you have legally
recorded phone calls to the ISP reporting the bot, email history of
conversations reporting the bot, and proof of the bot attacking you.

-Barrett

On Dec 26, 2005, at 4:58 AM, Gadi Evron wrote:

>
> On Sun, 25 Dec 2005, Dave Pooser wrote:
>>
>>> This should be another thread completely, but I am wondering about
>>> the liability of the individual's who have owned machines that are
>>> attacking me/my clients.
>>
>> As a practical matter, I'd expect it to be difficult to try. Convincing a
>> jury that running a PHP version that's three months out of date constitutes
>> gross negligence because you should have read about the vulnerability on the
>> Web might be... tricky. Especially when you have to explain to the jury what
>> PHP is. Dueling expert witnesses arguing about best practice, poor confused
>> webmaster/Amway distributor looking bewildered at all this technical talk
>> ("I figgered I just buy Plesk and I was good to go. I dunno nothin' about
>> PHP. Isn't that a drug?") Not to mention working out what percentage of the
>> damages you suffered should come from each host.
>>
>> But yeah, I'd like to see it tried. Lawyering up is one of our core
>> competencies here in the USA; maybe we could use it for good instead of
>> evil.
>
> I'd like to bring some conclusions from past discussions on this issue to
> the table.
>
> First, holding a person liable while he had no way of knowing he was doing
> something wrong is not right. Still, you know what they say about not
> knowing the law and punishment.
>
> There are two somewhat interesting metaphors that explain contradicting
> views:
> 1. The gun owner:
> If you own a gun, it is your duty to keep it safe. If it is stolen, you
> will be punished to differing degrees depending on country. From never
> owning a gun again or maybe a slap on the wrist... to going to jail.
>
> If your gun is used in a crime such as, say, murder, you can be held liable
> for not keeping your gun safe or maybe even confused for the actual
> criminal. You may also be the criminal (anyone remember the Trojan horse
> defense? "I was hacked! It wasn't me who did that from my computer!").
>
> 2.
> Some believe that equating a gun to a computer is just wrong. Another
> metaphor might be a stolen car, or some completely different ones.
>
> Still, today people do not have a quick and easy way of protecting their
> computers... and before anyone can start talking about ISPs and other
> organizations, one would be forced to talk about STANDARDISATION for the
> ISP industry, and so on.
>
> Banks today don't follow standards, they follow regulations. If they fail
> to, they are liable. Same for the insurance industry in some countries.
>
> I am not really sure what the best solution is here or what will cause
> more harm than good... but I am sure that from the complete lack of care
> that involved compromised computers to the complete kill-future when
> kiddie porn is involved, a solution can be found.
>
> One has to remember though that law enforcement is limited in resources,
> and millions on millions of compromised machines just are not a priority
> on rape or murder.
>
> 	Gadi.
>