Compromised machines liable for damage?

Peter Dambier peter at peter-dambier.de
Mon Dec 26 17:59:19 UTC 2005


Gadi Evron wrote:
> On Sun, 25 Dec 2005, Dave Pooser wrote:
> 
>>>This should be another thread completely, but I am wondering about
>>>the liability of the individuals who have owned machines that are
>>>attacking me/my clients.
>>
>>As a practical matter, I'd expect it to be difficult to try. Convincing a
>>jury that running a PHP version that's three months out of date constitutes
>>gross negligence because you should have read about the vulnerability on the
>>Web might be... tricky. Especially when you have to explain to the jury what
>>PHP is. Dueling expert witnesses arguing about best practice, poor confused
>>webmaster/Amway distributor looking bewildered at all this technical talk
>>("I figgered I just buy Plesk and I was good to go. I dunno nothin' about
>>PHP. Isn't that a drug?") Not to mention working out what percentage of the
>>damages you suffered should come from each host.
>>
>>But yeah, I'd like to see it tried. Lawyering up is one of our core
>>competencies here in the USA; maybe we could use it for good instead of
>>evil.
> 
> 
> I'd like to bring some conclusions from past discussions on this issue to
> the table.
> 
> First, holding a person liable while he had no way of knowing he is doing
> something wrong is not right. Still, you know what they say about not
> knowing the law and punishment.
> 
> There are two somewhat interesting metaphors that explain contradicting
> views:
> 1. The gun owner:
> If you own a gun, it is your duty to keep it safe. If it is stolen, you
> will be punished to differing degrees depending on country. From never
> owning a gun again or maybe a slap on the wrist... to going to jail.
> 
> If your gun is used in a crime such as say, murder, you can be held liable
> for not keeping your gun safe or maybe even confused for the actual
> criminal. You may also be the criminal (anyone remember the Trojan horse
> defense? "I was hacked! It wasn't me who did that from my computer!").
> 
> 2.
> Some believe that equating a gun to a computer is just wrong. Another
> metaphor might be a stolen car, or some completely different ones.
> 
> Still, today people do not have a quick and easy way of protecting their
> computers... and before anyone can start talking about ISPs and other
> organizations, one would be forced to talk about STANDARDISATION for the
> ISP industry, and so on.
> 
> Banks today don't follow standards, they follow regulations. If they fail
> to, they are liable. Same for the insurance industry in some countries.
> 
> I am not really sure what the best solution is here or what will cause
> more harm than good... but I am sure that from the complete lack of care
> that involved compromised computers to the complete kill-future when
> kiddie porn is involved, a solution can be found.
> 
> One has to remember though that law enforcement is limited in resources,
> and millions on millions of compromised machines just are not a priority
> on rape or murder.
> 
> 	Gadi.
> 


Take a car for example. Somebody is stealing your car. He gets photographed
crossing a red traffic light and there is an accident.

You don't get punished for the red traffic light but you still have to pay
for the accident.

Peter and Karin


-- 
Peter and Karin Dambier
The Public-Root Consortium
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
mail: peter at echnaton.serveftp.com
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/



