Compromised machines liable for damage?

JC Dill lists05 at equinephotoart.com
Tue Dec 27 21:28:45 UTC 2005


Jason Frisvold wrote:
> On 12/27/05, Marshall Eubanks <tme at multicasttech.com> wrote:
> 
>>There was a lot of discussion about this in the music / technology /
>>legal community
>>at the time of the Sony root exploit CDs - which
>>I and others thought fully opened  Sony for liability for 2nd party
>>attacks. (I.e., if a hacker uses the Sony
>>root kit to exploit your machine, then Sony is probably liable,
>>regardless of the EULA. They put
>>it in there; they made the attack possible.) IANAL, but I believe
>>that if a vendor has even a
>>partial liability, they can be liable for the whole.
> 
> But, what constitutes an exploit severe enough to warrant liability of
> this type?  For instance, let's look at some scripts ...  formmail is
> a perfect example.  First, there was no "real" EULA.  I'm definitely
> not a lawyer, but I would think that would open up the writer to all
> sorts of liability...  Anyways, the script was, obviously, flawed. 
> Spammers took notice and used that script to spam all over the place. 
> This hurt the hoster of the script, the people who were spammed, and
> probably the ISPs that wasted the bandwidth carrying the spam.
> 
> So, should the writer of the script be sued for this?  Is he liable
> for damages? 

I am not a lawyer, but I believe there is a significant difference in 
the liability that ensues from knowingly selling a defective product, 
and from giving something away for free.  Matt gave away FormMail for 
free.  When Matt wrote FormMail open relays were common on the internet. 
His Perl scripts were similar in security and utility to other 
software at the time.  Once it became known how this type of software 
could be abused, *then* he had an obligation (moral obligation if not 
strictly legal obligation) to stop distributing the old insecure 
scripts, which is what he did.

(Researching FormMail history, I found a page that suggested fixing the 
FormMail problem by replacing the FormMail scripts with PHP scripts. :-)

> Personally, I feel that if a person "grossly misuses" a product and is
> hurt as a result, they deserve it.  Within some acceptable reason, of
> course.  One expects that if you place a cup of coffee in your lap,
> that you just purchased, I might add, that it may burn you if it
> spills.  

If you tell someone "be careful, that coffee is hot and may burn you" 
most people will equate "burn" with "might cause some temporary pain or 
perhaps a minor blister" and not with "I will spend 2 weeks in the 
hospital with 3rd degree burns and require skin grafts and have over 
$20k in medical bills".  Stella assumed the coffee she was served was 
at a normal hot coffee temperature, hot enough to perhaps hurt a bit if 
spilled but NOT so hot as to cause severe and disfiguring burns.  See:

<http://www.lectlaw.com/files/cur78.htm>

<quote>

McDonalds also said during discovery that, based on a consultant's
advice, it held its coffee at between 180 and 190 degrees Fahrenheit to
maintain optimum taste.  He admitted that he had not evaluated the
safety ramifications at this temperature.  Other establishments sell
coffee at substantially lower temperatures, and coffee served at home is
generally 135 to 140 degrees.

</quote>

McDonalds intentionally served the coffee hotter than was safe, hotter 
than was safe for *drinking* (the purpose of the product) and ignored 
the dangers this presented and the prior cases of damage it caused.

Back to the topic of computers and software that damages other computers 
over the network:

Most people expect that their operating system and browser will work 
securely, not that it will let intruders steal their data, compromise 
their privacy, and inflict damage on others.  Just as McDonalds was held 
liable for repeatedly intentionally selling coffee they knew was being 
served too hot and capable of causing much greater harm than the buyer 
was aware of, IMHO so should a software company be held liable for 
repeatedly knowingly selling defective software, especially when that 
software causes damage to 3rd parties who have not agreed to the EULA.

jc