Compromised machines liable for damage?

Owen DeLong owen at delong.com
Wed Dec 28 04:06:20 UTC 2005


[snip]
> And I would agree with this reasoning.  If the software is defective,
> fix it or stop selling it.  However, I don't think all software
> developers have "control" over the selling of the software after it's
> sent to the publisher.  (I'm by no means intimate with how all this
> works)  So, for instance, if developer A creates product A+, publisher
> P deals with packaging it up, distributing it, etc.  A few months
> later, developer A goes out of business for some insane reason. 
> Publisher P continues to sell the software in which a security hole is
> discovered a month later.  There's no way for developer A to fix the
> hole, they don't exist.  And publisher P isn't near smart enough to
> fix it.  So they just continue selling it.  Life goes on, it
> eventually falls into the bargain bin where publisher P continues to
> package it, but in recycled fish wrap instead of the pristine new
> boxes it used to.
> 
> So is developer A still liable?  Is publisher P liable?  Should they be?
> 
Liability generally ends at death.  Since developer A is essentially dead
(no longer exists), no.

If publisher P is the current copyright owner, then probably yes.

If they have been informed of the defect and continue to sell the defective
product, yes.

> So who do I sue?  McDonalds for selling the coffee?  Or the driver who
> put it between his/her legs?
> 
In the case of an accident where you are the driver she hit, you would
sue the driver.  The driver may then sue McDonalds if the coffee was
"too hot", but, your cause of action is against the direct actor...
The driver, and, the owner of the vehicle that hit you.

> If it's a known issue and the developer continues to ignore it, then
> yeah, they should probably be held accountable.  But, there's still
> the issue of what is bad and what isn't.  Madden 2006 for the PSP
> reboots when I end a franchise mode game.  It destroys the data I just
> spent 30 minutes generating while playing the game.  Is that bad
> enough that the company should be held liable for it?  (Yes, I'm aware
> they're replacing the discs now.  Excellent move on EA's part)
> 
I guess that depends on how much you feel you are harmed by that loss
of data.  However, in that case, you probably accepted an EULA that
says "We aren't liable for the software not functioning."  This is
much more a gray area than what I think is the first issue that should
be addressed.  What if, instead, your PSP was network enabled, and,
at the end of your game, it not only rebooted, but, it wiped out all
data from all PSPs it could find on the network.  Then, the owner
of those PSPs should have a cause of action against EA (and possibly
you).  They didn't agree to an EULA allowing EA's software to wipe
their data.  That's the situation of the third parties being harmed
by exploited hosts.

> There's another form mailer out there that I dealt with, and wrote a
> large post on Bugtraq about, that continues to allow relaying even
> after a complete bug report with a fix.  Should that developer be held
> liable for damages?  It's just spam, it's not really hurting anyone,
> is it?
> 
SPAM does a lot of actual harm.  There are relatively high costs associated
with SPAM.  Machine time, network bandwidth, and, labor.

> Then there's something like Internet Explorer.  Any one of the dozens
> of exploits "allows a remote attacker to assume control of the
> computer" ...  That's bad..  That's definitely an issue.  I could
> agree that the developer should be held liable for that ...
> 
Yes.  These are the sorts of things we are really talking about primarily.

> Madden 2006 I had to pay for.  IE came with Windows, so I didn't
> *really* have to pay for it, depending on how you look at it.  The
> form mailer was free on the internet.  Does having to pay for it
> determine if the developer should be liable?  What if Linux had a
> security hole that was reported and never fixed?  Should Linus get
> sued?  Wow..  who would you even sue in that instance?
> 
You did pay for it.  It was part of what you paid for when you bought
Windows.  If Windows came bundled with your machine, you still paid
for it in the form of buying the machine and it was part of what was
included.  In any case, you still paid for IE.

As to Linux, I don't believe Linus ever sold it.  For the most part,
there's nobody to sue because nobody got paid.  Further, since
it is open source, you have the ability and responsibility to fix it
if you are informed your machine is doing harm.  You don't have the
ability to fix IE.  In the case of packages like Red Hat Enterprise
Linux and such, yes, if they are exploited, it is not unlikely that
Red Hat could be sued by injured third parties, and, this is not
inappropriate.

> Software confuses things a bit I think..  I can agree that an IE bug,
> unchecked, should be liable.  But a form mailer?  It was free to begin
> with, so just move on to something else...
> 
Software doesn't confuse things.  Things given away for free are not held
to the same "duty to care" as things sold as a product.  Software fits
into this model nicely.

> I'm not sure I, personally, could get behind holding software
> companies liable until some standard was set to determine what the
> expectations were...  And setting those standards is the hard part...
> 
I agree it would be nice to set some standards.  I think what is needed
is a consortium of software security experts to set some minimum "safety
standards" that can be used as a legal basis.

Something like:

Prudently written software is expected to take the following precautions:

+	Check length on any storage operation to prevent undetected
	buffer overruns.

+	Check all external input for validity and consistency prior to
	placing it into an operation which could result in execution
	or harmful parsing of said input (such as passing it to a shell
	for evaluation).

etc.  You get the idea.  I don't think this would have to be particularly
lengthy or complicated, but, I bet if we hit the highlights that cover
most of the existing known vulnerabilities, it would do the trick.

Owen

-- 
If it wasn't crypto-signed, it probably didn't come from me.
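The two precautions in Owen's list, written out as an added C example (this code is not from the post, and it does not describe any real product): a length-checked store that refuses the operation rather than silently overrunning or truncating, and an allowlist check on external input before that input is placed in a command line handed to a shell. The hostname rule, the `ping` command, the buffer sizes and the sample inputs are assumptions made for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Precaution 1: length-checked storage.
 * Copies src into dst only if it fits with its terminating NUL.
 * Returns 0 on success, -1 if the copy would overrun; on -1, dst is
 * left untouched so the caller sees the failure instead of corrupt memory.
 */
int store_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size)
        return -1;              /* no room for the bytes plus the NUL */
    memcpy(dst, src, n + 1);
    return 0;
}

/*
 * Precaution 2: validate external input before it reaches a shell.
 * Assumed allowlist for this example: a hostname of 1..63 characters
 * drawn from [A-Za-z0-9.-], not starting with '-' (so the shell command
 * cannot be given an unexpected option).  Anything else, including
 * shell metacharacters such as ';', '|', '$' or whitespace, is rejected.
 * Returns 1 if the argument is acceptable, 0 otherwise.
 */
int valid_hostname_arg(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 63 || s[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '-'))
            return 0;
    }
    return 1;
}

/*
 * Builds "ping -c 1 -- <host>" into cmd, but only from input that has
 * passed the allowlist, and only if the result fits in cmd.
 * Returns 0 on success, -1 if the input was rejected or would not fit.
 */
int build_ping_command(char *cmd, size_t cmd_size, const char *host)
{
    if (!valid_hostname_arg(host))
        return -1;
    int r = snprintf(cmd, cmd_size, "ping -c 1 -- %s", host);
    if (r < 0 || (size_t)r >= cmd_size)
        return -1;              /* snprintf would have truncated */
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, as a web form might submit them. */
    const char *inputs[] = {
        "example.com",
        "example.com; rm -rf /",
        "$(id)",
        "-c",
        "this-hostname-is-far-too-long-to-be-accepted-by-the-allowlist-check-above"
    };
    char cmd[64];
    char small[8];

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        if (build_ping_command(cmd, sizeof cmd, inputs[i]) == 0)
            printf("accepted: %s\n", cmd);
        else
            printf("rejected: %s\n", inputs[i]);
    }

    /* The same input overruns an 8-byte buffer, so the store is refused. */
    if (store_bounded(small, sizeof small, "example.com") < 0)
        printf("store refused: would not fit in %zu bytes\n", sizeof small);
    return 0;
}
```

The command string is only assembled after the allowlist check, which is the order Owen's second point asks for; passing `small` to `build_ping_command` shows the first point applied to the same operation, since `snprintf`'s return value is checked rather than assumed. A stronger version of the second precaution avoids the shell altogether and passes the validated host as a separate `execvp` argument, so that no parsing of the input happens at all.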