If the gun seller is selling guns to people he knows are murderers, or is told to stop selling guns to known murderers, then what would you say? I would say the gun seller is negligent. Likewise, if an ISP is told about a problem machine/user then (as much as the ISP folks here would hate to admit it) the ISP is negligent. I think it would be a pretty easy case to prove negligence if you have legally recorded phone calls to the ISP reporting the bot, email history of conversations reporting the bot, and proof of the bot attacking you.
-Barrett
On Dec 26, 2005, at 4:58 AM, Gadi Evron wrote:
On Sun, 25 Dec 2005, Dave Pooser wrote:
This should be another thread completely, but I am wondering about the liability of the individuals who have owned machines that are attacking me/my clients.
As a practical matter, I'd expect it to be difficult to try. Convincing a jury that running a PHP version that's three months out of date constitutes gross negligence because you should have read about the vulnerability on the Web might be... tricky. Especially when you have to explain to the jury what PHP is. Dueling expert witnesses arguing about best practice, poor confused webmaster/Amway distributor looking bewildered at all this technical talk ("I figgered I just buy Plesk and I was good to go. I dunno nothin' about PHP. Isn't that a drug?") Not to mention working out what percentage of the damages you suffered should come from each host.
But yeah, I'd like to see it tried. Lawyering up is one of our core competencies here in the USA; maybe we could use it for good instead of evil.
I'd like to bring some conclusions from past discussions on this issue to the table.
First, holding a person liable while he had no way of knowing he is doing something wrong is not right. Still, you know what they say about not knowing the law and punishment.
There are two somewhat interesting metaphors that explain contradicting views:
1. The gun owner: If you own a gun, it is your duty to keep it safe. If it is stolen, you will be punished to differing degrees depending on country. From never owning a gun again or maybe a slap on the wrist... to going to jail.
If your gun is used in a crime such as say, murder, you can be held liable for not keeping your gun safe or maybe even confused for the actual criminal. You may also be the criminal (anyone remember the Trojan horse defense? "I was hacked! It wasn't me who did that from my computer!").
2. Some believe that equating a gun to a computer is just wrong. Another metaphor might be a stolen car, or some completely different ones.
Still, today people do not have a quick and easy way of protecting their computers... and before anyone can start talking about ISPs and other organizations, one would be forced to talk about STANDARDISATION for the ISP industry, and so on.
Banks today don't follow standards, they follow regulations. If they fail to, they are liable. Same for the insurance industry in some countries.
I am not really sure what the best solution is here or what will cause more harm than good... but I am sure that from the complete lack of care that involved compromised computers to the complete kill-future when kiddie porn is involved, a solution can be found.
One has to remember though that law enforcement is limited in resources, and millions on millions of compromised machines just are not a priority on rape or murder.
Gadi.