Back to your example. IMO: The providers would be at a liability risk if they did not provide reasonable measures to ensure that they did not contribute to the damages done to another party. This is like other liabilities where if someone is injured you are at risk unless you did everything reasonable to prevent putting other people in harm's way.
The only problem I foresee with this is the means for security measures. We are talking about corporate America and not the military. The only way I can see taking appropriate steps is to come up with a book such as the DoD Orange Book (Trusted Systems Security) for commercial hosts. It would be quite a task to come up with such a book that would take into account all the loopholes and liabilities, and even then, who would enforce the regulations?
Given this interpretation, compromised.jumpoff.com would be at risk if they could be shown negligent in the administration of their site.
I agree, but what if compromised.jumpoff.com was simply lacking the manpower or the skills to completely secure their systems to the best of current security knowledge? If they believed that they had a secure site, and no one could prove that they were negligent (besides not hiring the best security consultant available) then who is at fault?
If they left the door wide open to hackers, IMO they'd be at risk.
How does one do this?
%cat /etc/motd
**************
BrokenOS 2.1 Beta
Hello hackers! Welcome to compromised.jumpoff.com, please use us for hacking purposes only!
**************
:)))
If they were warned due to prior incidents and continued to leave the door wide open, they'd be very seriously at risk.
And they would also be very stupid :)
The community needs to come up with a set of security standards for different types of hosts, whether it be a NAP, a NOC or an IAP or ISP. It needs to be comprehensive and contain software and support for early detection and audit, as well as wrapping and hacker deterrent mechanisms.
Ben