RE: Compromised machines liable for damage?
In the general sense, possibly, but where there are lawyers there is always discouragement.
Suing people with no money is easy, but it does stop them from contributing in most cases. There are always a few who like getting sued. RIAA has shown companies will widescale sue so your argument is suspect, IMO.
-----Original Message----- From: Owen DeLong [mailto:owen@delong.com] Sent: Mon Dec 26 23:11:13 2005 To: Hannigan, Martin; Joseph Jackson Cc: NANOG Subject: RE: Compromised machines liable for damage?
I've seen this argument time and again, and, the reality is that it is absolutely false.
In fact, it will do nothing but encourage freeware. Liability for a product generally doesn't exist until money changes hands. If you design a piece of equipment and post the drawings in the public domain, you are not liable if someone builds it and harms themselves. You are liable if someone pays you for the design, because, the money changing hands creates a "duty to care". Outside of a "duty to care", the only opening for liability is if they can prove that you failed to take some precaution that would be expected of any "reasonably prudent" person.
So, liability for bad software and the consequences it creates would be bad for the Micr0$0ft and Oracles of the world, but, generally, very good for the Free Software movement. It might turn out to be bad for organizations like Cygnus and RedHat, but, that's more of a gray area.
As to the specific example cited...
If no update has been released, in the case of Open Source, that's no excuse. You have the source, so, you don't have to wait for an update. In the case of closed software, then, I think manufacturer liability is a good thing for the industry in general.
Owen
--On December 26, 2005 10:07:20 PM -0500 "Hannigan, Martin" <hannigan@verisign.com> wrote:
If you want to choke off freeware (GNU, et al.), sure, go after them. I doubt the licensing agreement allows it though. (IANAL).
I think all you'd do is encourage people to write more music about 'freeing the software'. I'd rather not be stricken in that fashion.
I think that angle is DOA.
Martin
-----Original Message----- From: Joseph Jackson [mailto:jjackson@aninetworks.com] Sent: Mon Dec 26 03:13:02 2005 To: Hannigan, Martin Cc: NANOG Subject: RE: Compromised machines liable for damage?
What about the coders that write the buggy software in the first place? Don't they hold some of the responsibility also? I.e., I am running some webserver software that a bug is found in it. Attackers use that bug in the software to generate a DOS attack against you from my machines. No update has been released for the software I am running and/or no warning has been released. You sue me, I sue the coders. What a wonderful world. (I'm not for this but it's another side of the issue.)
_____
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Hannigan, Martin Sent: Sunday, December 25, 2005 9:22 PM To: Steven M. Bellovin Cc: Dave Pooser; NANOG Subject: Re: Compromised machines liable for damage?
Yes, I agree. As usual, I too am 'IANAL'.
Marty
-----Original Message----- From: Steven M. Bellovin [mailto:smb@cs.columbia.edu] Sent: Sun Dec 25 23:52:27 2005 To: Hannigan, Martin Cc: Dave Pooser; NANOG Subject: Re: Compromised machines liable for damage?
In message <80632326218FE74899BDD48BB836421A033001@Dul1wnexmb04.vcorp.ad.vrsn.com>, "Hannigan, Martin" writes:
Dave, RIAA wins almost 100pct vs p2p'ers it sues. It's an interesting dichotomy.
"Wins" is too strong a word, since I don't think any have gone to court -- see http://www.nytimes.com/aponline/arts/AP-Music-Download-Suit.html as my source.
Besides, it's a very different situation. For my take on liability issues -- note that I'm not a lawyer, and note that this is from 1994 -- see http://www.wilyhacker.com/1e/chap12.pdf
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
-- If this message was not signed with gpg key 0FE2AA3D, it's probably a forgery.
RIAA is a very different context from what we are talking about here. First, the number of people getting attacked from Open Source systems is very small, so, you have a very small class of plaintiffs. Second, said class of plaintiffs is probably not as well funded as RIAA. OTOH, the number of people/organizations being attacked from Micr0$0ft based systems is relatively high, so, a large class of plaintiffs, and, some of them being enterprises are relatively well funded.
Second, in the case of RIAA, it is businesses suing to do what they perceive as protecting their profit stream, and, they know they are suing a collection of defendants that are relatively poorly funded and have no organization. In the case of Open Source, I think there is a pretty good track record of the community coming to the aid of those that get sued for various reasons (DeCSS comes to mind).
Sure, it's easy to sue someone who doesn't have any money, but, there's no point in doing so. Frankly, it's not the people with no money that are at risk here. It's the people with some money and some assets. If you have nothing, you're pretty safe ignoring a civil suit because you have nothing to lose.
Frankly, if RIAA were to sue me, it wouldn't cost me $250,000 to fight it. It might cost me a few thousand if I chose to involve a lawyer in some portion of the process, but, initially, I think I could make their life difficult enough to get them to go away without involving a lawyer. I've already made MPAA/Disney go away twice without a lawyer. Admittedly, they went away before even filing a suit, so, technically, I haven't been sued, but, I've been threatened by them, and, I'm sure if I'd buckled under or failed to confront them appropriately, I would have either gotten sued or ended up handing over money. The costs of defending a suit are $0 until you hire a lawyer.
Owen
--On December 26, 2005 11:18:46 PM -0500 "Hannigan, Martin" <hannigan@verisign.com> wrote:
In the general sense, possibly, but where there are lawyers there is always discouragement.
Suing people with no money is easy, but it does stop them from contributing in most cases. There are always a few who like getting sued. RIAA has shown companies will widescale sue so your argument is suspect, IMO.
-----Original Message----- From: Owen DeLong [mailto:owen@delong.com] Sent: Mon Dec 26 23:11:13 2005 To: Hannigan, Martin; Joseph Jackson Cc: NANOG Subject: RE: Compromised machines liable for damage?
I've seen this argument time and again, and, the reality is that it is absolutely false.
In fact, it will do nothing but encourage freeware. Liability for a product generally doesn't exist until money changes hands. If you design a piece of equipment and post the drawings in the public domain, you are not liable if someone builds it and harms themselves. You are liable if someone pays you for the design, because, the money changing hands creates a "duty to care". Outside of a "duty to care", the only opening for liability is if they can prove that you failed to take some precaution that would be expected of any "reasonably prudent" person.
So, liability for bad software and the consequences it creates would be bad for the Micr0$0ft and Oracles of the world, but, generally, very good for the Free Software movement. It might turn out to be bad for organizations like Cygnus and RedHat, but, that's more of a gray area.
As to the specific example cited...
If no update has been released, in the case of Open Source, that's no excuse. You have the source, so, you don't have to wait for an update. In the case of closed software, then, I think manufacturer liability is a good thing for the industry in general.
Owen
--On December 26, 2005 10:07:20 PM -0500 "Hannigan, Martin" <hannigan@verisign.com> wrote:
If you want to choke off freeware (GNU, et al.), sure, go after them. I doubt the licensing agreement allows it though. (IANAL).
I think all you'd do is encourage people to write more music about 'freeing the software'. I'd rather not be stricken in that fashion.
I think that angle is DOA.
Martin
-----Original Message----- From: Joseph Jackson [mailto:jjackson@aninetworks.com] Sent: Mon Dec 26 03:13:02 2005 To: Hannigan, Martin Cc: NANOG Subject: RE: Compromised machines liable for damage?
What about the coders that write the buggy software in the first place? Don't they hold some of the responsibility also? I.e., I am running some webserver software that a bug is found in it. Attackers use that bug in the software to generate a DOS attack against you from my machines. No update has been released for the software I am running and/or no warning has been released. You sue me, I sue the coders. What a wonderful world. (I'm not for this but it's another side of the issue.)
_____
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Hannigan, Martin Sent: Sunday, December 25, 2005 9:22 PM To: Steven M. Bellovin Cc: Dave Pooser; NANOG Subject: Re: Compromised machines liable for damage?
Yes, I agree. As usual, I too am 'IANAL'.
Marty
-----Original Message----- From: Steven M. Bellovin [mailto:smb@cs.columbia.edu] Sent: Sun Dec 25 23:52:27 2005 To: Hannigan, Martin Cc: Dave Pooser; NANOG Subject: Re: Compromised machines liable for damage?
In message <80632326218FE74899BDD48BB836421A033001@Dul1wnexmb04.vcorp.ad.vrsn.com>, "Hannigan, Martin" writes:
Dave, RIAA wins almost 100pct vs p2p'ers it sues. It's an interesting dichotomy.
"Wins" is too strong a word, since I don't think any have gone to court -- see http://www.nytimes.com/aponline/arts/AP-Music-Download-Suit.html as my source.
Besides, it's a very different situation. For my take on liability issues -- note that I'm not a lawyer, and note that this is from 1994 -- see http://www.wilyhacker.com/1e/chap12.pdf
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
-- If this message was not signed with gpg key 0FE2AA3D, it's probably a forgery.
In message <80632326218FE74899BDD48BB836421A03300F@Dul1wnexmb04.vcorp.ad.vrsn.com>, "Hannigan, Martin" writes:
In the general sense, possibly, but where there are lawyers there is always discouragement.
Suing people with no money is easy, but it does stop them from contributing in most cases. There are always a few who like getting sued. RIAA has shown companies will widescale sue so your argument is suspect, IMO.
I've spent a *lot* of time talking to lawyers about this. In fact, a few years ago I (together with an attorney I know) tried to organize a "moot court" liability trial of a major vendor for a security flaw. (It ended up being a conference on the issue.)
The reason there have not been any lawsuits against vendors is because of license agreements -- every software license I've ever read, including the GPL, disclaims all warranties, liability, etc. It's not clear to me that that would stand up with a consumer plaintiff, as opposed to a business; that hasn't been litigated. I tried to get around that problem for the moot court by looking at third parties who were injured by a problem in a software package they hadn't licensed -- think Slammer, for example, which took out the Internet for everyone.
The issue of liability based on operational practices is untested. As I concluded in that book chapter from 1994, I (and the attorneys who helped me (a lot) with it) felt that there may very well be cause for a lawsuit. However, to the best of my knowledge there have been no court rulings on this issue. Unless and until that happens, we're just guessing.
I'll give two short quotes that illustrate why I'm concerned. This one is from a standard textbook on tort law:
The standard of conduct imposed by the law is an external one, based upon what society demands generally of its members, rather than upon the actor's personal morality or individual sense of right and wrong. A failure to conform to the standard is negligence, therefore, even if it is due to clumsiness, stupidity, forgetfulness, an excitable temperament, or even sheer ignorance. An honest blunder, or a mistaken belief that no damage will result, may absolve the actor from moral blame, but the harm to others is still as great, and the actor's individual standards must give way in this area of the law to those of the public. In other words, society may require of a person not to be awkward or a fool.
The second, a quote from a 1932 (U.S.) Court of Appeals opinion, was for a case where some barges sank because the tugboat pulling them had no radio receivers, and hence didn't know the weather forecast:
Indeed in most cases reasonable prudence is in fact common prudence; but strictly it is never its measure; a whole calling may have unduly lagged in the adoption of new and available devices. It may never set its own tests, however persuasive be its usages. Courts must in the end say what is required; there are precautions so imperative that even their universal disregard will not excuse their omission. ... But here there was no custom at all as to receiving sets; some had them, some did not; the most that can be urged is that they had not yet become general. Certainly in such a case we need not pause; when some have thought a device necessary, at least we may say that they were right, and the others too slack. ... We hold [against] the tugs therefore because [if] they had been properly equipped, they would have got the Arlington [weather] reports. The injury was a direct consequence of this unseaworthiness.
Again, though, this has never been litigated for ISP-type issues.
The reason there have not been any lawsuits against vendors is because of license agreements -- every software license I've ever read, including the GPL, disclaims all warranties, liability, etc. It's not clear to me that that would stand up with a consumer plaintiff, as opposed to a business; that hasn't been litigated. I tried to get around that problem for the moot court by looking at third parties who were injured by a problem in a software package they hadn't licensed -- think Slammer, for example, which took out the Internet for everyone.
Yes, I think this is the only way it will work. Plaintiffs that are not subject to the EULA will have to sue the manufacturer of vulnerable software installed on remote systems that attack their site. Otherwise, the liability waivers they signed make it much harder. Of course, interestingly, automobile manufacturers cannot get around having to build cars that meet safety standards regardless of waivers customers may sign. Perhaps what we need first is a consortium to agree on a set of standards for software security followed by someone like Ralph Nader doing the "Unsafe at any clockspeed" campaign.
The issue of liability based on operational practices is untested. As I concluded in that book chapter from 1994, I (and the attorneys who helped me (a lot) with it) felt that there may very well be cause for a lawsuit. However, to the best of my knowledge there have been no court rulings on this issue. Unless and until that happens, we're just guessing. I'll give two short quotes that illustrate why I'm concerned. This one is from a standard textbook on tort law:
Yep... I think that is true. However, unless and until someone steps up and actually does it (and frankly, I think the effective strategy here would be coordinating a large number of injured parties in small offices and residences to sue in small claims court at roughly the same time), all we'll be able to do is guess.
The standard of conduct imposed by the law is an external one, based upon what society demands generally of its members, rather than upon the actor's personal morality or individual sense of right and wrong. A failure to conform to the standard is negligence, therefore, even if it is due to clumsiness, stupidity, forgetfulness, an excitable temperament, or even sheer ignorance. An honest blunder, or a mistaken belief that no damage will result, may absolve the actor from moral blame, but the harm to others is still as great, and the actor's individual standards must give way in this area of the law to those of the public. In other words, society may require of a person not to be awkward or a fool.
So, does that mean that if most of society is ignorant enough to tolerate insecure buggy software, we must accept that as the standard for software performance? That is an unfortunately low barrier indeed for a profession like software development. In general, professional liability is different from general civil liability. Once money changes hands, you have a much greater "duty to care" about the potential harm caused by your "product" than an individual citizen.
For example, a guy that pours gasoline into his gopher holes and lights it is an idiot. However, as long as everything he blows up is his own and he harms no one else, he's still just an idiot, but, not liable.
However, if he packages gas cans and matches together and sells them with instructions as a "Gopher Eradication Kit", he gets to be liable for the damage to all the houses of all the people dumb enough to use his product, and, any neighbors unfortunate enough to live within the blast radii.
Let's face it, some software vendors are selling the moral equivalent of a minivan with no seatbelts and no airbags.
The second, a quote from a 1932 (U.S.) Court of Appeals opinion, was for a case where some barges sank because the tugboat pulling them had no radio receivers, and hence didn't know the weather forecast:
Indeed in most cases reasonable prudence is in fact common prudence; but strictly it is never its measure; a whole calling may have unduly lagged in the adoption of new and available devices. It may never set its own tests, however persuasive be its usages. Courts must in the end say what is required; there are precautions so imperative that even their universal disregard will not excuse their omission. ... But here there was no custom at all as to receiving sets; some had them, some did not; the most that can be urged is that they had not yet become general. Certainly in such a case we need not pause; when some have thought a device necessary, at least we may say that they were right, and the others too slack. ... We hold [against] the tugs therefore because [if] they had been properly equipped, they would have got the Arlington [weather] reports. The injury was a direct consequence of this unseaworthiness.
Again, though, this has never been litigated for ISP-type issues.
Those will be interesting cases as well if they are ever tested, but, I think they will actually be more complex than injured third parties suing software VENDORS over vulnerable software which later caused harm. Again, I think that the David v. Goliath nature of the majority of injured parties v. software vendors means that a large highly visible class action or high-profile suit is unlikely to meet with much success. However, given the relatively low risks associated with filing in small claims court in most jurisdictions and extremely low filing costs associated, I think it would be very interesting to see a coordinated attack of this nature played out in the small claims courts across the country. Even if the software vendors were able to win each and every case, the costs of fighting them would be impressive and would send a pretty clear message that we, as a society, are fed up and won't take it any more.
Owen
There was a lot of discussion about this in the music / technology / legal community at the time of the Sony root exploit CD's - which I and others thought fully opened Sony for liability for 2nd party attacks. (I.e., if a hacker uses the Sony root kit to exploit your machine, then Sony is probably liable, regardless of the EULA. They put it in there; they made the attack possible.) IANAL, but I believe that if a vendor has even a partial liability, they can be liable for the whole.
I suspect that eventually EULA's will prove to be weak reeds, in much the same way that manufacturers may be liable when bad things happen, even if the product is being grossly misused. My intuition says that unfortunately somebody is going to have to die to establish this, as part of a wrongful death suit. With the explosion in VOIP use, this is probably only a matter of time.
Regards
Marshall Eubanks
On Dec 27, 2005, at 8:55 AM, Owen DeLong wrote:
The reason there have not been any lawsuits against vendors is because of license agreements -- every software license I've ever read, including the GPL, disclaims all warranties, liability, etc. It's not clear to me that that would stand up with a consumer plaintiff, as opposed to a business; that hasn't been litigated. I tried to get around that problem for the moot court by looking at third parties who were injured by a problem in a software package they hadn't licensed -- think Slammer, for example, which took out the Internet for everyone.
Yes, I think this is the only way it will work. Plaintiffs that are not subject to the EULA will have to sue the manufacturer of vulnerable software installed on remote systems that attack their site. Otherwise, the liability waivers they signed make it much harder. Of course, interestingly, automobile manufacturers cannot get around having to build cars that meet safety standards regardless of waivers customers may sign. Perhaps what we need first is a consortium to agree on a set of standards for software security followed by someone like Ralph Nader doing the "Unsafe at any clockspeed" campaign.
The issue of liability based on operational practices is untested. As I concluded in that book chapter from 1994, I (and the attorneys who helped me (a lot) with it) felt that there may very well be cause for a lawsuit. However, to the best of my knowledge there have been no court rulings on this issue. Unless and until that happens, we're just guessing. I'll give two short quotes that illustrate why I'm concerned. This one is from a standard textbook on tort law:
Yep... I think that is true. However, unless and until someone steps up and actually does it (and frankly, I think the effective strategy here would be coordinating a large number of injured parties in small offices and residences to sue in small claims court at roughly the same time), all we'll be able to do is guess.
The standard of conduct imposed by the law is an external one, based upon what society demands generally of its members, rather than upon the actor's personal morality or individual sense of right and wrong. A failure to conform to the standard is negligence, therefore, even if it is due to clumsiness, stupidity, forgetfulness, an excitable temperament, or even sheer ignorance. An honest blunder, or a mistaken belief that no damage will result, may absolve the actor from moral blame, but the harm to others is still as great, and the actor's individual standards must give way in this area of the law to those of the public. In other words, society may require of a person not to be awkward or a fool.
So, does that mean that if most of society is ignorant enough to tolerate insecure buggy software, we must accept that as the standard for software performance? That is an unfortunately low barrier indeed for a profession like software development. In general, professional liability is different from general civil liability. Once money changes hands, you have a much greater "duty to care" about the potential harm caused by your "product" than an individual citizen.
For example, a guy that pours gasoline into his gopher holes and lights it is an idiot. However, as long as everything he blows up is his own and he harms no one else, he's still just an idiot, but, not liable.
However, if he packages gas cans and matches together and sells them with instructions as a "Gopher Eradication Kit", he gets to be liable for the damage to all the houses of all the people dumb enough to use his product, and, any neighbors unfortunate enough to live within the blast radii.
Let's face it, some software vendors are selling the moral equivalent of a minivan with no seatbelts and no airbags.
The second, a quote from a 1932 (U.S.) Court of Appeals opinion, was for a case where some barges sank because the tugboat pulling them had no radio receivers, and hence didn't know the weather forecast:
Indeed in most cases reasonable prudence is in fact common prudence; but strictly it is never its measure; a whole calling may have unduly lagged in the adoption of new and available devices. It may never set its own tests, however persuasive be its usages. Courts must in the end say what is required; there are precautions so imperative that even their universal disregard will not excuse their omission. ... But here there was no custom at all as to receiving sets; some had them, some did not; the most that can be urged is that they had not yet become general. Certainly in such a case we need not pause; when some have thought a device necessary, at least we may say that they were right, and the others too slack. ... We hold [against] the tugs therefore because [if] they had been properly equipped, they would have got the Arlington [weather] reports. The injury was a direct consequence of this unseaworthiness.
Again, though, this has never been litigated for ISP-type issues.
Those will be interesting cases as well if they are ever tested, but, I think they will actually be more complex than injured third parties suing software VENDORS over vulnerable software which later caused harm. Again, I think that the David v. Goliath nature of the majority of injured parties v. software vendors means that a large highly visible class action or high-profile suit is unlikely to meet with much success. However, given the relatively low risks associated with filing in small claims court in most jurisdictions and extremely low filing costs associated, I think it would be very interesting to see a coordinated attack of this nature played out in the small claims courts across the country. Even if the software vendors were able to win each and every case, the costs of fighting them would be impressive and would send a pretty clear message that we, as a society, are fed up and won't take it any more.
Owen
On 12/27/05, Marshall Eubanks <tme@multicasttech.com> wrote:
There was a lot of discussion about this in the music / technology / legal community at the time of the Sony root exploit CD's - which I and others thought fully opened Sony for liability for 2nd party attacks. (I.e., if a hacker uses the Sony root kit to exploit your machine, then Sony is probably liable, regardless of the EULA. They put it in there; they made the attack possible.) IANAL, but I believe that if a vendor has even a partial liability, they can be liable for the whole.
But, what constitutes an exploit severe enough to warrant liability of this type? For instance, let's look at some scripts ... formmail is a perfect example. First, there was no "real" EULA. I'm definitely not a lawyer, but I would think that would open up the writer to all sorts of liability... Anyways, the script was, obviously, flawed. Spammers took notice and used that script to spam all over the place. This hurt the hoster of the script, the people who were spammed, and probably the ISPs that wasted the bandwidth carrying the spam.
So, should the writer of the script be sued for this? Is he liable for damages? If that's the case, then I'm gonna hang up my programming hat and go hide in a closet somewhere. I'm far from perfect and, while I'm relatively sure there are none, exploitable bugs *might* exist in my software. Or, perhaps, the exploit exists in a library I used. I've written a lot of PHP code, perhaps PHP has the flaw.. Am I still liable, or is PHP now liable? This has scary consequences if it becomes a blanket argument. Alternatively, if the programmer is made aware of the problem and does nothing, then perhaps they should be held accountable. But, then, what happens to "old" software that is no longer maintained?
I suspect that eventually EULA's will prove to be weak reeds, in much the same way that manufacturers may be liable when bad things happen, even if the product is being grossly misused. My intuition says that unfortunately somebody is going to have to die to establish this, as part of a wrongful death suit. With the explosion in VOIP use, this is probably only a matter of time.
Personally, I feel that if a person "grossly misuses" a product and is hurt as a result, they deserve it. Within some acceptable reason, of course. One expects that if you place a cup of coffee in your lap, that you just purchased, I might add, that it may burn you if it spills. Or, if you puncture a can of hair spray near an open fire, you may experience a slight burning sensation a few seconds later. People, use your brains. Next we'll have someone suing Craftsman when they chop their leg off because there was no label on the saw that said "don't place running saw in lap" ... Come on, how stupid can you be? I apparently wouldn't make a good judge because I'd laugh most of these cases right out of the courtroom! Reasonable precaution should be expected of all people.
Regards
Marshall Eubanks
-- Jason 'XenoPhage' Frisvold XenoPhage0@gmail.com
Jason Frisvold wrote:
On 12/27/05, Marshall Eubanks <tme@multicasttech.com> wrote:
There was a lot of discussion about this in the music / technology / legal community at the time of the Sony root exploit CD's - which I and others thought fully opened Sony for liability for 2nd party attacks. (I.e., if a hacker uses the Sony root kit to exploit your machine, then Sony is probably liable, regardless of the EULA. They put it in there; they made the attack possible.) IANAL, but I believe that if a vendor has even a partial liability, they can be liable for the whole.
But, what constitutes an exploit severe enough to warrant liability of this type? For instance, let's look at some scripts ... formmail is a perfect example. First, there was no "real" EULA. I'm definitely not a lawyer, but I would think that would open up the writer to all sorts of liability... Anyways, the script was, obviously, flawed. Spammers took notice and used that script to spam all over the place. This hurt the hoster of the script, the people who were spammed, and probably the ISPs that wasted the bandwidth carrying the spam.
So, should the writer of the script be sued for this? Is he liable for damages?
I am not a lawyer, but I believe there is a significant difference in the liability that ensues from knowingly selling a defective product, and from giving something away for free. Matt gave away FormMail for free. When Matt wrote FormMail, open relays were common on the internet. His Perl scripts were similar in security and utility to other software at the time. Once it became known how this type of software could be abused, *then* he had an obligation (moral obligation if not strictly legal obligation) to stop distributing the old insecure scripts, which is what he did. (Researching FormMail history, I found a page that suggested fixing the FormMail problem by replacing the FormMail scripts with PHP scripts. :-)
Personally, I feel that if a person "grossly misuses" a product and is hurt as a result, they deserve it. Within some acceptable reason, of course. One expects that if you place a cup of coffee in your lap, that you just purchased, I might add, that it may burn you if it spills.
If you tell someone "be careful, that coffee is hot and may burn you" most people will equate "burn" with "might cause some temporary pain or perhaps a minor blister" and not with "I will spend 2 weeks in the hospital with 3rd degree burns and require skin grafts and have over $20k in medical bills". Stella assumed the coffee she was served was at a normal hot coffee temperature, hot enough to perhaps hurt a bit if spilled but NOT so hot as to cause severe and disfiguring burns. See: <http://www.lectlaw.com/files/cur78.htm>
<quote> McDonalds also said during discovery that, based on a consultants advice, it held its coffee at between 180 and 190 degrees fahrenheit to maintain optimum taste. He admitted that he had not evaluated the safety ramifications at this temperature. Other establishments sell coffee at substantially lower temperatures, and coffee served at home is generally 135 to 140 degrees." </quote>
McDonalds intentionally served the coffee hotter than was safe, hotter than was safe for *drinking* (the purpose of the product) and ignored the dangers this presented and the prior cases of damage it caused.
Back to the topic of computers and software that damages other computers over the network: Most people expect that their operating system and browser will work securely, not that it will let intruders steal their data, compromise their privacy, and inflict damage on others. Just as McDonalds was held liable for repeatedly intentionally selling coffee they knew was being served too hot and capable of causing much greater harm than the buyer was aware of, IMHO so should a software company be held liable for repeatedly knowingly selling defective software, especially when that software causes damage to 3rd parties who have not agreed to the EULA.
jc
On 12/27/05, JC Dill <lists05@equinephotoart.com> wrote:
I am not a lawyer, but I believe there is a significant difference in the liability that ensues from knowingly selling a defective product, and from giving something away for free. Matt gave away FormMail for free. When Matt wrote FormMail open relays were common on the internet. His Perl scripts were similar in security and utility to other software at the time. Once it became known how this type of software could be abused, *then* he had an obligation (moral obligation if not strictly legal obligation) to stop distributing the old insecure scripts, which is what he did.
And I would agree with this reasoning. If the software is defective, fix it or stop selling it. However, I don't think all software developers have "control" over the selling of the software after it's sent to the publisher. (I'm by no means intimate with how all this works) So, for instance, if developer A creates product A+, publisher P deals with packaging it up, distributing it, etc. A few months later, developer A goes out of business for some insane reason. Publisher P continues to sell the software in which a security hole is discovered a month later. There's no way for developer A to fix the hole, they don't exist. And publisher P isn't near smart enough to fix it. So they just continue selling it. Life goes on, it eventually falls into the bargain bin where publisher P continues to package it, but in recycled fish wrap instead of the pristine new boxes it used to. So is developer A still liable? Is publisher P liable? Should they be?
If you tell someone "be careful, that coffee is hot and may burn you" most people will equate "burn" with "might cause some temporary pain or perhaps a minor blister" and not with "I will spend 2 weeks in the hospital with 3rd degree burns and require skin grafts and have over $20k in medical bills". Stella assumed the coffee she was served was at a normal hot coffee temperature, hot enough to perhaps hurt a bit if spilled but NOT so hot as to cause severe and disfiguring burns. See:
Still, a little common sense... Hot coffee of any type, between the legs, in a moving car? Umm.. even "normal" coffee still causes a jump of pain. That jump of pain could easily cause a car accident. So who do I sue? McDonalds for selling the coffee? Or the driver who put it between his/her legs?
Most people expect that their operating system and browser will work securely, not that it will let intruders steal their data, compromise their privacy, and inflict damage on others. Just as McDonalds was held liable for repeatedly intentionally selling coffee they knew was being served too hot and capable of causing much greater harm than the buyer was aware of, IMHO so should a software company be held liable for repeatedly knowingly selling defective software, especially when that software causes damage to 3rd parties who have not agreed to the EULA.
If it's a known issue and the developer continues to ignore it, then yeah, they should probably be held accountable. But, there's still the issue of what is bad and what isn't. Madden 2006 for the PSP reboots when I end a franchise mode game. It destroys the data I just spent 30 minutes generating while playing the game. Is that bad enough that the company should be held liable for it? (Yes, I'm aware they're replacing the discs now. Excellent move on EA's part) There's another form mailer out there that I dealt with, and wrote a large post on Bugtraq about, that continues to allow relaying even after a complete bug report with a fix. Should that developer be held liable for damages? It's just spam, it's not really hurting anyone, is it? Then there's something like Internet Explorer. Any one of the dozens of exploits "allows a remote attacker to assume control of the computer" ... That's bad.. That's definitely an issue. I could agree that the developer should be held liable for that ... Madden 2006 I had to pay for. IE came with Windows, so I didn't *really* have to pay for it, depending on how you look at it. The form mailer was free on the internet. Does having to pay for it determine if the developer should be liable? What if Linux had a security hole that was reported and never fixed? Should Linus get sued? Wow.. who would you even sue in that instance? Software confuses things a bit I think.. I can agree that an IE bug, unchecked, should be liable. But a form mailer? It was free to begin with, so just move on to something else... I'm not sure I, personally, could get behind holding software companies liable until some standard was set to determine what the expectations were... And setting those standards is the hard part...
jc
-- Jason 'XenoPhage' Frisvold XenoPhage0@gmail.com
Here is the link again: <http://www.lectlaw.com/files/cur78.htm> Please spend some time reading that site to educate yourself about the facts and common misconceptions about this incident before you try any further analogies based on it. In *this* case the injured woman had done most[1] of the reasonable things one should do to try to mitigate injury, but she was seriously injured and the seriousness of the injury was directly due to the product being defective. McDonalds was held liable because they knowingly and intentionally sold a defective product even after having over 700 prior incidents (serious burns) reported to them due to this defect (the coffee being too hot). Jason Frisvold wrote:
Still, a little common sense... Hot coffee of any type, between the legs, in a moving car? Umm.. even "normal" coffee still causes a jump of pain. That jump of pain could easily cause a car accident.
<quote> Critics of civil justice, who have pounced on this case, often charge that Liebeck was driving the car or that the vehicle was in motion when she spilled the coffee; neither is true. </quote> The coffee wasn't just "hot", it was much too hot to be safely consumed. Note that <quote> [if the] spill had involved coffee at 155 degrees, the liquid would have cooled and given her time to avoid a serious burn </quote> and <quote> The company admitted its customers were unaware that they could suffer third degree burns from the coffee and that a statement on the side of the cup was not a "warning" but a "reminder" since the location of the writing would not warn customers of the hazard. </quote> Now let us consider Microsoft's continued sales of defective Windows and IE software given their track record for failing to ensure that their product works safely and doesn't enable others to cause damage to the user's system and data or (of primary importance to the networking community) the systems and networks of others: <http://bcheck.scanit.be/bcheck/page.php?name=STATS2004> Even if the end user updates their Windows/IE software the minute a security update is available, their browser would still have been vulnerable for all but 7 days in 2004! I wonder how 2005 has been shaping up. Hmmm. I wonder if Stella's lawyers would like to take on Microsoft.... jc [1] The jury awarded Liebeck $200,000 in compensatory damages. This amount was reduced to $160,000 because the jury found Liebeck 20 percent at fault in the spill. The jury also awarded Liebeck $2.7 million in punitive damages, which equals about two days of McDonalds' coffee sales. Post-verdict investigation found that the temperature of coffee at the local Albuquerque McDonalds had dropped to 158 degrees fahrenheit. The trial court subsequently reduced the punitive award to $480,000 -- or three times compensatory damages -- even though the judge called McDonalds' conduct reckless, callous and willful.
[snip]
And I would agree with this reasoning. If the software is defective, fix it or stop selling it. However, I don't think all software developers have "control" over the selling of the software after it's sent to the publisher. (I'm by no means intimate with how all this works) So, for instance, if developer A creates product A+, publisher P deals with packaging it up, distributing it, etc. A few months later, developer A goes out of business for some insane reason. Publisher P continues to sell the software in which a security hole is discovered a month later. There's no way for developer A to fix the hole, they don't exist. And publisher P isn't near smart enough to fix it. So they just continue selling it. Life goes on, it eventually falls into the bargain bin where publisher P continues to package it, but in recycled fish wrap instead of the pristine new boxes it used to.
So is developer A still liable? Is publisher P liable? Should they be?
Liability generally ends at death. Since developer A is essentially dead (no longer exists), no. If publisher P is the current copyright owner, then probably yes. If they have been informed of the defect and continue to sell the defective product, yes.
So who do I sue? McDonalds for selling the coffee? Or the driver who put it between his/her legs?
In the case of an accident and you are the driver she hit, you would sue the driver. The driver may then sue McDonalds if the coffee was "too hot", but, your cause of action is against the direct actor... The driver, and, the owner of the vehicle that hit you.
If it's a known issue and the developer continues to ignore it, then yeah, they should probably be held accountable. But, there's still the issue of what is bad and what isn't. Madden 2006 for the PSP reboots when I end a franchise mode game. It destroys the data I just spent 30 minutes generating while playing the game. Is that bad enough that the company should be held liable for it? (Yes, I'm aware they're replacing the discs now. Excellent move on EA's part)
I guess that depends on how much you feel you are harmed by that loss of data. However, in that case, you probably accepted an EULA that says "We aren't liable for the software not functioning." This is much more a gray area than what I think is the first issue that should be addressed. What if, instead, your PSP was network enabled, and, at the end of your game, it not only rebooted, but, it wiped out all data from all PSPs it could find on the network. Then, the owner of those PSPs should have a cause of action against EA (and possibly you). They didn't agree to an EULA allowing EA's software to wipe their data. That's the situation of the third parties being harmed by exploited hosts.
There's another form mailer out there that I dealt with, and wrote a large post on Bugtraq about, that continues to allow relaying even after a complete bug report with a fix. Should that developer be held liable for damages? It's just spam, it's not really hurting anyone, is it?
SPAM does a lot of actual harm. There are relatively high costs associated with SPAM. Machine time, network bandwidth, and, labor.
Then there's something like Internet Explorer. Any one of the dozens of exploits "allows a remote attacker to assume control of the computer" ... That's bad.. That's definitely an issue. I could agree that the developer should be held liable for that ...
Yes. These are the sorts of things we are really talking about primarily.
Madden 2006 I had to pay for. IE came with Windows, so I didn't *really* have to pay for it, depending on how you look at it. The form mailer was free on the internet. Does having to pay for it determine if the developer should be liable? What if Linux had a security hole that was reported and never fixed? Should Linus get sued? Wow.. who would you even sue in that instance?
You did pay for it. It was part of what you paid for when you bought Windows. If Windows came bundled with your machine, you still paid for it in the form of buying the machine and it was part of what was included. In any case, you still paid for IE. As to Linux, I don't believe Linus ever sold it. For the most part, there's nobody to sue because nobody got paid. Further, since it is open source, you have the ability and responsibility to fix it if you are informed your machine is doing harm. You don't have the ability to fix IE. In the case of packages like Red Hat Enterprise Linux and such, yes, if they are exploited, it is not unlikely that Red Hat could be sued by injured third parties, and, this is not inappropriate.
Software confuses things a bit I think.. I can agree that an IE bug, unchecked, should be liable. But a form mailer? It was free to begin with, so just move on to something else...
Software doesn't confuse things. Things given away for free are not held to the same "duty to care" as things sold as a product. Software fits into this model nicely.
I'm not sure I, personally, could get behind holding software companies liable until some standard was set to determine what the expectations were... And setting those standards is the hard part...
I agree it would be nice to set some standards. I think what is needed is a consortium of software security experts to set some minimum "safety standards" that can be used as a legal basis. Something like:

Prudently written software is expected to take the following precautions:

+ Check length on any storage operation to prevent undetected buffer overruns.
+ Check all external input for validity and consistency prior to placing it into an operation which could result in execution or harmful parsing of said input (such as passing it to a shell for evaluation).

etc. You get the idea. I don't think this would have to be particularly lengthy or complicated, but, I bet if we hit the highlights that cover most of the existing known vulnerabilities, it would do the trick.

Owen -- If it wasn't crypto-signed, it probably didn't come from me.
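The two precautions Owen lists, combined with the recipient allowlist that closes the form-mailer relay hole discussed earlier in the thread, as an added C example; this is not code from the thread or from any form mailer, and the function names and the sample allowlist are constructed for illustration:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration; function names and data below are hypothetical. */

/* Precaution 1: a length-checked store. Returns 0 on success and -1 when
 * the source would not fit, instead of silently overrunning the buffer
 * or truncating the value without telling the caller. */
int checked_store(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst == NULL || dst_size == 0 || n + 1 > dst_size) {
        if (dst != NULL && dst_size > 0)
            dst[0] = '\0';           /* leave a valid, empty string behind */
        return -1;                   /* refusal is visible to the caller */
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Precaution 2: validate external input before it reaches anything that
 * executes or parses it. The check is a narrow allowlist (letters, digits
 * and a few characters legal in an e-mail address); shell metacharacters,
 * whitespace, newlines and empty values are all rejected. */
bool external_input_is_safe(const char *in, size_t max_len)
{
    static const char extra_ok[] = "@._-+";
    size_t len = 0;
    while (in[len] != '\0') {
        if (++len > max_len)         /* bound the scan as well as the value */
            return false;
    }
    if (len == 0)
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        bool alnum = (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
                     (c >= 'a' && c <= 'z');
        if (!alnum && strchr(extra_ok, c) == NULL)
            return false;
    }
    return true;
}

/* The form-mailer specific rule: a web form may only deliver to addresses
 * the site operator configured, so a "recipient" field supplied by the
 * client cannot turn the script into an open relay. Constructed list. */
static const char *const allowed_recipients[] = {
    "webmaster@example.com",
    "sales@example.com",
};

bool recipient_allowed(const char *addr)
{
    size_t count = sizeof allowed_recipients / sizeof allowed_recipients[0];
    for (size_t i = 0; i < count; i++)
        if (strcmp(allowed_recipients[i], addr) == 0)
            return true;
    return false;
}

/* Gate: the recipient field is stored for later use only if it is
 * syntactically safe, is on the allowlist, and fits the buffer. */
bool accept_recipient(char *dst, size_t dst_size, const char *field)
{
    if (!external_input_is_safe(field, 64))
        return false;
    if (!recipient_allowed(field))
        return false;
    return checked_store(dst, dst_size, field) == 0;
}

int main(void)
{
    char buf[32];
    const char *samples[] = {            /* constructed form submissions */
        "webmaster@example.com",
        "sales@example.com; mail spamtarget@example.net",
        "anyone@example.net",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-50s -> %s\n", samples[i],
               accept_recipient(buf, sizeof buf, samples[i]) ? "accepted"
                                                             : "rejected");
    return 0;
}
```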
On Tue, 27 Dec 2005 20:06:20 -0800, "Owen DeLong" <owen@delong.com> [snip]
I agree it would be nice to set some standards. I think what is needed is a consortium of software security experts to set some minimum "safety standards" that can be used as a legal basis.
You're barking up the wrong tree. Mediocre product quality is just one of many symptoms of a lack of competition. The real problem is that we've got monopolies backed by a draconian patent regime. Imagine a situation where there are drop-in replacements for most proprietary technologies with little or no barrier to entry (financial or technical). A serious flaw in product X could easily cause mass customer defection to competing products. Maybe some of the profits of today would have to be invested in quality assurance to prevent that. How would a brand of household appliances hold up to the competition if their products were riddled with flaws that had no solution, just workarounds using expensive add-ons? Should the market accept that MS enter the market of "anti-products" instead of solving the problem within their products? Keep in mind that such products are parasites which represent no customer value. Why have the monopolies we normally despise become the norm in the software industry? Or rather, why did we let them dictate a legislation that gives them legroom for such behaviour. //per -- Per Heldal heldal@eml.cc
To beat a dead horse just a little harder the problem I have is when a certain company kept distributing software with security flaws specifically because they're profiting from those flaws. For example, graphics libraries which accept binary code chunks to be executed in kernel mode without limits for support of quick screen updates in games considered of marketing importance. Blaming it on the games vendors seems inadequate, particularly over several years and releases of each. That's just pure economics and, hence, profiting on others' serious pain. -- -Barry Shein The World | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Login: Nationwide Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
On Wed, Dec 28, 2005 at 11:17:11PM -0500, Barry Shein wrote:
To beat a dead horse just a little harder the problem I have is when a certain company kept distributing software with security flaws specifically because they're profiting from those flaws.
For example, graphics libraries which accept binary code chunks to be executed in kernel mode without limits for support of quick screen updates in games considered of marketing importance. Blaming it on the games vendors seems inadequate, particularly over several years and releases of each.
That's just pure economics and, hence, profiting on others' serious pain.
And yet, I'd bet $10 that: * They know this. * They are just implementing what their customers demand. * They accept that allowing direct access in order to obtain performance at the expense of security is a necessary model in a wide variety of situations, particularly gaming. * They don't give a flying crap what a bunch of perceived whining kooks on NANOG think about that tradeoff. God knows, I wouldn't. :) -- Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
--On December 27, 2005 10:39:38 AM -0500 Jason Frisvold <xenophage0@gmail.com> wrote:
On 12/27/05, Marshall Eubanks <tme@multicasttech.com> wrote:
There was a lot of discussion about this in the music / technology / legal community at the time of the Sony root exploit CD's - which I and others thought fully opened Sony for liability for 2nd party attacks. (I.e., if a hacker uses the Sony root kit to exploit your machine, then Sony is probably liable, regardless of the EULA. They put it in there; they made the attack possible.) IANAL, but I believe that if a vendor has even a partial liability, they can be liable for the whole.
But, what constitutes an exploit severe enough to warrant liability of this type? For instance, let's look at some scripts ... formmail is a perfect example. First, there was no "real" EULA. I'm definitely not a lawyer, but I would think that would open up the writer to all sorts of liability... Anyways, the script was, obviously, flawed. Spammers took notice and used that script to spam all over the place. This hurt the hoster of the script, the people who were spammed, and probably the ISPs that wasted the bandwidth carrying the spam.
It's not just about the severity of the exploit. What did you pay for formmail? Did the author have a "duty to care"? If money did not change hands, then, liability becomes much more difficult unless you can show gross negligence. Further, since formmail is provided in source form, the server owner could have fully evaluated it for vulnerability prior to deploying it. Thus, even if there is some liability, it primarily falls to the person/organization who placed the script in use on the server, not the author.
So, should the writer of the script be sued for this? Is he liable for damages? If that's the case, then I'm gonna hang up my programming hat and go hide in a closet somewhere. I'm far from perfect and, while I'm relatively sure there are none, exploitable bugs *might* exist in my software. Or, perhaps, the exploit exists in a library I used. I've written a lot of PHP code, perhaps PHP has the flaw.. Am I still liable, or is PHP now liable?
Again, it all boils down to whether money changed hands or not. If you didn't get paid for your script, you probably aren't liable. Since PHP is free (and there's not really a legal entity to sue for it anyway), PHP probably isn't liable.
This has scary consequences if it becomes a blanket argument. Alternatively, if the programmer is made aware of the problem and does nothing, then perhaps they should be held accountable. But, then, what happens to "old" software that is no longer maintained?
Look at it another way... If the software is open source, then, there is no requirement for the author to maintain it as any end user has all the tools necessary to develop and deploy a fix. In the case of closed software, liability may be the only tool society has to protect itself from the negligence of the author(s). What is the liability situation for, say, a Model T car if it runs over someone? Can Ford still be held liable if the accident turns out to be caused by a known design flaw in the car? (I don't know the answer, but, I suspect that it would be the same for "old" software).
I suspect that eventually EULA's will prove to be weak reeds, in much the same way that manufacturers may be liable when bad things happen, even if the product is being grossly misused. My intuition says that unfortunately somebody is going to have to die to establish this, as part of a wrongful death suit. With the explosion in VOIP use, this is probably only a matter of time.
Personally, I feel that if a person "grossly misuses" a product and is hurt as a result, they deserve it. Within some acceptable reason, of course. One expects that if you place a cup of coffee in your lap, that you just purchased, I might add, that it may burn you if it spills. Or, if you puncture a can of hair spray near an open fire, you may experience a slight burning sensation a few seconds later.
The first one here is not your best choice of examples. It turns out that in that suit, McDonalds was violating ANSI/ISO standards and handing out liquids that were hotter than the industry considers "safe". There is a major difference in the level of injury that occurs above a certain temperature (I think it's 180F if memory serves), and, their coffee was shown to be well above that. They had been repeatedly informed of this problem prior to the incident and had refused to do anything about it. Yes, you expect to get burned, and, if you keep the coffee below a serving temperature of 180F, then, there's no liability. However, serving it above 180F is not "reasonable and prudent" and that is why the jury found for the plaintiff. In general, if the gross act of stupidity was reasonably foreseeable, the manufacturer has a "duty to care" to make some attempt to mitigate or prevent the customer from taking such action. That's why toasters all come with warnings about unplugging them before you stick a fork in them. That's why every piece of electronic equipment says "No user serviceable parts inside" and "Warning risk of electric shock".
People, use your brains. Next we'll have someone suing craftsman when they chop their leg off because there was no label on the saw that said "don't place running saw in lap" ... Come on, how stupid can you be? I apparently wouldn't make a good judge because I'd laugh most of these cases right out of the courtroom! Reasonable precaution should be expected of all people.
Actually, there are several such warnings on saws for just that reason, so, that is history, not prediction. The letter of the law does expect the plaintiff to have been reasonable and prudent. Judges are not really the problem here. Unfortunately, our cultural tendency to feel for the underdog leads to a jury pool that often doesn't see "An idiot who chopped off his leg by sticking the saw in his lap vs. a company that builds nice saws." They see "The poor defenseless carpenter vs. the evil giant corporation profiting from his misery." They feel for the carpenter and the only option they have to help him is to take money from the corporation. Owen -- If it wasn't crypto-signed, it probably didn't come from me.
On 12/27/05, Owen DeLong <owen@delong.com> wrote:
Look at it another way... If the software is open source, then, there is no requirement for the author to maintain it as any end user has all the tools necessary to develop and deploy a fix. In the case of closed software, liability may be the only tool society has to protect itself from the negligence of the author(s). What is the liability situation for, say, a Model T car if it runs over someone? Can Ford still be held liable if the accident turns out to be caused by a known design flaw in the car? (I don't know the answer, but, I suspect that it would be the same for "old" software).
But can't something similar be said for closed source? You know there's a vulnerability, stop using it... (I'm aware that this is much harder in practice) <snip dead horse />
In general, if the gross act of stupidity was reasonably foreseeable, the manufacturer has a "duty to care" to make some attempt to mitigate or prevent the customer from taking such action. That's why toasters all come with warnings about unplugging them before you stick a fork in them. That's why every piece of electronic equipment says "No user serviceable parts inside" and "Warning risk of electric shock".
So what if Microsoft put a warning label on all copies of Windows that said something to the tune of "Not intended for use without firewall and anti-virus software installed" ? :) Isn't the consumer at least partially responsible for reasonable precautions?
They feel for the carpenter and the only option they have to help him is to take money from the corporation.
I'm all for compassion, but sometimes it's a bit much.. :)
Owen
I guess, in a nutshell, I'm trying to understand the liability issue... It seems, based on the arguments, that it generally applies to "stuff" that was received due to some monetary transaction. And that the developer/manufacturer/etc is given a chance to repair the problem, provided that problem does not exist due to gross negligence on the part of the developer/manufacturer/etc ... Does that about sum it up? [From your other mail]
SPAM does a lot of actual harm. There are relatively high costs associated with SPAM. Machine time, network bandwidth, and, labor.
*nod* I agree.. My point here was that SPAM, when compared to something like a virus, is *generally* less harmful. Granted, SPAM is more of a constant problem rather than a single virus that may attack for a few days before mitigation is possible. I spend a great deal of time tweaking my mail servers to prevent spam.. :) -- Jason 'XenoPhage' Frisvold XenoPhage0@gmail.com
On Wed, Dec 28, 2005 at 09:38:11AM -0500, Jason Frisvold wrote: ...
So what if Microsoft put a warning label on all copies of Windows that said something to the tune of "Not intended for use without firewall and anti-virus software installed" ? :) Isn't the consumer at least partially responsible for reasonable precautions? ...
Last time I looked at an MS Windows package, Microsoft actually put a much stronger warning than that on all of its packages. And a truthful one, as well! Something like, "This software is not guaranteed to do anything in particular." ;-) -- Joe Yao ----------------------------------------------------------------------- This message is not an official statement of OSIS Center policies.
--On December 28, 2005 9:38:11 AM -0500 Jason Frisvold <xenophage0@gmail.com> wrote:
On 12/27/05, Owen DeLong <owen@delong.com> wrote:
Look at it another way... If the software is open source, then, there is no requirement for the author to maintain it as any end user has all the tools necessary to develop and deploy a fix. In the case of closed software, liability may be the only tool society has to protect itself from the negligence of the author(s). What is the liability situation for, say, a Model T car if it runs over someone? Can Ford still be held liable if the accident turns out to be caused by a known design flaw in the car? (I don't know the answer, but, I suspect that it would be the same for "old" software).
But can't something similar be said for closed source? You know there's a vulnerability, stop using it... (I'm aware that this is much harder in practice)
Yes... You say that as if I have a problem with people using bad software being held liable for the damage it does. I do not.
<snip dead horse />
In general, if the gross act of stupidity was reasonably foreseeable, the manufacturer has a "duty to care" to make some attempt to mitigate or prevent the customer from taking such action. That's why toasters all come with warnings about unplugging them before you stick a fork in them. That's why every piece of electronic equipment says "No user serviceable parts inside" and "Warning risk of electric shock".
So what if Microsoft put a warning label on all copies of Windows that said something to the tune of "Not intended for use without firewall and anti-virus software installed" ? :) Isn't the consumer at least partially responsible for reasonable precautions?
Yes. Again, I have no problem if every user of Windows starts paying for failing to prevent it from damaging the network (or any other software that does damage in this context). Perhaps that will finally start showing corporate america the true cost of running windows.
They feel for the carpenter and the only option they have to help him is to take money from the corporation.
I'm all for compassion, but sometimes it's a bit much.. :)
No argument. My point was that it isn't so much the judge as some aspects of our jury system that are at the root of many of these decisions.
I guess, in a nutshell, I'm trying to understand the liability issue... It seems, based on the arguments, that it generally applies to "stuff" that was received due to some monetary transaction. And that the developer/manufacturer/etc is given a chance to repair the problem, provided that problem does not exist due to gross negligence on the part of the developer/manufacturer/etc ... Does that about sum it up?
Mostly. Certainly, liability is more certain in those circumstances than if any of those things are not present.
[From your other mail]
SPAM does a lot of actual harm. There are relatively high costs associated with SPAM. Machine time, network bandwidth, and, labor.
*nod* I agree.. My point here was that SPAM, when compared to something like a virus, is *generally* less harmful. Granted, SPAM is more of a constant problem rather than a single virus that may attack for a few days before mitigation is possible. I spend a great deal of time tweaking my mail servers to prevent spam.. :)
The primary output of viruses these days is SPAM. The primary harm done by viruses is SPAM. Sure, there are occasional DOS issues, but, there is actually more harm done by SPAM than DOS from a monetary perspective. Owen -- If it wasn't crypto-signed, it probably didn't come from me.
--On December 28, 2005 9:38:11 AM -0500 Jason Frisvold <xenophage0@gmail.com> wrote:
On 12/27/05, Owen DeLong <owen@delong.com> wrote:
Look at it another way... If the software is open source, then, there is no requirement for the author to maintain it as any end user has all the tools necessary to develop and deploy a fix. In the case of closed software, liability may be the only tool society has to protect itself from the negligence of the author(s). What is the liability situation for, say, a Model T car if it runs over someone? Can Ford still be held liable if the accident turns out to be caused by a known design flaw in the car? (I don't know the answer, but, I suspect that it would be the same for "old" software).
But can't something similar be said for closed source? You know there's a vulnerability, stop using it... (I'm aware that this is much harder in practice)
One other thing I forgot to say here... With closed software, you don't have the option of fixing it yourself. With open source, that claim cannot be made. As such, since there are some cases in which the damage done by stopping use must be weighed against the damage done by continued use, it's a harder question WRT closed software, especially when it is an operating system. Owen -- If it wasn't crypto-signed, it probably didn't come from me.
On Dec 27, 2005, at 5:03 AM, Steven M. Bellovin wrote:
In message <80632326218FE74899BDD48BB836421A03300F@Dul1wnexmb04.vcorp.ad.vrsn.com>, "Hannigan, Martin" writes:
In the general sense, possibly, but where there are lawyers there is always discouragement.
Suing people with no money is easy, but it does stop them from contributing in most cases. There are always a few who like getting sued. RIAA has shown companies will widescale sue so your argument is suspect, IMO..
I've spent a *lot* of time talking to lawyers about this. In fact, a few years ago I (together with an attorney I know) tried to organize a "moot court" liability trial of a major vendor for a security flaw. (It ended up being a conference on the issue.)
The reason there have not been any lawsuits against vendors is because of license agreements -- every software license I've ever read, including the GPL, disclaims all warranties, liability, etc. It's not clear to me that that would stand up with a consumer plaintiff, as opposed to a business; that hasn't been litigated. I tried to get around that problem for the moot court by looking at third parties who were injured by a problem in a software package they hadn't licensed -- think Slammer, for example, which took out the Internet for everyone.
There have been successful cases for pedestrians that used a train trestle as a walk-way, where warnings were clearly displayed, and a fence had been put in place, but the railroad failed to ensure repair of the fence. The warning sign was not considered adequate. Would this relate to trespassers that use an invalid copy of an OS refused patches? Would this be similar to not repairing the fence? Clearly the pedestrians are trespassing, nevertheless the railroad remains responsible for the safety of their enterprise. -Doug
--On December 28, 2005 11:09:31 AM -0800 Douglas Otis <dotis@mail-abuse.org> wrote:
There have been successful cases for pedestrians that used a train trestle as a walk-way, where warnings were clearly displayed, and a fence had been put in place, but the railroad failed to ensure repair of the fence. The warning sign was not considered adequate. Would this relate to trespassers that use an invalid copy of an OS refused patches? Would this be similar to not repairing the fence? Clearly the pedestrians are trespassing, nevertheless the railroad remains responsible for the safety of their enterprise.
-Doug
While I think it is unfair in the case of the railroad, and of burglars that injure themselves in people's stores/houses, it works for me in the case of software. Denying patches doesn't tend to injure the trespassing user so much as it injures the others that get attacked by his compromised machine. I think that is why many manufacturers release security patches to anyone openly, while restricting other upgrades to registered users. Owen -- If it wasn't crypto-signed, it probably didn't come from me.
On Wed, 28 Dec 2005 13:20:51 PST, Owen DeLong said:
Denying patches doesn't tend to injure the trespassing user so much as it injures the others that get attacked by his compromised machine. I think that is why many manufacturers release security patches to anyone openly, while restricting other upgrades to registered users.
Color me cynical, but I thought the manufacturers did that because a security issue has the ability to convince non-customers that your product sucks, while other bugs and upgrades only convince the sheep that already bought the product that the product is getting Even Better!(tm).....
--On December 29, 2005 5:51:04 AM -0500 Valdis.Kletnieks@vt.edu wrote:
Color me cynical, but I thought the manufacturers did that because a security issue has the ability to convince non-customers that your product sucks, while other bugs and upgrades only convince the sheep that already bought the product that the product is getting Even Better!(tm).....
That could be a factor, but I know first-hand from the legal departments of at least two software "manufacturers" that it was at least a factor in the decision, and they do have concerns about being liable for damages caused by security flaws in their software. Owen -- If it wasn't crypto-signed, it probably didn't come from me.
There have been successful cases for pedestrians that used a train trestle as a walk-way, where warnings were clearly displayed, and a fence had been put in place, but the railroad failed to ensure repair of the fence. The warning sign was not considered adequate. Would this relate to trespassers that use an invalid copy of an OS refused patches? Would this be similar to not repairing the fence? Clearly the pedestrians are trespassing, nevertheless the railroad remains responsible for the safety of their enterprise.
There is a huge difference that everyone seems to keep ignoring. Most of the defective software issues we're talking about here cause no damage until a knowledgeable person with malicious intent knows the 'defect', specifically intends to cause harm with it, and uses the defect specifically to cause that harm. This, unfortunately, makes it more analogous to the 'defect' in a gun: that a criminal can use it to do harm just as an honest person can use it to prevent harm. Of course, it also makes it analogous to a gun that, when you point it at a criminal, the criminal can make blow up in your hands. DS
participants (13)
- Barry Shein
- David Schwartz
- Douglas Otis
- Hannigan, Martin
- Jason Frisvold
- JC Dill
- Joseph S D Yao
- Marshall Eubanks
- Owen DeLong
- Per Heldal
- Richard A Steenbergen
- Steven M. Bellovin
- Valdis.Kletnieks@vt.edu