North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: Compromised machines liable for damage?
[snip] > And I would agree with this reasoning. If the software is defective, > fix it or stop selling it. However, I don't think all software > developers have "control" over the selling of the software after it's > sent to the publisher. (I'm by no means intimate with how all this > works) So, for instance, if developer A creates product A+, publisher > P deals with packaging it up, distributing it, etc. A few months > later, developer A goes out of business for some insane reason. > Publisher P continues to sell the software in which a security hole is > discovered a month later. There's no way for developer A to fix the > hole, they don't exist. And publisher P isn't near smart enough to > fix it. So they just continue selling it. Life goes on, it > eventually falls into the bargain bin where publisher P continues to > package it, but in recycled fish wrap instead of the pristine new > boxes it used to. > > So is developer A still liable? Is publisher P liable? Should they be? > Liability generally ends at death. Since developer A is essentially dead (no longer exists), no. If publisher P is the current copyright owner, then probably yes. If they have been informed of the defect and continue to sell the defective product, yes. > So who do I sue? McDonalds for selling the coffee? Or the driver who > put it between his/her legs? > In the case of an accident and you are the driver she hit, you would sue the driver. The driver may then sue McDonalds if the coffee was "too hot", but, your cause of action is against the direct actor... The driver, and, the owner of the vehicle that hit you. > If it's a known issue and the developer continues to ignore it, then > yeah, they should probably be held accountable. But, there's still > the issue of what is bad and what isn't. Madden 2006 for the PSP > reboots when I end a franchise mode game. It destroys the data I just > spent 30 minutes generating while playing the game. Is that bad > enough that the company should be held liable for it? (Yes, I'm aware > they're replacing the discs now. Excellent move on EA's part) > I guess that depends on how much you feel you are harmed by that loss of data. However, in that case, you probably accepted an EULA that says "We aren't liable for the software not functioning." This is much more a gray area than what I think is the first issue that should be addressed. What if, instead, your PSP was network enabled, and, at the end of your game, it not only rebooted, but, it wiped out all data from all PSPs it could find on the network. Then, the owner of thoses PSPs should have a cause of action against EA (and possibly you). They didn't agree to an EULA allowing EAs software to wipe their data. That's the situation of the third parties being harmed by exploited hosts. > There's another form mailer out there that I dealt with, and wrote a > large post on Bugtraq about, that continues to allow relaying even > after a complete bug report with a fix. Should that developer be held > liable for damages? It's just spam, it's not really hurting anyone, > is it? > SPAM does a lot of actual harm. There are relatively high costs associated with SPAM. Machine time, network bandwidth, and, labor. > Then there's something like Internet Explorer. Any one of the dozens > of exploits "allows a remote attacker to assume control of the > computer" ... That's bad.. That's definitely an issue. I could > agree that the developer should be held liable for that ... > Yes. These are the sorts of things we are really talking about primarily. > Maden 2006 I had to pay for. IE came with Windows, so I didn't > *really* have to pay for it, depending on how you look at it. The > form mailer was free on the internet. Does having to pay for it > determine if the developer should be liable? What if Linux had a > security hole that was reported and never fixed? Should Linus get > sued? Wow.. who would you even sue in that instance? > You did pay for it. It was part of what you paid for when you bought Windows. If Windows came bundled with your machine, you still paid for it in the form of buying the machine and it was part of what was included. In any case, you still paid for IE. As to Linux, I don't believe Linus ever sold it. For the most part, there's nobody to sue because nobody got paid. Further, since it is open source, you have the ability and responsibility to fix it if you are informed your machine is doing harm. You don't have the ability to fix IE. In the case of packages like Red Hat Enterprise Linux and such, yes, if they are exploited, it is not unlikely that Red Hat could be sued by injured third parties, and, this is not inappropriate. > Software confuses things a bit I think.. I can agree that an IE bug, > unchecked, should be liable. But a form mailer? It was free to begin > with, so just move on to something else... > Software doesn't confuse things. Things given away for free are not held to the same "duty to care" as things sold as a product. Software fits into this model nicely. > I'm not sure I, personally, could get behind holding software > companies liable until some standard was set to determine what the > expectations were... And setting those standards is the hard part... > I agree it would be nice to set some standards. I think what is needed is a consortium of software security experts to set some minimum "safety standards" that can be used as a legal basis. Something like: Prudently written software is expected to take the following precautions: + Check length on any storage operation to prevent undetected buffer overruns. + Check all external input for validity and consistency prior to placing it into an operation which could result in execution or harmful parsing of said input (such as passing it to a shell for evaluation). etc. You get the idea. I don't think this would have to be particularly lengthy or complicated, but, I bet if we hit the highlights that cover most of the existing known vulnerabilities, it would do the trick. Owen -- If it wasn't crypto-signed, it probably didn't come from me.