No Security, No Excuse ?

[forn28]

I think you miss the point.

Nobody will be sued over a hole in any software when NO patch is available.

But, if you don't install the available patch and your computer is use in a DDoS, you will be sue, because you are negligent.

[xmaddness]

Maybe they should have thought about that before they released their software. In the automobile industry, when something they release is screwed up, they do what is called a "Recall" and they send out that information, by mail, to all the owners of their product. They also suggest and provide exact details on where I can take my product to be fixed for me, for free. If MS or any other software vendor did this, then I could be held liable. But until they do that....


Case closed.

[phishphreek]

Originally posted here by forn28
I think you miss the point.

Nobody will be sued over a hole in any software when NO patch is available.

But, if you don't install the available patch and your computer is use in a DDoS, you will be sue, because you are negligent.

I agree that everyone should install patches. But, when they have SO many patches that the downloading takes 10+ hours to download on dial up... then I should be compensated for the inconvenience, time wasted, etc.

Sure, I can order the CD that includes patches... but I have to PAY for it. It should be availabe for free.

http://www.microsoft.com/WindowsXP/p...p1/ordercd.asp

[AngelicKnight]

Well, I still am inclined to think something like this will never happen in the near future -- I think we'll have taxed Internet before anything this crazy passes! But on the other hand, I guess stranger things have happened. Good luck enforcing it though.

And indeed, those blasted CD patches should be free, but that's a whole other topic altogether. Grr....

[Tiger Shark]

Maestro:

If I buy a dog, set it loose in my neighborhood and it bites someone, I'm liable. If I buy a computer stick it on the net and its used to destroy millions of dollars worth of data, I say "oops,sorry?"

The problrm here is that every dog owner knows that their dog can and might bite. 99% of all computer owners have no idea that their camputer _can_ bite let alone will.

This subject is way too difficult for the lawyers and the legislators to be sticking their "ignorant of the facts" noses into it yet and for now it should remain as-is. The people best qualified to deal with such issues are doing it right now - the geeks.

[Zonednode]

You cant hold people whos computers are used for a destructive purpose without their knowledge. Its like convicting a 2 year old of murder. The 2 year old did not relise it was wrong or what they did. As someone who uses windows doesnt know the ins and outs of their system or knowledge or tcp/ip. You cant force people to know a certain amount to use a computer, its like making it a crime to be stupid. There simple are not enough jain cells for that many people.

[phishphreek]

I think what comcast is doing is a step in the right direction....

http://www.infoworld.com/article/04/...astspam_1.html

Now, they just need to take it a step further. Instead of just looking for hijacked spam relays... looks for zombies, trojaned hosts, etc

[RoadClosed]

I have analogy speaking to a few who agree with the ruling. I agree with Tiger Shark, you know your dog is prone to attack or bite and it's often the case in proven case law that dog owners can be held liable if the dog has a history of problems or the owner stands by and does nothing to save/help a victim from an attack by an animal in his control.

This analogy, the way I see it, does not apply in the realm of computers. It's more like if the dog got rabies (a virus) and went wild why you were at work and ate through the fence (your OS) in your yard and ran across the street (the internet) and bit Mr. Jones while he was polishing his 1969 Buick… the liability on the dog owner in reasonable terms is almost nil.

Or perhaps it's like this; a criminal breaks into your house, steals your gun and later uses it as a weapon to kill Sean Penn. All this while you were at work and have a strong alibi and have never been to Los Angeles. In fact you don’t even know the gun is gone or the house was broken into because last month your dog got rabies. The failure of your window that was forced open and the failure of your ability to hide your gun from thieves do not make you liable.

Perhaps Sean Penn's body guards (your office network, firewall, administrators) are liable for failing to stop an attack, then again who could reasonably be held liable for something of a surprise that is impossible to foresee? But if the person owning a computer is liable to patch a vulnerability then body guards of the system or liable as well. And equally so. The whole thing counterbalances itself and cancels out any mitigating circumstance. Seems a waste of energy.

[Maestr0]

Tiger,
While I'm inclined to agree with you that 99% of the users don't know their computer can "bite" is probably true, we have an old saying in the states I'm sure you've heard: "Ignorance of the law is no excuse." Whether the user is aware of it or not, their computer can be used to cause very real damages to someone else and ignorance is not an acceptable excuse for this. If you cannot drive, or have no knowledge of how to exercise due care when operating a motor vehicle, you shouldnt be operating one and are still liable for any damage you cause with it. (Telling the judge "I didn't know my dog would bite someone." will not fly in my state I don't know about yours) Don't misunderstand me, I'm not advocating suing grandma because someone hax0r3d her new Dell, but lets look at the legal definition of negligence(http://www.encyclopedia.com/html/n1/negligen.asp):
the breach of an obligation (duty) to act with care, or the failure to act as a reasonable and prudent person would under similar circumstances.

NOTE: Although I havent really looked I believe in legal cases the level of due care in negligence cases is commensurate to the defendants skill. ie. Companies/SysAdmins know better than home users and should behave like it.

This does not indicate to me that anyone whose machine is used for any illegal purpose is going to be prosecuted, but rather anyone who does not act reasonably and prudently MAY be found negligent ie. Are you even attempting to prevent damages which are well known and preventable through a little common sense? (As you can see this does not mean you are responsible for flaws in your OS, if anything it means the OS developer has an obligation to secure their system within reason prior to distribution) . I seriously doubt anyone will argue this type of case against an individual, but rather could be used to target a company or organization which has not used due care secure their assets against those who would steal or use them for malicous intent. In other words its COMMON SENSE. If you roll out 300 workstations with no patches and leave them accesable to world and they are used in a DDOS not only are you an ******* but you are negligent as well same goes if you leave your customer database available to the universe. This is especially imporatant when you think about companies which are storing sensitive data about you and me online and are not properly protecting these assets. I dont know about you but if company with a database containing my personal information and financial records is compromised because they didnt have a patch applied since 1996 and the only thing they have to say is "ooops, sorry" then I'm going to sic my dog on them.

-Maestr0

EDIT: (Just saw your post RoadClosed )

the liability on the dog owner in reasonable terms is almost nil.

Exactly, much like a home user would not be found negligent in this case either. And speaking of analogies I dont think your Sean Penn Conspiracy is accurate either. The house analogy doesnt sit well with me. First off, theres no 'gun' hiding in your private little house, your house IS the gun so maybe more of a tank than a house? Second, the internet is not PRIVATE! People stuck on this breaking into my house thing need to get the **** over it, it's not your house its not even your road. It more like you left your tank in THE road with keys in it and some one used your tank to blow up SCO's headquarters and you wanna cry because you didnt know anyone would steal your tank and how dare they open the hatch to look and see if the keys are in it, and besides I didnt know it was a tank.

[RoadClosed]

I don't subscribe much to the internet being a house thing, other than trying to make a point that you cannot hold someone liable for the actions of another who is acting in secret. By taking something that does indeed physically belong to a person, such as their computer, and using it as a tool to commit a crime. The internet is indeed public but the data housed in your computer is yours property, if that wasn't the case then why make the argument to protect it?