
Thread: Liability

  1. #1


    I just want to see what people think of this situation from different perspectives. Pick A or B for any step in this situation, and think of how you would place the blame for the death in #5 as a result.

    1. A) Professor at an educational institution releases a tool for his students to use in an infosec class that exploits a vulnerability, for research purposes (Professor never reports the bug). A student puts it on his personal homepage for his own reference, unencrypted. It's found by the blackhat community and distributed.
    B) 17 year old scripts a tool to release on his geocities website to show off in IRC. It's found by the blackhat community and distributed.

    2. A) Mallory compromises Alice's machine.
    B) Johnny writes a worm that eventually compromises Alice's machine.

    3. Alice's machine exploits the First National Hospital's database in an unfirewalled, unpatched, unsecured network service. The service did not need to be public.

    4. A) Side effect of exploit corrupts patient database.
    B) Mallory drops patient database

    5. Patient dies from allergic reaction to meds after Doctor can't access patient records.

    Who is at fault in the different situations? (make sure you point out which direction you're talking about)

    The professor (1a... Discovered the exploit, did not report it)
    The student (1a... Let the tool into the public unknowingly)
    The script kiddie (1b... Pumped the tool out to the blackhats)
    Johnny (2a... wrote the worm that mindlessly exploited the system)
    Mallory (2a... Knowingly exploited the system)
    Alice (3... Neglected to secure machine)
    First National Hospital Sysadmins (3... Neglected to secure machine)
    ISP (Because Bruce Schneier said so)

    Let me know if I'm making any sense. Who would you think is responsible in each situation, why, and to what extent should the smackdown be laid?

    Raise your hand if you like threads on security issues!

  2. #2
    Join Date
    Aug 2001
    Are you looking for the legal or the ethical "explanation"?

    The professor does not have to report the vulnerability, it is not illegal (in this country) for the student to publish the tool on his website, and it is not illegal for Johnny to write a worm.
    The only one that can be held liable in court is Mallory: she's the only one who did something illegal.

  3. #3
    Join Date
    Dec 2004
    Hi Soda,

    Prior to the edit I take it you were referring to my thread in the 'inferior' GCC... which was/is actually in Security News, not GCC...

    AntiOnline - Make ISP's liable for viruses

    Ultimately...ethically they are all responsible in a perfect world ( we are our brother's keeper )...we unfortunately do not live in such a world so we need to assign blame to someone or else no one gets blamed and nothing ever gets done to improve anything.

    In your scenarios... ethically, any one of them could potentially be held liable... so... you pick one of them and say they're responsible, and you hope that will wake up the others to their responsibility, thinking their heads may be on the block next.

    Like I said...someone has to be held responsible...even when many people had a hand in it.


  4. #4
    Eg- I don't read GCC, nor did I intend to knock any of your threads.


    I'll make an edit. The worm writer also released the worm. Are they responsible for the death, legally?

    If you were the hospital, who would you look to blame first in those situations?

  5. #5
    Join Date
    Aug 2001
    There are a bunch of fine lines in your examples, and I think that, ultimately, it's going to be a matter of interpretation (read: could turn either way, depending on the judge).

    It's not illegal to write worm code, and it's not illegal to release worm code. On the other hand: it is illegal to "knowingly release code that can harm others". Fine line...
    Johnny being held liable for the death is extremely unlikely: I don't think anyone can make a case that "Johnny knowingly wrote the worm to kill hospital patients"...
    As for Mallory: you tell me... if I decide to scare the neighbors by shining a flash light in their room in the middle of the night, and the old man dies of a heart attack, am I responsible for his death? Am I liable? I probably wouldn't get away with it, but I probably wouldn't be punished as if it were murder either...

    If you can prove that Mallory knowingly deleted patient records, you might have a strong case...

    On the other hand: if this were a real case, the doctor that administered the medicine would probably be the one that gets smacked...

  6. #6
    Join Date
    Jan 2005
    *Raises hand*

    As Eg said, in a perfect world, they'd all be liable. Here's my breakdown of the liability:

    Professor -> Did not disclose vulnerability to manufacturer, provided tool to students to exploit that vulnerability
    Student -> As a security student, should've been intelligent enough to at least encrypt the tool, or better yet, keep it off the net in the first place
    Script Kiddie-> Disseminated tool
    Johnny -> Wrote a worm in a non-quarantined network (i.e. NOT connected to the internet)
    Mallory -> Broke in to a system
    Alice -> Unsecure system
    Hospital SysAdmin -> Put database on system which is accessible from the Internet, did not secure system
    Doctor -> Should have a hard copy of patient record

    In the "real world," I would suppose it would depend on how far back the issue could be tracked. If no one bothered to look into WHY the doctor gave a med that the patient was allergic to, then he'd probably bear the brunt of legal responsibility. Because of bureaucracy, I would say that the highest up the ladder that anyone would bother investigating is the hospital SysAdmin.
    "The future stretches out before us, uncharted. Find the open road and look back with a sense of wonder. How pregnant this moment in time. How mysterious the path ahead. Now, step forward."
    Phillip Toshio Sudo, Zen Computer
    Have faith, but lock your door.

  7. #7
    nihil
    Join Date
    Jul 2003
    United Kingdom: Bridlington
    If you were the hospital, who would you look to blame first in those situations?
    Easy... the administrators, you are paying them to prevent that kind of scenario... they were incompetent?

    IRL anything life critical or top secret does NOT repeat NOT connect to the internet, period.

  8. #8
    Join Date
    May 2003
    I partially agree with Nihil, the First National Hospital Sysadmins are (maybe kinda) responsible, however this does not alleviate Mallory of guilt.

    The professor and Johnny have no legal responsibility here, otherwise it'd be illegal to make and/or sell guns or anything else that could be used illegally.

    The skript kiddie is breaking the law as much as any security advisory is, he merely published the vulnerability... doesn't matter if this was done on BugTraq, CVE, or geocities.

    The student and Alice have no responsibility of maintaining secure systems, since their systems are not accountable to anyone beside themselves.

    The Doctor is not responsible either, it is unreasonable to expect the doctor to operate in a manner unsupported by hospital administration...

    Which brings me to the real culprits... First National Hospital Administration. Their failure to either provide or enforce proper security guidelines over the IT department would be a pile of HIPAA violations at best, and some kind of homicide by gross neglect/deranged indifference at worst. Administration may argue that the cost cutting orders came from executive management... and well, if this could be proven, the guilt would then of course fall there.



  9. #9
    The student and Alice have no responsibility of maintaining secure systems, since their systems are not accountable to anyone beside themselves.
    Just for discussion, what if a neighborhood kid opens my fence, my dog runs out and bites you? Aren't people held responsible for situations like that all the time (dog bites?)?

    Aren't I responsible for the actions of my property?

    I agree FN Hospital is responsible both ethically and legally, legally they'd be reemed by HIPAA.

    Is it legal for me to make a gun? I can't make a bomb, I assume I can't make a gun either? At least without a permit... Had Johnny made the worm and released it (and been caught), would he be punished for manslaughter? (Or whatever, I'm not familiar with the correct terminology)

  10. #10
    Join Date
    Aug 2001
    If a neighborhood kid opens your fence, your dog runs out and bites someone, you are not responsible. In a case like that, negligence needs to be proven, which is not the case when foul play is present. Another example is the dog on a leash who breaks the leash and kills another dog: you are not responsible for that (unless they can prove that you had the same leash for 20 years and that you knew it was falling apart - again, negligence needs to be proven).

    If you want to go after Johnny, you'll have to somehow prove that he knew that his worm had the ability to kill human beings - good luck doing that.

    The hospital can be sued for not complying with HIPAA, but that's got nothing to do with what happened here (nobody's privacy got breached, did it?). The issues are totally unrelated.

    The doctor who administered the deadly (because allergic to it) drug is the only one against whom they'll have a strong case: he isn't allowed to just administer anything and hope that the patient is not allergic to it - the entire database was dropped, so it must have been pretty obvious that something was missing... it's not like Mallory somehow managed to delete the allergy records for that one patient (which would totally change the case).
