I just want to see what people think of this situation from different perspectives. Pick A or B for any step in this situation, and think of how you would place the blame for the death in #5 as a result.

1. A) Professor at an educational institution releases a tool for his students to use in an infosec class that exploits a vulnerability, for research purposes (Professor never reports the bug). A student puts it on his personal homepage for his own reference, unencrypted. It's found by the blackhat community and distributed.
B) 17-year-old scripts a tool to release on his GeoCities website to show off in IRC. It's found by the blackhat community and distributed.

2. A) Mallory compromises Alice's machine.
B) Johnny writes a worm that eventually compromises Alice's machine.

3. Alice's machine exploits the First National Hospital's database in an unfirewalled, unpatched, unsecured network service. The service did not need to be public.

4. A) Side effect of exploit corrupts patient database.
B) Mallory drops patient database.

5. Patient dies from allergic reaction to meds after Doctor can't access patient records.

Who is at fault in the different situations? (make sure you point out which direction you're talking about)

The professor (1a... Discovered the exploit, did not report it)
The student (1a... Let the tool into the public unknowingly)
The script kiddie (1b... Pumped the tool out to the blackhats)
Johnny (2a... wrote the worm that mindlessly exploited the system)
Mallory (2a... Knowingly exploited the system)
Alice (3... Neglected to secure machine)
First National Hospital Sysadmins (3... Neglected to secure machine)
ISP (Because Bruce Schneier said so)

Let me know if I'm making any sense. Who would you think is responsible in each situation, why, and to what extent should the smackdown be laid?

Raise your hand if you like threads on security issues!