[133404] in North American Network Operators' Group
Re: Over a decade of DDOS--any progress yet?
daemon@ATHENA.MIT.EDU (Matthew Petach)
Thu Dec 9 03:37:32 2010
In-Reply-To: <4D0054CD.60009@gmail.com>
Date: Thu, 9 Dec 2010 00:37:28 -0800
From: Matthew Petach <mpetach@netflight.com>
To: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Wed, Dec 8, 2010 at 8:02 PM, JC Dill <jcdill.lists@gmail.com> wrote:
> On 08/12/10 1:38 PM, Valdis.Kletnieks@vt.edu wrote:
>>
>> The second issue is that if you *do* establish a legal precedent that
>> software vendors are liable for faults no matter what the contract/EULA
>> says,
>
> It doesn't matter what contract an auto maker makes with someone who
> purchases the car, if the brakes fail and the car hits ME, I can sue the
> auto maker due to the defective brakes. If they design the car in a way
> that a 3rd party can easily tamper with the brakes, and then the car hits
> me, I can also sue the auto maker. They are legally required to take due
> care in how they design the car to ensure that innocent bystanders aren't
> injured or killed by a design defect. IMHO, there's no difference in the
> core responsibility that software makers should be held to, to ensure that
> their software isn't easily compromised and used to attack and injure 3rd
> parties. The EULA is a red herring, as it only applies to the purchaser
> (who agrees to the EULA when they purchase the computer or software), not to
> 3rd parties who are injured.
>
> If the software doesn't work as designed and the purchaser is unhappy,
> that's between them and the company they bought the software from. But when
> it injures a 3rd party, that's a whole different ball game. I truly don't
> understand why ISPs (who bear the brunt of the burden of the fall-out from
> the compromised software, as they fight spam and have to provide customer
> support to users who complain that the "internet is slow" etc.) haven't said
> ENOUGH.
>
> jc
If you look at the national vulnerability database listings, though,
it's really not clear who you'd need to go after:
http://blogs.technet.com/b/security/archive/2008/05/15/q1-2008-client-os-vulnerability-scorecard.aspx
Granted, that was two years ago; but it sure seems that just
vilifying Microsoft, satisfying though it might be, would be to
ignore the breadth of the problem.
Matt