[87578] in North American Network Operators' Group

Re: Compromised machines liable for damage?

daemon@ATHENA.MIT.EDU (Daniel Senie)
Mon Dec 26 23:10:50 2005

Date: Mon, 26 Dec 2005 23:08:42 -0500
To: Gadi Evron <ge@linuxbox.org>
From: Daniel Senie <dts@senie.com>
Cc: NANOG <nanog@merit.edu>
In-Reply-To: <Pine.LNX.4.21.0512260650001.25220-100000@linuxbox.org>
Errors-To: owner-nanog@merit.edu


At 07:58 AM 12/26/2005, Gadi Evron wrote:

>On Sun, 25 Dec 2005, Dave Pooser wrote:
> >
> > > This should be another thread completely, but I am wondering about
> > > the liability of the individuals who have owned machines that are
> > > attacking me/my clients.
> >
> > As a practical matter, I'd expect it to be difficult to try. Convincing a
> > jury that running a PHP version that's three months out of date constitutes
> > gross negligence because you should have read about the vulnerability on the
> > Web might be... tricky. Especially when you have to explain to the jury what
> > PHP is. Dueling expert witnesses arguing about best practice, poor confused
> > webmaster/Amway distributor looking bewildered at all this technical talk
> > ("I figgered I just buy Plesk and I was good to go. I dunno nothin' about
> > PHP. Isn't that a drug?") Not to mention working out what percentage of the
> > damages you suffered should come from each host.
> >
> > But yeah, I'd like to see it tried. Lawyering up is one of our core
> > competencies here in the USA; maybe we could use it for good instead of
> > evil.
>
>I'd like to bring some conclusions from past discussions on this issue to
>the table.
>
>First, holding a person liable while he had no way of knowing he is doing
>something wrong is not right. Still, you know what they say about not
>knowing the law and punishment.

Bringing the discussion back to networking and away from gun issues, 
the question of liability for negligence in network operations is not 
new. There was discussion of this issue back when smurf attacks were 
common, networks were generally not doing ingress filtering (though 
many still are not) and many innocent third parties were being 
attacked (Schwab, Yahoo, others all in one week as I recall).

At the time there was concern over suing folks, though in many cases 
there was a strong case. Network operators continued to resist 
filtering despite being aware their own networks were being used to 
attack others. To my knowledge, BCP38 has not been cited in a court proceeding.

If you think it's OK to hold hosting providers at fault for 
negligence, network operators should be prepared to defend their own 
actions (or inaction) regarding any known or anticipated threats as well.


