[87610] in North American Network Operators' Group
RE: Compromised machines liable for damage?
daemon@ATHENA.MIT.EDU (David Schwartz)
Wed Dec 28 17:57:00 2005
From: "David Schwartz" <davids@webmaster.com>
To: "Steven M. Bellovin" <smb@cs.columbia.edu>
Cc: "NANOG" <nanog@merit.edu>
Date: Wed, 28 Dec 2005 14:56:18 -0800
In-Reply-To: <5FA70284-2A47-488A-A198-F818BF030AC5@mail-abuse.org>
> There have been successful cases for pedestrians that used a train
> trestle as a walk-way, where warnings were clearly displayed, and a
> fence had been put in place, but the railroad failed to ensure repair
> of the fence. The warning sign was not considered adequate. Would
> this relate to trespassers that use an invalid copy of an OS refused
> patches? Would this be similar to not repairing the fence? Clearly
> the pedestrians are trespassing, nevertheless the railroad remains
> responsible for the safety of their enterprise.

There is a huge difference that everyone seems to keep ignoring. Most of
the defective software issues we're talking about here cause no damage until
a knowledgeable person with malicious intent knows the 'defect',
specifically intends to cause harm with it, and uses the defect specifically
to cause that harm. This, unfortunately, makes it more analogous to the
'defect' in a gun that a criminal can use it to do harm just as an honest
person can use it to prevent harm.

Of course, it also makes it analogous to a gun that, when you point it at a
criminal, the criminal can make it blow up in your hands.

DS