In the general sense, possibly, but where there are lawyers there is always discoragement.
Suing people with no money is easy, but it does stop them from contributing in most cases. There are always a few who like getting sued. RIAA has shown companies will widescale sue so your argument is suspect, IM
Message
From: DeLong [mailto:owen (AT) delong (DOT) com]
Sent:Mon Dec 26 23:11:13 2005
To:Hannigan, Martin; Joseph Jackson
Cc:NANG
Subject:RE: Compromised machines liable for damage?
I've seen this argument time and again, and, the reality is that it is
absolutely
false.
In fact, it will do nothing but encourage freeware. Liability for a product
generally doesn't exist until money changes hands. If you design a piece of
equipment and post the drawings in the public domain, you are not liable
if someone builds it and harms themselves. You are liable if someone pays
you for the design, because, the money changing hands creates a "duty to
care".
of a "duty to care", the only opening for liability is if they
can prove that you failed to take some precaution that would be expected
of any "reasonably prudent" person.
So, liability for bad software and the consequences it creates would be
bad for the Micr0$0ft and of the world, but, generally, very good
for the Free Software movement. It might turn out to be bad for
organizations
like Cygnus and RedHat, but, that's more of a gray area.
As to the specific example cited
If no update has been released, in the case of Source, that's no
excuse.
You have the source, so, you don't have to wait for an update. In the case
of closed software, then, I think manufacturer liability is a good thing
for the industry in general.
December 26, 2005 10:07:20 PM -0500 "Hannigan, Martin"
<hannigan (AT) verisign (DOT) comwrote:
--
If you want to choke off freeware(gnu, et. Al), sure, go after them. I
doubt the licensing agreement allows it though. (IANAL).
I think all you'd do is encourage people to write more music about
'freeing the software'. I'd rather not be stricken in that fashion.
I think that angle is DA.
Martin
--
Message
From: Joseph Jackson [mailto:jjackson (AT) aninetworks (DOT) com]
Sent: Mon Dec 26 03:13:02 2005
To: Hannigan, Martin
Cc: NANG
Subject: RE: Compromised machines liable for damage?
What about the coders that write the buggy software in the first place?
Don't they hold some of the responsibility also? IE I am running some
webserver software that a bug is found in it. Attackers use that bug in
the
software to generate a DS attack against you from my machines. No update
has been released for the software I am running and/or no warning as been
released. You sue me I sue the coders. What a wonderful world. (I'm not
for this but its another side of the issue.)
>
>
>
From: owner-nanog (AT) merit (DOT) edu [mailto:owner-nanog (AT) merit (DOT) edu] Behalf
Hannigan, Martin
Sent: Sunday, December 25, 2005 9:22 PM
To: Steven M. Bellovin
Cc: Dave Pooser; NANG
Subject: Re: Compromised machines liable for damage?
>
>
>
>
>
Yes, I agree. As usual, I too am 'IANAL'.
Marty
>
>
>
Message
From: Steven M. Bellovin [mailto:smb (AT) cs (DOT) columbia.edu
<mailto:smb (AT) cs (DOT) columbia.edu]
Sent: Sun Dec 25 23:52:27 2005
To: Hannigan, Martin
Cc: Dave Pooser; NANG
Subject: Re: Compromised machines liable for damage?
In message
<@Dul1wnexmb04.vcorp.ad.vrsn.c
om>, "Hannigan, Martin" writes:
>
>>
>Dave, RIAA wins almost 100pct vs p2p'ers ir sues. Its an interesting =
>dichotomy.
>>
>
"Wins" is too strong a word, since I don't think any have gone to
court -- see
<>
as my source.
Besides, it's a very different situation. For my take on liability
issues -- note that I'm not a lawyer, and note that this is from 1994
-- see
<>
M. Bellovin, http://www.cs.columbia.edu/~smb
<http://www.cs.columbia.edu/~smb>
>
>
>
>

RIAA is a very different context from what we are talking about here.

First, the number of people getting attacked from Source systems
is very small, so, you have a very small class of plaintiffs. Second,
said class of plaintiffs is probably not as well funded as RIAA.

TH, the number of people/organizations being attacked from Micr0$0ft
based systems is relatively high, so, a large class of plaintiffs,
and, some of them being enterprises are relatively well funded.

Second, in the case of RIAA, it is businesses suing to do what they
perceive as protecting their profit stream, and, they know they
are suing a collection of defendants that are relatively poorly
funded and have no organization. In the case of Source, I
think there is a pretty good track record of the community coming
to the aid of those that get sued for various reasons (DeCSS comes
to mind).

Sure, it's easy to sue someone who doesn't have any money, but,
there's no point in doing so. Frankly, it's not the people with
no money that are at risk here. It's the people with some money
and some assets. If you have nothing, you're pretty safe ignoring
a civil suit because you have nothing to lose. Frankly, if RIAA
were to sue me, it wouldn't cost me $250,000 to fight it. It
might cost me a few thousand if I chose to involve a lawyer in
some portion of the process, but, initially, I think I could
make their life difficult enough to get them to go away without
involving a lawyer.

I've already made MPAA/Disney go away twice without a lawyer. Admittedly,
they went away before even filing a suit, so, technically, I haven't been
sued, but, I've been threatened by them, and, I'm sure if I'd
buckled under or failed to confront them appropriately, I would
have either gotten sued or ended up handing over money.

The costs of defending a suit are $0 until you hire a lawyer.

December 26, 2005 11:18:46 PM -0500 "Hannigan, Martin"
<hannigan (AT) verisign (DOT) comwrote:

--
In the general sense, possibly, but where there are lawyers there is
always discoragement.

Suing people with no money is easy, but it does stop them from
contributing in most cases. There are always a few who like getting sued.
RIAA has shown companies will widescale sue so your argument is suspect,
IM
>
>
>
>
Message
From: DeLong [mailto:owen (AT) delong (DOT) com]
Sent: Mon Dec 26 23:11:13 2005
To: Hannigan, Martin; Joseph Jackson
Cc: NANG
Subject: RE: Compromised machines liable for damage?

I've seen this argument time and again, and, the reality is that it is
absolutely
false.

In fact, it will do nothing but encourage freeware. Liability for a
product
generally doesn't exist until money changes hands. If you design a piece
of
equipment and post the drawings in the public domain, you are not liable
if someone builds it and harms themselves. You are liable if someone pays
you for the design, because, the money changing hands creates a "duty to
care".
of a "duty to care", the only opening for liability is if they
can prove that you failed to take some precaution that would be expected
of any "reasonably prudent" person.

So, liability for bad software and the consequences it creates would be
bad for the Micr0$0ft and of the world, but, generally, very good
for the Free Software movement. It might turn out to be bad for
organizations
like Cygnus and RedHat, but, that's more of a gray area.

As to the specific example cited

If no update has been released, in the case of Source, that's no
excuse.
You have the source, so, you don't have to wait for an update. In the
case
of closed software, then, I think manufacturer liability is a good thing
for the industry in general.

--
December 26, 2005 10:07:20 PM -0500 "Hannigan, Martin"
<hannigan (AT) verisign (DOT) comwrote:
>
>>
>>
>If you want to choke off freeware(gnu, et. Al), sure, go after them. I
>doubt the licensing agreement allows it though. (IANAL).
>>
>I think all you'd do is encourage people to write more music about
>'freeing the software'. I'd rather not be stricken in that fashion.
>>
>I think that angle is DA.
>>
>Martin
>>
>>
>Message
>From: Joseph Jackson [mailto:jjackson (AT) aninetworks (DOT) com]
>Sent: Mon Dec 26 03:13:02 2005
>To: Hannigan, Martin
>Cc: NANG
>Subject: RE: Compromised machines liable for damage?
>>
>What about the coders that write the buggy software in the first place?
>Don't they hold some of the responsibility also? IE I am running some
>webserver software that a bug is found in it. Attackers use that bug in
>the
>software to generate a DS attack against you from my machines. No
>update has been released for the software I am running and/or no warning
>as been released. You sue me I sue the coders. What a wonderful world.
>(I'm not for this but its another side of the issue.)
>>
>>
>>
>
>>
>From: owner-nanog (AT) merit (DOT) edu [mailto:owner-nanog (AT) merit (DOT) edu] Behalf
>Hannigan, Martin
>Sent: Sunday, December 25, 2005 9:22 PM
>To: Steven M. Bellovin
>Cc: Dave Pooser; NANG
>Subject: Re: Compromised machines liable for damage?
>>
>>
>>
>>
>>
>Yes, I agree. As usual, I too am 'IANAL'.
>>
>Marty
>>
>>
>>
>Message
>From: Steven M. Bellovin [mailto:smb (AT) cs (DOT) columbia.edu
><mailto:smb (AT) cs (DOT) columbia.edu]
>Sent: Sun Dec 25 23:52:27 2005
>To: Hannigan, Martin
>Cc: Dave Pooser; NANG
>Subject: Re: Compromised machines liable for damage?
>>
>In message
><@Dul1wnexmb04.vcorp.ad.vrsn.c
>om>, "Hannigan, Martin" writes:
>>

Dave, RIAA wins almost 100pct vs p2p'ers ir sues. Its an interesting =
dichotomy.

>>
>"Wins" is too strong a word, since I don't think any have gone to
>court -- see
>
><>
>as my source.
>>
>Besides, it's a very different situation. For my take on liability
>issues -- note that I'm not a lawyer, and note that this is from 1994
>-- see
><>
>>
>M. Bellovin, http://www.cs.columbia.edu/~smb
><http://www.cs.columbia.edu/~smb>
>>
>>
>>
>>
>
>
>