> One of my clients is in discussion with their lawyers about the
> possibility of suing the owner of one of the cracked machines
> for negligence.
IANAL, only a mere EE, but here's MHO, FWIW. If I, or anyone with any
technical computer knowledge, sat on this jury, your client would
probably lose his case. The exception would be if this person put a
computer on the internet and advertised to others that the system was
available for illicit use - that would incur the sort of
responsibilities assigned to giving weapons to immature children with
obvious tendencies towards violence. Only the lawyers would be happy
in the end.
The reasoning is simple:
Any computer system can be broken into. Yes, that's right, any. It is
simply a matter of dedication and know-how. The degree with which it
is easy certainly varies. In general, anyone running a Linux-based
machine on the internet has taken a significant step towards improved
security without even knowing it. It requires a specific effort to
gain unauthorized access. There are other operating systems that are
much simpler to break into by (lack of) design. Anyone who breaks
into a Linux system, or even the poorly designed other systems, has
committed a grievous act. That they then use the ground they gained to
cause more pain for others is not the fault of the one broken into.
Say for example that someone managed to break into your system. Yes
you, like I, probably make a serious effort to guard your security.
Neither of us probably does that to keep people from attacking others
from our system - that's just a side benefit. We do that for purely
selfish reasons - to protect what is under our charge. However, say
your or my system was compromised, and attacks launched. Should we be
at fault? What if it was KGB trained crackers, smoking unfiltered
cigarettes, and carrying CZ-75's for effect - i.e. the pros from
Dover? Are we at fault if they crack us and then attack others?
My point is that there is no certification required to be on the
internet beyond not emitting a bit stream except when commanded to.
The goal of the society-minded computer scientist should be to make it
harder to break into systems anyway, regardless of where it's coming
from. The assumption should be made that any computer on the internet
is compromised from the moment that ifconfig responds. Draw the line
of protection around your own system, and spend otherwise litigious
energy improving the protection for all via education of others at the
least.
Might I make a suggestion to your client? Take the money it would
have cost for the court proceedings, and give it to one of the Linux
support agencies. Some portion of it will go toward improving
security by finding and fixing bugs that allow unauthorized access.
Just the ramblings of a geek, who occasionally lapses into believing
that the intent of laws is to encourage improvement of the lacking.
Regards,
Billy
-====---====---====---====---====---====---====---====---====---====---====-
to unsubscribe email "unsubscribe linux-admin" to [EMAIL PROTECTED]
See the linux-admin FAQ: http://www.kalug.lug.net/linux-admin-FAQ/