I would go even further...

"Since the owner of a system has no responsibility for the actions of a worm, or any malicious process, that runs without their knowledge, I submit that they also have no rights to the process. No responsibility means no rights." Good, except that the user does not own the software being used in the attack - they only "license" it (lease it, borrow it, etc).

Most EULAs contain disclaimers that the software is provided 'as is' and that it may not suit your purpose, and that it may or may not work, etc, etc, etc. Where is the responsibility here? Other industries, such as the automotive industry, have clear definitions of rights and responsibilities written into LAW.

Also, most 'western' countries have laws relating to contracts between parties who are "equal"; meaning that a contract cannot be enforced where one party has significant technical, financial, or other benefit over the other party. How does this apply in EULAs, where many end users have no idea how the software even does what it is supposed to do let-alone the technical and other ramifications of any vulnerabilities that it may contain?

You cannot make the end user responsible for something that a) they don't own, and b) they don't control. Instead make the 'owner', ie the software company, responsible and even make them liable for these problems.

Shutting down another system/application/whatever simply because it is attacking you will simply create DoS wars, you will not solve the problem because you will become part of the problem.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/134/17686#17686