<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN"> <HTML> <HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8"> <META NAME="GENERATOR" CONTENT="GtkHTML/3.12.3"> </HEAD> <BODY> On Tue, 2007-05-29 at 21:14 -0400, Patrick wrote: <BLOCKQUOTE TYPE=CITE> <PRE> jdow wrote: > And the first time a Fedora Core release is hacked Red Hat goes out of > business. Is this your goal? (Mind you, there are days when I have > uttered enough unkind words Fedora-wards that I'd applaud the concept. > Note, there are not as many such days as there are days I've felt the > urge to disembowel somebody on the Microsoft campus - which would be > too kind for some of them such as the doofus who invented "Clippy.") > > {^_-} I tend to think that if Red Hat is selling a distribution; then yes, they are liable just like Microsoft would be. If they are just selling support for a free distribution; then no, they would not be liable for anything they did not service. The end user should be liable for the software their machine is running unless it can be proven to be a problem which they could not be reasonably expected to know about. For instance, using the popular car analogy: if I buy a car from Ford and I keep it in the stock condition, then they are responsible for it working as it should. If I do not maintain it properly, then I can be held partially or fully responsible for an accident resulting from a problem with the vehicle. The court would have to assign the percentage of blame depending on how well I maintained the vehicle and if it had anything to do with the accident. However, if I modify the car from stock; then I become responsible for the modifications if they contribute to an accident. If I bought a kit, then I can also get the court to assign blame fully or a percentage depending on if I correctly followed the installation instructions. If I buy a Windows product and leave it totally stock, then I cannot be held responsible for problems with it. If Microsoft notifies me of a problem with the software and I ignore it, then I can be held partially or fully responsible (depending on what the court finds). If I install other software on the computer, then I assume responsibility unless I can show that the third-party was negligent in troubleshooting the software. Under those circumstances they can be assigned partial or full blame in the matter (depending on their user agreement). If I get a Linux distribution for free and agree to a user agreement which states that I am fully responsible for anything bad happening to the computer, then I should be held responsible for any problems it could create. If I do not want that responsibility, then I should not install the software and just stick with a stock Microsoft (or other vendor's) product. Just my thoughts. They could be subject to revision should a good argument present itself. :-) </PRE> </BLOCKQUOTE> One thing missing in this discussion is the scale of costs. No individual, outside of maybe Bill Gates could begin to repay for the damage caused by a rogue computer spreading a virus. Nor can one individual be even considered of being capable of patching a flaw in a piece of readily available software of proprietary nature (remember that "reverse engineering" is banned by most user license agreements.) So lets say you get a law passed that puts the onus on an individual. You get hacked, and the hacker uses a bit of code inside your system to "spiff up" his latest virus/worm program. Your name is in the code (courtesy of the memory map when your bit was built). Now that code breaks out and infects 200,000 systems, bringing them to their knees. You had all the good AV stuff installed, the system had a firewall, but this particular hacker managed to slip by, say by a reflection attack, posting a worm into your network layer, and recording itself on your printer's flash. Now even rebooting, even formatting the disk will not completely remove the infestation. You get on the next day and poof, it launches again from the printer. Now the worm works itself into a financial network, brining it to its knees. Only four systems were infected, but one of those contained customer records. Now what? What should the owner be charged with? How much should he pay when the second round damages are totaled and reach say 100Megabucks. Think about it. What would you do? Regards, Les H </BODY> </HTML>