Xref: utzoo gnu.misc.discuss:3288 comp.org.eff.talk:2485
Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!uunet!zaphod.mps.ohio-state.edu!think.com!barmar
From: barmar@think.com (Barry Margolin)
Newsgroups: gnu.misc.discuss,comp.org.eff.talk
Subject: Re: Software vendor liability/culpability
Message-ID: <1991May31.211748.21897@Think.COM>
Date: 31 May 91 21:17:48 GMT
References: <1991May31.073704.4847@elroy.jpl.nasa.gov> <1991May31.132152.10113@cs.utk.edu>
Sender: news@Think.COM
Reply-To: barmar@think.com
Organization: Thinking Machines Corporation, Cambridge MA, USA
Lines: 28

In article <1991May31.132152.10113@cs.utk.edu> Dave Sill writes:
>In article <1991May31.073704.4847@elroy.jpl.nasa.gov>, earle@elroy.jpl.nasa.gov (Greg Earle (Sun Software)) writes:
>>
>>The bottom line: in such a circumstance, is company XYZ liable for damages
>>caused as a direct/indirect result of the security hole opened due to the
>>installation of their product?
>
>Yes, unless they have taken reasonable action to notify the installer
>of potentially harmful side effects.

Intuitively, this seems correct. I'm not sure if it's true under the law,
though (take my comments with a grain of salt, as I'm not a lawyer).

Much software comes with warranties that disclaim liability for damages due
to use of the product. Often, the best they will warrant is that the
software behaves as specified in the documentation; unless the documentation
says that the software *doesn't* change the protection on security-relevant
files, they can claim that this behavior is in spec.

On the other hand, there are many "implied" warranties that are often in
force. The customer could probably claim that they assume that software does
not intentionally go around opening huge security holes without mentioning
it in the documentation. In other words, the vendor is expected to be
reasonable.

--
Barry Margolin, Thinking Machines Corp.

barmar@think.com
{uunet,harvard}!think!barmar