Bugtraq mailing list archives

RE: It takes two to tango


From: "John Howie" <JHowie () securitytoolkit com>
Date: Wed, 31 Jul 2002 13:30:51 -0700

Riad, et al,

You are ignoring a major difference between the software industry and
most other industries. The following applies to the US and most
jurisdictions.

The software vendor is selling you a license to use their product, not
the product itself. Their license requires you to agree to certain
conditions, including limited liability of the software company and
certain non-disclosure provisions. The software is copyrighted and
subject to copyright law. Your use of their product is an implicit
acceptance of their licensing conditions, and of copyright law.

If you find bugs or vulnerabilities in a software company's products you
have generally waived your rights to disclose that information in the
license agreement you implicitly agreed to. If you are using stolen, or
pirated, versions of the software when you make your disclosure known
you are subject to prosecution under copyright law. Some licenses could
allow a software manufacturer to sue an individual for losses if they
can prove a drop in license sales due to the disclosure. Under certain
circumstances you could be liable to prosecution under DMCA and other
legislation - legislation which is designed to enforce the rights of
copyright holders, not just the software industry.

In some jurisdictions you could be liable to prosecution under
anti-terrorism laws, if any disclosure you made is exploited and used to
harm life or property.

These are the laws. Like it or loathe it. If you really disagree with
vendors' licensing agreements, don't use their software. If you don't
like the law, petition your elected representative. It is only
relatively recently that the manufacturer of any defective product sold
(but not licensed) could be prosecuted for their negligence. Note that
under most jurisdictions there are options to prosecute companies who
are knowingly negligent and when their actions result in death, e.g.
Corporate Manslaughter. I am not aware of any software vendor prosecuted
under such a statute, though. To all those litigators out there - case
law is waiting to be written, and precedents set.

John Howie


-----Original Message-----
From: Riad S. Wahby [mailto:rsw () jfet org] 
Sent: Wednesday, July 31, 2002 12:19 PM
To: bugtraq () securityfocus com
Subject: Re: It takes two to tango

Chris Paget <ivegotta () tombom co uk> wrote:
> Does V still have the right to sue R?

Let's put this a different way:

Ford makes a car that seems to sell pretty well.  Unfortunately, it
has a fatal design flaw: if the car suffers a rear-end collision while
it's in third gear during a rainstorm at night while the moon is
waxing, the car explodes, killing its passengers.  Consumer Reports
discovers that this is the case and publishes a warning to its readers
concerning this car.  Ford is unable to reproduce the vulnerable
configuration and ignores the warning, assuming it's a hoax.

Two weeks later, a story breaks in the national news that a psychopath
has taken it upon himself to rear-end all Ford cars on rainy moonlit
nights.  So far, five people have died.

Who is responsible, Ford or Consumer Reports?  Do you think Ford could
successfully prosecute a lawsuit against Consumer Reports?

Extra credit: if you said "no" to the second question, but think V
should win a suit against R in Chris's hypothetical situation, please
explain how the two situations are so substantially different as to
result in completely opposite conclusions with regard to liability.

-- 
Riad Wahby
rsw () jfet org
MIT VI-2/A 2002
