Wednesday, November 25, 2009

Tort Law on Negligence

If any lawyers want to contribute to this, please do. In my post Shodan: Another Step Towards Intrusion as a Service, some comments claim "negligence" as a reason why intruders aren't really to blame. I thought I would share this case from Tort Law, page 63:

In Stansbie v Troman [1948] 2 All ER 48 the claimant, a householder, employed the defendant, a painter. The claimant had to be absent from his house for a while and he left the defendant working there alone. Later, the defendant went out for two hours leaving the front door unlocked. He had been warned by the claimant to lock the door whenever he left the house.

While the house was empty someone entered it by the unlocked front door and stole some of the claimant's possessions. The defendant was held liable for the claimant's loss for, although the criminal action of a third party was involved, the possibility of theft from an unlocked house was one which should have occurred to the defendant.


So, the painter was liable. However, that doesn't let the thief off the hook. If the police find the thief, they will still arrest, prosecute, and incarcerate him. The painter won't serve part of the thief's jail time, even though the painter was held liable in this case. So, even in the best-case scenario for those claiming "negligence" for vulnerable systems, it doesn't diminish the intruder's role in the crime.

7 comments:

Anonymous said...

Straw man. No one is saying it's not the attacker's fault that someone got attacked. The thief is still the thief. But an admin who puts telnet servers on the Internet with no password should be liable, just like the painter was liable in your example.

Richard Bejtlich said...

Not a straw man. I think I just moved the ball forward to have someone admit that.

Porter said...

Rich, you're absolutely right. I read yesterday on the Shodan blog post that "it is very easy to blame the attacker when the victim failed to carry out due diligence to protect themselves."

Easy to blame the attacker? It should always be easy to blame the attacker! They are the ones who did it!

It appears to me that it's easier to blame the victim. The admin didn't do this, the admin didn't do that, so they were "asking for it."

Using the house analogy, protecting a house is much simpler, right? You only have a few entrances, windows, maybe a garage etc...

In an "Enterprise" house, you have a constantly changing structure. New doors are constructed, new windows are added, and all the while there's an underground railroad running through the basement. The enterprise house is an amoeba, a shape-shifter, constantly changing. And because there is no such thing as 100% security, how can someone be expected to make it so under conditions such as these?

Now certainly if there is direct proven negligence, there should be consequences. But security engineering hasn't reached the maturity of, let's say civil engineering.

In civil engineering, a bridge builder must be licensed and has liability if they build a faulty bridge. A bridge is constantly under attack (from the elements and cars driving across them) and the Earth underneath them is moving as well. However, it doesn't change shape at the same rate as an enterprise.

Anonymous said...

Take your argument and turn it slightly..

You leave your house unlocked when you leave to run to the store. When you come back your stereo is gone. In this case, who can be charged with negligence? Who is the wronged party due to the negligent act? Surely the state is inconvenienced, even injured, by your actions? You knew, or reasonably should have known, that your actions placed you at risk....

The argument doesn't hold...

I'll let the lawyers talk about the civil vs. tort aspects.

AppSec said...

Always Remember.. OJ was not found guilty in a criminal court, yet he was taken to task in civil court.

An individual is not going to sue themselves for negligence. The issue would be taken with the insurance company.

I'm not sure tort law would matter in this case.

jcg said...

disagree with the "Enterprise" house comment - "how can someone be expected to make it [secure] under conditions such as these?". if the value of the contents of the house is high (as you would expect of an enterprise house), then why are you adding new windows and doors without giving any thought to how to do so in a way that maintains the security of the enterprise/house? you wouldn't ask a contractor to add an addition to the house, but not think about the locks to the addition or the locks from the addition to the main house. you would want those to be secure from the beginning. the fact that we don't think about this in computer security "because it's hard" is negligence at its worst.
