On Mon, 26 Jul 1999, Bennett Todd wrote:
> 1999-07-26-16:59:41 Paul D. Robertson:
> > If it had been a hospital's internal network and I'd done the scan at a
> > time where a doctor needed access to a patient's last CAT scan detail over
> > a network, it could have been catastrophic. US case law varies between
> > liability for manufacturers, implementors and initiators, but in almost all
> > cases the initiator of the problem is held liable.
>
> Could well be. Suppose the switch in question had simply been positioned out
> on the curb, perhaps under an awning to keep the rain off --- and someone
> tripped over the plug. That would certainly be a case where you'd have trouble
> holding the initiator liable for consequences to patient health.

In a criminal suit definitely - unless the curb were on private property
where the tripper had no business being. In a civil suit, it would depend
on the particular circumstances.

> Seems to me, if you can fling strange (at a low protocol level) packets at a
> router that's critical for patient care, the person who designed that network
> oughta be sued for a good bit. I'd enjoy serving as expert witness for the
> persecution in such a suit.

Personally, I'd agree, along with the vendor who designed such trash.
However, that's not a reality in the current landscape, and it would be
fairly easy to show that in normal operation such packets don't occur and
place the onus on the packet generator in my non-legally qualified opinion.

I've spent the last few weeks drawing up quite a bit of blanket "John Doe"
work with the lawyers, going over boilerplate affidavits, and all the
precursors to jamming such suits into the court system should they become
necessary. On the civil side, things are seeming to follow a fairly
well-beaten path, right or wrong (and I have opinions that go on both
sides of any argument, but those opinions don't change the landscape of
the law. Also, my personal opinions are starting to vary quite widely
from my professional ones.) At this point, based on my understanding of
the federal and civil ground I've covered, I'd be _much_ happier defending
the network administrator than the scanner in a suit. I'd be equally
(un)happy trying to prosecute (persecute?) either, but I'd be more upbeat
about getting a conviction on the scanner.

> I'd regard using a packet filter, even a "stateful" one, as the protection
> between the internet and a patient care system right on par with setting up
> the routers for the system out by the sidewalk.

I'm pretty sure you already know where I stand on that score- however, the
legal argument of having provided protection would probably give the
administrator enough coverage from fault to carry the case, especially in
a jury trial with "expert" witnesses willing to testify to the tune of
the stateful inspection dance. Note that I make no assumptions about "best
common practice", which I think doesn't hold any legal ground (certainly
it doesn't in criminal liability cases, my guess and understanding of
my counsel's interpretation would be that it doesn't in civil ones
either.)

IANAL

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280