RE: Legal problem - IDS - Commercial Vs Open Source.
Can anyone tell me where I can get good cyber insurance?

-l0rt-

Disclaimer: Any resemblance between the above views and those of my employer, my terminal, or the view out my window are purely coincidental. Any resemblance between the above and my own views is non-deterministic. The question of the existence of views in the absence of anyone to hold them is left as an exercise for the reader. The question of the existence of the reader is left as an exercise for the second god coefficient. (A discussion of non-orthogonal, non-integral polytheism is beyond the scope of this article.)

On Tue, 29 Jan 2002, Matthew F. Caldwell wrote:

Get cyber insurance to cover the other risk factors of intrusion.

-----Original Message-----
From: Edward L. Jones [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 28, 2002 11:38 AM
To: Hall Duane; [EMAIL PROTECTED]
Subject: RE: Legal problem - IDS - Commercial Vs Open Source.

I have a BS in criminal justice (pre-law) and a master's in Information System Science, and I have never heard of a company suing an IDS vendor because the software did not catch the break-in. Your company would definitely set a precedent, and I am curious to see what the outcome would be if your company actually went to court with this. I would agree with your reply that the answer is NO, but here are a few points you should propose to your management.

1) Was the problem really that of the software, or was it human error in overlooking the incidents leading up to the intrusion, such as the recon phase, and finally failure to detect the actual intrusion?

2) In the purchase order, contract or agreement to buy the software, does it anywhere explicitly say that their IDS product protects you from all known and/or unknown attacks?

3) Finally, does your company really think another vendor will help them if word gets out in the industry that you guys sue for this type of stuff?

E.L. Jones
Network Security Engineer

-----Original Message-----
From: Hall, Duane [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 28, 2002 8:09 AM
To: [EMAIL PROTECTED]
Subject: Legal problem - IDS - Commercial Vs Open Source.

I have been a lurker on this mailing list for quite a while, so here it goes. I have come across an issue raised by management about IDS products. They are asking about the legal issues. For instance: if we have a break-in and are using a commercial IDS product and the IDS software doesn't catch it, do you have any legal recourse against the commercial product vendor? Can you sue them for not catching the intrusion? My thinking is NO. I'm sure the software license agreement takes care of this.

The same is asked if we decide to use an open source product, like Snort. I have said the same.

I tried to give an example, for instance Microsoft. If someone breaks into a Windows server, no one but the administrator is responsible. You can't sue Microsoft, because you didn't apply a patch or weren't watching the server.

Does anyone have any articles or case studies to support my thinking? Any help would be appreciated.

Duane Hall
Security Administrator
Hastings Entertainment, Inc.
806-351-2300 X-3945
[EMAIL PROTECTED]
Re: Legal problem - IDS - Commercial Vs Open Source.
What is in your licensing agreement?

Hall, Duane wrote:
[snip]
If we have a break-in and are using a commercial IDS product and the IDS software doesn't catch it, do you have any legal recourse against the commercial product vendor? Can you sue them for not catching the intrusion? My thinking is NO. I'm sure the software license agreement takes care of this.
[snip]

--
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566
RE: Legal problem - IDS - Commercial Vs Open Source.
I have a BS in criminal justice (pre-law) and a master's in Information System Science, and I have never heard of a company suing an IDS vendor because the software did not catch the break-in. Your company would definitely set a precedent, and I am curious to see what the outcome would be if your company actually went to court with this. I would agree with your reply that the answer is NO, but here are a few points you should propose to your management.

1) Was the problem really that of the software, or was it human error in overlooking the incidents leading up to the intrusion, such as the recon phase, and finally failure to detect the actual intrusion?

2) In the purchase order, contract or agreement to buy the software, does it anywhere explicitly say that their IDS product protects you from all known and/or unknown attacks?

3) Finally, does your company really think another vendor will help them if word gets out in the industry that you guys sue for this type of stuff?

E.L. Jones
Network Security Engineer

-----Original Message-----
From: Hall, Duane [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 28, 2002 8:09 AM
To: [EMAIL PROTECTED]
Subject: Legal problem - IDS - Commercial Vs Open Source.

[snip]
Re: Legal problem - IDS - Commercial Vs Open Source.
Hmm, I believe that almost WITHOUT EXCEPTION, ALL EULAs from any company I have ever done business with disclaimed liability on behalf of that company should their product not work in some way. Basically, the way I interpret it, whether it's the Microsoft OS EULA, GNU, or homegrown, NO company is responsible for ANYTHING. In other words, caveat emptor reigns supreme, and you should NEVER buy a car from Microsoft.

I think companies SHOULD be held accountable to some extent; the problem there is to what extent, and how do you prove it?

The only way to determine whether you have any legal recourse in the event of such an intrusion is to examine that company's EULA with a fine-tooth comb. Do they claim to provide any type of insurance? Do they have conditional clauses to these, such as "You must use X hardware devices, X OS (lol), X firewall product in order for your rights under this EULA to be applicable"? EULAs differ on a per-company and per-product basis; that is really the only place to answer this question at the moment.

--- Hall, Duane [EMAIL PROTECTED] wrote:
[snip]
RE: Legal problem - IDS - Commercial Vs Open Source.
ALL SOFTWARE, including free, GNU, commercial and open source, comes with NO WARRANTY licenses, except in some very rare and special cases. You'll not be able to sue anybody. That's my point.

Absolutely yours,
Ivan Hernandez

   .~.
   /V\     Free science and free software are just two aspects
  // \\    of the same complex reality: long-term human survival.
 /( )\     Support humankind--use LINUX.
  ^^-^^

-----Original Message-----
From: Edward L. Jones [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 28, 2002 1:38 PM
To: Hall Duane; [EMAIL PROTECTED]
Subject: RE: Legal problem - IDS - Commercial Vs Open Source.

[snip]

-----Original Message-----
From: Hall, Duane [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 28, 2002 8:09 AM
To: [EMAIL PROTECTED]
Subject: Legal problem - IDS - Commercial Vs Open Source.

[snip]
RE: Legal problem - IDS - Commercial Vs Open Source.
We have met the enemy, and he is us.

One word: Disclaimer.

All commercial products will have a disclaimer stating they are not responsible for any breaches in security. In addition, freeware products will have an AS-IS, no implied guarantee or warranty disclaimer. Essentially, unless you have a security provider with a contract that indicates responsibility, the people responsible are you.

M. Dante Mercurio, CCNA, MCSE+I, CCSA
Consulting Services Manager
Continental Consulting Group, LLC
http://www.ccgsecurity.com
[EMAIL PROTECTED]

-----Original Message-----
From: Hall, Duane [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 28, 2002 11:09 AM
To: [EMAIL PROTECTED]
Subject: Legal problem - IDS - Commercial Vs Open Source.

[snip]
RE: Legal problem - IDS - Commercial Vs Open Source.
Get cyber insurance to cover the other risk factors of intrusion.

-----Original Message-----
From: Edward L. Jones [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 28, 2002 11:38 AM
To: Hall Duane; [EMAIL PROTECTED]
Subject: RE: Legal problem - IDS - Commercial Vs Open Source.

[snip]

-----Original Message-----
From: Hall, Duane [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 28, 2002 8:09 AM
To: [EMAIL PROTECTED]
Subject: Legal problem - IDS - Commercial Vs Open Source.

[snip]