I've been looking at them for years, and so has FX; both of us will be
giving talks at DEFCON this year (and no, unlike Gobbles, I'll be paying
my own way this year and don't need anyone else's help.) Epson is
terrible at dealing with vulnerabilities in their systems, and so are
the others.
ite
Desktop Systems Administrator
-Original Message-
From: Riad S. Wahby [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 1 August 2002 3:19 AM
To: [EMAIL PROTECTED]
Subject: Re: It takes two to tango
Chris Paget <[EMAIL PROTECTED]> wrote:
> Does V still have the right to sue
As much as it pains me to say this, I feel I must (for sake of argument).
There is an assumed risk in using any product. The different analogies that
people are coming up with are ludicrous. Given the current political and
prejudice* situations, litigation in the courts is not the way to go.
, and precedents set.
John Howie
-Original Message-
From: Riad S. Wahby [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 31, 2002 12:19 PM
To: [EMAIL PROTECTED]
Subject: Re: It takes two to tango
Chris Paget <[EMAIL PROTECTED]> wrote:
> Does V still have the right to sue R?
L
// I just read the article at News.com
// (http://news.com.com/2100-1023-947325.html?tag=fd_top) about the
// controversy between HP and Snosoft. It seems that HP is upset that
// details of a dangerous security hole in the HP Tru64
... and why not? This has put all their customers at risk.
On Wed, 31 Jul 2002 11:34:57 +0100, Chris Paget wrote:
> IMHO, vendors SHOULD be responsible for security holes.
What, precisely, do you mean by "responsible"? Do you mean "monetary liable"?
Suppose I find a remotely exploitable flaw in a major open source project,
such as BIND or sendmail or A
As much as corporate liability makes sense, I doubt it will ever come to
fruition. I think it will be near impossible to prove "negligence." It
will be a matter of interpreting the raw code and showing that the
programmers intentionally cut corners. That won't be an easy thing to
prove.
Chris
On Wed, 2002-07-31 at 10:48, Jose Nazario wrote:
> > 4) R attempts communication several times over the next 90 days, but
> > never receives a response.
>
> if the researcher doesn't attempt to work with an established third party
> (ie CERT, SecurityFocus) to get this contact made, they are ac
> On Wed, 31 Jul 2002 11:34:57 +0100, Chris Paget <[EMAIL PROTECTED]> said:
CP>
>> "Ferson also said that HP reserves
>> the right to sue SnoSoft and its members "for monies
>> and damages caused by the posting and any use of the
>> buffer overflow exploit."
CP> Thi
EMAIL PROTECTED]]
Sent: Wednesday, July 31, 2002 3:35 AM
To: Richard M. Smith; [EMAIL PROTECTED]
Subject: Re: It takes two to tango
>"Ferson also said that HP reserves
>the right to sue SnoSoft and its members "for monies
>and damages caused by the posting and any use
[ On Wednesday, July 31, 2002 at 11:34:57 (+0100), Chris Paget wrote: ]
> Subject: Re: It takes two to tango
>
> Does V still have the right to sue R?
Absolutely not. They were given more than fair notice.
> If vendors are made liable for
> security holes, and those vendors ha
On Wed, 31 Jul 2002 11:15:27 -0400 (EDT), Greg A. Woods wrote:
>[ On Wednesday, July 31, 2002 at 11:34:57 (+0100), Chris Paget wrote: ]
>> Subject: Re: It takes two to tango
>>
>> Does V still have the right to sue R?
>
>Absolutely not. They were given more than fai
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
At some point hitherto, Riad S. Wahby hath spake thusly:
> Two weeks later, a story breaks in the national news that a psychopath
> has taken it upon himself to rear-end all Ford cars on rainy moonlit
> nights. So far, five people have died.
>
> Who
There are some interesting issues being raised:
1) Researcher R finds a security hole in vendor V's product.
2) R attempts to contact V to reveal the bug.
3) V does not respond.
4) R attempts communication several times over the next 90 days, but
never receives a response.
5) R releases an
Chris Paget <[EMAIL PROTECTED]> wrote:
> Does V still have the right to sue R?
Let's put this a different way:
Ford makes a car that seems to sell pretty well. Unfortunately, it
has a fatal design flaw: if the car suffers a rear-end collision while
it's in third gear during a rainstorm at night
I agree fully with what both of you have to say, and I have another
point to bring up. If companies like HP or Microsoft can put in their
license, terms which remove all liability of themselves for damage
caused security in their products or general defects, and this stands
up in court (and a
> Hi,
>
> I just read the article at News.com
> (http://news.com.com/2100-1023-947325.html?tag=fd_top) about the
> controversy between HP and Snosoft. It seems that HP is upset that
> details of a dangerous security hole in the HP Tru64 operating system
> were published by "Phased", a security re
to continue the "it takes two to tango" metaphor, i will say the following
(inline):
On Wed, 31 Jul 2002, Chris Paget wrote:
> 2) R attempts to contact V to reveal the bug.
> 3) V does not respond.
this is the fault of the vendor for not having a well known and publicized
c
>"Ferson also said that HP reserves
>the right to sue SnoSoft and its members "for monies
>and damages caused by the posting and any use of the
>buffer overflow exploit."
This raises a very interesting point. Bruce Schneier has stated
publicly that he believes vendors should b
Hi,
I just read the article at News.com
(http://news.com.com/2100-1023-947325.html?tag=fd_top) about the
controversy between HP and Snosoft. It seems that HP is upset that
details of a dangerous security hole in the HP Tru64 operating system
were published by "Phased", a security researcher with