I agree that there should be some accountability there but the whole idea of more lawyers and lawsuits and judgments just makes me sick. The not so golden rule applies here: Cover your own butt.
Gabriel G.

----- Original Message -----
From: "Bryan Murdock" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, February 12, 2003 10:21 AM
Subject: Re: [uug] suing industries that don't patch

> Now, if I've paid hundreds or thousands of dollars for a software
> product, and it turns out that it has security holes in it, who is
> really liable for those security holes? I understand that patches are
> provided and they aren't that hard to apply, but are we ever going to
> hold the providers of these software products a little more liable?
> It seems to me that it's all too easy these days to rush a product out
> the door and plan on patching it later, never mind the inconvenience it
> causes all our customers.
>
> Bryan
>
> On Wed, 2003-02-12 at 10:08, Tim Blalock wrote:
> >
> > Anybody read this on SearchSecurity.com? I think that it's about time. I
> > spent the last two weeks patching computers from almost every business in my
> > home town. Apparently they think that it's ok that someone breaks into
> > their computer. They all told me "I don't have anything that they can
> > steal". Well, there's something, a zombie.
> > Tim Blalock
> > [EMAIL PROTECTED]
> >
> > <Beginning article>
> >
> > Patching negligence can get you sued
> >
> > By Michael S. Mimoso, News Editor
> > 12 Feb 2003, SearchSecurity.com
> >
> > MASHANTUCKET, Conn. -- Downstream liability sounds like a cable TV fishing
> > show gone awry. But it's something enterprises need to quickly become aware
> > of, especially in light of recent security incidents like the outbreak of
> > the SQL Slammer worm and the attack on the Internet's root DNS servers.
> >
> > Essentially, downstream liability is all about the liability an enterprise
> > could incur if its unsecured systems are used as part of a distributed
> > denial-of-service attack.
> >
> > The topic came up during this week's CyberCrime Conference & Exhibition,
> > where former Department of Justice cybercrime prosecutor Marc J. Zwillinger
> > of Sonnenschein, Nath & Rosenthal declared that, indeed, enterprises can be
> > liable for damages incurred during a DDoS attack.
> >
> > Zwillinger theorizes that breach of contract is no longer the only basis for
> > liability; now enterprises will be held accountable if they are negligent in
> > patching systems, for example. This is the commission of a tort, Zwillinger
> > said. Negligence is the crux of downstream liability, according to a paper
> > written by Scott C. Zimmerman, CISSP, a research associate with the Software
> > Engineering Institute at Carnegie Mellon University; Ron Plesco, director of
> > policy for the Pennsylvania state police; and Tim Rosenberg, president and
> > CEO of White Wolf Security.
> >
> > Negligence, meanwhile, consists of four parts, according to the law: duty,
> > breach, causation and harm. Zwillinger and Zimmerman said that all four are
> > closely linked and, in order to gain damages, a victim must demonstrate all
> > four.
> >
> > Duty, for example, is the reasonable expectation that an enterprise with IT
> > assets linked to the Internet keep its systems secure. "Does an owner of IT
> > assets on the Internet have a duty to keep his systems secure and not to be
> > used to hurt another? We believe the answer to this question is a resounding
> > yes," wrote Zimmerman, et al.
> >
> > A breach of duty is the failure to live up to that obligation. For example,
> > leaving unpatched systems exposed to the Internet and ripe for exploitation
> > would constitute a breach of duty. Next, a victim must prove this breach
> > caused the damages. Finally, the victim must demonstrate he suffered harm,
> > like loss of assets, loss of business opportunities, or damage to
> > reputation, Zwillinger said.
> >
> > Slammer took advantage of vulnerable Microsoft SQL Servers and generated
> > massive amounts of traffic that clogged Internet service providers and
> > backbones worldwide. Code Red and Nimda exploited holes in Microsoft
> > Internet Information Services (IIS) Web servers to bring the Internet to a
> > screeching halt in 2001. While Internet performance slowed to a crawl in all
> > three instances, businesses were also left inaccessible, at times resulting
> > in expensive downtime.
> >
> > Now that victims are justified in pursuing damages via lawsuits, they must
> > determine just who is liable, Zwillinger said.
> >
> > Zwillinger identified potential defendants: the perpetrator; the owners of
> > unsecured systems; Internet service providers; and the victim.
> >
> > The perpetrator, Zwillinger said, has violated the law [the Computer Fraud
> > and Abuse Act that covers DoS attacks, virus outbreaks, ping floods and
> > more]. But the difficulty in prosecuting the attacker is finding the person.
> > Often, the attacking computer does not belong to the attacker.
> >
> > That raises the specter of holding the owners of vulnerable systems liable.
> > They would not be liable under breach of contract because usually there is
> > no direct contact between this person and the victim. But they could be
> > guilty of committing a tort by being negligent in not patching systems.
> > Challenges here involve pursuing the owners of 100 systems involved in a
> > DDoS, for example. All 100 would have to be investigated, and a portion of
> > blame would have to be determined in each instance, Zwillinger said. "It's
> > daunting, but it's not a disincentive," he said.
> >
> > ISPs, on the other hand, would be liable by contract. There is a reasonable
> > expectation that service providers have measures in place to deny bad
> > traffic and keep customers online, Zwillinger said.
> >
> > Victims also could be held liable. In addition to pursuing damages, victims
> > could be forced to pay up if their systems are used to attack another.
> >
> > "It's time to recognize that this is a reality," Zwillinger said.
> > "Enterprises need to determine best practices, adhere to regulation [HIPAA,
> > Gramm-Leach-Bliley], hire consultants, adopt an incident response plan and
> > stay current on information security and evolve with it."
> >
> > ____________________
> > BYU Unix Users Group
> > http://uug.byu.edu/
> > ___________________________________________________________________
> > List Info: http://phantom.byu.edu/cgi-bin/mailman/listinfo/uug-list
