Even you can be hacked
Owen DeLong
owen at delong.com
Thu Jun 10 22:06:54 UTC 2004
> It would be great if there always was a negligent party, but there is
> not always one. If Widgets Inc.'s otherwise ultra-secure web server gets
> 0wn3d by a 0-day, there is no negligence[0]. Who eats it, Widgets Inc.
> or the ISP?
>
1. In Sean's example, clearly the customer was a negligent party.
2. If Widgets Inc. doesn't promptly disconnect their system from the
network upon notification of the problem, and/or fails to fix the
system before reconnecting it to the network, then they have become
a negligent party.
3. Although there's no real obligation for ISPs to do so, most that I
know will eat it on the customer's behalf until some reasonable
amount of time after they told the customer. That is exactly
what happened in the case Sean brought up, except, the ISP ate it
for far longer than reasonable.
> So how about this analogy: Someone breaks into my house and spends a few
> hours on the phone to Hong Kong. Who eats the bill, me or my LD carrier?
> Neither of us was negligent.
>
Well... When I had a similar situation, the phone company tried very hard to
tell me it was my problem. Finally, I found out what had happened, and
provided them with photographs of a person tapping into lines from the
junction on my pole and making phone calls. They did give me credit
at that point, but, it took a lot of convincing and I got lucky with a
camera.
> [0] Unless someone can prove the software flaw was sloppy enough that it
> constitutes negligence and goes after the software authors. Good luck with
> that.
Actually, I'd say that anyone who hasn't signed Micr0$0ft's EULA and is a
victim of the crap their software ends up spewing has a pretty good case
against them for negligence at this point, but, IANAL.
Owen
--
If this message was not signed with gpg key 0FE2AA3D, it's probably
a forgery.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 186 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20040610/c13a8828/attachment.sig>
More information about the NANOG
mailing list