[71208] in North American Network Operators' Group
Re: Even you can be hacked
daemon@ATHENA.MIT.EDU (Owen DeLong)
Thu Jun 10 18:09:40 2004
Date: Thu, 10 Jun 2004 15:06:54 -0700
From: Owen DeLong <owen@delong.com>
To: Crist Clark <crist.clark@globalstar.com>, nanog@merit.edu
In-Reply-To: <40C8D87F.5080704@globalstar.com>
Errors-To: owner-nanog-outgoing@merit.edu
--==========3DCB2A917BD99FFC8F7F==========
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
> It would be great if there always was a negligent party, but there is
> not always one. If Widgets Inc.'s otherwise ultra-secure web server gets
> 0wn3d by a 0-day, there is no negligence[0]. Who eats it, Widgets Inc.
> or the ISP?
>
1. In Sean's example, clearly the customer was a negligent party.
2. If Widgets Inc. doesn't promptly disconnect their system from the
network upon notification of the problem, and/or fails to fix the
system before reconnecting it to the network, then they have become
a negligent party.
3. Although there's no real obligation for ISPs to do so, most that I
know will eat it on the customer's behalf until some reasonable
amount of time after they told the customer. That is exactly
what happened in the case Sean brought up, except, the ISP ate it
for far longer than reasonable.
> So how about this analogy: Someone breaks into my house and spends a few
> hours on the phone to Hong Kong. Who eats the bill, me or my LD carrier?
> Neither of us was negligent.
>
Well... When I had a similar situation, the phone company tried very hard =
to
tell me it was my problem. Finally, I found out what had happened, and
provided them with photographs of a person tapping into lines from the
junction on my pole and making phone calls. They did give me credit
at that point, but, it took a lot of convincing and I got lucky with a
camera.
> [0] Unless someone can prove the software flaw was sloppy enough that it
> constitutes negligence and goes after the software authors. Good luck =
with
> that.
Actually, I'd say that anyone who hasn't signed Micr0$0ft's EULA and is a
victim of the crap their software ends up spewing has a pretty good case
against them for negligence at this point, but, IANAL.
Owen
--=20
If this message was not signed with gpg key 0FE2AA3D, it's probably
a forgery.
--==========3DCB2A917BD99FFC8F7F==========
Content-Type: application/pgp-signature
Content-Transfer-Encoding: 7bit
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)
iD8DBQFAyNt/n5zKWQ/iqj0RArg5AKCYNMfe0VamqKykImFxvAHr+6AjkQCghLhT
IymeXfvBk6OKYKOLM3qQU9o=
=8qYl
-----END PGP SIGNATURE-----
--==========3DCB2A917BD99FFC8F7F==========--
