[1220] in bugtraq
Re: bug-testing identd NOT available here
daemon@ATHENA.MIT.EDU (Robert Harker)
Fri Mar 10 01:37:22 1995
Date: Thu, 9 Mar 95 17:40:41 PST
From: harker@harker.com (Robert Harker)
To: hobbit@avian.org
Cc: bugtraq@fc.net, firewalls@GreatCircle.COM
> It would set a REALLY BAD precedent if the legal system decided that people
> attempting to help fix bugs were to be tarred with the same brush as those
> trying to exploit them. Think carefully about this.
I hate to say it, but there is a legal precedent in regards to this.
Caution: I am not a lawyer and may have some of the terms wrong.
If you have questions, please consult a lawyer for clarification.
It is based on common law and is a tort liability.
This is described in the document:
csrc.ncsl.nist.gov:/secpubs/stewart.ps
From the index:
stewart.ps 11-08-92 Potential Liabilities of Computer Security
Response Centers - PostScript only
To quote from the document about tort liability:
"There is no general common-law duty to rescue a stranger in distress
even if the rescue can be accomplished at no cost to the rescuer...
But if you do begin to rescue someone, you must complete the rescue in
a nonnegligent fashion even though you had no duty of rescue in the
first place"
The document goes on to state:
"Section 323 of the "Restatement of Torts" provides that:
One who undertakes, gratuitously or for consideration, to render
services to another which he should recognize as necessary for the
protection of the other's person or things, is subject to liability
to the other for physical harm resulting from his failure to
exercise reasonable care to perform his undertaking, if
(a) his failure to exercise care increases the risk of such harm, or
(b) the harm is suffered because of the other's reliance upon the
undertaking"
An example of how this might be applied is that if I see a person bleeding
to death and walk on by, I cannot be held liable or negligent if the person
dies. But if I stop and provide aid, but do not apply everything I learned
about first aid 20 years ago, and the person dies, then the victim's family
can sue me for negligence in the victim's death. They may not win in court,
but the court would find that the suit has merit and would proceed with it.
This is the basis for the very unpopular policies that CERT uses when it
releases a security alert (please do not discuss problems with CERT; after
reading this document, I am amazed that CERT publishes anything at all).
Apologies in advance if people do not find this directly related to firewalls
or security bug tracking, but I found the document to be a very eye-opening
document.
Again, I am not a lawyer. If you have questions, please consult a lawyer.
RLH
> For info about our Sendmail Made Simple and Advanced Sendmail classes and <
> a schedule of dates and locations, please send email to info@harker.com <
Robert Harker Harker Systems
Sendmail and TCP/IP Network Training 1180 Hester Ave
Network and Sysadmin Consulting San Jose, CA 95126
harker@harker.com 408-295-9432