Dailydave mailing list archives
Re: HP getting sued
From: Charisse Castagnoli <charisse () charissec com>
Date: Thu, 8 Dec 2011 10:53:59 -0600
Wow - that is a creative lawyer (or a bored or not billable one) Not sure this line of liability will work since likely all the users signed a license agreement when they bought the printer that limits their remedy. And unfair business practices are really designed to be used by competitors not consumers. Also the supreme court has ruled that potential disclosure of PII is a "future harm that the court can not address" thanks for pointing this out I will definitely follow the case as it develops. charisse (a former attorney) On Dec 7, 2011, at 1:26 AM, Carl-Johan Bostorp wrote:
So it looks like HP is getting sued in a class action lawsuit over the firmware upgrade “potential security vulnerability”. It’s claimed that HP knew about the vulnerability, but failed to disclose it, and this constitutes an “unfair” business act. https://docs.google.com/gview?url=http://docs.justia.com/cases/federal/district-courts/california/candce/5:2011cv05779/248220/1/0.pdf?1322863230&chrome=true This is the first case I’ve heard of where this happens. Will be really interesting to see what happens. With any luck, vendors will have to at least disclose the shit they choose not to fix.http://www.digitalbond.com/2011/11/08/advantech-webaccess-first-on-insecure-products-list/ … but then again, there are gradients here that can be difficult to rule. How much would a vendor have to disclose of vulnerabilities known but not fixed? Do they get any grace period on fixing these vulnerabilities, or must they be made public as soon as they know *anything* ? Or is it just when they decided not to fix it? If so, can we then expect vendors to have vulnerabilities rated as “undetermined” for years? Maybe a 6 months grace period from vendor notification to people starting to sue? What about severity of vulnerability? What do you think is reasonable? Carl-Johan Bostorp Senior Consultant CISSP / QSA Cybercom Sweden East AB Lindhagensgatan 126, Box 30154 SE-104 25 Stockholm Mobile +46 722 328 220 Phone +46 8 726 75 00 Fax +46 8 19 33 22 carl-johan.bostorp () cybercom com www.cybercomgroup.com P Think before you print _______________________________________________ Dailydave mailing list Dailydave () lists immunityinc com https://lists.immunityinc.com/mailman/listinfo/dailydave
Charisse Castagnoli charisse () charissec com
_______________________________________________ Dailydave mailing list Dailydave () lists immunityinc com https://lists.immunityinc.com/mailman/listinfo/dailydave
Current thread:
- HP getting sued Carl-Johan Bostorp (Dec 08)
- Re: HP getting sued Charisse Castagnoli (Dec 08)
- Re: HP getting sued Jeffrey Walton (Dec 08)