Full Disclosure mailing list archives

Re: Responsibility

From: Sean Comeau <scomeau () cansecwest com>
Date: Tue, 23 May 2006 22:30:03 -0700

On Mon, May 22, 2006 at 08:05:47AM +1000, Greg wrote:

Large motel/hotel chain I recently acquired wants to sue previous company
who did their I.T. work for them as a customer's wifi connected machine
infected their network and caused loss of booking data thus money.

My question then is - if you have done the utmost to lock down your customer
but someone connects an infected machine and somehow it gets in, is the
customer right in suing you? Eg, like a car mechanic, you do the best but
you cannot be 100% sure that something else that was never a problem will
now cause a problem (such as a new exploit in our case that wasn't known
generally until 24 hours ago). Should you be sued at that point?


What was their backup strategy? How many records were lost? It could have been 
disk failure that caused loss of data. Who cares what the cause was. If they
signed an agreement with this IT company to perform regular backups to prevent 
loss of data and then, when data was accidently deleted, they find out there are 
no backups they should sue these guys to recover losses. Just like if you paid 
a mechanic to fix your breaks and you find out (the first time you get near the 
bottom of a steep hill) that he took your money, lied to you and just didn't 
bother to do the work. And that he neglected to do it knowing full well that 
cars often drive down hills and that if they are unable to stop damage to 
property and injury will almost certainly occur.

Basically, shit happens. Computers are unreliable. It is common knowledge,
even among non technical people such as accountants, that backups are needed. 
It is not common knowledge how often backups need to be done for a particular
business. That's for good IT managers/management companies to ask about and 
their employers/clients to choose their own risk on.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Responsibility Greg (May 21)
- Re: Responsibility Line Noise (May 21)
- Re: Responsibility Paul Schmehl (May 21)
  - Re: Responsibility Sol Invictus (May 22)
- Re: Responsibility <...> (May 23)
- Re: Responsibility Sean Comeau (May 23)
- <Possible follow-ups>
- RE: Responsibility Scott Forrest (May 25)
  - Re: Responsibility Michael Holstein (May 25)
- RE: Responsibility Scott Forrest (May 25)
  - Re: Responsibility Valdis . Kletnieks (May 25)
    - Re: Responsibility gboyce (May 25)