Bugtraq mailing list archives

Re: It takes two to tango

From: Chris Paget <ivegotta () tombom co uk>
Date: Wed, 31 Jul 2002 16:53:26 +0100

On Wed, 31 Jul 2002 11:15:27 -0400 (EDT), Greg A. Woods wrote:

[ On Wednesday, July 31, 2002 at 11:34:57 (+0100), Chris Paget wrote: ]

Subject: Re: It takes two to tango

Does V still have the right to sue R?


Absolutely not.  They were given more than fair notice.


According to the CNet article:

In HP's case, SnoSoft says that information made public last year
should have given the computer maker enough time to fix the problem. 

and

HP has known about the Tru64 vulnerability "for some time," SnoSoft's
Finisterre said, but never fixed the problem. An HP spokesman said he
did not know if a patch had been released.

Last year?  if >7 months isn't enough time to count as "fair notice"
then what is?  This was a new exploit for an old hole, demonstrating
that fair notice is irrelevant if the vendor doesn't like what's going
on.  That's what's frightening me - even if I follow widely recognised
industry best practices when releasing an advisory, I can still be
held personally liable if the vendor decides to invoke that magical
4-letter acronym - DMCA.

Yes, I'm in the UK, and could probably argue that the DMCA doesn't
apply to me.  But the EUCD is virtually identical, and would apply in
exactly the same way as the DMCA should the vendor choose to wield it.

Chris

-- 
Chris Paget
ivegotta () tombom co uk

 If vendors are made liable for
security holes, and those vendors have the right to sue the people who
find advisories and / or release exploits, then we'll be seeing
security researchers on the wrong end of multi-million dollar
lawsuits.


Only if the law fails to recognize the notice given by the discoverer to
the vendor.  Perhaps security researchers should begin using registered
mail to notify vendors.

It probably also means that those who feel vendors do not deserve fair
notice will (have to / continue to) resort to posting exploits anonymously.

IMHO, vendors SHOULD be responsible for security holes.  However,
before that can be done there needs to be some kind of law put in
place to protect the researchers who find the holes.


IANAL, but I would hope no new laws are necessary -- the recognition of
fair notice should be sufficient.

Current thread:

Re: It takes two to tango Riad S. Wahby (Jul 31)
- Re: It takes two to tango Derek D. Martin (Jul 31)
- it's all about timing Florin Andrei (Jul 31)
  - Re: [Full-Disclosure] it's all about timing John Scimone (Aug 01)
- <Possible follow-ups>
- RE: It takes two to tango Scott, Richard (Jul 31)
- Re: It takes two to tango Greg A. Woods (Jul 31)
  - Re: It takes two to tango Chris Paget (Jul 31)
- Re: It takes two to tango Tom Perrine (Jul 31)
- Re: It takes two to tango Branson Matheson (Jul 31)
- Re: It takes two to tango Kyle R. Hofmann (Jul 31)
- RE: It takes two to tango Mark L. Jackson (Jul 31)
- RE: It takes two to tango John Howie (Jul 31)
- Re: It takes two to tango Randy Hinders (Jul 31)
- Re: It takes two to tango Ltlw0lf (Aug 01)