Dailydave mailing list archives

Re: HP getting sued


From: Charisse Castagnoli <charisse () charissec com>
Date: Thu, 8 Dec 2011 10:53:59 -0600

Wow - that is a creative lawyer (or a bored or not billable one).
Not sure this line of liability will work, since likely all the users signed a license agreement when they bought the printer that limits their remedy. And unfair business practices are really designed to be used by competitors, not consumers.

Also, the Supreme Court has ruled that potential disclosure of PII is a "future harm that the court cannot address".

Thanks for pointing this out; I will definitely follow the case as it develops.

charisse
(a former attorney)




On Dec 7, 2011, at 1:26 AM, Carl-Johan Bostorp wrote:

So it looks like HP is getting sued in a class action lawsuit over the firmware upgrade “potential security vulnerability”. It’s claimed that HP knew about the vulnerability but failed to disclose it, and this constitutes an “unfair” business act.
https://docs.google.com/gview?url=http://docs.justia.com/cases/federal/district-courts/california/candce/5:2011cv05779/248220/1/0.pdf?1322863230&chrome=true

This is the first case I’ve heard of where this happens. Will be really interesting to see what happens. With any luck, vendors will have to at least disclose the shit they choose not to fix.
http://www.digitalbond.com/2011/11/08/advantech-webaccess-first-on-insecure-products-list/
… but then again, there are gradients here that can be difficult to rule on.
 
How much would a vendor have to disclose of vulnerabilities known but not fixed? Do they get any grace period on fixing these vulnerabilities, or must they be made public as soon as they know *anything*? Or is it just when they decide not to fix it? If so, can we then expect vendors to have vulnerabilities rated as “undetermined” for years? Maybe a 6-month grace period from vendor notification to people starting to sue? What about the severity of the vulnerability?
 
What do you think is reasonable?
 
Carl-Johan Bostorp 
Senior Consultant
CISSP / QSA
 
Cybercom Sweden East AB
Lindhagensgatan 126,  Box 30154   SE-104 25  Stockholm
Mobile +46 722 328 220 
Phone +46 8 726 75 00   Fax +46 8 19 33 22
carl-johan.bostorp () cybercom com     www.cybercomgroup.com
Think before you print
 
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave

Charisse Castagnoli
charisse () charissec com
