Re: Even you can be hacked

[Owen DeLong <owen () delong com>]

> It would be great if there always was a negligent party, but there is
> not always one. If Widgets Inc.'s otherwise ultra-secure web server gets
> 0wn3d by a 0-day, there is no negligence[0]. Who eats it, Widgets Inc.
> or the ISP?
1.      In Sean's example, clearly the customer was a negligent party.

2.      If Widgets Inc. doesn't promptly disconnect their system from the
        network upon notification of the problem, and/or fails to fix the
        system before reconnecting it to the network, then they have become
        a negligent party.

3.      Although there's no real obligation for ISPs to do so, most that I
        know will eat it on the customer's behalf until some reasonable
        amount of time after they told the customer.  That is exactly
        what happened in the case Sean brought up, except, the ISP ate it
        for far longer than reasonable.

> So how about this analogy: Someone breaks into my house and spends a few
> hours on the phone to Hong Kong. Who eats the bill, me or my LD carrier?
> Neither of us was negligent.
Well... When I had a similar situation, the phone company tried very hard to
tell me it was my problem.  Finally, I found out what had happened, and
provided them with photographs of a person tapping into lines from the
junction on my pole and making phone calls.  They did give me credit
at that point, but, it took a lot of convincing and I got lucky with a
camera.

> [0] Unless someone can prove the software flaw was sloppy enough that it
> constitutes negligence and goes after the software authors. Good luck with
> that.

Actually, I'd say that anyone who hasn't signed Micr0$0ft's EULA and is a
victim of the crap their software ends up spewing has a pretty good case
against them for negligence at this point, but, IANAL.

Owen

--
If this message was not signed with gpg key 0FE2AA3D, it's probably
a forgery.

Attachment: _bin
Description: