Forwarded from: Kurt Seifried <kurtat_private>

http://www.eweek.com/article2/0,3959,1054790,00.asp
http://english.chosun.com/w21data/html/news/200304/200304300025.html

I see several problems with this suit and suspect it will fail. It seems overly broad, and while it covers one primary event (the Slammer worm) it actually comprises a number of completely separate incidents/issues. It also leaves out several notable groups of potential defendants.

1) Users who actually had MS-SQL or MSDE installed (as it turns out this is a lot of products) and were infected by Slammer

1a) I have not seen the South Korean "Product Liability Act" but I assume it means you can only sue the person who sold you the product, or the original manufacturer (i.e. the end seller or Microsoft). I do not see how an ISP/government agency comes into this.

1b) For MSDE users, who is responsible? The vendor of the end software that uses MSDE, or Microsoft? This is not clear, as the vendor often includes MSDE in ways that do not allow it to be updated unless the vendor issues an update. This gives Microsoft a LOT of room to maneuver.

1c) Microsoft has consistently made it clear that products need to be patched; in the case of MS02-061: "Maximum Severity Rating: Critical"

1d) Improper use of affected products. It can easily be argued that people affected by the Slammer worm were negligent in the use and maintenance of the affected products. There are very few situations I can think of for legitimately opening up MS-SQL products to the Internet at large.

1e) A patch was available for many months from Microsoft, thus it can be argued that they exercised their duty to customers; it now falls upon customers and third party software vendors to ensure that the patch is installed and is compatible with software packages.

1f) Software license agreements and all that stuff we love to hate. I won't even touch this can of worms other than to mention it.
2) Customers of affected ISPs

2a) The issue in question here is what the Service Level Agreements and other contracts with the affected ISPs say. I suspect many ISPs include terms like "act of god", "customer negligence" and "circumstances outside of our control"; if this is the case then the case against them is greatly weakened.

2b) Was the disruption caused by the customer in question (i.e. the uplink was flooded) or by other customers (i.e. the downlink is flooded)? If it's the uplink then again the ISP has a lot of room to move.

3) Can losses be proven?

3a) In the case of an online store this is difficult, though it seems simple at first. Simply show graphs and statistics of online sales over the last week/month/year(s) and note a large dip at the time Slammer occurred. Easy, huh? But is that dip due to the online store not being available due to Slammer, or because many client systems were affected, i.e. dialup users/broadband users were sufficiently slowed down that they gave up on using the Internet that day and went outside or something?

3b) In the case of an online user this is difficult; they can claim that the Internet slowed to a halt, but how many will have useful evidence (such as traceroutes) to end sites to prove that it was their end? Simply reverse the online store defense and claim that the sites the user tried to access were heavily lagged and at fault, not the user's ISP. Proving "damages" occurred because you could not access the Internet is unlikely for most users.

This suit is especially messy in that it relies on laws not yet applied to such circumstances (i.e. it may be precedent setting) and also rests on a huge number of technical details (firewalls, patching, etc.). It will be interesting to see what happens (assuming it doesn't get quashed right away).
Kurt Seifried, kurtat_private
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn'
in the BODY of the mail.
This archive was generated by hypermail 2b30 : Wed May 07 2003 - 04:42:34 PDT