Re: It takes two to tango

From: Chris Paget (ivegottaat_private)
Date: Wed Jul 31 2002 - 08:53:26 PDT

Next message: Greg A. Woods: "Re: It takes two to tango"

Previous message: Derek D. Martin: "Re: It takes two to tango"
Next in thread: Gibby McCaleb: "RE: It takes two to tango (or samba for that matter)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 31 Jul 2002 11:15:27 -0400 (EDT), Greg A. Woods wrote:

>[ On Wednesday, July 31, 2002 at 11:34:57 (+0100), Chris Paget wrote: ]
>> Subject: Re: It takes two to tango
>>
>> Does V still have the right to sue R?
>
>Absolutely not.  They were given more than fair notice.

According to the CNet article:

In HP's case, SnoSoft says that information made public last year
should have given the computer maker enough time to fix the problem. 

and

HP has known about the Tru64 vulnerability "for some time," SnoSoft's
Finisterre said, but never fixed the problem. An HP spokesman said he
did not know if a patch had been released.

Last year?  if >7 months isn't enough time to count as "fair notice"
then what is?  This was a new exploit for an old hole, demonstrating
that fair notice is irrelevant if the vendor doesn't like what's going
on.  That's what's frightening me - even if I follow widely recognised
industry best practices when releasing an advisory, I can still be
held personally liable if the vendor decides to invoke that magical
4-letter acronym - DMCA.

Yes, I'm in the UK, and could probably argue that the DMCA doesn't
apply to me.  But the EUCD is virtually identical, and would apply in
exactly the same way as the DMCA should the vendor choose to wield it.

Chris

-- 
Chris Paget
ivegottaat_private

>
>>  If vendors are made liable for
>> security holes, and those vendors have the right to sue the people who
>> find advisories and / or release exploits, then we'll be seeing
>> security researchers on the wrong end of multi-million dollar
>> lawsuits.
>
>Only if the law fails to recognize the notice given by the discoverer to
>the vendor.  Perhaps security researchers should begin using registered
>mail to notify vendors.
>
>It probably also means that those who feel vendors do not deserve fair
>notice will (have to / continue to) resort to posting exploits anonymously.
>
>> IMHO, vendors SHOULD be responsible for security holes.  However,
>> before that can be done there needs to be some kind of law put in
>> place to protect the researchers who find the holes.
>
>IANAL, but I would hope no new laws are necessary -- the recognition of
>fair notice should be sufficient.

Next message: Greg A. Woods: "Re: It takes two to tango"
Previous message: Derek D. Martin: "Re: It takes two to tango"
Next in thread: Gibby McCaleb: "RE: It takes two to tango (or samba for that matter)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jul 31 2002 - 22:28:36 PDT