Two responsive comments and then I need to do some work!

1. The fact that actually prevailing practices do not include widespread implementation of previously identified safeguards (e.g., patching) doesn't necessarily make that the standard of care. Where the cost of implementing a safeguard is reasonably low and the harm it could prevent is predictable and reasonably material, the fact that most of the industry doesn't bother will not prevent *you* from being liable if a judge decides the industry practice isn't reasonable - a well-established legal concept.

2. Technical contacts should be attempted as one of the first lines of action. If they are responsive that ought to fix the problem. But experience teaches they aren't always responsive, so what to do then? This is where "rules of engagement" might specify, for example, that you cannot legitimately escalate to self-help without trying this route first, and having it fail.

John R. Christiansen
Preston | Gates | Ellis LLP
*Direct: 206.370.8118
*Cell: 206.683.9125

Reader Advisory Notice: Internet email is inherently insecure. Message content may be subject to alteration, and email addresses may incorrectly identify the sender. If you wish to confirm the content of this message and/or the identity of the sender please contact me at one of the phone numbers given above. Secure messaging is available upon request and recommended for confidential or other sensitive communications.

-----Original Message-----
From: Seth Arnold [mailto:sarnold@private]
Sent: Thursday, June 19, 2003 10:44 AM
To: crime@private
Subject: Re: CRIME Senator Hatch - Destroy file swappers' computers

On Thu, Jun 19, 2003 at 09:55:46AM -0700, Christiansen, John (SEA) wrote:
> legal matter the "innocence defense" - or "inattentive and clueless defense"
> - at some point turns into the *negligence liability* which might justify
> intervention.

There are far too many "0-day" exploits for me to take this seriously.

http://news.com.com/2100-1002-995834.html?tag=lh
http://www.alw.nih.gov/Support/Security_Notices/Oct30.sshcrc32.html

Yeah, there are a lot of folks who don't patch their systems right away, but frequently, they've learned -not- to!

http://lwn.net/Articles/15497/
http://www.miami.com/mld/miamiherald/business/5953698.htm
http://www.spinics.net/lists/kernel/msg171866.html

> defendant's systems to be taken over to attack plaintiff's network). The
> question then is, if I could get a court order to stop harmful activity, can
> I stop it myself without one?

Wouldn't it be far easier to just contact the abuse@ contact for the ISP and the technical contact for the netblock in question, and have them fix the problem legitimately on their end, once for all?

--
"[Attorney General] Ashcroft went to the University of Chicago Law School -- a very good law school -- but the Bill of Rights never quite reached him." -- Nat Hentoff

This archive was generated by hypermail 2b30 : Thu Jun 19 2003 - 11:18:58 PDT