Bugtraq mailing list archives

Re: bug-testing identd NOT available here


From: harker () harker com (Robert Harker)
Date: Thu, 9 Mar 95 17:40:41 PST


It would set a REALLY BAD precedent if the legal system decided that people
attempting to help fix bugs were to be tarred with the same brush as those
trying to exploit them.  Think carefully about this.
 
I hate to say it, but there is a legal precedent in regards to this.

Caution: I am not a lawyer and may have some of the terms wrong.
If you have questions, please consult a lawyer for clarification.

It is based on common law and is a tort liability.

This is described in the document:
        csrc.ncsl.nist.gov:/secpubs/stewart.ps

From the index:
        stewart.ps   11-08-92 Potential Liabilities of Computer Security
                Response Centers - PostScript only

To quote from the document about tort liability:
        "There is no general common-law duty to rescue a stranger in distress
        even if the rescue can be accomplished at no cost to the rescuer...
        But if you do begin to rescue someone, you must complete the rescue in
        a nonnegligent fashion even though you had no duty of rescue in the
        first place"

The document goes on to state:
        "Section 323 of the "Restatement of Torts" provides that:

        One who undertakes, gratuitously or for consideration, to render
        services to another which he should recognize as necessary for the
        protection of the other's person or things, is subject to liability
        to the other for physical harm resulting from his failure to
        exercise reasonable care to perform his undertaking, if

        (a) his failure to exercise care increases the risk of such harm, or

        (b) the harm is suffered because of the other's reliance upon the
                undertaking"

An example of how this might be applied is that if I see a person bleeding
to death and walk on by, I can not be held liable or negligent if the person
dies.  But if I stop and provide aid, but do not apply everything I learned
about first aid 20 years ago, and the person dies, then the victim's family
can sue me for negligence in the victim's death.  They may not win in court,
but the court would find that the suit has merit and would proceed with it.

This is the basis for the very unpopular policies that CERT uses when it
releases a security alert (please do not discuss problems with CERT; after
reading this document, I am amazed that CERT publishes anything at all).

Apologies in advance if people do not find this directly related to firewalls
or security bug tracking, but I found the document to be a very eye-opening
document.

Again, I am not a lawyer.  If you have questions, please consult a lawyer.

RLH

For info about our Sendmail Made Simple and Advanced Sendmail classes and <
 a schedule of dates and locations, please send email to info () harker com  <

Robert Harker                                           Harker Systems
Sendmail and TCP/IP Network Training                    1180 Hester Ave
Network and Sysadmin Consulting                         San Jose, CA 95126
harker () harker com                                    408-295-9432


