Firewall Wizards mailing list archives

Re: Ok, so now we have a firewall, we're safe, right?


From: Chris Blask <chris () blask org>
Date: Thu, 23 Jun 2005 07:54:10 -0400

<Paul?  Is this going to get to the list?  -chris>

Hi denizens!

This thread has evolved some very good points and examples. It looks to me like birds could be made to come home to roost before too long...

o SOX does exist, therefore diligence and lack thereof could be argued in a legal context.

o  Expert testimony from folks like many of us should be acceptable in court.

We need an example case to establish a precedent. Anyone know of any shareholder class-action suits pending out there (or where there should be one) where "security design/implementation as part of SOX compliance" - or the lack thereof - is/could be part of demonstrating due diligence?

I'm not a litigious person by nature, but it is the engine of determining responsibility in society. A few good precedents a lawyer can understand could provide very good fulcrums for keeping vendors and operators accountable.

At 05:09 PM 6/13/2005, Dave Piscitello wrote:
We collapsing threads
.d.
2) Hiding complexity versus hiding the truth about a product

I spoke of hiding complexity in my email - putting grep/awk/sed
behind a GUI is very different from not documenting that "left set to
factory default settings, our device accepts incoming ftp connections
from guest accounts with no password enforcement."

Legal Due Diligence could reasonably be set at requiring a disclaimer something like:

o "Default settings of this software may create security exposures. Please consult a qualified security source for guidance."

That would be a baby step forward...

On 13 Jun 2005 at 15:13, Marcus J. Ranum wrote:

> R. DuFresne wrote:
> >Failing to do so moves liability out of the end users realm, even
> >Marcus would have to agree there.
>
> I couldn't agree more - if a vendor misrepresents their product they
> should be held accountable. There are agencies of the government that
> are already responsible for enforcing truth-in-advertising rules, and
> there are precedent-setting decisions that hold the vendors liable in
> such circumstances.

Exactly - no need to reinvent the wheel, someone just needs to get held responsible using the same mechanisms auto manufacturers have lived/suffered under for so long.

.d.
> Outright lies? Isn't that a bit severe?  Well, I give you one
> case in point: I recently re-installed Windows XP on my
> desktop machine (my annual "clean scrape") and as it was
> installing (and on the product box) Microsoft touted XP as
> a way to "quickly and securely access the Internet"   Oh. Really?

"The new car you have purchased will Quickly and Securely get you to the store..."

o  With NO caveats?
o  For a 1955 Bel Air with NO Seat Belts?!?

Someone needs to poke that manufacturer with the well-worn sticks of legal liability...

-cheers

-chris
Think wrongly, if you please, but in all cases think for yourself.

 - Doris Lessing

Chris Blask
chris () blask org
http://blaskworks.blogspot.com  
