Re: bug-testing identd NOT available here

Robert Harker (harker@harker.com)
Thu, 9 Mar 95 17:40:41 PST

> It would set a REALLY BAD precedent if the legal system decided that people
> attempting to help fix bugs were to be tarred with the same brush as those
> trying to exploit them.  Think carefully about this.
 
I hate to say it, but there is a legal precedent in regards to this.

Caution: I am not a lawyer and may have some of the terms wrong.
If you have questions, please consult a lawyer for clarification.

It is based on common law and is a tort liability.

This is described in the document:
	csrc.ncsl.nist.gov:/secpubs/stewart.ps

From the index:
	stewart.ps   11-08-92 Potential Liabilities of Computer Security
		Response Centers - PostScript only

To quote from the document about tort liability:
	"There is no general common-law duty to rescue a stranger in distress
	even if the rescue can be accomplished at no cost to the rescuer...
	But if you do begin to rescue someone, you must complete the rescue in
	a nonnegligent fashion even though you had no duty of rescue in the
	first place"

The document goes on to state:
	"Section 323 of the "Restatement of Torts" provides that:

	One who undertakes, gratuitously or for consideration, to render
	services to another which he should recognize as necessary for the
	protection of the other's person or things, is subject to liability
	to the other for physical harm resulting from his failure to
	exercise reasonable care to perform his undertaking, if

	(a) his failure to exercise care increases the risk of such harm, or

	(b) the harm is suffered because of the other's reliance upon the
		undertaking"

An example of how this might be applied is that if I see a person bleeding
to death and walk on by, I can not be held liable or negligent if the person
dies.  But if I stop and provide aid, but do not apply everything I learned
about first aid 20 years ago, and the person dies, then the victim's family
can sue me for negligence in the victim's death.  They may not win in court,
but the court would find that the suit has merit and would proceed with it.

This is the basis for the very unpopular policies that CERT uses when it
releases a security alert (please do not discuss problems with CERT; after
reading this document, I am amazed that CERT publishes anything at all).

Apologies in advance if people do not find this directly related to firewalls
or security bug tracking, but I found the document to be a very eye-opening
document.

Again, I am not a lawyer.  If you have questions, please consult a lawyer.

RLH

 > For info about our Sendmail Made Simple and Advanced Sendmail classes and <
 >  a schedule of dates and locations, please send email to info@harker.com  <

Robert Harker						Harker Systems
Sendmail and TCP/IP Network Training			1180 Hester Ave
Network and Sysadmin Consulting				San Jose, CA 95126
harker@harker.com					408-295-9432