Re: [fw-wiz] Ok, so now we have a firewall, we're safe, right?
From: Chris Blask (chris_at_blask.org)
Date: 06/23/05
- Previous message: Bill Sharrock: "RE: [fw-wiz] Transitive Trust: 40 million credit cards hack'd"
- Maybe in reply to: Carson Gaspar: "Re: [fw-wiz] Ok, so now we have a firewall, we're safe, right?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: firewall-wizards@honor.icsalabs.com, Paul Robertson <proberts@patriot.net>
Date: Thu, 23 Jun 2005 07:54:10 -0400
<Paul? Is this going to get to the list? -chris>
Hi denizens!
This thread has evolved some very good points and examples. It looks to me
like birds could be made to come home to roost before too long...
o SOX does exist, therefore diligence and lack thereof could be argued in
a legal context.
o Expert testimony from folks like many of us should be acceptable in court.
We need an example case to establish a precedent. Anyone know of any
shareholder class-action suits pending out there (or where there should be
one) where "security design/implementation as part of SOX compliance" - or
the lack thereof - is/could be part of demonstrating due diligence?
I'm not a litigious person by nature, but it is the engine of determining
responsibility in society. A few good precedents a lawyer can understand
could provide very good fulcrums for keeping vendors and operators accountable.
At 05:09 PM 6/13/2005, Dave Piscitello wrote:
>We collapsing threads
.d.
>2) Hiding complexity versus hiding the truth about a product
>
>I spoke of hiding complexity in my email - putting grep/awk/sed
>behind a GUI is very different from not documenting that "left set to
>factory default settings, our device accepts incoming ftp connections
>from guest accounts with no password enforcement."
Legal Due Diligence could reasonably be set at requiring a disclaimer
something like:
o "Default settings of this software may create security
exposures. Please consult a qualified security source for guidance."
That would be a baby step forward...
>On 13 Jun 2005 at 15:13, Marcus J. Ranum wrote:
>
> > R. DuFresne wrote:
> > >Failing to do so moves liability out of the end users realm, even
> > >Marcus would have to agree there.
> >
> > I couldn't agree more - if a vendor misrepresents their product they
> > should be held accountable. There are agencies of the government that
> > are already responsible for enforcing truth-in-advertising rules, and
> > there are precedent-setting decisions that hold the vendors liable in
> > such circumstances.
Exactly - no need to reinvent the wheel, someone just needs to get held
responsible using the same mechanisms auto manufacturers have
lived/suffered under for so long.
.d.
> > Outright lies? Isn't that a bit severe? Well, I give you one
> > case in point: I recently re-installed Windows XP on my
> > desktop machine (my annual "clean scrape") and as it was
> > installing (and on the product box) Microsoft touted XP as
> > a way to "quickly and securely access the Internet" Oh. Really?
"The new car you have purchased will Quickly and Securely get you to the
store..."
o With NO caveats?
o For a 1955 Bel Air with NO Seat Belts?!?
Someone needs to poke that manufacturer with the well-worn sticks of legal
liability...
-cheers
-chris
Think wrongly, if you please, but in all cases think for yourself.
- Doris Lessing
Chris Blask
chris@blask.org
http://blaskworks.blogspot.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards