Incorrect Dichotomy - Was: It takes two to tango

From: Matthew White (Matthew.White@pncs.com.au)
Date: 08/01/02


From: Matthew White <Matthew.White@pncs.com.au>
To: bugtraq@securityfocus.com
Date: Thu, 1 Aug 2002 10:32:39 +0800 


A line in the post from Riad S. Wahby bothered me.
"Who is responsible, Ford or Consumer Reports?"

This is a false dichotomy where we have to choose between the only two
options presented. Neither should be sued however - this is why America is
so litigious. The REAL person to blame and at fault is the aforementioned
psychopath!

Think about it. He used a vulnerability to destroy property. He willingly
and deliberately actioned it. He is at fault.

And before someone says "That's obvious, but who ELSE is at fault?" That's
fallacious too. There doesn't need to be someone else. That's usually why
people sue someone with deep pockets - because they a) want someone to blame
or b) just want some money back from someone.

Regarding this specific issue at hand, neither should be able to be sued. If
vendors don't accept liability then consumers can't be sued for the above
reasoning as well as the reasons that Stan Bubrouski brought up.

This needs more than just talk though. As to what to do about it you
Americans need to lobby your politicians (as I do in Australia) to either
remove specific legislation allowing suits or to enact laws protecting
researchers (as the case may be in your jurisdiction).

**********************************************
A not so irrelevant, only semi-humorous analogy:

Researcher Bob published a vulnerability with the model "Human." The report
stated that it can be demonstrated that the puncturing of the chest cavity
causes a "blood overflow" terminating the "human." Both versions of human
are susceptible (male and female).
Researcher Bob released an exploit of this vulnerability using a "knife."

If a psychopath uses this vulnerability, who do you sue? The knife maker,
Researcher Bob, the person's creators (the parents) who created a faulty
model "human," God if you're religious ... ? Who's got the deepest pockets
you can pin it on?

Keep responsibility where it belongs. Shit happens - get on with life.

 
Matthew White
Desktop Systems Administrator
 
 
 
 

-----Original Message-----
From: Riad S. Wahby [mailto:rsw@jfet.org]
Sent: Thursday, 1 August 2002 3:19 AM
To: bugtraq@securityfocus.com
Subject: Re: It takes two to tango

Chris Paget <ivegotta@tombom.co.uk> wrote:
> Does V still have the right to sue R?

Let's put this a different way:

Ford makes a car that seems to sell pretty well. Unfortunately, it has a
fatal design flaw: if the car suffers a rear-end collision while it's in
third gear during a rainstorm at night while the moon is waxing, the car
explodes, killing its passengers. Consumer Reports discovers that this is
the case and publishes a warning to its readers concerning this car. Ford
is unable to reproduce the vulnerable configuration and ignores the warning,
assuming it's a hoax.

Two weeks later, a story breaks in the national news that a psychopath has
taken it upon himself to rear-end all Ford cars on rainy moonlit nights. So
far, five people have died.

Who is responsible, Ford or Consumer Reports? Do you think Ford could
successfully prosecute a lawsuit against Consumer Reports?

Extra credit: if you said "no" to the second question, but think V should
win a suit against R in Chris's hypothetical situation, please explain how
the two situations are so substantially different as to result in completely
opposite conclusions with regard to liability.

-- 
Riad Wahby
rsw@jfet.org
MIT VI-2/A 2002

---------------------------------------------------------------------------------------- This email, and any attachments, contain confidential information which is intended only for use by the addressee. If you are not the intended recipient, please notify us immediately. Any views expressed in this communication are those of the author except where specifically stated that it is the view of the Society. As unencrypted email may not be secure, we cannot guarantee reliability, completeness or confidentiality. Any attachments should be checked for viruses and defects prior to opening. We do not accept any liability in these respects. ----------------------------------------------------------------------------------------



Relevant Pages