Legal problem - IDS - Commercial Vs Open Source.

From: Hall, Duane (hallu@hastings-ent.com)
Date: 01/28/02


Date: Mon, 28 Jan 2002 10:09:05 -0600
From: "Hall, Duane" <hallu@hastings-ent.com>
To: <security-basics@securityfocus.com>

I have been a lurker to this mail-list for quite a while, so here it
goes. I have come across an issue asked by management about IDS
products. They are asking about the legality issues.

For instance:

If we have a breaking and are using a commercial IDS product and the IDS
software doesn't catch it, do you have any legal recourse against the
commercial product vendor?
Can you sue them for not catching the intrusion. My thinking is NO.
I'm sure the software license agreement takes care of this.

The same is asked if we decide to use an open source product, like
Snort. I have said the same.

I tried to give an example, for instance Microsoft. If some one breaks
into a Windows server, no one but the administrator is responsible.
You can't sue Microsoft, because you didn't apply a patch or weren't
watching the server.

Does anyone have any articles or case studies to support my thinking.?
Any help would be appreciated.

Duane Hall

**************************
Duane Hall
Security Administrator
Hastings Entertainment, Inc.
806-351-2300 X-3945
hallu@hastings-ent.com