This is the second recent attack that slowed the internet. The internet bent, but it didn't break, thanks to good planning and quick work by the admirable men and women (I assume there are some women) who operate the internet.
What this raises for lawyers is the question of what liability there ought to be for a software vendor that is responsible for the code that permitted the attack. I guess that is MSFT. If tobacco companies are liable for having failed to publicize the dangers of their products, maybe a software vendor that fails to publicize the dangers of its products should also be liable for the damage caused by the product. In tort law, we constantly ask who is in the best position to avoid the harm caused by a defective product: the buyer, the seller or some other person. It looks as if the company that is the purveyor of the defective product (assuming a defect, based on the worm's attack) is in the best position to evaluate the safety features of the product before it is released to the public. One complication here: Microsoft had issued a patch for the flaw Slammer exploited months before the worm appeared, so the question is partly about the duty to ship secure code and partly about who should bear the cost when an available patch goes unapplied.
Of course, that means the release is delayed. Is the public better off with the quicker release of the product, or with the more thoroughly tested, later product? The answer is not always clear.
In tort law, intervening criminal behavior usually relieves the careless actor from liability, unless the criminal behavior is foreseeable or likely. What duty does the software vendor have to reasonably foresee the cracker's intervening criminal behavior? Does it matter whether the behavior is criminal in the place where the cracker operates?
Will the contract or license be effective to relieve the software vendor from liability if the criminal behavior is readily foreseeable? Until that enforceability is tested in a real legal proceeding, we licensing professionals will have a hard time assuring people of the likely outcomes. Is public policy against bad code so strong that the contract relieving the software vendor of liability should not be enforced? Or, is the public policy encouraging dissemination of software as soon as possible so important that the legal system will allow the losses to fall on the system operators, rather than on the software vendors?
What kind of public duty does the software vendor have to deliver a repair to its code, once the worm appears? Because of the importance of homeland security, does a software vendor have an obligation to alert its customers to the patch or fix? Or, does the software vendor have an obligation to push out the patch or fix by e-mail or some other method, once the patch or fix becomes available?
What kind of public duty does the software vendor have to ensure that its publication of the bug fix or patch on the 'net remains up, available and capable of hundreds of simultaneous downloads, once the patch or fix has been completed?
What if someone other than the software vendor creates an effective patch or repair to avoid the worm? If producing it required reverse engineering the vendor's code, would distributing it be a violation of the DMCA for trafficking in a way around the software vendor's technological protection measures, or a misappropriation of its trade secrets?
These are hard questions to answer with certainty. There is lots of room for litigation.
http://www.infoworld.com/articles/hn/xml/03/01/25/030125hnsqlnetupd.xml
http://www.nytimes.com/aponline/technology/AP-Microsoft-Worm.html
http://ap.tbo.com/ap/breaking/MGAWJE75HBD.html
http://www.techie.hopto.org/sqlworm.html
http://www.washingtonpost.com/wp-dyn/articles/A43267-2003Jan25.html
http://www.sans.org/webcasts/012703.php
http://www.computerworld.com/securitytopics/security/holes/story/0,10801,77898,00.html
http://www.washingtonpost.com/wp-dyn/articles/A46928-2003Jan26.html
http://www.cnn.com/2003/TECH/internet/01/27/internet.attack.ap/index.html
http://www.cnn.com/2003/TECH/internet/01/27/worm.why/index.html
http://news.com.com/2100-1001-982284.html
http://www.govexec.com/dailyfed/0103/012703h1.htm
http://www.theregister.co.uk/content/56/29040.html
http://www.cert.org/advisories/CA-2003-04.html
http://news.com.com/2100-1023-981800.html
Slammer attacks!
http://eletters1.ziffdavis.com/cgi-bin10/flo?y=eTpr0EzKIy0HX60t780Ac
How Slammer Works:
http://eletters1.ziffdavis.com/cgi-bin10/flo?y=eTpr0EzKIy0HX60t8A0Am
Are your systems clean?
http://eletters1.ziffdavis.com/cgi-bin10/flo?y=eTpr0EzKIy0HX60t8A0Am
Clues lead to nefarious criminal group:
http://eletters1.ziffdavis.com/cgi-bin10/flo?y=eTpr0EzKIy0HX60t7E0Ap
Simple Ways to Avoid Slammer's Ilk:
http://eletters1.ziffdavis.com/cgi-bin10/flo?y=eTpr0EzKIy0HX60t660AZ
Dvorak Calls Slammer a Hoax:
http://eletters1.ziffdavis.com/cgi-bin10/flo?y=eTpr0EzKIy0HX60t8B0An
http://www.smh.com.au/articles/2003/01/31/1043804503508.html
Thanks to the SANS Institute for comments:
The Slammer worm infected 90% of vulnerable computers within ten
minutes, according to the Cooperative Association for Internet Data
Analysis (CAIDA). The number of infections doubled in size every
8.5 seconds; after three minutes, Slammer was generating 55 million
scans for vulnerable computers every second.
http://news.zdnet.co.uk/story/0,,t269-s2129785,00.html
Thanks to SANS Institute for comment:
--Benchmark Could Have Slowed Slammer's Progress
(31 January 2003)
Slammer's rapid spread across the Internet could have been slowed
if companies had installed the patch Microsoft had issued for the
vulnerability and if they had used the free Consensus Minimum Security
Benchmarks, which are designed to detect vulnerabilities, including
the one exploited by Slammer. The benchmarks were developed by five
federal agencies, the SANS Institute and the Center for Internet
Security (CIS).
http://www.computerworld.com/securitytopics/security/holes/story/0,10801,78063,00.html
[Editor's Note (Schultz): There was no patch for those who installed
the Microsoft Desktop Engine (MSDE) using the Microsoft .NET Framework
Software Developer's Kit until several days after Slammer first struck
the Internet.]
Don't count on government help.
http://www.zdnet.com/anchordesk/stories/story/0,10738,2909992,00.html
Thanks to SANS Newsbites:
(20 February 2003)
Symantec's Vincent Weafer clarified the company's statement last week
that claimed it had detected the Slammer worm hours before it became
public knowledge. Actually, Symantec's DeepSight Threat Management
System sent automated alerts to customers when firewall sensors
picked up increased attempts to access port 1434. At that time the
company was aware of a "network anomaly," but not until a few hours
later, about the time the first Slammer postings appeared on Bugtraq,
did the information coalesce to indicate an actual attack.
http://www.theregister.co.uk/content/56/29406.html
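The "increased attempts to access port 1434" that DeepSight's sensors saw is the kind of signal a simple fan-out detector over firewall logs can surface: a host doing legitimate SQL Server browser lookups talks to a handful of known servers, while a random-scanning worm sprays one datagram each at addresses it has never seen. The following is an added example written for this page; it is not Symantec's DeepSight logic and not code from the original post. The log line format, the RFC 5737 test addresses, the 60-second window and the 20-destination threshold are all constructed assumptions for illustration.

```python
"""Detect hosts spraying UDP/1434 at many distinct destinations.

Added example for this page; not Symantec's DeepSight logic and not code from
the original post. Log line format, addresses (RFC 5737 test ranges) and the
threshold are constructed assumptions for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed firewall log format: "<ISO8601Z> <ALLOW|DENY> <TCP|UDP> src:sport -> dst:dport"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
SSRS_PORT = 1434  # SQL Server Resolution Service; Slammer's single-packet target


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_scanners(lines, window_s=60, min_distinct_dst=20, port=SSRS_PORT):
    """Return {src: peak distinct destinations} for every source that, inside
    some sliding window of window_s seconds, sent UDP datagrams to `port` at
    min_distinct_dst or more distinct destination IPs."""
    events = [r for r in map(parse, lines)
              if r is not None and r["proto"] == "UDP" and r["dport"] == port]
    events.sort(key=lambda r: r["ts"])
    per_src = defaultdict(list)
    for r in events:
        per_src[r["src"]].append(r)

    flagged = {}
    for src, recs in per_src.items():
        window = deque()               # events inside the current time window
        dst_counts = defaultdict(int)  # dst -> occurrences inside the window
        peak = 0
        for r in recs:
            window.append(r)
            dst_counts[r["dst"]] += 1
            # Evict events older than window_s relative to the newest one.
            while (r["ts"] - window[0]["ts"]) > timedelta(seconds=window_s):
                old = window.popleft()
                dst_counts[old["dst"]] -= 1
                if dst_counts[old["dst"]] == 0:
                    del dst_counts[old["dst"]]
            peak = max(peak, len(dst_counts))
        if peak >= min_distinct_dst:
            flagged[src] = peak
    return flagged


def build_sample_log():
    """Constructed sample: one host spraying UDP/1434, one host doing normal
    lookups against a single SQL server, unrelated web traffic, one bad line."""
    base = datetime(2003, 1, 25, 5, 30, 0)
    lines = []
    for i in range(5):   # legitimate: same server, every 25 s
        t = base + timedelta(seconds=25 * i)
        lines.append(f"{t:{TS_FMT}} ALLOW UDP 192.0.2.20:1050 -> 198.51.100.7:1434")
    for i in range(10):  # noise: TCP/80, must be ignored
        t = base + timedelta(seconds=3 * i)
        lines.append(f"{t:{TS_FMT}} ALLOW TCP 192.0.2.30:{40000 + i} -> 203.0.113.80:80")
    for i in range(30):  # the spray: 30 distinct destinations in 30 s
        t = base + timedelta(seconds=i)
        lines.append(f"{t:{TS_FMT}} DENY UDP 192.0.2.10:1033 -> 203.0.113.{i + 1}:1434")
    lines.append("this line is malformed and is skipped")
    return lines


if __name__ == "__main__":
    for src, n in sorted(find_scanners(build_sample_log()).items()):
        print(f"{src}: {n} distinct UDP/{SSRS_PORT} destinations in one 60 s window")
```

Keying on distinct destinations rather than raw packet counts is what keeps the legitimate lookup host (five packets, one server) out of the alert while the sprayer (thirty packets, thirty servers) trips it; a worm that reuses a small target list would need a different feature.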
UDP and TCP are of similar vintage, and neither is inherently "less secure" than the other. The difference that matters here is that TCP sets up a connection with a three-way handshake (SYN, SYN-ACK, ACK) before any application data is delivered, while a UDP datagram carries its payload in a single, unacknowledged packet. The handshake is not authentication, but it forces a round trip with the target, which also makes it impractical to attack a service from a spoofed source address. For a worm this matters twice over: Slammer's entire payload fit in one 376-byte UDP datagram to port 1434, so an infected host could exploit a target without waiting for any reply and could fire copies at random addresses as fast as its link would carry them. Its spread was limited by bandwidth rather than by round-trip latency, which is why the infection curve was so steep. The practical lesson for operators is that the SQL Server resolution service has no business being reachable from the Internet; blocking UDP/1434 at the perimeter would have kept the worm out regardless of patch status. The site below attributes Slammer's lightning-speed infection of the Internet to its use of UDP.
http://www.newsfactor.com/perl/story/20776.html
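The SANS summary above puts Slammer's doubling time at 8.5 seconds, and the paragraph just above attributes the speed to UDP. The following added example (written for this page; not from the original post and not CAIDA's analysis) makes the connection explicit with the standard logistic random-scanning model: a one-packet UDP worm's scan rate is set by link bandwidth, while a worm that must complete a TCP handshake per target is throttled by round-trip waits and timeouts. Every parameter value (75,000 vulnerable hosts, a 10 Mbit/s link, 100 concurrent probes, a one-second average wait, a 404-byte packet on the wire) is an assumption for illustration, not a measurement.

```python
"""Why a single-datagram worm spreads so fast: a random-scanning spread model.

Added illustration for this page, not from the original post and not CAIDA's
analysis. Uses the standard logistic (random constant spread) model; every
parameter value below is an assumption for illustration, not a measurement.
The model ignores link saturation, so it overstates late-stage speed.
"""
import math

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses a random scanner may pick from


def contact_rate(scans_per_sec, vulnerable):
    """K: rate at which one infected host hits *vulnerable* hosts per second."""
    return scans_per_sec * vulnerable / ADDRESS_SPACE


def infected_at(t, vulnerable, scans_per_sec, initial=1):
    """Logistic solution I(t) = N / (1 + (N/I0 - 1) * exp(-K t))."""
    k = contact_rate(scans_per_sec, vulnerable)
    return vulnerable / (1 + (vulnerable / initial - 1) * math.exp(-k * t))


def doubling_time(vulnerable, scans_per_sec):
    """Early-phase doubling time, ln 2 / K."""
    return math.log(2) / contact_rate(scans_per_sec, vulnerable)


def time_to_fraction(fraction, vulnerable, scans_per_sec, initial=1):
    """Invert the logistic: the t at which I(t) = fraction * N."""
    k = contact_rate(scans_per_sec, vulnerable)
    return -math.log((1 / fraction - 1) / (vulnerable / initial - 1)) / k


def scans_per_sec_udp(link_bps, wire_bytes=404):
    """One-packet UDP exploit: nothing to wait for, so the scan rate is simply
    how many packets the link carries. 404 bytes is Slammer's 376-byte payload
    plus IP and UDP headers (Ethernet framing ignored; assumed here)."""
    return link_bps / (wire_bytes * 8)


def scans_per_sec_handshake(concurrent, avg_wait_s):
    """TCP exploit: each probe must finish a handshake, or time out, before the
    payload can be sent. With `concurrent` probes in flight and an average wait
    of avg_wait_s (mostly timeouts on dead random addresses), throughput is
    bounded by concurrency / wait rather than by bandwidth."""
    return concurrent / avg_wait_s


def compare(vulnerable=75_000, link_bps=10e6, concurrent=100, avg_wait_s=1.0):
    """Doubling time and time-to-90% for both worm styles (assumed parameters)."""
    udp = scans_per_sec_udp(link_bps)
    tcp = scans_per_sec_handshake(concurrent, avg_wait_s)
    return {
        "udp_scans_per_sec": udp,
        "udp_doubling_s": doubling_time(vulnerable, udp),
        "udp_90pct_s": time_to_fraction(0.9, vulnerable, udp),
        "tcp_scans_per_sec": tcp,
        "tcp_doubling_s": doubling_time(vulnerable, tcp),
        "tcp_90pct_s": time_to_fraction(0.9, vulnerable, tcp),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>20}: {value:10.1f}")
```

With the assumed numbers, the UDP worm doubles in roughly 13 seconds and reaches 90% of the vulnerable population in about four minutes, while the handshake-bound worm needs several minutes just to double; the gap comes entirely from the scan-rate term, which is the point the UDP paragraph is making. Real spread was slower in the late phase because infected hosts saturated their own links.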
8:42:04 PM