RE: It takes two to tango

2002-08-01 Thread John Howie
. John Howie -Original Message- From: Riad S. Wahby [mailto:[EMAIL PROTECTED]] Sent: Wednesday, July 31, 2002 12:19 PM To: [EMAIL PROTECTED] Subject: Re: It takes two to tango Chris Paget [EMAIL PROTECTED] wrote: Does V still have the right to sue R? Let's put this a different way

Re: It takes two to tango

2002-08-01 Thread Randy Hinders
As much as it pains me to say this, I feel I must (for sake of argument). There is an assumed risk in using any product. The different analogies that people are coming up with are ludicrous. Given the current political and prejudice* situations, litigation in the courts is not the way to

Re: It takes two to tango

2002-08-01 Thread Ltlw0lf
I've been looking at them for years, and so has FX, both of us will be giving talks at DEFCON this year (and no, unlike Gobbles, I'll be paying my own way this year and don't need anyone else's help.) Epson is terrible at dealing with vulnerabilities in their systems, and so are the others.

Re: It takes two to tango

2002-07-31 Thread Chris Paget
snip Ferson also said that HP reserves the right to sue SnoSoft and its members for monies and damages caused by the posting and any use of the buffer overflow exploit. This raises a very interesting point. Bruce Schneier has stated publicly that he believes vendors should be

Re: It takes two to tango

2002-07-31 Thread Jose Nazario
to continue the it takes two to tango metaphor, i will say the following (inline): On Wed, 31 Jul 2002, Chris Paget wrote: 2) R attempts to contact V to reveal the bug. 3) V does not respond. this is the fault of the vendor for not having a well known and publicized contact point for

Re: It takes two to tango

2002-07-31 Thread Mike Forrester
Hi, I just read the article at News.com (http://news.com.com/2100-1023-947325.html?tag=fd_top) about the controversy between HP and Snosoft. It seems that HP is upset that details of a dangerous security hole in the HP Tru64 operating system were published by Phased, a security researcher

Re: It takes two to tango

2002-07-31 Thread Stan Bubrouski
I agree fully with what both of you have to say, and I have another point to bring up. If companies like HP or Microsoft can put in their license, terms which remove all liability of themselves for damage caused security in their products or general defects, and this stands up in court (and

Re: It takes two to tango

2002-07-31 Thread Riad S. Wahby
Chris Paget [EMAIL PROTECTED] wrote: Does V still have the right to sue R? Let's put this a different way: Ford makes a car that seems to sell pretty well. Unfortunately, it has a fatal design flaw: if the car suffers a rear-end collision while it's in third gear during a rainstorm at night

RE: It takes two to tango

2002-07-31 Thread Scott, Richard
There are some interesting issues being raised: snip 1) Researcher R finds a security hole in vendor V's product. 2) R attempts to contact V to reveal the bug. 3) V does not respond. 4) R attempts communication several times over the next 90 days, but never receives a response. 5) R

Re: It takes two to tango

2002-07-31 Thread Derek D. Martin
At some point hitherto, Riad S. Wahby hath spake thusly: Two weeks later, a story breaks in the national news that a psychopath has taken it upon himself to rear-end all Ford cars on rainy moonlit nights. So far, five people have died. Who is

Re: It takes two to tango

2002-07-31 Thread Chris Paget
On Wed, 31 Jul 2002 11:15:27 -0400 (EDT), Greg A. Woods wrote: [ On Wednesday, July 31, 2002 at 11:34:57 (+0100), Chris Paget wrote: ] Subject: Re: It takes two to tango Does V still have the right to sue R? Absolutely not. They were given more than fair notice. According to the CNet

Re: It takes two to tango

2002-07-31 Thread Greg A. Woods
[ On Wednesday, July 31, 2002 at 11:34:57 (+0100), Chris Paget wrote: ] Subject: Re: It takes two to tango Does V still have the right to sue R? Absolutely not. They were given more than fair notice. If vendors are made liable for security holes, and those vendors have the right to sue

RE: It takes two to tango (or samba for that matter)

2002-07-31 Thread Gibby McCaleb
] Subject: Re: It takes two to tango snip Ferson also said that HP reserves the right to sue SnoSoft and its members for monies and damages caused by the posting and any use of the buffer overflow exploit. This raises a very interesting point. Bruce Schneier has stated publicly

Re: It takes two to tango

2002-07-31 Thread Tom Perrine
On Wed, 31 Jul 2002 11:34:57 +0100, Chris Paget [EMAIL PROTECTED] said: CP snip Ferson also said that HP reserves the right to sue SnoSoft and its members for monies and damages caused by the posting and any use of the buffer overflow exploit. CP This raises a very

Re: It takes two to tango

2002-07-31 Thread Branson Matheson
On Wed, 2002-07-31 at 10:48, Jose Nazario wrote: 4) R attempts communication several times over the next 90 days, but never receives a response. if the researcher doesn't attempt to work with an established third party (ie CERT, SecurityFocus) to get this contact made, they are acting