> On 23/02/2013, at 2:53 AM, Jo Rhett <[email protected]> wrote:
>> No. I've had this conversation many times and employees of big companies
>> feel that it's impossible, and don't even raise the issue with their
>> management. In two different occasions I arranged a meeting with their
>> management and made the case for it, at which point the managers told the
>> unbelieving employee to make it happen.
On Feb 23, 2013, at 8:36 PM, Daniel Griggs wrote:
>
> If you have a presentation that you can share with the class, that would be
> great.
> It would make a useful addition to any security workshops or discussions I
> have with providers around security.
This topic really is so much simpler than most people put it out there.
Completely ignore any topic of "being a good person". There is a group of
related legal terms that come into play:
1. Gross Negligence
2. Good Faith Business Judgement
3. Commercially Reasonable Effort
...a few others, it's been a while since I had this discussion.
But the long and short is that for a person or company suing the provider to
prove gross negligence, they must prove that this particular provider (1) knew
the damage it would cause and (2) failed to provide reasonable effort to
prevent the damage.
It's a very short trip for a lawyer to convince even the most ignorant jury
what the IETF is, and what BCP38 is, and that there is no reasonable way that
the commercial entity was unaware of BCP38. Last time I was in court the lawyer
threw three other RFCs into the mix but I have forgotten offhand what they are.
Tie that together with the extensive promotion efforts by others, and a
company would have to claim that they had never heard of the IETF and never
went to any conferences and never participated in any forums or mailing lists.
That's a very easy bit of information to gather to prove they did.
Note: I have always entered the conversation having this exact
information in hand, to show just how easy it was to prove.
Then the lawyer must prove that it was "commercially reasonable", i.e., their
competition does it. In the lawsuits that I was involved in, the lawyer didn't
bother making a case for the industry as a whole but instead made a case for
the providers "just down the street". In particular, the fact that the customer
who initiated the attack moved from a provider who was BCP38 compliant to them
just days before the attack was used as evidence that the provider was directly
to blame.
Note: I don't bring this up, but several providers have asked if
implementing BCP38 would make it more likely their competitors would face this
lawsuit. I plead off being a lawyer but I acknowledge that it seems entirely
reasonable. I do point out that if a competitor's failure to implement BCP38
was involved in an outage in their network, all of the same factors are
involved. (and vice versa)
Then, the lawyer must simply provide evidence that the attacks came from the
provider's network (wouldn't be a lawsuit without that part) and voila, you
have a clear judgement for gross negligence.
The last bit of information that I bring is a round-up of what awards juries
toss at large corporations convicted of gross negligence. Given the current
anti-big-business mindset in this country, it is always ridiculously high
numbers.
note 1: I'm not a lawyer and I make it clear. In fact, I express clearly that this
is something they should discuss with their own lawyer(s).
note 2: I've only done this with US companies, or companies with US divisions.
Legal terms and expectations may differ elsewhere.
--
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations