"We have met the enemy, and he is us."

One word: Disclaimer

All commercial products will have a disclaimer stating they are not responsible for any breaches in security. In addition, freeware products will have an AS-IS with no implied guarantee or warranty disclaimer.

Essentially, unless you have a security provider with a contract that indicates responsibility, the people responsible are you.

M. Dante Mercurio, CCNA, MCSE+I, CCSA
Consulting Services Manager
Continental Consulting Group, LLC
www.ccgsecurity.com <http://www.ccgsecurity.com>
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>

> -----Original Message-----
> From: Hall, Duane [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 28, 2002 11:09 AM
> To: [EMAIL PROTECTED]
> Subject: Legal problem - IDS - Commercial Vs Open Source.
>
>
> I have been a lurker to this mail-list for quite a while, so
> here it goes. I have come across an issue asked by
> management about IDS products. They are asking about the
> legality issues.
>
> For instance:
>
> If we have a break-in and are using a commercial IDS product
> and the IDS software doesn't catch it, do you have any legal
> recourse against the commercial product vendor? Can you sue
> them for not catching the intrusion? My thinking is NO. I'm
> sure the software license agreement takes care of this.
>
> The same is asked if we decide to use an open source product,
> like Snort. I have said the same.
>
> I tried to give an example, for instance Microsoft. If someone
> breaks into a Windows server, no one but the
> administrator is responsible. You can't sue Microsoft,
> because you didn't apply a patch or weren't watching the server.
>
> Does anyone have any articles or case studies to support my
> thinking? Any help would be appreciated.
>
> Duane Hall
>
> **************************
> Duane Hall
> Security Administrator
> Hastings Entertainment, Inc.
> 806-351-2300 X-3945
> [EMAIL PROTECTED]