[2648] in cryptography@c2.net mail archive
Re: PPTP (again)
daemon@ATHENA.MIT.EDU (Black Unicorn)
Sun May 10 19:26:56 1998
Date: Sun, 10 May 1998 16:41:28 -0500
To: "Arnold G. Reinhold" <reinhold@world.std.com>,
"Paul Leach" <paulle@microsoft.com>, cryptography@c2.net
From: Black Unicorn <unicorn@schloss.li>
Cc: firewall-wizards@nfr.com, NTSECURITY@LISTSERV.NTBUGTRAQ.COM
In-Reply-To: <v03130302b177a612d78f@[24.128.118.45]>
At 04:08 AM 5/8/98, Arnold G. Reinhold wrote:
[PPTP (in)security discussed]
>The security of this protocol does not appear to meet the most minimal
>standards of modern cryptographic practice. A properly implemented 40-bit
>key system would be far more secure. This protocol will be used to
>transmit medical records, lawyer-client meeting notes, new product plans,
>merger negotiations, and other sensitive internal communications. Do
>Microsoft's attorneys realize the company's potential exposure here? Can
>you say "class action lawsuit," "punitive damages," "strict liability,"
>"criminal negligence," "deep pockets?"
I've been watching trends which might suggest that a firm could be sued for
failing to exercise due diligence in their information protection efforts.
Shareholder derivative suits would be the most interesting from a legal
point of view because the cause-effect chain doesn't need to be very strong
for one such to succeed. So, under what circumstances would Microsoft
(which is exceptionally well represented from a legal standpoint, by the
way) be potentially liable for a security oversight? Well, that would be a
very hard case to make. Unless you could show very distinct statements
which represent a promise of security (which no firm could be so silly as
to make). Even from a products liability standpoint, and bringing strict
liability into the picture, you still have to show that Microsoft
represented the product as unconditionally secure to show it had a material
defect. That gets awfully difficult awfully quick.
Let's take a shot at an example:
First, Microsoft is never going to get hit for liability unless the
offended party can show actual damages directly resultant from the use of
PPTP (or some other Microsoft (in)security product). Since it's my view
that a shareholder derivative suit is the easiest way to accomplish this,
let's run that example.
ABC corp uses PPTP to protect vital R&D work. Our genius hacker SiR
hAxAlOt uses a fairly well-known vulnerability in PPTP to discover this R&D
work, and sells it to ABC's arch rival firm, XYZ. Or just publishes it on
the internet. Like a typical hacker, SiR hAxAlOt brags to the world about
his exploits and John Markoff picks up the story which ends up on the front
page of the New York Times, and then the WSJ in column two, or perhaps even
"Heard on the Street."
ABC shares, at 20 on the open, lose $5 a share immediately as, true to
stock market form, the inflated stock price of ABC was mostly dependent on
the high promise of earnings from the trade secret R&D work which has now
been stolen. Intel had a similar drop in mid-April, though it had nothing
to do, so far as I am aware, with trade secrets, so it's hardly unheard of.
A group of shareholders is lured into suit by the firm of fabulously
wealthy contingency fee lawyers, Hitem Lowe & Phast, LLP, which files suit
for $100 million the next day, charging that the firm failed to protect its
valuable data well enough and is therefore responsible to the shareholders
for the loss. After all, some 13-year-old managed to steal the stuff on
his own.
Hitem Lowe & Phast's argument is a simple one. ABC knew the data was
essential to the well-being of the company, comprised millions if not
hundreds of millions of dollars in market value, and was not well protected
(obviously).
ABC's argument is a bit more complex. The crux of their argument is that
computer security is a "black art." It's difficult to get right, and
impossible to always know when you've gotten it wrong. (One can imagine
Bruce Schneier, Perry Metzger and surprise witness Ian Goldberg in the
techno-court drama of the century. I imagine all of their discussions
would generally trend to that direction and support the defense. More so
because any expert testimony will have to admit the depth of literature and
vulnerabilities out there in the public and the level of effort required to
keep up with it all. Of course, implementation error is a big black hole
which just helps Microsoft's avoiding liability). ABC will argue that most
firms don't bother to use any encryption at all, that they did the best
they could; they didn't, after all, lose this data because some moron left
a file folder at a ball game. They have a security officer, they have a
corporate security policy, they even hired a consulting firm. They relied
on a "reputable" vendor of software and did what every other reasonable
firm would do in trying to secure their data. Or so their argument goes.
In the face of all the testimony about how hard it is to get it right, I'd
lay odds on ABC.
Of course, Mircosoft will deny that they made any firm statements about the
security of PPTP, which they won't have exactly so they could make this
denial in a case like this.
Let's say that the jury doesn't buy Microsoft's denial. ABC corp is off
the hook. They made a reasonable reliance on Microsoft. Microsoft would
be liable, but for the fact that there are no damages anymore. You'd have
to attach Microsoft to the suit. That's an interesting standing issue, and
I'm not sure you'd get far once ABC got yanked out.
If the jury does buy Microsoft's denial, you just strengthen the argument
that this stuff is just too complex and difficult to actually hold people
to any kind of "best practices" standard.
In the end ABC gets to fall back on the "what the hell else did you expect from
us? We did the best we possibly could" argument, which is a powerful one
in this context.
I might add that products liability law hasn't extended very far into the
software arena yet. When it finally does, I'm not sure security is going
to be easy to attach.
Time will tell.