[2651] in cryptography@c2.net mail archive
Re: PPTP (again)
daemon@ATHENA.MIT.EDU (Steve Bellovin)
Sun May 10 23:10:55 1998
To: Black Unicorn <unicorn@schloss.li>
cc: "Arnold G. Reinhold" <reinhold@world.std.com>,
"Paul Leach" <paulle@microsoft.com>, cryptography@c2.net,
firewall-wizards@nfr.com, NTSECURITY@LISTSERV.NTBUGTRAQ.COM
Date: Sun, 10 May 1998 22:39:36 -0400
From: Steve Bellovin <smb@research.att.com>
ABC will argue that most firms don't bother to use any
encryption at all, that they did the best they could, they
didn't, after all, lose this data because some moron left a
file folder at a ball game. They have a security officer,
they have a corporate security policy, they even hired a
consulting firm. They relied on a "reputable" vendor of
software and did what every other reasonable firm would do in
trying to secure their data. Or so their argument goes. In
the face of all the testimony about how hard it is to get it
right, I'd lay odds on ABC.
I've heard other lawyers argue the reverse. Here's a quote from
Judge Learned Hand in 1932:
Indeed in most cases reasonable prudence is in face common
prudence; but strictly it is never its measure; a whole calling
may have unduly lagged in the adoption of new and available
devices. It may never set its own tests, however persuasive be
its usages. Courts must in the end say what is required; there
are precautions so imperative that even their universal
disregard will not excuse their omission. ... But here there
was no custom at all as to receiving sets; some had them, some
did not; the most that can be urged is that they had not yet
become general. Certainly in such a case we need not pause;
when some have thought a device necessary, at least we may say
that they were right, and the others too slack. ... We hold
[against] the tugs therefore because [if] they had been
properly equipped, they would have got the Arlington [weather]
reports. The injury was a direct consequence of this
unseaworthiness.
Would that precedent hold?
The best argument I've heard excusing software vendors is that the
contracts typically disclaim all warranties, consequential damages,
etc. I'm not at all convinced that that would hold if, say, a
consumer suffered loss, say by someone hacking into his or her PC
and absconding with the information necessary to use an online banking
system.
