[2652] in cryptography@c2.net mail archive
Re: PPTP (again)
daemon@ATHENA.MIT.EDU (Black Unicorn)
Mon May 11 10:12:40 1998
Date: Mon, 11 May 1998 00:11:55 -0500
To: Steve Bellovin <smb@research.att.com>
From: Black Unicorn <unicorn@schloss.li>
Cc: "Arnold G. Reinhold" <reinhold@world.std.com>,
"Paul Leach" <paulle@microsoft.com>, cryptography@c2.net,
firewall-wizards@nfr.com, NTSECURITY@LISTSERV.NTBUGTRAQ.COM
In-Reply-To: <199805110239.WAA17566@postal.research.att.com>
At 09:39 PM 5/10/98 , Steve Bellovin wrote:
> ABC will argue that most firms don't bother to use any
> encryption at all, that they did the best they could, they
> didn't, after all, lose this data because some moron left a
> file folder at a ball game. They have a security officer,
> they have a corporate security policy, they even hired a
> consulting firm. They relied on a "reputable" vendor of
> software and did what every other reasonable firm would do in
> trying to secure their data. Or so their argument goes. In
> the face of all the testimony about how hard it is to get it
> right, I'd lay odds on ABC.
>
>I've heard other lawyers argue the reverse. Here's a quote from
>Judge Learned Hand in 1932:
>
> Indeed in most cases reasonable prudence is in face common
> prudence; but strictly it is never its measure; a whole calling
> may have unduly lagged in the adoption of new and available
> devices. It may never set its own tests, however persuasive be
> its usages. Courts must in the end say what is required; there
> are precautions so imperative that even their universal
> disregard will not excuse their omission. ... But here there
> was no custom at all as to receiving sets; some had them, some
> did not; the most that can be urged is that they had not yet
> become general. Certainly in such a case we need not pause;
> when some have thought a device necessary, at least we may say
> that they were right, and the others too slack. ... We hold
> [against] the tugs therefore because [if] they had been
> properly equipped, they would have got the Arlington [weather]
> reports. The injury was a direct consequence of this
> unseaworthiness.
There's a long way between weather reporting gear and security software. I
can cite due care standards all day long, but you still don't get around
the basic nature of information security.
>Would that precedent hold?
Sure, if it was a case where the tugs had weather reporting gear, but the
vendor of the gear provided only incomplete weather reports. (That's a
closer analogy to my example). That's a much tougher case to drop
liability on the tugs for.
>The best argument I've heard excusing software vendors is that the
>contracts typically disclaim all warranties, consequential damages,
>etc.
Well, that's not really the crux of the matter, since the disclaimers on
the back of ski lift tickets don't prevent people from suing ski slope
operators, and winning. That's because the terms of that contract are not
negotiated. Courts generally dislike "adhesion contracts" like this.
