[2655] in cryptography@c2.net mail archive
Re: PPTP (again)
daemon@ATHENA.MIT.EDU (Arnold G. Reinhold)
Mon May 11 12:36:59 1998
In-Reply-To: <199805110512.AA12413@world.std.com>
Date: Mon, 11 May 1998 08:58:14 -0400
To: Black Unicorn <unicorn@schloss.li>, Steve Bellovin <smb@research.att.com>
From: "Arnold G. Reinhold" <reinhold@world.std.com>
Cc: "Paul Leach" <paulle@microsoft.com>, cryptography@c2.net,
firewall-wizards@nfr.com, NTSECURITY@LISTSERV.NTBUGTRAQ.COM
At 12:11 AM -0500 5/11/98, Black Unicorn, replying to Steve Bellovin's
citation from Judge Learned Hand in 1932, opined:
>There's a long way between weather reporting gear and security software. I
>can cite due care standards all day long, but you still don't get around
>the basic nature of information security.
>
>>Would that precedent hold?
>
>Sure, if it was a case where the tugs had weather reporting gear, but the
>vendor of the gear provided only incomplete weather reports. (That's a
>closer analogy to my example). That's a much tougher case to drop
>liability on the tugs for.
>
Since I started this thread, let me try to be a bit clearer about the
situation I have in mind.

Wealthy manufacturer M sells product P that contains component R licensed
from vendor S. M cites R as a feature in M's printed literature. But M
installs R in a way that defeats its operation. In doing so M knowingly
disregards S's instructions, numerous textbook admonitions, and specific
warnings from others in the industry. Companies X, Y, and Z, of varying
financial stability, use P, which fails and causes damages to A, B, and C.
A, B, and C sue X, Y, Z, and M; X, Y and Z also sue M.

Here is a non-crypto hypothetical example:

Ford sells trucks with an advanced anti-skid braking system that it
licenses from BMW. BMW advises using the brakes on all four cab wheels.
Indeed, the principle of operation of the BMW anti-skid system, well known
to automotive engineers, requires sensors on all four wheels. Disregarding
pleas from independent automotive consultants, Ford sells its truck cabs
with brakes on only two wheels. Trucks skid all over the place, crashing
into cars, setting fires, spilling hazardous material. Those injured do not
just sue the trucking companies, they also name Ford as a defendant.

Is M (or Ford) liable for the damages caused by P failing? I think so.
Complexity of the underlying design issues is no excuse for ignoring
component specs; on the contrary, it makes careful attention to supplier
recommendations all the more imperative. Even if the evidence connecting
the designed-in defect to the product failures were weak, no lawyer
defending M would want a case like this to go to a jury.

Is there a criminal case against M for negligence or fraud? Perhaps. I
suspect the nature of the injuries would be a factor. A big insider
trading prosecution might do.

Is there an antitrust angle if M used its dominant market position to force
P on the industry at large? Harder to prove, but damages are tripled.

Is S also liable if it was aware of M's plans for R and did not attempt to
prevent the misuse? Security Dynamics should think about this question.

I am not a lawyer, but I have had experience with product safety reviews. I
would never allow a critical component to be used in a way that violated
its specifications. By designing the PPTP protocol so that it uses the same
RC4 key more than once, Microsoft is hanging a big "Sue Me!" sign around
its neck.

Arnold Reinhold
Got Crypto? http://ciphersaber.gurus.com