Comments on TaoSecurity Blog: Tort Law on Negligence
Blog author: Richard Bejtlich
Feed updated: 2023-10-16T06:06:25.012-04:00

Lifting Cream (2010-02-12T04:49:02.049-05:00):

This comment has been removed by the author.

jcg (2009-12-01T12:37:27.546-05:00):

disagree with the "Enterprise" house comment - "how can someone be expected to make it [secure] under conditions such as these?". if the value of the contents of the house is high (as you would expect of an enterprise house), then why are you adding new windows and doors without giving any thought to how to do so in a way that maintains the security of the enterprise/house? you wouldn't ask a contractor to add an addition to the house, but not think about the locks to the addition or the locks from the addition to the main house. you would want those to be secure from the beginning. the fact that we don't think about this in computer security "because it's hard" is negligence at its worst.

AppSec (2009-11-27T09:04:09.405-05:00):

Always Remember.. OJ was not found guilty in a criminal court, yet he was taken to task in civil court.

An individual is not going to sue themselves for negligence. The issue would be taken with the insurance company.

I'm not sure tort law would matter in this case.

Anonymous (2009-11-26T17:28:20.023-05:00):

Take your argument and turn it slightly..

You leave your house unlocked when you leave to run to the store. When you come back your stereo is gone. In this case, who can be charged with negligence? Who is the wronged party due to the negligent act? Surely the state is inconvenienced, even injured, by your actions? You knew, or reasonably should have known, that your actions placed you at risk....

The argument doesn't hold...

I'll let the lawyers talk about the civil vs. Tort aspects.

Porter (2009-11-26T07:24:16.616-05:00):

Rich, you're absolutely right. I read yesterday on the Shodan blog post that "it is very easy to blame the attacker when the victim failed to carry out due diligence to protect themselves."

Easy to blame the attacker? It should always be easy to blame the attacker! They are the ones who did it!

It appears to me that it's easier to blame the victim. The admin didn't do this, the admin didn't do that, so they were "asking for it."

Using the house analogy, protecting a house is much simpler, right? You only have a few entrances, windows, maybe a garage etc...

In an "Enterprise" house, you have a constantly changing structure. New doors are constructed, new windows are added, and all the while there's an underground railroad running through the basement. The enterprise house is an amoeba, a shape-shifter, constantly changing. And because there is no such thing as 100% security, how can someone be expected to make it so under conditions such as these?

Now certainly if there is direct proven negligence, there should be consequences. But security engineering hasn't reached the maturity of, let's say civil engineering.

In civil engineering, a bridge builder must be licensed and has liability if they build a faulty bridge. A bridge is constantly under attack (from the elements and cars driving across them) and the Earth underneath them is moving as well. However, it doesn't change shape at the same rate as an enterprise.

Richard Bejtlich (2009-11-25T16:15:27.403-05:00):

Not a straw man. I think I just moved the ball forward to have someone admit that.

Anonymous (2009-11-25T16:09:12.424-05:00):

Straw man. No one is saying it's not the attacker's fault that someone got attacked. The thief is still the thief. But an admin who puts telnet servers on the Internet with no password should be liable, just like the painter was liable in your example.