A line in the post from Riad S. Wahby bothered me. "Who is responsible, Ford or Consumer Reports?" This is a false dichotomy where we have to choose between the only two options presented. Neither should be sued however - this is why America is so litigious. The REAL person to blame and at fault is the aforementioned psychopath! Think about it. He used a vulnerability to destroy property. He willingly and deliberately actioned it. He is at fault. And before someone says "That's obvious, but who ELSE is at fault?" That's fallacious too. There doesn't need to be someone else. That's usually why people sue someone with deep pockets - because they a) want someone to blame or b) just want some money back from someone. Regarding this specific issue at hand, neither should be able to be sued. If vendors don't accept liability then consumers can't be sued for the above reasoning as well as the reasons that Stan Bubrouski brought up. This needs more than just talk though. As to what to do about it you Americans need to lobby your politicians (as I do in Australia) to either remove specific legislation allowing suits or to enact laws protecting researchers (as the case may be in your jurisdiction). ********************************************** A not so irrelevant, only semi-humorous analogy: Researcher Bob published a vulnerability with the model "Human." The report stated that it can be demonstrated that the puncturing of the chest cavity causes a "blood overflow" terminating the "human." Both versions of human are susceptible (male and female). Researcher Bob released an exploit of this vulnerability using a "knife." If a psychopath uses this vulnerability, who do you sue? The knife maker, Researcher Bob, the person's creators (the parents) who created a faulty model "human," God if you're religious ... ? Who's got the deepest pockets you can pin it on? Keep responsibility where it belongs. Shit happens - get on with life. Matthew White Desktop Systems Administrator -----Original Message----- From: Riad S. Wahby [mailto:rsw@jfet.org] Sent: Thursday, 1 August 2002 3:19 AM To: bugtraq@securityfocus.com Subject: Re: It takes two to tango Chris Paget <ivegotta@tombom.co.uk> wrote: > Does V still have the right to sue R? Let's put this a different way: Ford makes a car that seems to sell pretty well. Unfortunately, it has a fatal design flaw: if the car suffers a rear-end collision while it's in third gear during a rainstorm at night while the moon is waxing, the car explodes, killing its passengers. Consumer Reports discovers that this is the case and publishes a warning to its readers concerning this car. Ford is unable to reproduce the vulnerable configuration and ignores the warning, assuming it's a hoax. Two weeks later, a story breaks in the national news that a psychopath has taken it upon himself to rear-end all Ford cars on rainy moonlit nights. So far, five people have died. Who is responsible, Ford or Consumer Reports? Do you think Ford could successfully prosecute a lawsuit against Consumer Reports? Extra credit: if you said "no" to the second question, but think V should win a suit against R in Chris's hypothetical situation, please explain how the two situations are so substantially different as to result in completely opposite conclusions with regard to liability. -- Riad Wahby rsw@jfet.org MIT VI-2/A 2002 ---------------------------------------------------------------------------------------- This email, and any attachments, contain confidential information which is intended only for use by the addressee. If you are not the intended recipient, please notify us immediately. Any views expressed in this communication are those of the author except where specifically stated that it is the view of the Society. As unencrypted email may not be secure, we cannot guarantee reliability, completeness or confidentiality. Any attachments should be checked for viruses and defects prior to opening. We do not accept any liability in these respects. ----------------------------------------------------------------------------------------
