Slashdot Mirror
Nike Gets Sued Over Nike.com Hijack
kwsNI writes: "Wired has this article on an ISP trying to sue Nike over the recent hijack of Nike.com. He claims that his ISP suffered when the hackers routed the Nike.com traffic through his servers. He claims that Nike is at fault for not having better security. This really scares me. Can you really be sued for having your domain hijacked?" I'm interested to see where this will go.
In this case at least, it doesn't seem right to be suing Nike over a hack. It's obviously NSI's fault for taking an email so seriously.
What I had hoped to see was someone who had their box hacked for an attack on another domain, or email spoofing or whatever. Just like you can be sued for leaving a gun cabinet unlocked if a gun taken from it kills someone, why can't you be proven negligent if your box, which you have not attempted to provide adequate security for, is hacked and used against someone else?
If you've provided adequate security, though or it's someone else's fault (NSI), then I don't think you should be held responsible..,
but that answer isn't fun! I wanna buy a new car! ;-)
"It's tough to be bilingual when you get hit in the head."
I figured, I've just always been amused by the "Thinking Outside the Box" metaphor... I need a box, so I can think outside of it... of course, if I don't have a box, I'm at least outside of one... unless the Matrix is a big box, maybe being shipped UPS, and mis-routed through three continents... that would explain this past week.
"It's tough to be bilingual when you get hit in the head."
Well who knows about a coincidence but Network Solutions is stepping up the Security of their service. We got an email yesterday at the company i work at about this.
"I INSTALLED LUNIX AND FPROTTED HIS TARBALL!!!!!@#"
Shame on Nike.com is hacked and a DOS is sent to nike.com? Will he be billed by Nike for crashing their server? "But..but.. the hacker did it, not me!!"
Either way, the woman spilled hot coffee on herself, then sued the restaurant for selling it to her. That's like suing a power tool company after you fire a nail-gun into the back of your hand, saying "they should have put a sensor on it so it could tell flesh from drywall".
No, it's more like buying a nail-gun, loading it with studs, and having it launch one into your backside the minute you plug it in. Sure, you should have been careful not having it aimed at anyone while loaded, but at the same time there's a reasonable expectation that it's not going to injure anyone who isn't being careless.
Jay (=
Personally I am sick an tired of everyone trying to pass the blame to scam a buck. This was a criminal act directed at Nike. If others got hit in the process, it is not the fault of Nike, it is the fault of the criminals who did the domain hijack.
I mean, c'mon - if someone storms into your house to shoot someone, and in the process shoots you - are you going to go after the original target of the shooting or the shooter? In the immortal words of John Stossel - Gimme a Break!
What a bunch of crap. This is nothing more than a money grab by the ISP. I may be conservative but I am all for the socialization of the legal profession. If you take the asinine amount of money out of it you would solve a significant amount of these problem.
It does not matter what you do, it's wrong.
Absolutely not. If such security measures are not written into the ISP contract with the company, then the ISP has no recourse at all. In a world with umpteen gazillion different things to know about, how can anyone keep up on absolutely every technology?
It does not matter what you do, it's wrong.
Jeff
How about this: A burglar uses my neighbor's lawn gnome to get into a first story window I inadvertently left unlocked. Am I accountable for the gnome's crushed cap?
The analogy here would be a swimming pool (your web page). If you have a swimming pool, and this swimming pool is protected by a gate, and the gate has a large sign saying "stay the heck out" and a neighborhood kid climbs your fence, jumps in your pool and drowns, you can be sued by the kid's parents. Your pool represented an attractive nuisance, an entity that wasn't dangerous in and of itself, but could be dangerous if used in an unsafe manner. As long as a kid can overcome your precautions, you are responsible for that kid's behavior. And what kid doesn't love a swimming pool?
In this case, the web site had minimal security, and some kid came along and used it for other than its intended purpose. But is the owner of the site still responsible for the consequences?
It doesn't sound like the bozo doing the suing is thinking of this ploy, but it will probably just be a matter of time...
---
Gort! Klatu Barata Nikto!
I wonder if Verisign realizes what a bastard child they bought, and the negative impact it'll have on their reputation ..
What's funny is, his own site, admits that they were not only hacked but it was because they didn't have good security on their servers and that it wasn't hard for the hackers to compromise their servers too. This guy is so hypocritical, it's amazing.
kwsNI
"Um, how can you sue a company for doing what you tell it to do???
No, this is just a bunch of hot air. A misdirected and leech-like lawsuit (from a guy who shamelessly tried to sell books from amazon.gk), a mega-corp that (frankly) deserved the hack, and a hapless NetSol that can't really be blamed (come on, do you think they *don't* explain the security levels???)sig not found
IANAUKL (I am not a UK lawyer), but in the States you can be sued for pretty much anything. I could sue Taco for bad grammar, claiming that his awful prose has caused me to misunderstand technical issues that are important to my job, and hence Taco is responsible for damaging my wage earning ability.
But remember, filling a lawsuit is significantly different than bringing a succsessful lawsuit in front of a judge.
I can see three possible outcomes from this lawsuit:
Things that will not happen include:
I suspect we won't hear about this case again. If this was happening in the States, I'd expect to see Mr. Smith's name on the front pages in a few years, when he walks into an office building somewhere and starts shoot ing people. Since its the UK, I expect he'll just become a school teacher or some other profession where he can inflict damage on people with immunity. Or, perhaps he'll just continue being a totally irresponsible and technically incompetent system administrator for his own ISP, and just continue inflicting damages on his clueless customers.
Slashdot is jumping the shark. I'm just driving the boat.
Newsline: car owner sued after death of girl
Robert Wilson -- a wealthy and respected professor at MIT -- was recently sued for damages after theives stole his BMW and killed a girl on their joyride. The theives broke through a sophisticated alarm system and took the BMW for a joyride through outer neighbourhoods of Boston while under the influence of alchohol. During the joyride, Samantha Caily was knocked over and killed - a tragic death for a young girl barely 15. Samantha's parents sued Robert Wilson for damages, claiming that he was responsible for their childs death. "If he'd employed a better alarm system, Samantha would be with us today. It's clearly his fault. Those boys are known theives, and they can't help themselves, but Robert should know better", said Martha Caily. The theives, who were later caught, have a history of car theft, they were released with a traffic infringement: they're poor and of no fixed abode - barely able to afford the bus ticket home.
^sarcastic humour-- Matthew - matthew.gream@pobox.com, http://matthewgream.net
Actually I do believe that purpose has a large part to do with it.
Yes, I know about the kubotan, infact I own one (wood version). I also know all about the martial arts weapons. Nunchaku's were used to bash rice, the Bo staff was used to carry water, so on and so forth.
But today, unless you work in a rice field, nunchaku's are mainly a weapon. Infact, where I live (New York), nunchaku's are illegal to own. Its funny that it is more illegal to own nunchakus than it is to own a gun.
Again, purpose and usefulness play a large part. Since cars need a key to start, it is harder for a kid to cause too much damage (although they can take it out of park and roll down a hill). So, ok, If you leave your keys in the car and running, you have some responsibility if a child gets in and hurts someone.
There is a layer of responsibility that comes with things that can kill. Although I wouldn't say a car is more destructive then some guns. Maybe a
As for me being more against guns. No, I believe they serve a purpose. I'm not against hunting or even just recreational shooting. But I'm for strict gun laws since they are the equalizer. Even though you can be killed by a knife, I much rather face someone who has a knife than someone who has a gun.
My in-laws are big time hunters and I have no problems with that. But they take big responsibility for their guns. They always lock them up and they teach all their children to respect the power of a gun. I don't think of guns as evil, I think of guns as very powerful and dangerous in the wrong hands.
And actually, I believe that a car is more evil than a gun. They hurt the environment more. They make people lazy (I know people who drive a quarter mile on sunny days and no hurry). And with the gas prices of today... Damn!
Steven Rostedt
Steven Rostedt
-- Nevermind
The thing people need to realize, is that this was not a hack due to low security, it was a hack due to human error. To me its the equivalent of locking yourself through 18" thick steel walls, with 100 doors that you need to go through, with card security, retina scans, thumbprints, and passwords, and then some idiot who works there lets the pizza guy all the way on the inside so he can go get his wallet. This same guy is the type of person who writes his login name and password on a sticky note and attaches it to his monitor. There is no way you can hold nike negligent, you need to hold the moron who accepted the spoofed id. There was nothing Nike could have possibly done to prevent this.
This was bound to happen, and, unfortunately, will probably proliferate. As ridiculous as it may sound, look at the current state of our civil law system and you can see *exactly* where this mentality comes from.
A: Two boys go to a high school and proceed to shoot stuff up. Victims, demanding compensation, sue the gun manufacturers, althouth the gun manufacturers didn't pull the triggers. If you think that the gun manufacturers are liable, then you should also think that the manufacturers of computer components should also be sued, because computers are most certainly used to commit crimes.
That's just one that ought to be stuck in your heads. Everyone knows that the criminal should be liable for damages, but most criminals don't have anything. Desperate, people will rationalize anything and sue everybody and just hope for a settlement.
I'm waiting to see a class action lawsuit against Microsoft, Intel, AMD, Phoenix, Creative Labs, Matrox, etc, for being responsible for the ILOVEYOU email thingie. Forget the poor college kid who wrote it, he's poor. Let's get some real money....
If you were me, you'd be good lookin'. - six string samurai
I mean come on, I've see enough of that damn swoosh when I simply walk outside....
Who is at more fault? The intruder, or the person who left the door unlocked and didn't tell anyone?
And IMHO it is almost always the negligence that I am more angry about. Selling a house to someone and keeping one of the keys, or making it so that if you turn the doorknob in a certain way also unlocks the house would get you sued and fired. Why do we put up with this crap in the Computer industry?!? Why is it permissible to leave backdoors, or to simply ignore security or privacy?
But, to take up tyler's point of view, "But that's what I think, I could be wrong."
Lemure, wtf! Don't you mean Lemur?
Look, the reason McDonald's coffee was hotter than the stuff you got out of your pot at home was not because of some nefarious corporate scheme to burn old ladies.
No one said they were malicious, only derelict in their responsibility.
It was hotter because most of their customers wanted it that way!
Really? Their customers wanted coffee served at a temperature that becomes "extremely dangerous when it comes in contact with human body tissue"? (A part you neatly snipped off in your reply, I noticed.)
The typical McCoffee drinker is a blue-collar 9-to-5er who buys the coffee on their way to work, and doesn't actually drink it until much later, sometimes a half hour or hour later. In order to prevent the coffee from being as cold as a witch's t?? by the time they drink it, the coffee was sold hotter than the temperature you would normally drink it at.
Where did you get this information? Did McDonald's commission a survey as a response to this woman's lawsuit? Was an independant poll conducted by some news agency in relation to this case? Or are you making some totally unfounded assumption because this particular story annoys you?
It may have been extremely hot, but this woman jammed the coffee cup into her crotch and drove off without even checking if the lid was secure; and when she spilled the molten stuff all over her groin, what did she do? She kept right on driving while the skin on her lap was being destroyed.
Okay, now I'm sure you've just got an axe to grind. (Either that, or I'm being trolled.) In the article I quoted, it states quite clearly that she was a passenger in the car, and that the car was not moving when she spilled the coffee on herself.
If you can't get the facts straight, why bother replying?
Jay (=
--
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Matters not; a liquid at 180 degrees Fahrenheit can give you serious full-depth (al through every skin layers) burns in less than five seconds of contact. It's one thing to serve coffee hot; it's another altogether to serve it so hot it's actually dangerous, particularly when it's served in a drive through and thus the company has reason to believe it will be drank in a moving vehicle with greater chance of spillage (even though this wasn't the case in this particular instance).
Beyond that, the fact McDonalds had had already lots of complaints and had done nothing about them except for settling out of court points towards negligence. If it happens once, it's an accident; if it happens lots of times and McD does squat about it, it is not.
The other part of the story, which the post neglects to tell, is that the woman originally went to McD and only wanted reimbursement for medical expenses ($20k or so). McD refused altogether, and this outraged the jury into giving the woman the punitive award.
Now, what is a punitive award? It is, as the name implies, intended to punish and deter similar behavior in the future; because of its very nature, the size of such an award maps not only to the offense committed but also to the defendant's ability to pay. It's supposed to hurt. If the defendant can just shurg the award off because of deep pockets, then it's no deterrent. Thus the magnitude of the punitive award.
It's easy to spout off without knowing the facts; the facts make it clear the decision was appropriate and correct, even though big-mouthed know-nothings blast it because they're uninformed.
He was damaged bandwidth and manpower is not free.
NSI may hold some blame in this but if
they do its up to Nike to sue them
to recover any money spent recovering
from this.
I for one am sick of big companies making
noise about security and not really doing
anything about it. Remember all those
credit card numbers that were stolen?
The owners of those cards and the credit
card companies should sue the online stores
for every penny spent recovering from it!
In the real world you are resonsible if you
damage someones property or cost
them money to repair stuff you damage.
Why should the net be any different???
Step 1: Boil Water
Step 2: Filter through coffee grounds
Step 3: There's no step three.
Coffee is hot. It is supposed to be hot. If steam is not coming off the cup, it must have sat out too long.
Hot food is not safe. You need to use caution. Every time I make a chicken pot pie for myself, I know for a fact that the inside of it is like molton lava, so I am careful with it. I break the crust open and let all that gooey stuff cool a little. I blow on it. Most importantly, I don't dump it on my lap!
In the event that I am clumsy enough to dump a steaming hot chicken pot pie on my lap (or hot grits down the pants, as the trolls would say), I would not sue swansons for marketing such a dangerous product. The accident would be my fault, therefore my problem.
Were I on that jury, I would have ruled that McD's was right to tell that lady to buzz off and awarded no punative damages whatsoever. S* happens, that's why we pay for health insurance.
Information wants to be anthropomorphized.
Well who knows about a coincidence but Network Solutions is stepping up the Security of their service. We got an email yesterday at the company i work at about this.
"I INSTALLED LUNIX AND FPROTTED HIS TARBALL!!!!!@#"
Imagine going to the supermarket. While going around and finding the things your going to buy, you slip and feel because the floor is dangerously slippery. You not just fall, but you also brake your arm. I wouldn't look at it as unreasonable if you decided to sue the supermarket for having a slippery floor. And just as in this case, you can compare Nike to the supermarket and "you" to the ISP.
- cfelde
--
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
I mean - do you see any difference between "being hacked by bunch of hackers" and "being sued by bunch of sueing-addicted lawyers"? I don't see any difference. This is one of dark sides of democracy - being hacked and being sued ;)))
this field has been intentionally left blank
Can you really be sued for having your domain hijacked? I like the fact that these stories are posted, but it's really getting boring -- all of them ending with the same question, "Can you really be sued for X?" Come now, we're smarter than that... we know that there's a big difference between being sued and losing a suit. We are smart enough to know that anybody can be sued for anything. We are also smart enough to know that many lawsuits get thrown out because they are trivial or harrasing.
-- "In order to have power, I must be taken seriously." -Mojo Jojo
The most incredible thing about this whole mess is that the loser in question (the ISP operator) ADMITS that his server was cracked as well so that the crackers were able to add information to his named.conf and DNS database yet he is sueing Nike because of THEIR failure in security. Hypocrisy at it's finest. I hope someone mirrors his page where he freely admits this before he figured out how stupid he really is.
What do you mean, no other purpose? I use it for driving nails into a wall by repeatedly shooting them very accurately. It's faster than a hammer, really. Not only that, if you use hollow points, you end up with a neat shape on your wall afterwards.
Need a Python, C++, Unix, Linux develop
Just something else to think about...
I'm a leaf on the wind. Watch how I soar.
In the UK I recently had to deal with a similar situation - We were changing ISPs and we ran our own DNS servers so we had to get the registration updated with new server IPs. For the 2 domains I had registered there was no problem, but for one of them (registered way back by a couple of IT guys who hadnt worked there for over 5 years when I started!) we hit a brick wall.. Even though all 3 were registered to the same company, in order to change the 3rd one I had to get our CEO and company lawyer to send written confirmation (nothing electronic - they only accepted snailmail not email or fax) to the registrar that I was who I said I was and that they knew about this before they would update the registration info. It was a pain in the ass but overall I think it was a good thing.
# human firmware exploit
# Word will insert into your optic buffer
# without bounds checking
I had a
through fault of his own (he leaves it until the end of his rant), Smith's major contention is that he went through major difficulty to inform nike of what was going on, then they asked him to point his dns at their server, which he did, then they asked him to do the MX record as well, which he did, then millions of hits later he sent them a bill, and they were like "no sorry, we're not paying".
so unless he actually created the situation in the first place (possible - this guy tried to do business with amazon.com when he fired up amazon.gr a year or so ago) i reckon he deserves to get a cheque from nike for his trouble!
plenty of activists including s11.org would have loved to have seen 46 hours of nike email, which smith helped nike to get back into their grubby little hands by pointing his dns servers back at nike.com
pay the man!
In the Beginning,
The 'Net emerged from the primortial ooze of analog bit streams and flaky phone lines. The Denizens of this early 'Net learned about cooperation and fault tolerance, and it was good. As time progressed (fast forward) the uninitated, the normal citizens of the BBR, used to protection under the law and the burden of it's restrictiveness were unprepared for a world where there was no shelter for the expliotable under a omnipotent protector.
Seriously folks, the laws regarding 'Net crime are both vauge and largely untested. I think that Nike might be liable. On the 'Net you have to take total responsibility for your presence. Like every tinker and his brother on @Home, putting up insecure servers, it's you (Give me a sword of burning code and the arrows of design.), your box and the forces of darkness. The artical yeaterday about the unfortunate lack of a "hacker threat" does demonstrate the pricipal 'The bigger the name the bigger the target.'. Nike has spent millions (billions?) becoming a brand name that every 4 year old in America knows, and in accordance should be persuing security with due vigilance. The big expliots that security pros tell their children at night, the 'Net age boogie man, DDoS on Yahoo.com and others, IExplore that shut down part of MCI, have all been perpetrated on big names.
General System Fault:
Please sacrifice two chickens and a goat to continue.
Spyder
"Why didn't NSI think of this years ago?"
.blank.-digit number, for example .blank. The numbers used, other than the date, are sequential. Which means - guess what? - the numbers can be predicted with only a very little bit of work. Just include the predicted tracking number in the spoofed email, and there you go!
Umm....They did.
The email they send you has a tracking number, which you must include in the Subject field of any response you send.
Here's the catch - the tracking number is made up of the date and a
For a better description, check here.
reverend lola
the titanium sheep
provider of steel wool
The BugTraq discussion thread about this issue can be found here.
reverend lola
the titanium sheep
provider of steel wool
What next? Slashdot getting sued for Slashdotting servers?
-- "I can't tell the future, I just work there." -- The Doctor
Truth is, most keys aren't very secure, even double-sided ones (unless they're asymmetrical). The standard Schlage or Kwickset 5-pin lock has about 100,000 possible combinations (when there are 10 pin lengths)... but it's not unsual for two locks with similar but different pin configurations to be accessable by the same key. Once I grabbed a key at random from the garbage key bin, and imagine my surprise when it opened not only my apartment, but also my parents' home. Though the two locks were different, they were only off by a couple of pins which varied in length by 1 (up or down).
"Prejudice is wrong; you should hate everyone the same."
had reprehensibly bad security, and poor maintenance of their domain,
etc., it seems to me that could be indicative of negligence. I don't think
we will see that not having a 24/7 ERT will qualify as being negligent,
but I wouldn't mind if being just plain irresponsible with your computing
systems and DNS and etc. could qualify.
I know that my company's mail servers are queuing up a fair amount of
D.O.A. mail due to companies that don't have the brains to set their MX
records properly. It'd be nice if we could find a way to get those
companies to make amends for that sort of thing; not just to compensate us
for unnecessary use of our resources, but also to better encourage them to
fix it and make sure they don't make stupid mistakes again.
Think about it; we can't allow every damn fool ISP and dot-com to make
stupid mistakes that have negative side effects on our own networks. The
old social mechanisms of peer scorn and of retaliatory blockading don't
work so well anymore, both mainly because there are already too many damn
fools who aren't even aware of what they're doing wrong or thatanyone else has a problem. (Many of the new-skool dot-com admins treat
old-school admins with the same snideness that jocks treated the geeks in
high school with; e.g. of being "too picky" or "too anal" about network
config issues. Or even worse, will insist that the old schoolers are the
ones breaking things.)
As for Nike, in terms of being negligent: Who is responsible for all the
traffic going to the domain nike.com? It's Nike, who is the sole
advertsier of the domain. Nike's target audience is a segment of the
population that doesn't visit web sites unless (ironically) their URL has
been advertised on TV. So the amount of traffic going to nike.com is no
accident. I expect the plaintiff will argue that Nike is therefore
accountable for where that traffic actually goes.
If my dog, for example, gets loose and chews up the neighbor's azaleas, I
can be found accountable for the damage, because I was negligible for not
keeping him secured. Likewise, Nike.com may be held accountable for the
traffic they have generated for the nike.com domain going to the wrongplace, if it turns out they didn't take sufficient measures to ensure that
their domain wouldn't be rerouted.
Yes, this could have bad side effects on the Slashdot effect. I don't have
any ideas on that one, but there are differences between being negligent
with your OWN domain and simply drawing traffic to another person's site.
(Of course, if they rule this week that hyperlinks are illegal, that won't
matter anyway.)
--
Terrorists can attack freedom, but only Congress can destroy it.
You think that's a joke - but does anyone remember when Micros~1 tried to have a go at someone for publishing benchmarks about SQL Server performance?
"Wise men talk because they have something to say; fools, because they have to say something" - Plato
Security is definitely at question, but what's wrong with the ISP being bogged down. AFAIK, the ISP really doesn't put limits on how much bandwidth a customer can use. Unless it was in the terms of the contract somehow, I don't see how this ISP could possibly have a case against Nike!
When you buy coffee, do you expect it to be near-boiling? Do you expect it to cause third degree burns if spilled on you?
I mean this is a world of lawsuits now. If I can blame a problem on someone else regardless of whos at fault......LETS FILE SUIT, While Where at it I still need money for smoking cause the tabbaco companeys made me smoke, and Drinking I must sue BUSH cause they made me drink.
Welcome to the New Golden Age
Free Unix? Free Windows. http://www.reactos.com
Will this be the first time a person or organization was sued for not having strong enough Internet security? If so, then I'm glad it's happening just for the reason of getting the precedent set. Personally, I think that such a suit is somewhat scary: what if someone cracks my FreeBSD box at home, uses it in a DDOS attack, and my ISP (who is currently very nice to me) decides not only to terminate my account, but sue me? If such a thing became common, it would be an anti-boon for many individuals or small groups who want to run their own servers and don't have a large IT staff to manage security for their site. ISP's could say "Use our hosting services or take the chance of being sued". Yikes!
Washington, DC: It's like Hollywood for ugly people.
This guy is in the U.K.
---
how do we know it wasn't a set up and that it was the this Smith bloke who hijacked nike.com, or got someone else to do it for him.
i mean - it's a nice and easy way to make money
------------------
So, let's get this straight...
This suit is patently ridiculous and should get thrown out as soon as Nike's lawyers say "We had nothing to do with this." Then the lawyers should say, "Here's our counter-suit for this bonehead aiding the hax0rs." Nike does have a legitimate suit against Smith and NSI.
It is Smith (or his host) who is to blame for lax security on his own box, and NSI who is to blame for their incompetant SOP for domain transfers.
-sk
--
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
It's the case where a thief got into your car (by your lack of adequate security) and banged into the third person, then you are in some aspects partly responsible for the accident.
Because it was with your "careless permission" (note the meaning), that the thief got into the car!
The same applies to this case. You should choose your domain incharge carefully, otherwise all you may get is these lawsuits!
Think about it idiot. Nike can't be held responsible for this. It wasn't even their servers that were hacked. Someone changed the Domain Name database at NSI. NSI has a history of changing Domain information on request of hackers so how can Nike be blamed for that. This guy has no case and should be required to pay a fine for wasting the court's and nike's time.
Often when people launch frivolous lawsuits, the company will settle to avoid legal fees and embarrassment, in some situations, the person suing can play for sympathy (like that pathetic old lady that dumped coffee all over her lap, and sued McDonald's for the burns).
I'm going to have to write this URL down, I keep looking for it so often.
http://www.injurycases.com/coffee.html
(The emphasized parts above were done by me.)
Jay (=
Nike says they did use crypt-pw, so someone's lying here. I have no idea who.
I don't think Nike's security is to blame at all for this, unless they had too secure a site. It makes sense in a strange way, I mean you finally get all the exploits and bugs ironed out of your IIS, everything is singing quite nice, and there haven't been any hack attempts on your page in a dogs age. So people have finally figured out that there's a really great way to create the illusion of defacing a web page, and it requires much less effort than actually looking for security holes. Enter the age of the DNS-submission-form-kiddie.
Clue number one should have been that the Admin contact ws listed as "ph34r m3".
Fist Prost
"We're talking about a planet of helpdesks."
-Jaron Lanier
I thought that we called people who hyjacked web sites script kiddies.
So quick with fear you tiny fools!
My point was to look at the issue more generally than our usually narrow computer-driven perspective, and to draw analogies in other places which might make the mess a little less murky, and a little less of a technical "did they have x and y and z procedures in place" without the benefit of a larger perspective. In this particular case, my intention was to demonstrate that while we could get bogged down in a bitter and detailed "blocked services" and "secure passwords" (and so on) discussion, it could be reduced to a simpler, albeit still familiar, problem by drawing a parallel with which we are all familiar.
:)\n"
if ($user =~ m/shaldannon/i) {
print "\n-- $user
}
What is your Slash Rating?
Are all of Nike's commercials stupid?
No. I thought the Y2k commercial was hilarious.
Do I have to pay for overpriced Nike products?
No. I don't have to buy them.
Do I care if Nike gets sued?
Yes! When some moron who has some how managed to avoid "natural selection" all these years sees the judicial system as a means to make a quick buck.
I'm not a big fan of Nike, but I already know I hate this guy even more. First the try and extort Amazon thing, and then this. This guy probably gets christmas cards from his attorney every year thanking him for keeping the law office in business.
"The words of the prophets are written on the Slashdot walls."
That's the funniest thing I've read all day :)))
;) )
:)\n"
(and no, you don't need to feel obliged to get me on their spam list
if ($user =~ m/shaldannon/i) {
print "\n-- $user
}
What is your Slash Rating?
-sk
You buy a goat, 'cause you like goat milk. Then some guy shoots your goat with a gun that somebody else left lying around in some unnamed fourth party's unlocked car. But, get this... the GOAT DOESN'T DIE! So then the guy with the gun (Guy-sub-Alpha) sues the owner of the car, for leaving his door unlocked so that guy-sub-alpha could steal a gun that was incapable of killing a freakin' goat.
And there you are with a bloody, wounded goat on your hands, wondering what happened.
You see what I'm saying?
There's hypocrisy, and then there's hiphoprissy.
Hope this helps.
(yea, yea, axe my piddlin' karma)
This is all true...unless you research the company or have your footwear custom made...there is no way to know what conditions your shoes are being made in...for all you know its probably sweatshop labor.
Tho personally...I prefer to goto k-mart and pay $10 for a nice pair of flimsy velcro instead of lace sneakers. They last about a year...but at about $10/pair...its not too bad.
"I opened my eyes, and everything went dark again"
No, of course not in this case, but what it reveals, is that real-world analogies fail with net for one reason. Anonymity. As long as everything isn't traced and supervised by big brother, these things will continute to happen. Face it. If same kind of anonymity where possible (in large scale) at real world, the villains wouldn't get caught (in large scale again), and who would pay for stolen goods? Nobody? Or owner of the car? The latter of course.
So, for your own safety, accept the future. It's really no big deal, since there really is no anonymity in the real world too. It's temporary privilege for netizens now, but not for long. There must be some reason and order in net too. I've spoken.
Watch Judge Judy (or people's court). A law suit does not require a reason. I can sue Commander Taco cuz he gave me intestinal distress. Doesn't mean I he automatically pays me 1,000,000 $. Taco, send me $100,000 or I will sue! People who sue for stupid reasons are lusers.
Yes, he may have been inconvienenced by this. Now, if he wants to sue someone, sue the hackers that were responsible. Hell, sue Network Solutions for their screw up. Nike isn't the one that did something wrong.
Personally, I think it's part of being on the internet. To me, this is the same thing as owning a store on a street and trying to sue the store down the road because protesters gather out in front of it and the traffic jam they cause hurts your business. Sorry. C'est la vie. It's life, get on with it.
I've worked in customer service and tech support for an ISP before. Tell your clients what happened and most of them will understand. If you loose a few customers, that's business. They can go to another network and the next domain hijack can hurt them again. Most people realize that they can be hit by this anywhere on the net, regardless of their network.
kwsNI
Why may I ask would they be, if they are a big web-hosting doing the following: (direct quote from www.shameonnike.com) "The file [nike.com.dns] was recognised by our server as being valid on the next scheduled reboot. We reboot three-four times each day depending upon how many new domains we are registering for clients through FrugalNames, FrugalHosting and or FrugalPlus." If they are really that worried about security I guess the reason they are rebooting would be to flush out anyone who's attacking them and make sure that any trojans that they've added have been activated??
check out http://slashdot.org/comments.pl?sid=links....
This doesn't seem that different from M$ providing a way for "I love You" type bugs from being created and spread so easily. Seems like they're more responsible in that case that nike is here... -ryan
Nike gets sued for having their domain hijacked and therefore having some ISP suffer from all the extra traffic.
:)
This doesn't quite make sense.
Thank god people weren't thinking this way back in February, or the targets of mafiaboy's flood would have been sued for the same reason.
Unless they were and I just wasn't paying attention...
--
* Q
P.S. If you don't get this note, let me know and I'll write you another.
The ISP obviously did not prevent such bandwidth from being redirected, which might have foiled the hacker's attacks on Nike. So Nike should sue the ISP. Isn't it nice that Sun Microsystems has taught us to compete through litigation? Use competitive litigation while you can, before sun gets a patent on this innovative new business practice!
Please note the light mood in which the post was made, and the general responses (especially the 'Funny' moderation). Sit back, relax, and enjoy the show.
Also, it's not quite certain that NSI didn't screw up - if the email came unencrypted and they made the change, NSI is at fault. It was supposed to be encrypted, and they claim that the forged mail was supposedly from the billing contact, who doesn't have authority to request those changes anyway. 0 for 2...
I wouldn't put a lot of faith in the guy raising the suit (not clear whether he was the one who initiated this in the first place), but Nike should have a case against NSI if the other points hold true. I can't see how they 'deserved the hack'. NSI may be hapless (that's never been questioned), but in this case they may have been willfully negligent, and there are many reports of the same problem with other domains they control. We'll see what happens. Should be interesting.
"It's tough to be bilingual when you get hit in the head."
First, Smith is in the UK (apparently).
Second, s11.org is in Oz. (I checked the IP block of www.s11.org, and it's served by Telestra, so it doesn't appear to be an Oz site based on Smith's UK server.)
These together make it hard to see why Smith has any involvement.
Third, to get to s11.org took more than an Internic entry. It took a name server that resolved nike.com to s11.org which was pointed to by the bogus NSI record.
Fourth, s11.org's site is on a named virtual host. If someone provided DNS without s11's knowledge, nike.com would have resolved to "GreenNet Australia", which is the default.
It seems that the only solution to satisfy all of these conditions is that s11.org (and / or GreenNet) were involved up to their eyeballs, since the VirtualHost record could only have been created on their site. Obviously they wouldn't have done that had the DNS not pointed to them, and to point a name server to themselves, they'd have had to control the Internic record.
Unless a) someone else hacked Internic and pointed the name server to s11, and, seeing the requests, they added the VirtualHost opportunistically. Or b) GreenNet was also hacked.
In any case, I don't see Smith's involvement here, unless he was the one to set up the name service for a) above.
I've transferred all my regs from NSI to Tucows mainly because of the ease of domain hijacking, and NSI's security is certainly the source of this problem. But I'm totally unconvinced that it happened as the Wired reported presented.
I bet Smith thinks he's just purchasing a ticket in the American Legal Lottery. He probably doesn't realize that frivolous lawsuits aren't any more socially acceptable in the US than in the UK.
People outside the US seem to think all US citizens are rude, poor listeners, carry guns, and sue each other at the drop of a hat. If Americans don't fit that image, they are assumed to be Canadian.
Seriously, I was asked in Australia, "Did you bring your gun to Australia?" Pretty sad. I'm not a gun-control supporter, but I don't own any guns either.
include $sig;
1;
They can both be telling the truth - Nike could have printed out the crypt-pw source and papier-mache'd it to the monitor ("Look ma, can't see it, it's secure!"). They may have *used* it, but in using it they did not necessarily use it *correctly*.
You could be sued only if they can get $$$ from you, I think...
...if a kid falls in and drowns. Same principle.
If I go to punch John, and I hit Alice too, should Alice sue John?
-sk
That poor, bloody goat.
"Prejudice is wrong; you should hate everyone the same."
nike asked these idiots to re-route nike traffic until network solutions could fix the problem.
they did.
nike says thanks for letting us fuck you hard, but you deserve nothing more than our gratitude.
nike gets sued.
slashdot roars into action about frivolous lawsuit.
I happen to agree with you completely. It's amusing that you were moderated to -1 by someone.
Need a Python, C++, Unix, Linux develop
IMPORTANT ACCOUNT ENHANCEMENTS SCHEDULED: SECURITY UPGRADES*
MAY REQUIRE ADDITIONAL STEP BEFORE CHANGES ARE MADE
*************************************************
Security for our customers has always been a top priority
at Network Solutions...
Was I the only one who got a chuckle out of that?
Don't want to pay Lars? Sue him!
I think the difference between the two examples lies in the intended purpose of the given instrument. Yeah, a car can be used to kill a person, but I think a reasonable person (ie. juror) could not conclude that the owner would know, beyond a reasonable doubt, that the intention of the thief would be to use the car for nefarious purposes. However, they still may be considered negligent, but that would be a prosecutorial determination made in applying charges.
A gun on the other hand, any form of negligence would be considered gross, since it's uses are limited.
I'm not a laywer, so these are just my feelings/opinions on the subject.
-buffy
Sorry attempt of trolling this really. You can do
better, right? Sheesh where is this site going,
good old trolls fall for flamebaiting. It's a
shame, I tell you.
Once again people are losing out because of lawyers/Judges perception of damage / abuse. I am sure that the judge that took this case doesn't know what "Packets being routed" means , he will probably file it under sexual abuse in his archive. Please America, sort it out. Ill hate it if the UK starts on the suing drug coz we have enough problems with censorship as it is.
The difference to most people is simple...the primary use of a car is transportation. The primary use of a gun is to lodge a projectile in a target, causing damage. The nature of the gun is significantly more malicious than a car. You can use a car to kill someone, but that's not the normal operational nature of a car.
In my opinion, there should not be a difference. If you leave a loaded weapon around and someone uses it to commit murder, there is one person to blame: the person who picked up the gun. Now, if you left the gun there specifically for another to pick it up and use it for a crime, then you're an accessory, but that's a whole other situation.
"That's Tron. He fights for the Users."
where is this box that you are stepping out of? Is it the same box that people think outside of, or is it a different color?
"It's tough to be bilingual when you get hit in the head."
This is true. Really, Smith should be suing NSI, but it's already been demonstrated numerous times that NSI can't be sued. If Nike were to sue NSI, it might be possible to set a new legal precedent making it possible to sue them again in the future.
I've worked in customer service and tech support for an ISP before. Tell your clients what happened and most of them will understand. If you loose a few customers, that's business.
This is also true; I've also worked in customer service/tech support at a couple of ISPs.
--
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Yeah. Nike was quakin' in their "air-what-the-fuck-ever"'s. They probably, like most large corporations, have a legal department that could qualify for third world country status. Even if this lawsuit had merit, Nike would win.
Shift happens. Fire it up.
but it's already been demonstrated numerous times that NSI can't be sued.
Why not? Is it just that they have good legal people? I can't recall any case of someone claiming that NSI caused problems for a third party through negligence. Only their customers.
Sure sounds like the lot of us agree - this is a needless lawsuit brought on by some schmuck vs. deep pockets.
So, how do we change it? How do we enact real tort reform in this country? How do we put a cap on punitive damages vs. real damages?
This is not the fault of the lawyers or the plaintives but the system. How do we change it?
Slashdotters living outside of the States: What do your respective home governments do about this? Do they allow silly lawsuits over errant packets and spilled coffee? Are there caps in place?
Nike Rerouted
ISP is Hopping Mad
NSI to Blame
"It's tough to be bilingual when you get hit in the head."
any judge with half a brain will see that and throw the case out.
So all Nike needs is a judge with at least half a brain. This could be harder than you make out.
Dear Customer,
* **
* **
* **
* **
g uardian/
c ontact1/
c ontact2/
IMPORTANT ACCOUNT ENHANCEMENTS SCHEDULED: SECURITY UPGRADES
MAY REQUIRE ADDITIONAL STEP BEFORE CHANGES ARE MADE
***********************************************
Security for our customers has always been a top priority
at Network Solutions. Now we are taking that even further
as we merge with VeriSign, one of the industry leaders in
Internet security. We all recognize information security is
vital on the Internet, and we want to assure you that we
constantly monitor security and maintain systems that help
protect you and your information. This message is about
changes in our guardian security system.
WHAT DOES THIS MEAN FOR ME?
***********************************************
When you first registered your domain name you may have
selected a security option. You then currently have one
of three Guardian authentication methods: "Mail-From,"
Password (Crypt-PW), and Secure Encryption (PGP).
With our upcoming upgrade, customers who have not yet
selected a security option will be migrated to "Mail-From"
security. Customers who currently use the "Mail-From After
Update" Guardian authentication method will now have to
respond to an e-mail security check before the requested
changes will be implemented. Customers who currently use
existing Guardian security options do not have to make
any changes at all.
WHAT WILL HAPPEN WHEN I REQUEST A CHANGE?
***********************************************
NSI is enhancing "Mail-From" with an additional e-mail
security check. Specifically, NSI will e-mail a validation
request to the specific administrative and technical
contact listed for a domain name before making any
modification to that domain name. This means, if you have
"Mail-From" security, NSI will no longer implement a
requested change until we receive e-mail verification
confirming authorization from either contact. It's an extra
step, but it's worth it to protect your account.
WHEN WILL THIS HAPPEN?
***********************************************
We have scheduled the modification for Saturday, July 8,
2000, so you should check your account information to see
if it is correct. Actually, it's a good idea to check your
account periodically anyway.
To make modifications easier, we provided easy-to-follow
instructions on our web site at:
http://info.networksolutions.com/go/t/security/
Additionally, we updated the contact form FAQs, which can
be found at:
http://info.networksolutions.com/go/t/security/
Please note that we continue to enhance security. Future
security plans include the use of VeriSign certificates
for authentication. But don't worry; we will keep you
completely informed about these upcoming changes.
If you have further questions or concerns about this
current security upgrade, please contact our Customer
Service Department at:
http://info.networksolutions.com/go/t/security/
Sincerely,
F. Michael Kyle
Vice President, Customer Service
Network Solutions(R)
a VeriSign(R) company
Hello little man. I will destroy you!
Your case doesn't have to have merit in order for you to file it. This doesn't mean the opposing lawyer can't immediately file for summary judgement and get it thrown out.
Netsol updated the nike.com NS records based on a bogus email.
This ISP had their nameserver hacked, and the hacker created a nike.com zone.
And.... nike is at fault? None of this had anything whatsoever to do with any system even remotely controlled by Nike...
I *really* hate it when people misquote the rhetorical questions used to illustrate legal principles....
The original rhetorical question is "if one were to leave a loaded gun ON AN OPEN WINDOWSILL and a passerby picked it up..." The key phrase is "open windowsill" - it's at a location where the owner is nominally in control of it, but anyone passing on the street could easily grab it. Hell, it's at a location where it could be easily knocked out of house without deliberate effort. The gunowner is clearly acting negligently.
(A modern analogue to this question is someone leaving a gun in plain sight in a locked car. This requires smashing a car window, but the risks of a parking lot "smash & grab" are less than a home burglary.)
In contrast, put the gun more than an arm's length away from the window and it's *far* harder to claim that the owner is negligent. Put the gun out of reach and out of plain sight (e.g., in a closed nightstand or a locked glove compartment) and claims that the gunowner was negligent if the gun is subsequently stolen start to wear very thin - by that metric, some people will argue that their responsibility *requires* that they keep their gun on their person at all times!
N.B., the cited quote doesn't even posit that the gun was stolen from a house or other area where the gunowner has a reasonable expectation of sole dominion - he's trying to bring to mind the image of a latter-day Johnny Appleseed prancing through a park tossing out loaded guns. Of course that's an unspeakably reckless act.
For some reason most people here seem to assume that he's refering to home burglaries, and while it's true that some jurisdictions have vicarious liability laws the general principal remains - as a rule people aren't held responsible for reasonable omissions, and almost never when those omissions are required by reasonable actions.
(E.g., you put a pie on the windowsill to cool, someone steals it, burns their fingers or mouth, and sues you. They'll have a *very* hard time winning since you had to put the pie *somewhere* to cool.)
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
With this ISP's way of thinking I could simply brak into someone's home, take a gun from their stand beside their bed, go into town, and kill someone. The person who's home I broke into would then be sued for having the gun in a place that a burgler would look. Seems logical to me. Cheers and Happy HIjackin'
---
---
Rob Flynn
Pidgin
A nail gun is actually a tool that's meant to be used in construction
And I would say the samething about a nail gun as I would the car. But I don't consider a nail gun to be the same as a pistol.
The more problematic place to draw a line, would be dynamite. Since that is a tool as well. But being very dangerous, it needs to be kept secure.
Nothing's black and white. You have to judge it case by case and different people will judge it differently. But I would say that you need to take into account the availability of the weapon/tool and the likelyhood that it will cause damage.
I would hold responsible if an adult gave keys to a 10 year old and said, go ahead and drive. But I won't blame the adult if the 10 year old took the keys from the table and went out and drove, although there could be blame for raising that kid.
Ok, I had enough of being Offtopic
Steven Rostedt
Steven Rostedt
-- Nevermind
What I find funny is that on S11's site they actually thank Nike for the extra traffic. This is what is says...
NIKE DISCLAIMER: This site's administrators have no idea how or why the nike.com page was redirected to s11.org and do not condone this action, however we do thank nike for the extra hits.
------------
Tonight on Fox: Deadliest Executions Part XVII
...or when Microsoft wanted to include the number of HTTP sessions in amongst the number of NT user licenses :) what a bunch of morons. I get so sick of hearing about how brilliant they are.
so sue me :-)
as for nike deserving the hack...well, it's a tough call maybe. but, keep in mind that they are not well liked by anti-corporate types and there's good reason for that.
regarding the loose security, i had a friend whose domain was similarly misplaced by his chosen provider, for essentially the same reason. i think that the lowest security level on these things is a sham. do these companies want domains hijacked???
sig not found
This is the same guy who registered "amazon.gr" and then tried to "partner" with Amazon.com. Not to repeat what's already been repeated, but this does reek of trying to use the legal system to make a fast buck. While most /.ers are in agreement that the case is frivolous, stupid, irrelevant and totally uncalled for, there is the problem that the judges and juries who decide the cases frequently do not understand what's really going on. That's where those analogies start to come into play, and whoever has the more plausable, convincing analogy wins. Legally, this is actually a pretty precarious time. Technology is moving forward at incredible speeds, but the judicial system is still figuring out how to cope with the new medium of the Internet. In many cases, the judges making the rulings don't know about the technical aspects, nor do they care to be enlightened beyond one or two sentences. I am reminded of many years ago, when cordless telephones were just entering the mainstream. Initially, the courts ruled that because cordless telephones transmitted on an FM band, they fell under the category of "radio" rather than "telephone," making tapping and recording without consent perfectly legal. Since then, that decision has been reversed. As far as I can see, until the judicial system becomes more familiar with the Internet, with domains and with how technology functions in general, there are still going to be a great deal of frivolous lawsuits, legal reversals and wrangling back and forth about who owns what and how what gets defined. Remember, the U.S. legal system was established back in 1787. It wasn't designed for the pace of the modern world.
----------
Something cleverTechRepublic.com also has an article titled Could a DDoS attack land you in court? Experts say yes
Do your best, hope for the best, suspect the worst.
I would say the differences is that a gun is a weapon and a car is a tool made for transportation.
Yes a car can kill, but that is not the purpose of it. A gun on the other hand doesn't really have any other purpose but to kill.
Tell me, how exactly is this a difference? Why is the purpose of a tool more important than the use to which it is put? A car may have transportation as its primary use, but it can be far deadlier than a simple handgun. It requires less skill, has greater range, and offers a level of defense to the user. If I wanted to kill a large group of people, and didn't care about getting caught in the process, I think I would choose a motor vehicle as a more effective weapon. It also has as an advantage the fact that people won't see it as a weapon until I use it as such.
Once upon a time, a man in California named Dr. Kubota developed a set of self defense techniques that could be used by businessmen carrying an implement that they generally had on them. Namely, a metal pen such as a Cross or Parker pen. He discovered, however, that the techniques were far too dangerous and it was difficult for the users to defend themselves without either killing or seriously injuring their assailants. You may not consider this a bad thing, but he did.
He developed a new device he called a Kubotan. It was a cylinder of plastic or metal 5-6 inches long with a .5 inch diameter. In many states, the metal version is illegal. In some places the plastic version is illegal. Keep in mind that it exists only because it is safer than a metal pen which is legal everywhere.
Mag manufactures a small aluminum flashlight that takes two AA batteries. This flashlight is functionally equivalent to a metal Kubotan except for the fact that is also provides illumination. It is also legal everywhere.
Many martial arts weapons are actually farm implements which were put to use as weapons out of necessity and the desire to get around laws banning weapons.
Now, a gun is an extremely dangerous weapon. In a house with children, it should be kept locked up when it is not in use, and it should not be left out around people you don't know. Maybe the same restriction should apply to cars. It is certainly a tragedy when a child gets access to a gun and an accident results. It is also, however, a tragedy when a child gets access to a car and an accident results. I don't know the statistics, but I would be surprised if deaths involving children trying to drive cars were not far more common than deaths involving children playing with guns. The difference is that deaths involving guns involve guns.
You said that regarding the gun issue you are neutral, and I think you really believe that. However, your position implies that at some level you have a perception that guns are fundamentally evil in a way that cars are not.
Somehow, I don't think that the concept of original sin should be relevant.
pornking
Did I mention IANAL?
Ushers will eat latecomers.
IP is just rude.
Is there any torture so subl
ahh but NIKE did not hing wrong, NSI was the one who screwed up. They did not get hacked, waht happened was someone hijacked the domain and rtedirected it to that guy. Now they have a right to complain about NSI letting this happen.
Again they did nothing wrong, why should the take the blame for something that they should not, doesnt matter how big or small you are in this case. It's a BS lawsuit.
this space for rent
Do i expect i should be careful when handling something i KNOW is hot? How hot it was is irrelevent; she spilled it herself, with no help from anyone. Its nice to know that i can get compensated whenever i am careless or clumbsy.
This sounds an awful lot like reporting that you were raped, then getting arrested for lewd conduct.
If I left my parked car unlocked and someone hopped in and stole it - proceeded to drive down a freeway, had a accident and caused a major traffic pile-up where several people died, would I be responsible?
I would say no.
Actually, teh funny thing is that in New York (and until recently in Illinois), under a law known as vicarious liability, YOU are responsible for the actions of your vehicle, EVEN IF SOMEONE STEALS IT!!!!
Rental car companies hate this law. I don't know if other states have it, but the rental car agency I used to work for had locations in Illinois and New York that were constantly getting sued... A great example is one that happened in New York. Lady rents a car from us and drives it home. She lets her SIXTEEN YEAR OLD son drive the car. Now, this is wrong in two ways. Our rental agreement says nobody under 25, AND if their name/driver's license isn't on the contract, they can't drive the car. So anyways, he takes this car around, and mows down a five year old kid on a street (The poor kid spent two months in the hospital, but is OK now.) The best part is, the cops wind up sending the kid home in the car, even though they found it was a rental. Even better is that this kid doesn't tell his mom what happened! Three months later, our rental agency gets a lawsuit for $3 Mill (BTW - The kid and his mom were named co-defendants, so this is when she found out about it!!). I never heard how the case wound up as I left the agency before it went to court...
Anyway, the rental car agencies hate this law so much, that they banded togehter in Illinois and gave LOTS of money to the state legislature to get it removed there...
You can't seriously think they are the bad guys here. NSI is at fault for bad security, end of story. The bad guy here is the ISP, who is suing based entirely on greed. Also at fault is American tort law which allows for compensational damages. (dumb)
Just because Nike is a huge corporation doesn't mean they are automatically bad. And you can't sue a company for making stupid ads.
Where would you be without huge corporations like Intel, GE, GM, Nike?...Probably using a typewriter, in the dark, with no car and bare feet.
Grow up.
Remove the NOSPAM to spam me...
This site has the ISP's POV. Mostly it's a lot of "poor little me" crap, but they do give more information on how this actually occurred.
I stole this sig from a more creative user.
I agree, the issues are negligence vs. due diligence where 'due diligence' means acting to the best of your ability. The catch is that acting to the best of your ability means that you will be held to a standard percieved as average or higher, depending on your perceived expertize. Note that doesn't mean you need to be perfect, just competent and acting in a non-negligent/due diligence way. If Nike knew about the security problem or can reasonably be expected to know, then they are expected to react on that information to either solve the problem or attempt to solve the problem. Litigation against them needs to prove that they did act in a negligent manner as compared to their peers. This, in spirit, doesn't sound a lot different from proving negligent endangerment.
The best way to protect yourself from successful litigation against you ( I don't think there's anyway to protect from all litigation) is to act in a responsible manner and document it.
on #1, come on. this is a multibillion $ global organization. do you think if i slipped and fell on the sidewalk in front of their sweatshop, they would lose in court? yeah right. on #2, yes you are responsible. unles it is your child doing the rampaging. everyone knows marilyn manson and dr. dre are responsible for your childerens actions...
Shift happens. Fire it up.
Nike left no loaded gun lying around. It wasn't their lack of security, it was Network Solutions. Even if Smith is right and Nike chose the lowest security model, so what? NSI is the ones who were offering it, right? Smith is basically saying that the low security model is itself criminal because it's too easy to break. And yet, it was Smith's system that was hacked, in order to introduce the Nike DNS info on his box. Who's security is actually at fault?
You want an accurate analogy? Okay, here it is: I buy a car. Some guy goes to the manufacturer of my car, tells them that it's his and he needs another copy of my car key. The manufacturer just fucking gives it to him, he steals my car and drives it into some guy's store, smashing it and causing a lot of damage. The store owner sues me because I didn't buy the super deluxe model of the car that comes with a code-activated alarm system. Well, shit, what was I thinking?
I ask you: which analogy is more accurate? Who is really at fault?
"Prejudice is wrong; you should hate everyone the same."
The proper analogy isn't like leaving "a loaded gun laying about and if another person picked it up and killed someone with it" like Smith says. Rather, it's like a car (Smith's server) being hit in a bankrobber's (crackers) getway chase (from NSI) from the bank (Nike.) Now who would sue the bank in that situation?
-sk
Careful. That kind of talk is probably restricted by your EULA.
Shift happens. Fire it up.
Do you honestly believe that Reebok and Adidas don't employ slave labor and overprice their shoes?
I've seen reebok cross-trainers for over $100. Simple shoes... I don't know a soccer player who has a pair of good Adidas cleats for less than $100.
If Nike were gone, Reebok would take their place quite quickly. Don't fool yourself into thinking one company has more morals than another. It's all bottom line for them...all of them.
And another thing, Nike makes decent shoes... There are better, but for some people a $25 pair of flimsy All Stars isn't going to cut it.
Remove the NOSPAM to spam me...
This is just what happened to Harris last week!
I suppose that, just as last week, some AC is going to shoot off their keyboard, saying how they'd not want to do business with Nike due to their obvious ineptitude, letting their domain get hijacked through inadequate security and all.
{/rant}
NSI has obviously got to go. Their services are vital; I'll admit that. Their execution is just awful. As much as people talk about the 'net as free, much of what the internet is to the average joe is handed down from ivory towers like NSI.
Domain names aren't necessary, but they sure do make life a lot more fun and user-friendly. NSI provides a service to the community, but they need to have some kind of accountability.
If NSI is truly a private organization, the most direct way to institute that accountability is to hit them where it hurts-- their pocketbook. Perhaps Nike, Harris, and all the other domain registrants that have had their domains hijacked because NSI wouldn't follow their own security policies should file a class action suit against them, and shake them down a little
NSI will now join a growing list of organizations that have gotta go:
- Internal Revenue Service
- Department of Education
- Environmental Protection Agency
- Department of Energy (give good stuff back to DOD first!)
{Lightbulb turns on} In the meantime maybe there should be something like Gnutella that would be used to keep domain name servers going without the services of NSI and all the other domain registration companies. With no ivory tower to become bloated or irresponsible, these kinds of attacks couldn't happen!Jeff
Nike left no loaded gun lying around. It wasn't their lack of security, it was Network Solutions. Even if Smith is right and Nike chose the lowest security model, so what? NSI is the ones who were offering it, right? Smith is basically saying that the low security model is itself criminal because it's too easy to break. And yet, it was Smith's system that was hacked, in order to introduce the Nike DNS info on his box. Who's security is actually at fault?
You want an accurate analogy? Okay, here it is: I buy a car. Some guy goes to the manufacturer of my car, tells them that it's his and he needs another copy of my car key. The manufacturer just fucking gives it to him, he steals my car and drives it into some guy's store, smashing it and causing a lot of damage. The store owner sues me because I didn't buy the super deluxe model of the car that comes with a code-activated alarm system. Well, shit, what was I thinking?
I ask you: which analogy is more accurate? Who is really at fault?
"Prejudice is wrong; you should hate everyone the same."
Nike is rich. ISP needs money. America. Sue, easy money.
Exactly how did his ISP suffer? Emotional damages? Those big, bad packets scare customers away?
Light a fire for a man and he'll be warm for a day. Light a man on fire and he'll be warm for the rest of his life.
In a world where someone can successfully sue for coffee being hot, what do you expect? Some lawyer just smells money, I bet.
Insert wit here.
Interesting. It's like I have the right to do a full security audit on everyone else's servers since any one of them has the potential for being hacked, and thus could be used as a place to hack MY servers.
Can you get sued if you leave your keys in your car, and someone goes out for a joyride in your Saturn and drives through a shopping mall(like the Blues Brothers)? If so, it's time to do a big security sweep, MY profits are at stake!
For hiring 8 year old pakistanis as sysadmins.
- My password is slashdot
Shit, what's next? Will you be sued for having an angry mob smash your house up because they blocked the road you live on? This seems to me like a blatent attempt by an ISP to make a quick bit of cash off of a flimsy excuse, something which the US has a lot of unfortunately for it, and anyone that gets involved with it.
This bloke seems like a bit of an arsehole anyway - setting up an online bookstore called Amazon.gr is not the actions of someone who is really dedicated to starting up an online business, it's the actions of someone trying to cash in on the dot-com craze.
If I were Nike I wouldn't be too worried about this at all - the guy is an idiot out for easy money and any judge with half a brain will see that and throw the case out.
---
Jon E. Erikson
Jon Erikson, IT guru
...for hijacking my servers. Slower than molasses. I guess I shouldn't have installed Win2000.
This has got to be the first lawsuit involving Nike in quite some time that hasn't had anything to do with exploitation of child labourers in sweatshops...
kudos for finding something Original to sue Nike for!!!
bet they didn't see that one coming!!
sue the ass off of Network Solutions!
"If anyone screwed up, said Casler, it was Network Solutions, which apparently allowed the hijacker to change Nike's registry information on the basis of a spoofed email from the Nike billing contact -- a person that did not have password authority to make changes to Nike's domain status."
Yeah, everyone knows that they are a bunch of swindling, boorish jerks. We've heard it before, we'll hear it again...
On a more realistic note, I don't think that Nike can/should be held repsonsible, if in fact, NSI made a change due to an email from an unauthorized account (the billing contact). More details need to be seen on this one - still not good, whatever happened...
"It's tough to be bilingual when you get hit in the head."
I notice that he's got the Nike executive email addresses all over the site but no mention of how we can contact him. That seems a little odd, or maybe he realizes how idiotic he is, so he doesn't want to be contacted.
This guy claims that Nike was negligent by only using mail-from authorization with Network Solutions, allowing anyone who can spoof an email to hijack their domain. Apparently, if Nike is to be believed, they had crypt-pw security, but NSI simply ignored it. The article claims that NSI has done this before. If all this is true, then I'd say the guy has a pretty good case against NSI, and that Nike probably does as well.
Yo dawg, I heard you like the Ackermann function, so OH GOD OH GOD OH GOD
It appears to me that there are some parallels between domain hijacking and airplane hijacking :)
:)\n"
It seems that if you take reasonable precautions to prevent hijacking, then you shouldn't be held liable for one that takes place. On the other hand, if you're wide open (e.g., no metal detectors at the terminal), then you deserve a lawsuit.
Not being familiar with Nike's security precautions and procedures, I can't speak for whether they were reasonable or not.
if ($user =~ m/shaldannon/i) {
print "\n-- $user
}
What is your Slash Rating?
...implying that this lawsuit is frivilous, when it doesn't sound frivilous to me.
Nike is negligent for not using crypt-pw or PGP authentication to protect its domain records from being hijacked. That negligence lead to someone else's site from being hammered. If that person happens to pay extra for extra traffic to their site (as I once had to--most folks pay based on how much traffic their Internet pipe uses), shouldn't Nike be held accountable?
NSI allows you to select the level of security you want to protect your domain changes. If you choose an insecure, easily spoofed option, it's your fault! With all the news stories about domain hijacking, are Nike's security folks just asleep at the wheel?
-core
Shit man! So much for my days of bashing the corporate lobbying of legislatures. You just provided a perfect example of the good that they can do.
hmm.
guess i'll have to find something else to bitch about now.
primary nike.com nike.com.dns
So, doesn't this sound to you like the guy is admitting that he was the one who hacked Nike? "Err, yeah, evil hackers broke into my system and modified my boot file! That's the ticket!" Maybe he should be a little less transparent in his attempts. (First, "amazon.gr," now this.)
If this scares anyone it should be sane people that don't sit before computer monitors writing code all day, surfing the web all day, worrying about tech. stocks, pissing and moaning about Intel or Microsoft or commercialization, constantly checking email, needing "Bigger, better, faster!" technology, and just being a whiny weak willed repressed fool who sits around thinking that everyone else's actions should make some kind of impact on his life.
No sig for you!!
Subj!
It's open to public scrutiny that Smith is unscrupulous and out to make fast money from whomever he can, and the US Court system will not look kindly on someone like him trying to waste their time.
At least, I can hope.
Lets see without nike the world would be a better place. For one, kids could afford to buy reeboks or converse or adidas. Without the High prices of nike then the other companies wouldn't have to be like them. Why cant we all just stop spending so much money and buy converse all stars for $25 at your local department store.
"I INSTALLED LUNIX AND FPROTTED HIS TARBALL!!!!!@#"
The ever popular "I forgot my password" or "I suddenly lost my ISP (mail-from address)" cry seems to work quite well.
I know a friend who really did forget his Crypt-PW password. How did he get his domain back under his control? He faxed NSI with the new updated DNS info and and asked for a return to Mail-From security using his updated email address. And faxed with his request a photocopy of his drivers license. NSI said "good enough" and made the change.
When I first learned of this was when NSI's policies first scared the crap out of me.
Now this was a legitimate case of a forgotton password, but NSI has no power to query DMV databases in every state or any state. I could easily scan my DL, paste Rob Malda's name and address on it and fax it to NSI and steal slashdot.org. With fax quality what it is, no one would know it's a forgery.
NSI's security is PATHETIC. Everyone still with NSI is subject to domain hijacking.
Can a pawn shop sue burglary-victims if the pawn shop's inventory is repossessed by the police?
Can I sue the St. Louis Cardinals if the traffic created by people getting to the stadium causes the ambulance to my house to be late and my mom to die?
Could I sue 1(900)Mix-A-Lot if the phone company accidentally switched the lines so I got all those phone calls?
Seems like the ISP could legitimately sue the hijackers, but it's obvious he's just looking for the biggest pot of money and suing them, relevant or not.
-----
--
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
I've been reading lots of comments as to why this guy is suing Nike and not NSI. I thought that the answer is simple: Deep Pockets.
Nike is one of the biggest shoe companies in the world, if not the biggest. It stands to reason that suing this multi-million dollar company has a better chance of settling out of court for the simple reason that the company may not understand what has happened, and propose a quick settlement.
a) Smith should be reasonably entitled to compensation from Nike for costs incurred in redirecting the nike.com traffic back to nike through his DNS.
b) Nike should pay the man for his time and effort, thank him and there should end the relationship between Nike and Smith. No negligence suit against Nike should (and IMHO could) be instigated.
c) Nike probably has reasonable cause to take measures against NSI for negligence (for allowing the attackers access to compromise the nike web presence)
--
Tarkwyn.
1) He (Smith) has a point if Nike was negligent. Just like there are laws if someone gets hurt on your property because of negligence on your part, there should probably be some similar laws in cyberspace. Now exactly how you define those... I'm not sure. Maybe check to see if the people have kept reasonably up-to-date with bug patches?
2) If someone steal a gun from your house and goes on a shooting rampage, are you responsible? (Well, probably again it depends whether you were negligable or not.) But, assuming that the person was responsible... how can you blame them?
Bottom line - I do think web sites have a responsibility to be attentive to protecting their resources and ensuring that they don't hurt other with them... but beyond doing your best, you can't do any more.
"Let your heart soar as high as it will. Refuse to be average." - A. W. Tozer
Wouldn't it be great if somebody sued the American Bar Association for allowing such frivolous lawsuits to choke our legal system?
After reading this story, several other stories about this event, and Smith's web page (www.shameonnike.com) I think that one of 2 things actually happend.
First, notice that this page calls Nike's buisness practices "shabby" and at the bottom of the page there is a "Boycott Nike" icon. This seems to me like someone that is emotionally connected to a movement against Nike (in and of itself this is not a bad thing) - the point is that this lawsuit sounds like it is based more on a bias than facts and laws.
So I think one of two things is actually going on:
1) Smith or his freinds are responsible for the crack and their plan was to redirect people going to www.nike.com to their own web sites against nike. I went to http://212.92.192.218 (from the dns file on Smith's web page) but this address no longer hosts any web pages. This crack caused negative press for the movement against nike so Smith is trying to divert the blame
2) Smith was indeed a victom of the crackers but he is sympathetic to what they were trying to do and doesn't like nike himself so again he's trying to throw mud on nike hoping some of it will stick (I think this is the most probable)
For all of you out there that think I might be saying this because I'm a nike fan - well I'm not. I haven't purchased anything from Nike for 3-4 years (only Dr. Martins) and I don't like the way they exploit forgien labor.
BTW - I saw an Investigative Reports on A&E last night (I think that was the program) about passangers that tried to sue Amtrack for injuries that were caused by a sabatour that derailed the train. The Judge ruled that the derailment was caused by the sabatour and not Amtrack and Amtrack won the case and counter sued for legal costs and won.
\forall code \in C, \frac{\Delta readability(code)}{\Delta t} < 0
It's time to start punishing the companies for the hacking attempts they failed to predict and defend against. It's the case of a company that has no plan and no thought about a hacking attempt, because they're all too busy whipping the Pakastani child laborers who run the site. Nike liable? You bet! The next step is for Nike to extract some money from the hackers, but Nike needs to learn the lesson about hacking attempts and security. It's such a shame when the lesson has to be learned the hard way, but it has to happen.
Discuss trolling and moderation
I think perhaps you're a little mistaken. Nike isn't being sued for "negligence". Nike is being sued for "having deep pockets".
Someone should initiate class action against NSI for their consumer practices. Ralph Nader could have a field day with DN registrations and other related matters.
In space, no one can hear you moo.
Just like a person being in trouble for a burgler stealing a gun from their house, and then committing a crime. What if they steal a steak knife? Or drill, and injure or kill someone with it? It's all nonsense. The legal system in this country is pure rubbish, and needs to be gutted. No, it's not like the roman empire, where you'd get crucified - in this age, you get lawyered to death.
The hijack pointed to a web site owned by the hijackers. All the ISP traffic was directed to the
.microsoft.com at .smallcompany.com in a destructive flooding attempt might be liable for an increase in traffic on a part of the net they are not associated with.
ISP clients site at the specific direction of the ISP client.
The ISP should have no claim as their client generated all the demand for network services.
In this case the nike.com DNS entry was hijacked with the express pupose of directing traffic to the hijackers site. The ISP hosted the hijackers site. All this traffic was "correctly" routed to the hijackers site, at the hijackers expressed request. The hijackers were clients of the ISP. I say the ISP has no case.
Now a 3rd party redirecting something like
If you go to s11.org's main page you'll see this:
<i>NIKE DISCLAIMER: This site's administrators have no idea how or why the nike.com page was redirected to s11.org and do not condone this action, however we do thank nike for the extra hits.</i>
Seems like they're happy to get their message out but are still suing?!?! Rather strange if you ask me.
Nike's DNS records were hacked, yes yes, and maybe they used poor security,
/dev/sda on his computer, would he
yes yes. However *HIS* systems were comprimised by the hacker, his OWN DNS
was reconfigured, and his OWN server was rebooted.
If the hacker logged in and did a mke2fs
still sue nike? [Your honor, Nike is responsbile on the grounds that
because after the hacker changed their domain, he was angered by the nike
swoosh into a destructive rage, and he destroyed my server.]
Anyway, how much "server load" can be rendered by DNS lookups for nike.com?
Has anyone ever BEEN to nike.com before? S11.org obviously had CONSIDERABLY
more traffic then this guy; and he could EASILY have fixed his "traffic"
problem, by removing his hacked DNS records
Funny how stupid some people are.
In Southern California a few months ago a girl got wasted and shot at a group of cops. Guess what, cops don't like being shot at by some stoner and they shot her dead.
Now stoneheads family is suing the gun company (raven) on the basis that had raven never made the gun, she wouldn't have been able to shoot at cops. And the cops couldn't have killed her because some of the cops had raven handguns as well. The lack of logic here is that had stonehead or the cops not had a raven handgun they would have had some other type of handgun. Pick up a copy of guns monthly and look in the back. There are thousands of manufacters making other guns.
Now that I'm finished with that stupid analogy, let me explain why I used it. Stonehead was not a responsible person. Or else she wouldn't have gotten stoned, wouldn't have had cops watching her and wouldn't have been shooting at cops. It is not the cops fault that she got stoned, it is not the cops fault that she shot at them, it is not the cops fault that she was not a responsible person. It is the cops fault that she got killed by cops but they did that in self defense. You would shoot back too. It is not the ISP's fault that they have irresponsible people (hackers) getting through their servers. It is not the isp's fault that the hackers managed to hack nike's site through their servers. It is however the ISP's fault that they didn't shoot back. If they got killed by hackers it is their own fault. They should've banned those IPs/accounts or blocked access to nike's website.
And being too stupid to defend themselves is why this is a completely frivolous lawsuit. I hope nike wins in court.
Kris
botboy60@hotmail.com
Nerdnetwork.net
Kris
botboy60@hotmail.com
Nerdnetwork.net
People must be financially responsible for not making proper effort in securing their sites. If nike.com can prove that they tried and still got problems they will not loose the case, but if tehir ISP can prove that they neglected, why they should not be responsible
Look.
I'm fully of the opinion that if you have completely incompetent security policies, and those policies lead to direct monetary damage to another party, you should probably be somewhat liable, at least to the degree of your incompetence.
The best example would probably be a fully loaded hospital intranet complete with patient charts and remotely writable data--with no firewall against the Internet. Somebody dies? Somebody is definitely liable.
But this case is bizarrely inappropriate. Nike had a security policy that depended on a shared secret--the name of the user authorized to issue changes. The shared secret was not disclosed by Nike nor discovered by the attackers, but NSI allowed the switch anyway. I find it hard to believe that this was not an automated process--a request to change the domain of a transnational company comes in, and the new IP is to some tiny guy; you can bet no human approved THAT transaction--despite what NSI might have you believe. Therefore NSI is in breach all over the place, and they're liable.
I think the real strategy here is to force Nike to sue NSI...by making Nike do all the legwork of proving that this was Network Solution's fault, suddenly NSI has a very big and very angry enemy indeed. It's co-option of a very large legal department, and in that context, it's a damn brilliant idea.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Nike's website was redirected to the site of an anti-corporate globalization group called S-11.org , [...]
;)
Signal 11? What?
eudas
Blessed is he who expects the worst, for he shall not be disappointed.
If anything, Nike should be able to countersue Network Solutions to cover the legal costs that surely will accrue from this sue-happy idiot Smith, who might just be the hacker that started this whole thing!!
Sheesh! What a money-grubbing grabass! (As Metallica might put it)
The Necromancer
Attention all planets of the Solar Federation! We have assumed control! - Neil Peart
"If I left my parked car unlocked and someone hopped in and stole it..."Did you leave the keys in it too? If not, then it can be argued that you took reasonable precautions by taking the keys with you. If you left the keys in it, then you did not, and it is quite possible that you could be held liable.
Similarly, "..if one were to leave a loaded gun laying about..."Where did they leave it? Was it in a house with the doors locked, or was it laying on a street corner with the safety off?
The legal question is one of taking what the average person would consider to be reasonable precautions to prevent misuse. In my view, the guy has absolutely no case either way, because Nike took what most people would consider to be reasonable precautions no matter what level of security they had...After all, someone can break a window on the house, get in and steal the gun, and use it to commit a crime and you will not be liable as long as you reported the theft. This theft wouldn't even require the special skills required to spoof the "from address" on an email...just the ability to break a window. I don't even think NSI could be held accountable unless you could prove gross negligence on their part.
It's not funny till someone gets hurt.
See this post for a more reasonable thought. It's probably not Nike (not that I care for them, but really, they are as much the victim here as that other ISP).
"It's tough to be bilingual when you get hit in the head."
Its Network Solutions... I mean, it's pretty indefensible, check out the email I found below to see how low their security is:
FROM: admin@nike.com
TO: admin@networksolutions.net
SUBJECT: nike.com registration
BODY:
D00dz!!!! GiMmE N1k3.K0M yA B4574rD5!!!
3y3 0Wn u!!!!!!!!!
Simon
Simon
The real linux_penguin has Slashdot ID 101961. Anyone else is an impostor. Including Bruce Perens.
If I left my parked car unlocked and someone hopped in and stole it - proceeded to drive down a freeway, had a accident and caused a major traffic pile-up where several people died, would I be responsible?
I would say no.
However, if you use the analogy that Smith used: if one were to leave a loaded gun laying about and if another person picked it up and killed someone with it, the owner of that gun would be held responsible for negligence
I would say yes.
So what is the difference? I don't know myself - I just thought I'd provoke some thinking amongst everyone and hopefully someone else who is thinking straight at the moment (it late at night here) can give some insight! :)
hmmmm million dollar company showing stupid commercials of things turning into shoes and selling over priced products. And we are getting mad cause they are getting sued?? They should get sued it will wake them up and realize tey are not invincible.
"I INSTALLED LUNIX AND FPROTTED HIS TARBALL!!!!!@#"
Since Nike doesn't control the name registration records (unless they've gotten into that business recently) then they are not responsible for a hack which redirects the name servers to point somewhere else. That said, there might be negligence if Nike didn't take appropriate and timely action to correct the problem.
"Stop whining!" - Arnold, as Mr. Kimble
But thats not the point we are discussing, are we? ;-)
(Disclaimer.. IANAL!)
/. posted an article with links back to sites with th 'real dirt' on the topic. From there on it is individual people causing the site and its provider trauma, there is no compromise of any system. However in many cases, if the increased rtaffic is sustained, do you not think the providers asks the /.'ed site for more greenbacks?
At first glance, this sounds just like another case of sue the big guy and get some money. Which, in many situations is not necessarily a bad thing. I myself am sick of being raped by the big guys (RIAA, pharm. corps, big tobacco, ect.). But in actuality he has a legitamate point.
Nike is a gargantuan corporation with virtually infinite resources and they get hacked. This caused significant problems to the ISP's network and other customers, disrupting business. IMO, nike should ahve at least sad "uh, we fucked up.. here is some compensation." But as I read this, it would seem that Nike did NOTHING. Nothing except fix the problems, and then whine about being hacked. Whhopty woo, boxes get compromised every single day. If yours is, and it causes sever problems for someone else, wouldn't you at least apologise? I would.
It does open up some interesting legal questions, like the slashdotted server question posted earlier, but in effect thats different.
#include caffiene.c
www.mp3.com/Undocumented