Slashdot Mirror


Nike Gets Sued Over Nike.com Hijack

kwsNI writes: "Wired has this article on an ISP trying to sue Nike over the recent hijack of Nike.com. He claims that his ISP suffered when the hackers routed the Nike.com traffic through his servers. He claims that Nike is at fault for not having better security. This really scares me. Can you really be sued for having your domain hijacked?" I'm interested to see where this will go.

58 of 219 comments

  1. Maybe not this time around... by yawhcihw · · Score: 2

    In this case at least, it doesn't seem right to be suing Nike over a hack. It's obviously NSI's fault for taking an email so seriously.

    What I had hoped to see was someone who had their box hacked for an attack on another domain, or email spoofing or whatever. Just like you can be sued for leaving a gun cabinet unlocked if a gun taken from it kills someone, why can't you be proven negligent if your box, which you have not attempted to provide adequate security for, is hacked and used against someone else?

    If you've provided adequate security, though, or it's someone else's fault (NSI), then I don't think you should be held responsible...

  2. Re:What next? by kwsNI · · Score: 3
    Yeah, NetSol did something wrong. This guy is suing Nike. Nike didn't do it. I think that's why this comment scored so high. The basis of the lawsuit is over something stupid. This guy is trying to sue Nike for being hacked and increasing the traffic on his servers. Nike didn't send the traffic to his servers. Hell, Nike would have loved for the traffic to have been on their own servers as if nothing had happened.

    What's funny is, his own site, admits that they were not only hacked but it was because they didn't have good security on their servers and that it wasn't hard for the hackers to compromise their servers too. This guy is so hypocritical, it's amazing.

    kwsNI

  3. This is a silly lawsuit, but cool... by bellings · · Score: 3

    IANAUKL (I am not a UK lawyer), but in the States you can be sued for pretty much anything. I could sue Taco for bad grammar, claiming that his awful prose has caused me to misunderstand technical issues that are important to my job, and hence Taco is responsible for damaging my wage earning ability.

    But remember, filing a lawsuit is significantly different than bringing a successful lawsuit in front of a judge.

    I can see three possible outcomes from this lawsuit:

    1. Nike is unable to find a competent judge, and quietly gives Mr. Greg Lloyd Smith some money, just to make him go away, hence saving a lot of bother for the Nike lawyers,
    2. Nike gets this in front of a competent judge as quickly as possible, and the judge just throws the whole thing out laughing,
    3. Or, Nike finds a judge that is willing to bitchslap Mr. Greg Lloyd Smith very, very hard, making Mr. Smith pay Nike's legal bills (at a minimum). My (limited) understanding is that it is considerably easier for judges in the UK to do this than it is in the States.

    Things that will not happen include:

    1. Mr. Smith will not win this lawsuit. Not one article I've read about this episode has had a single nice thing to say about Mr. Smith -- Wired magazine clearly wanted to call Mr. Smith a slimey little worm who probably engineered the hijacking himself (and Wired decided not to say that because there's no concrete evidence, and Mr. Smith is happy to sue anyone he can find). Judges and Juries don't like slimey little worms who bring frivolous lawsuits without any demonstrable damages.
    2. Nike will not use this lawsuit to change intellectual property laws, or make NETSOL legally responsible for hijacking. No-one involved is going to want this to drag out for years, to eventually get a ruling in UK court that will probably be ignored by the rest of the world courts and lawmakers anyhow (regulations on e-commerce and e-property is probably an area for international treaties, akin to international intellectual property laws. This case is too bogus to influence anything, even if Nike wanted the questionable publicity of pushing it through the courts).

    I suspect we won't hear about this case again. If this was happening in the States, I'd expect to see Mr. Smith's name on the front pages in a few years, when he walks into an office building somewhere and starts shooting people. Since it's the UK, I expect he'll just become a school teacher or some other profession where he can inflict damage on people with immunity. Or, perhaps he'll just continue being a totally irresponsible and technically incompetent system administrator for his own ISP, and just continue inflicting damages on his clueless customers.

    --
    Slashdot is jumping the shark. I'm just driving the boat.
  4. Newsline: car owner sued after death of girl by matthew_gream · · Score: 2

    Newsline: car owner sued after death of girl

    Robert Wilson -- a wealthy and respected professor at MIT -- was recently sued for damages after thieves stole his BMW and killed a girl on their joyride. The thieves broke through a sophisticated alarm system and took the BMW for a joyride through outer neighbourhoods of Boston while under the influence of alcohol. During the joyride, Samantha Caily was knocked over and killed - a tragic death for a young girl barely 15. Samantha's parents sued Robert Wilson for damages, claiming that he was responsible for their child's death. "If he'd employed a better alarm system, Samantha would be with us today. It's clearly his fault. Those boys are known thieves, and they can't help themselves, but Robert should know better", said Martha Caily. The thieves, who were later caught, have a history of car theft, they were released with a traffic infringement: they're poor and of no fixed abode - barely able to afford the bus ticket home.

    ^sarcastic humour
    --
    -- Matthew - matthew.gream@pobox.com, http://matthewgream.net
  5. Human Error by Shocker69 · · Score: 2

    The thing people need to realize, is that this was not a hack due to low security, it was a hack due to human error. To me it's the equivalent of locking yourself through 18" thick steel walls, with 100 doors that you need to go through, with card security, retina scans, thumbprints, and passwords, and then some idiot who works there lets the pizza guy all the way on the inside so he can go get his wallet. This same guy is the type of person who writes his login name and password on a sticky note and attaches it to his monitor. There is no way you can hold Nike negligent, you need to hold the moron who accepted the spoofed id. There was nothing Nike could have possibly done to prevent this.

  6. Possibly the best outcome by Phroggy · · Score: 3
    What might be the best outcome here would be for Smith and Nike to arrange a settlement, and for Nike to sue NSI for damages which include the amount paid to Smith as well as their own damages. Nike has a fair amount of legal clout, and might actually get somewhere - and that would probably benefit everyone.

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  7. Well Speak of the Devil by yeahbenster · · Score: 2

    Well who knows about a coincidence but Network Solutions is stepping up the Security of their service. We got an email yesterday at the company I work at about this.

    --
    "I INSTALLED LUNIX AND FPROTTED HIS TARBALL!!!!!@#"
  8. Re:A good lawsuit... by Phroggy · · Score: 2
    A related article at segfault, not exactly the same thing....

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  9. "Can you really be sued for X?" by humphrm · · Score: 2

    Can you really be sued for having your domain hijacked? I like the fact that these stories are posted, but it's really getting boring -- all of them ending with the same question, "Can you really be sued for X?" Come now, we're smarter than that... we know that there's a big difference between being sued and losing a suit. We are smart enough to know that anybody can be sued for anything. We are also smart enough to know that many lawsuits get thrown out because they are trivial or harassing.

    --
    -- "In order to have power, I must be taken seriously." -Mojo Jojo
  10. You All Missed Smith's Point by dr_hooch · · Score: 2

    through fault of his own (he leaves it until the end of his rant), Smith's major contention is that he went through major difficulty to inform nike of what was going on, then they asked him to point his dns at their server, which he did, then they asked him to do the MX record as well, which he did, then millions of hits later he sent them a bill, and they were like "no sorry, we're not paying".

    so unless he actually created the situation in the first place (possible - this guy tried to do business with amazon.com when he fired up amazon.gr a year or so ago) i reckon he deserves to get a cheque from nike for his trouble!

    plenty of activists including s11.org would have loved to have seen 46 hours of nike email, which smith helped nike to get back into their grubby little hands by pointing his dns servers back at nike.com

    pay the man!

  11. What next? by Netsnipe · · Score: 5

    What next? Slashdot getting sued for Slashdotting servers?

    --
    -- "I can't tell the future, I just work there." -- The Doctor
    1. Re:What next? by Chiasmus_ · · Score: 2

      Always use bold tags.
      To Karma Whore well you need
      Visibility.

      Negligence is an interesting issue. How secure does a server have to be before it is free from liability? I used to work for a law firm, and I've seen Nevada casinos sued many times for having inadequate numbers of security guards. (Do these suits win? I don't know, because we always, always, always settled. Trial is expensive.)

      I'm racking my brain for a good, solid analogy to a web server, but it really feels like apples and oranges. Should a corporation be liable and open to lawsuits simply because it uses Microsoft products?

      In conclusion, this suit is in some ways a good thing, because we really need to bring this sort of issue to the attention of the courts so they can formulate some kind of clear law on the matter.

      --
      "Beware he who would deny you access to information, for in his heart he deems himself your master."
  12. Re:Sue Microsoft... by hobbit · · Score: 2

    You think that's a joke - but does anyone remember when Micros~1 tried to have a go at someone for publishing benchmarks about SQL Server performance?

    --
    "Wise men talk because they have something to say; fools, because they have to say something" - Plato
  13. Why? by suwalski · · Score: 2

    Security is definitely at question, but what's wrong with the ISP being bogged down. AFAIK, the ISP really doesn't put limits on how much bandwidth a customer can use. Unless it was in the terms of the contract somehow, I don't see how this ISP could possibly have a case against Nike!

  14. Setting a legal precedence? by SecretAsianMan · · Score: 2

    Will this be the first time a person or organization was sued for not having strong enough Internet security? If so, then I'm glad it's happening just for the reason of getting the precedent set. Personally, I think that such a suit is somewhat scary: what if someone cracks my FreeBSD box at home, uses it in a DDOS attack, and my ISP (who is currently very nice to me) decides not only to terminate my account, but sue me? If such a thing became common, it would be an anti-boon for many individuals or small groups who want to run their own servers and don't have a large IT staff to manage security for their site. ISPs could say "Use our hosting services or take the chance of being sued". Yikes!

    --

    Washington, DC: It's like Hollywood for ugly people.

  15. What an idoit by Squirrel+Killer · · Score: 5
    Per this moron's own site:
    To put it in simple terms, someone changed the information held by Network Solutions, Inc. (NETSOL) so that instead of the three DNS entries shown:

    DNSAUTH1.SYS.GTEI.NET
    DNSAUTH2.SYS.GTEI.NET
    DNSAUTH3.SYS.GTEI.NET

    ...new DNS values were provided to NETSOL which resulted in the domain name being 'pointed' to another NameServer. In this case, the domain was pointed to the primary and secondary NameServer for FirstNET Online (Management) Limited.

    Then (presumably) the same person or persons gained access to our boot file and added the following line of text: (the boot file tells the server which domains it is hosting or reporting DNS for)

    primary nike.com nike.com.dns

    So, let's get this straight...

    • Hax0rs fool NSI to change the domain
    • Haxors break into this guy's server to facilitate fooling NSI
    • And Nike is to blame for all of this!?

    This suit is patently ridiculous and should get thrown out as soon as Nike's lawyers say "We had nothing to do with this." Then the lawyers should say, "Here's our counter-suit for this bonehead aiding the hax0rs." Nike does have a legitimate suit against Smith and NSI.

    It is Smith (or his host) who is to blame for lax security on his own box, and NSI who is to blame for their incompetent SOP for domain transfers.

    -sk
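
The two changes described in the post above (new nameservers at the registrar, and a `primary nike.com nike.com.dns` line in the ISP's boot file) are both things an operator can check for. The following is an added example, not code from the thread or from any party in it: a small audit of a BIND 4 `named.boot` file against the zones an operator has agreed to serve, plus a comparison of a domain's observed delegation with the set on record. The sample boot file, the authorised zone list and the observed nameserver names are constructed for illustration.

```python
# Added example (not from the thread). Everything except the nike.com line and
# the three GTEI nameserver names quoted in the post is constructed.

# Nameservers the quoted post lists for nike.com before the change.
EXPECTED_NS = {
    "DNSAUTH1.SYS.GTEI.NET",
    "DNSAUTH2.SYS.GTEI.NET",
    "DNSAUTH3.SYS.GTEI.NET",
}

# Hypothetical: what a whois or NS lookup returned after the change.
OBSERVED_NS = ["NS1.ISP.EXAMPLE.", "ns2.isp.example"]

# Hypothetical: zones this operator has actually agreed to serve.
AUTHORISED_ZONES = {"example-customer.test", "0.0.127.in-addr.arpa", "partner.test"}

# Constructed BIND 4 boot file; the last line is the one quoted in the post.
SAMPLE_BOOT = """\
; constructed sample named.boot
directory /var/named
cache     .                       named.ca
primary   example-customer.test   example-customer.test.dns
primary   0.0.127.in-addr.arpa    localhost.rev
secondary partner.test 192.0.2.53 partner.test.bak
primary nike.com nike.com.dns
"""


def normalise(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.strip().rstrip(".").lower()


def parse_boot(text):
    """Return (line number, directive, zone, last field) for each zone line."""
    zones = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if not line:
            continue
        fields = line.split()
        directive = fields[0].lower()
        if directive in ("primary", "secondary", "stub") and len(fields) >= 3:
            # For 'primary' the last field is the zone file; for 'secondary'
            # it is the backup file when one is given.
            zones.append((lineno, directive, normalise(fields[1]), fields[-1]))
    return zones


def unexpected_zones(text, authorised):
    """Zones the server is configured to answer for but nobody signed off on."""
    allowed = {normalise(z) for z in authorised}
    return [z for z in parse_boot(text) if z[2] not in allowed]


def delegation_drift(expected, observed):
    """Nameservers that appeared in, or vanished from, the delegation."""
    exp = {normalise(n) for n in expected}
    obs = {normalise(n) for n in observed}
    return {"added": sorted(obs - exp), "removed": sorted(exp - obs)}


if __name__ == "__main__":
    for lineno, directive, zone, last in unexpected_zones(SAMPLE_BOOT, AUTHORISED_ZONES):
        print(f"named.boot line {lineno}: unauthorised {directive} zone {zone} ({last})")
    drift = delegation_drift(EXPECTED_NS, OBSERVED_NS)
    if drift["added"] or drift["removed"]:
        print("delegation changed:", drift)
```

Run on a schedule, the first check catches the boot-file edit on the ISP's side and the second catches the registrar-side change on the domain owner's side.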

    1. Re:What an idoit by Phroggy · · Score: 2
      This suit is patently ridiculous and should get thrown out as soon as Nike's lawyers say "We had nothing to do with this." Then the lawyers should say, "Here's our counter-suit for this bonehead aiding the hax0rs." Nike does have a legitimate suit against Smith and NSI.

      You know, that may be the best suggestion yet. If Smith can claim that Nike's security was lax, Nike can surely claim the same of Smith's ISP for letting his DNS servers get h4x0r3d (assuming he didn't do that himself, which he claims he didn't).

      In order for there to have been a major problem, he must have had nike.com in his nameservers pointing to the IP of one of his customers. If this was just about getting gazillions of DNS queries, well, that doesn't eat up that much bandwidth, and BIND should be able to handle the load just fine.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  16. NSI's new security feature by Phroggy · · Score: 2
    I got an e-mail from NSI yesterday saying that they're offering a new authentication method: you e-mail them your request, they e-mail you back, and you have to reply to their e-mail. That would most likely solve this sort of problem. Why didn't NSI think of this years ago?

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  17. Off topic, but since it was brought up... by TrentC · · Score: 3

    Often when people launch frivolous lawsuits, the company will settle to avoid legal fees and embarrassment, in some situations, the person suing can play for sympathy (like that pathetic old lady that dumped coffee all over her lap, and sued McDonald's for the burns).

    I'm going to have to write this URL down, I keep looking for it so often.

    http://www.injurycases.com/coffee.html

    The McDonald's Hot Coffee Case
    Some Facts You Might Not Have Known

    Of the many injury cases that have been decided over the past ten years, none have received as much publicity as the case of Stella Lieback v. McDonald's Corp. In this case, a 79 year old New Mexico woman suffered third degree burns as a result of spilling a cup of coffee she had purchased at a McDonald's restaurant. The case has been endlessly criticized and made fun of in radio commercials, on talk shows and the like. In fact, if you ask the average person what they think of the case, the usual response is something like, "Can you believe a jury gave millions of dollars to a woman for simply spilling a cup of coffee? Isn't that ridiculous?"

    However, a closer look at the facts shows that this case was actually an example of where the system worked.

    At the trial of this case, it was revealed that while coffee served in your home, in a restaurant, on an airplane or in a fast food establishment is normally in the range of 135-145 degrees, McDonald's routinely sold its coffee nationwide at 180-190 degrees. Liquid heated to such a high temperature becomes extremely dangerous when it comes in contact with human body tissue. That is why on the date of her accident, after the car in which she was a passenger came to a full stop - and Ms. Lieback tried to lift the lid of the cup of coffee off while she held the cup between her knees and accidentally spilled the liquid on her thighs and genital area - the burns were immediate, painful, and serious.

    As a result of these burns, Ms. Lieback had to undergo skin grafts, required hospitalization for several weeks, and incurred medical bills in excess of $10,000. Later, when her family attempted to negotiate with McDonald's to at least have the medical bills paid, and McDonald's was not willing to do so, it is understandable why a lawsuit was filed.

    In pretrial discovery, Ms. Lieback's attorney learned that McDonald's had already been sued some 700 other times(!) for burn injuries caused by their hot coffee- and that they had routinely settled with the injured party, requiring each person to sign a confidentiality agreement, barring the person from talking about the nature of settlement. At the trial of the case, a McDonald's representative maintained that it was appropriate to continue to serve the coffee at 180 degrees, although people were going to get burned, because the numbers of burned people were "statistically insignificant."

    The jury, which was inclined at the beginning of the trial to laugh the case out of court, was so enraged by McDonald's attitude that they found for Ms. Lieback. They awarded $200,000 in compensatory damages, reduced to $160,000 after the jury concluded that 20% of the fault belonged to her. They also awarded punitive damages - to punish McDonald's and to deter other corporations from doing the same thing in the future - in an amount equal to what McDonald's earns from selling coffee in only two days nationwide, $2.7 million. This figure was widely publicized, so that radio commercials and other sources have reported that "the woman got millions." In fact, the judge later reduced the punitive damage award to $480,000 and the parties settled for a lesser amount - facts which the commercials fail to disclose.

    Importantly, as a result of this lawsuit, McDonald's eventually announced that it was going to begin serving coffee at a lower temperature - and reportedly that change has occurred. The McDonald's case is a good example of how the press and other interest groups can sometimes misreport an incident to serve their own purposes.

    (The emphasized parts above were done by me.)

    Jay (=

    1. Re:Off topic, but since it was brought up... by Golias · · Score: 2
      At the trial of this case, it was revealed that while coffee served in your home, in a restaurant, on an airplane or in a fast food establishment is normally in the range of 135-145 degrees, McDonald's routinely sold its coffee nationwide at 180-190 degrees.

      (Gasp!) What a shocker!!!! I never heard that side of the story before, let alone have I heard it over and over and over by whiney crybabies who simply can't accept that a faceless corporation might not be the bad guy in every single case.

      Look, the reason McDonald's coffee was hotter than the stuff you got out of your pot at home was not because of some nefarious corporate scheme to burn old ladies. It was hotter because most of their customers wanted it that way! The typical McCoffee drinker is a blue-collar 9-to-5er who buys the coffee on their way to work, and doesn't actually drink it until much later, sometimes a half hour or hour later. In order to prevent the coffee from being as cold as a witch's t?? by the time they drink it, the coffee was sold hotter than the temperature you would normally drink it at.

      It may have been extremely hot, but this woman jammed the coffee cup into her crotch and drove off without even checking if the lid was secure; and when she spilled the molten stuff all over her groin, what did she do? She kept right on driving while the skin on her lap was being destroyed.

      I knew that the judge reduced the punitive damages, and when he did so, it was because the original ruling was absolutely insane. The final judgement was still far more than she had a right to ask for, and I'm sure her ambulance-chasing lawyers collected most of it anyway.

      Thanks to this old bat not taking responsibility for her own actions, thousands of schlepps that can't afford the good stuff are chugging down their morning brew right away on the highway commute while it still is above body temperature, which can't be much less dangerous than hot liquid in a cup.

      --

      Information wants to be anthropomorphized.

  18. Thinking differently by shaldannon · · Score: 2

    My point was to look at the issue more generally than our usually narrow computer-driven perspective, and to draw analogies in other places which might make the mess a little less murky, and a little less of a technical "did they have x and y and z procedures in place" without the benefit of a larger perspective. In this particular case, my intention was to demonstrate that while we could get bogged down in a bitter and detailed "blocked services" and "secure passwords" (and so on) discussion, it could be reduced to a simpler, albeit still familiar, problem by drawing a parallel with which we are all familiar.


    if ($user =~ m/shaldannon/i) {
    print "\n-- $user :)\n"
    }

    --


    What is your Slash Rating?
  19. Actually, I didn't, but :) by shaldannon · · Score: 2

    That's the funniest thing I've read all day :)))

    (and no, you don't need to feel obliged to get me on their spam list ;) )


    if ($user =~ m/shaldannon/i) {
    print "\n-- $user :)\n"
    }

    --


    What is your Slash Rating?
  20. Re:The problem with analogies... by mcsnee · · Score: 5
    Ok, here's what it's _really_ like.

    You buy a goat, 'cause you like goat milk. Then some guy shoots your goat with a gun that somebody else left lying around in some unnamed fourth party's unlocked car. But, get this... the GOAT DOESN'T DIE! So then the guy with the gun (Guy-sub-Alpha) sues the owner of the car, for leaving his door unlocked so that guy-sub-alpha could steal a gun that was incapable of killing a freakin' goat.

    And there you are with a bloody, wounded goat on your hands, wondering what happened.

    You see what I'm saying?

  21. Re:Uh huh by kwsNI · · Score: 5
    But Nike didn't DoS them. Hell, Nike didn't do anything. Someone else sent NetSol an (unencrypted) e-mail spoofed to look like the billing contact for nike.com asking to change Nike.com to their control. For one thing, this person wasn't supposed to be able to control the domain name and for another, it was supposed to be an encrypted e-mail. NetSol screwed up on this one.

    Yes, he may have been inconvenienced by this. Now, if he wants to sue someone, sue the hackers that were responsible. Hell, sue Network Solutions for their screw up. Nike isn't the one that did something wrong.

    Personally, I think it's part of being on the internet. To me, this is the same thing as owning a store on a street and trying to sue the store down the road because protesters gather out in front of it and the traffic jam they cause hurts your business. Sorry. C'est la vie. It's life, get on with it.

    I've worked in customer service and tech support for an ISP before. Tell your clients what happened and most of them will understand. If you lose a few customers, that's business. They can go to another network and the next domain hijack can hurt them again. Most people realize that they can be hit by this anywhere on the net, regardless of their network.

    kwsNI

  22. Re:Well, the popular answer would be... by Tower · · Score: 2

    Please note the light mood in which the post was made, and the general responses (especially the 'Funny' moderation). Sit back, relax, and enjoy the show.

    Also, it's not quite certain that NSI didn't screw up - if the email came unencrypted and they made the change, NSI is at fault. It was supposed to be encrypted, and they claim that the forged mail was supposedly from the billing contact, who doesn't have authority to request those changes anyway. 0 for 2...

    I wouldn't put a lot of faith in the guy raising the suit (not clear whether he was the one who initiated this in the first place), but Nike should have a case against NSI if the other points hold true. I can't see how they 'deserved the hack'. NSI may be hapless (that's never been questioned), but in this case they may have been willfully negligent, and there are many reports of the same problem with other domains they control. We'll see what happens. Should be interesting.

    --
    "It's tough to be bilingual when you get hit in the head."
  23. The Mythical American Legal Lottery by Linux_ho · · Score: 2

    I bet Smith thinks he's just purchasing a ticket in the American Legal Lottery. He probably doesn't realize that frivolous lawsuits aren't any more socially acceptable in the US than in the UK.

    People outside the US seem to think all US citizens are rude, poor listeners, carry guns, and sue each other at the drop of a hat. If Americans don't fit that image, they are assumed to be Canadian.

    Seriously, I was asked in Australia, "Did you bring your gun to Australia?" Pretty sad. I'm not a gun-control supporter, but I don't own any guns either.

    --
    include $sig;
    1;
  24. You can be sued for not fencing your pool by dsfox · · Score: 2

    ...if a kid falls in and drowns. Same principle.

    1. Re:You can be sued for not fencing your pool by Quarters · · Score: 2

      No it's not.

      In most all localities (talking US here) it's against the law to not have a security fence around your pool

      Unless a lot of new legislation was passed while I was asleep last night it is still perfectly legal to have lax security on your server.

  25. Re:Keys by drinkypoo · · Score: 2

    The trouble is that it's usually pretty easy to pick a lock (As long as it has a single side, and a single tumbler) by the rake method; Put one thing in the lock, turn it in the direction it's supposed to go, and then rake something (like a bent pin) over the pins in the lock. If you get the pressure right, and the lock sucks (Like a master, for example) then the pins will get stuck down to the right degrees and you can open the lock.

    Also, as previously mentioned, some key sets just don't come in very many combinations. There are about twenty different key configurations for BMW motorcycles, which is abominable enough; But there are only about five different combinations on BMW motorcycle luggage, and they use the same keys as the ignition, just using a smaller number of pins. This equates to it being REALLY EASY for one BMW motorcycle owner to open a significant number of lockers on other peoples' bikes.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  26. Re:Does this come as a shock? by Mark+F.+Komarinski · · Score: 2

    You can sue for anything. Winning is a different matter. Heck, getting the suit before a court is a different matter.

    --
    -- Ever notice that fast-burning fuse looks exactly the same as slow-burning fuse? I didn't... (Edgar Montrose)
  27. Haiku? by Tower · · Score: 2

    Nike Rerouted
    ISP is Hopping Mad
    NSI to Blame

    --
    "It's tough to be bilingual when you get hit in the head."
  28. Re:Well, the popular answer would be... by RobNich · · Score: 3

    Dear Customer,

    IMPORTANT ACCOUNT ENHANCEMENTS SCHEDULED: SECURITY UPGRADES
    MAY REQUIRE ADDITIONAL STEP BEFORE CHANGES ARE MADE
    **************************************************
    Security for our customers has always been a top priority
    at Network Solutions. Now we are taking that even further
    as we merge with VeriSign, one of the industry leaders in
    Internet security. We all recognize information security is
    vital on the Internet, and we want to assure you that we
    constantly monitor security and maintain systems that help
    protect you and your information. This message is about
    changes in our guardian security system.

    WHAT DOES THIS MEAN FOR ME?
    **************************************************
    When you first registered your domain name you may have
    selected a security option. You then currently have one
    of three Guardian authentication methods: "Mail-From,"
    Password (Crypt-PW), and Secure Encryption (PGP).

    With our upcoming upgrade, customers who have not yet
    selected a security option will be migrated to "Mail-From"
    security. Customers who currently use the "Mail-From After
    Update" Guardian authentication method will now have to
    respond to an e-mail security check before the requested
    changes will be implemented. Customers who currently use
    existing Guardian security options do not have to make
    any changes at all.

    WHAT WILL HAPPEN WHEN I REQUEST A CHANGE?
    **************************************************
    NSI is enhancing "Mail-From" with an additional e-mail
    security check. Specifically, NSI will e-mail a validation
    request to the specific administrative and technical
    contact listed for a domain name before making any
    modification to that domain name. This means, if you have
    "Mail-From" security, NSI will no longer implement a
    requested change until we receive e-mail verification
    confirming authorization from either contact. It's an extra
    step, but it's worth it to protect your account.

    WHEN WILL THIS HAPPEN?
    **************************************************
    We have scheduled the modification for Saturday, July 8,
    2000, so you should check your account information to see
    if it is correct. Actually, it's a good idea to check your
    account periodically anyway.

    To make modifications easier, we provided easy-to-follow
    instructions on our web site at:
    http://info.networksolutions.com/go/t/security/guardian/

    Additionally, we updated the contact form FAQs, which can
    be found at:
    http://info.networksolutions.com/go/t/security/contact1/

    Please note that we continue to enhance security. Future
    security plans include the use of VeriSign certificates
    for authentication. But don't worry; we will keep you
    completely informed about these upcoming changes.

    If you have further questions or concerns about this
    current security upgrade, please contact our Customer
    Service Department at:
    http://info.networksolutions.com/go/t/security/contact2/

    Sincerely,
    F. Michael Kyle
    Vice President, Customer Service
    Network Solutions(R)
    a VeriSign(R) company


    --
    Hello little man. I will destroy you!
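
The difference between the old "Mail-From" check and the e-mail security check announced in the message above (and mentioned in comment 16) can be modelled in a few lines. This is an added example, not NSI's code or part of the original comments; it assumes "Mail-From" means accepting a request whose From header matches a contact on file, and the class, domain, addresses and token lifetime are all hypothetical.

```python
import secrets
from email import message_from_string
from email.utils import parseaddr

# Constructed registry record: contacts on file for a placeholder domain.
CONTACTS = {"example.test": {"admin@example.test", "tech@example.test"}}

# Constructed change request. The registrar cannot tell from these bytes
# whether the real contact or someone else typed the From header.
REQUEST = """\
From: Admin Contact <admin@example.test>
To: hostmaster@registrar.test
Subject: MODIFY DOMAIN example.test

Nameserver: ns1.elsewhere.test
Nameserver: ns2.elsewhere.test
"""


def header_sender(raw):
    """Address in the From header, which the sender controls entirely."""
    return parseaddr(message_from_string(raw)["From"] or "")[1].lower()


def requested_nameservers(raw):
    body = message_from_string(raw).get_payload()
    return [line.split(":", 1)[1].strip().lower()
            for line in body.splitlines()
            if line.lower().startswith("nameserver:")]


class Registrar:
    """Hypothetical registrar with both behaviours side by side."""
    TOKEN_TTL = 3600  # seconds a validation request stays open (assumption)

    def __init__(self):
        self.delegation = {d: ["ns1.original.test", "ns2.original.test"]
                           for d in CONTACTS}
        self.pending = {}   # token -> (domain, nameservers, expiry)
        self.outbox = []    # (recipient, token): mail sent to contacts on file

    def apply_mail_from(self, raw, domain):
        """Weak form: a matching From header is the only check."""
        if header_sender(raw) not in CONTACTS.get(domain, ()):
            return False
        self.delegation[domain] = requested_nameservers(raw)
        return True

    def request_change(self, raw, domain, now):
        """Hardened form: park the change and challenge the contacts on file."""
        if header_sender(raw) not in CONTACTS.get(domain, ()):
            return False
        token = secrets.token_urlsafe(16)
        self.pending[token] = (domain, requested_nameservers(raw),
                               now + self.TOKEN_TTL)
        # The token goes to the addresses in the registry record, never to
        # any address supplied in the request itself.
        for contact in sorted(CONTACTS[domain]):
            self.outbox.append((contact, token))
        return True

    def confirm(self, token, now):
        """Apply a parked change only for a live, unused token."""
        entry = self.pending.pop(token, None)   # single use
        if entry is None:
            return False
        domain, nameservers, expiry = entry
        if now > expiry:
            return False
        self.delegation[domain] = nameservers
        return True


if __name__ == "__main__":
    weak, strong = Registrar(), Registrar()
    print("Mail-From only, applied at once:", weak.apply_mail_from(REQUEST, "example.test"))
    strong.request_change(REQUEST, "example.test", now=0)
    print("with validation, delegation still:", strong.delegation["example.test"])
    print("confirm without the mailed token:", strong.confirm("guess", now=10))
    print("confirm with the mailed token:", strong.confirm(strong.outbox[0][1], now=20))
```

The confirmation step is only as strong as the contact's mailbox; the Crypt-PW and PGP options named in the message do not depend on it.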
  29. After reading this.... by mindstrm · · Score: 2

    Netsol updated the nike.com NS records based on a bogus email.

    This ISP had their nameserver hacked, and the hacker created a nike.com zone.

    And.... nike is at fault? None of this had anything whatsoever to do with any system even remotely controlled by Nike...

  30. The *real* gun liability rhetorical question.... by coyote-san · · Score: 3

    I *really* hate it when people misquote the rhetorical questions used to illustrate legal principles....

    The original rhetorical question is "if one were to leave a loaded gun ON AN OPEN WINDOWSILL and a passerby picked it up..." The key phrase is "open windowsill" - it's at a location where the owner is nominally in control of it, but anyone passing on the street could easily grab it. Hell, it's at a location where it could be easily knocked out of house without deliberate effort. The gunowner is clearly acting negligently.

    (A modern analogue to this question is someone leaving a gun in plain sight in a locked car. This requires smashing a car window, but the risks of a parking lot "smash & grab" are less than a home burglary.)

    In contrast, put the gun more than an arm's length away from the window and it's *far* harder to claim that the owner is negligent. Put the gun out of reach and out of plain sight (e.g., in a closed nightstand or a locked glove compartment) and claims that the gunowner was negligent if the gun is subsequently stolen start to wear very thin - by that metric, some people will argue that their responsibility *requires* that they keep their gun on their person at all times!

    N.B., the cited quote doesn't even posit that the gun was stolen from a house or other area where the gunowner has a reasonable expectation of sole dominion - he's trying to bring to mind the image of a latter-day Johnny Appleseed prancing through a park tossing out loaded guns. Of course that's an unspeakably reckless act.

    For some reason most people here seem to assume that he's referring to home burglaries, and while it's true that some jurisdictions have vicarious liability laws the general principle remains - as a rule people aren't held responsible for reasonable omissions, and almost never when those omissions are required by reasonable actions.

    (E.g., you put a pie on the windowsill to cool, someone steals it, burns their fingers or mouth, and sues you. They'll have a *very* hard time winning since you had to put the pie *somewhere* to cool.)

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  31. Re:Using an analogy .... by Anonymous Coward · · Score: 3

    If I left my parked car unlocked and someone hopped in and stole it - proceeded to drive down a freeway, had an accident and caused a major traffic pile-up where several people died, would I be responsible?

    I would say no.

    Actually, the funny thing is that in New York (and until recently in Illinois), under a law known as vicarious liability, YOU are responsible for the actions of your vehicle, EVEN IF SOMEONE STEALS IT!!!!

    Rental car companies hate this law. I don't know if other states have it, but the rental car agency I used to work for had locations in Illinois and New York that were constantly getting sued... A great example is one that happened in New York. Lady rents a car from us and drives it home. She lets her SIXTEEN YEAR OLD son drive the car. Now, this is wrong in two ways. Our rental agreement says nobody under 25, AND if their name/driver's license isn't on the contract, they can't drive the car. So anyways, he takes this car around, and mows down a five year old kid on a street (The poor kid spent two months in the hospital, but is OK now.) The best part is, the cops wind up sending the kid home in the car, even though they found it was a rental. Even better is that this kid doesn't tell his mom what happened! Three months later, our rental agency gets a lawsuit for $3 Mill (BTW - The kid and his mom were named co-defendants, so this is when she found out about it!!). I never heard how the case wound up as I left the agency before it went to court...

    Anyway, the rental car agencies hate this law so much, that they banded together in Illinois and gave LOTS of money to the state legislature to get it removed there...

  32. The ISP has this to say... by jtroutman · · Score: 3

    This site has the ISP's POV. Mostly it's a lot of "poor little me" crap, but they do give more information on how this actually occurred.

    --
    I stole this sig from a more creative user.
  33. The problem with analogies... by Quintin+Stone · · Score: 5
    ...is that you can make up any shit you want and people never seem to ask themselves "Does this analogy make sense?"

    Nike left no loaded gun lying around. It wasn't their lack of security, it was Network Solutions. Even if Smith is right and Nike chose the lowest security model, so what? NSI is the ones who were offering it, right? Smith is basically saying that the low security model is itself criminal because it's too easy to break. And yet, it was Smith's system that was hacked, in order to introduce the Nike DNS info on his box. Whose security is actually at fault?

    You want an accurate analogy? Okay, here it is: I buy a car. Some guy goes to the manufacturer of my car, tells them that it's his and he needs another copy of my car key. The manufacturer just fucking gives it to him, he steals my car and drives it into some guy's store, smashing it and causing a lot of damage. The store owner sues me because I didn't buy the super deluxe model of the car that comes with a code-activated alarm system. Well, shit, what was I thinking?

    I ask you: which analogy is more accurate? Who is really at fault?

    --

    "Prejudice is wrong; you should hate everyone the same."

  34. The problem with using analogies... by Quintin+Stone · · Score: 2
    ...is that you can make up any shit you want. People never seem to ask themselves "Does this analogy make sense?"

    Nike left no loaded gun lying around. It wasn't their lack of security, it was Network Solutions. Even if Smith is right and Nike chose the lowest security model, so what? NSI is the ones who were offering it, right? Smith is basically saying that the low security model is itself criminal because it's too easy to break. And yet, it was Smith's system that was hacked, in order to introduce the Nike DNS info on his box. Whose security is actually at fault?

    You want an accurate analogy? Okay, here it is: I buy a car. Some guy goes to the manufacturer of my car, tells them that it's his and he needs another copy of my car key. The manufacturer just fucking gives it to him, he steals my car and drives it into some guy's store, smashing it and causing a lot of damage. The store owner sues me because I didn't buy the super deluxe model of the car that comes with a code-activated alarm system. Well, shit, what was I thinking?

    I ask you: which analogy is more accurate? Who is really at fault?

    --

    "Prejudice is wrong; you should hate everyone the same."

  35. Uh huh by Stickerboy · · Score: 3

    Exactly how did his ISP suffer? Emotional damages? Those big, bad packets scare customers away?

    --
    Light a fire for a man and he'll be warm for a day. Light a man on fire and he'll be warm for the rest of his life.
    1. Re:Uh huh by luckykaa · · Score: 2

      But if he had secured his own server so that the crackers couldn't have broken

      It wasn't broken into. Just that packets were directed at him rather than at Nike.

      Apart from that your analogy is quite accurate. Although I'd say it was more like the bank suing the owner of the car that was stolen as a getaway vehicle.

    2. Re:Uh huh by kwsNI · · Score: 2
      Way I see it, it's a bit like a chain collision on the highway, you don't go after the guy waaaay down the back who first hit, your insurance company goes the vehicle that hit YOU, who in turn goes the vehicle behind etc...

      You've never been in one of those wrecks. From experience, the insurance companies all went after the original car because it was their fault. That went for my insurance and the guy in front of me when I was in the middle of a 3 car wreck. But, I appreciate the analogy - wrong as it was - you still proved my point.

      kwsNI

  36. Re:Read your own post by British · · Score: 2

    Interesting. It's like I have the right to do a full security audit on everyone else's servers since any one of them has the potential for being hacked, and thus could be used as a place to hack MY servers.

    Can you get sued if you leave your keys in your car, and someone goes out for a joyride in your Saturn and drives through a shopping mall (like the Blues Brothers)? If so, it's time to do a big security sweep, MY profits are at stake!

  37. Nike shouldn't worry too much by Jon+Erikson · · Score: 4

    Shit, what's next? Will you be sued for having an angry mob smash your house up because they blocked the road you live on? This seems to me like a blatant attempt by an ISP to make a quick bit of cash off of a flimsy excuse, something which the US has a lot of unfortunately for it, and anyone that gets involved with it.

    This bloke seems like a bit of an arsehole anyway - setting up an online bookstore called Amazon.gr is not the actions of someone who is really dedicated to starting up an online business, it's the actions of someone trying to cash in on the dot-com craze.

    If I were Nike I wouldn't be too worried about this at all - the guy is an idiot out for easy money and any judge with half a brain will see that and throw the case out.


    ---
    Jon E. Erikson
    --

    Jon Erikson, IT guru

  38. Sue Microsoft... by Anonymous Coward · · Score: 5

    ...for hijacking my servers. Slower than molasses. I guess I shouldn't have installed Win2000.

  39. what!! no child exploitation??? by ledbetter · · Score: 2

    This has got to be the first lawsuit involving Nike in quite some time that hasn't had anything to do with exploitation of child labourers in sweatshops...

    kudos for finding something Original to sue Nike for!!!

    bet they didn't see that one coming!!

  40. Well, the popular answer would be... by Tower · · Score: 3

    sue the ass off of Network Solutions!

    "If anyone screwed up, said Casler, it was Network Solutions, which apparently allowed the hijacker to change Nike's registry information on the basis of a spoofed email from the Nike billing contact -- a person that did not have password authority to make changes to Nike's domain status."

    Yeah, everyone knows that they are a bunch of swindling, boorish jerks. We've heard it before, we'll hear it again...

    On a more realistic note, I don't think that Nike can/should be held responsible, if in fact, NSI made a change due to an email from an unauthorized account (the billing contact). More details need to be seen on this one - still not good, whatever happened...

    --
    "It's tough to be bilingual when you get hit in the head."
  41. Sue NSI, not Nike by exploder · · Score: 3

    This guy claims that Nike was negligent by only using mail-from authorization with Network Solutions, allowing anyone who can spoof an email to hijack their domain. Apparently, if Nike is to be believed, they had crypt-pw security, but NSI simply ignored it. The article claims that NSI has done this before. If all this is true, then I'd say the guy has a pretty good case against NSI, and that Nike probably does as well.

    --
    Yo dawg, I heard you like the Ackermann function, so OH GOD OH GOD OH GOD
  42. Stepping out of the box by shaldannon · · Score: 2

    It appears to me that there are some parallels between domain hijacking and airplane hijacking :)

    It seems that if you take reasonable precautions to prevent hijacking, then you shouldn't be held liable for one that takes place. On the other hand, if you're wide open (e.g., no metal detectors at the terminal), then you deserve a lawsuit.

    Not being familiar with Nike's security precautions and procedures, I can't speak for whether they were reasonable or not.


    if ($user =~ m/shaldannon/i) {
    print "\n-- $user :)\n"
    }

    --


    What is your Slash Rating?
  43. Similarly... by GeekLife.com · · Score: 4

    Can a pawn shop sue burglary-victims if the pawn shop's inventory is repossessed by the police?

    Can I sue the St. Louis Cardinals if the traffic created by people getting to the stadium causes the ambulance to my house to be late and my mom to die?

    Could I sue 1(900)Mix-A-Lot if the phone company accidentally switched the lines so I got all those phone calls?

    Seems like the ISP could legitimately sue the hijackers, but it's obvious he's just looking for the biggest pot of money and suing them, relevant or not.
    -----

  44. Both sides by 2starr · · Score: 3
    I can see two sides of this:

    1) He (Smith) has a point if Nike was negligent. Just like there are laws if someone gets hurt on your property because of negligence on your part, there should probably be some similar laws in cyberspace. Now exactly how you define those... I'm not sure. Maybe check to see if the people have kept reasonably up-to-date with bug patches?

    2) If someone steals a gun from your house and goes on a shooting rampage, are you responsible? (Well, probably again it depends whether you were negligent or not.) But, assuming that the person was responsible... how can you blame them?

    Bottom line - I do think web sites have a responsibility to be attentive to protecting their resources and ensuring that they don't hurt others with them... but beyond doing your best, you can't do any more.

    --

    "Let your heart soar as high as it will. Refuse to be average." - A. W. Tozer

  45. A good lawsuit... by Picass0 · · Score: 5

    Wouldn't it be great if somebody sued the American Bar Association for allowing such frivolous lawsuits to choke our legal system?

  46. A more likely story... by Natedog · · Score: 3

    After reading this story, several other stories about this event, and Smith's web page (www.shameonnike.com) I think that one of 2 things actually happened.

    First, notice that this page calls Nike's business practices "shabby" and at the bottom of the page there is a "Boycott Nike" icon. This seems to me like someone that is emotionally connected to a movement against Nike (in and of itself this is not a bad thing) - the point is that this lawsuit sounds like it is based more on a bias than facts and laws.

    So I think one of two things is actually going on:

    1) Smith or his friends are responsible for the crack and their plan was to redirect people going to www.nike.com to their own web sites against nike. I went to http://212.92.192.218 (from the dns file on Smith's web page) but this address no longer hosts any web pages. This crack caused negative press for the movement against nike so Smith is trying to divert the blame

    2) Smith was indeed a victim of the crackers but he is sympathetic to what they were trying to do and doesn't like nike himself so again he's trying to throw mud on nike hoping some of it will stick (I think this is the most probable)

    For all of you out there that think I might be saying this because I'm a nike fan - well I'm not. I haven't purchased anything from Nike for 3-4 years (only Dr. Martens) and I don't like the way they exploit foreign labor.

    BTW - I saw an Investigative Reports on A&E last night (I think that was the program) about passengers that tried to sue Amtrak for injuries that were caused by a saboteur that derailed the train. The Judge ruled that the derailment was caused by the saboteur and not Amtrak and Amtrak won the case and countersued for legal costs and won.

    --
    \forall code \in C, \frac{\Delta readability(code)}{\Delta t} < 0
  47. NSI Strikes again by Ho-Lee-Cow! · · Score: 2

    Someone should initiate class action against NSI for their consumer practices. Ralph Nader could have a field day with DN registrations and other related matters.

    --
    In space, no one can hear you moo.
  48. HIS Servers were hacked too by Leghk · · Score: 2

    Nike's DNS records were hacked, yes yes, and maybe they used poor security,
    yes yes. However *HIS* systems were compromised by the hacker, his OWN DNS
    was reconfigured, and his OWN server was rebooted.

    If the hacker logged in and did a mke2fs /dev/sda on his computer, would he
    still sue nike? [Your honor, Nike is responsible on the grounds that
    because after the hacker changed their domain, he was angered by the nike
    swoosh into a destructive rage, and he destroyed my server.]

    Anyway, how much "server load" can be rendered by DNS lookups for nike.com?
    Has anyone ever BEEN to nike.com before? S11.org obviously had CONSIDERABLY
    more traffic than this guy; and he could EASILY have fixed his "traffic"
    problem, by removing his hacked DNS records

  49. Re:Does this come as a shock? by Golias · · Score: 4
    Often when people launch frivolous lawsuits, the company will settle to avoid legal fees and embarrassment, in some situations, the person suing can play for sympathy (like that pathetic old lady that dumped coffee all over her lap, and sued McDonald's for the burns).

    In this case, Nike has no reason to settle. Their case looks lead-pipe solid, and (from what I can see) the person suing them is a whining little bitch of an ISP sysadmin.

    Even though nothing is likely to come out of this lawsuit, it will be played up in the news because so many people hate Nike. They charge "too much" for their shoes, they use overseas labor for their manufacturing, and they paste that Swoosh-thing on every flat surface within 5 miles of every stadium and golf course. On top of that, they are playing those stupid "Mrs. Jones" commercials, where a cardboard blaxploitation character talks jive into a radio microphone about how women athletes should be paid the same absurdly-high salaries as the men, even though hardly anybody watches them.

    Yessiree, plenty of reasons for people of various political stripes to hate Nike... but this isn't one of them. I hope they win, and get counter-damages for having to waste their time on it.

    --

    Information wants to be anthropomorphized.

  50. The Bad Precedent is the Red Herring by Effugas · · Score: 5

    Look.

    I'm fully of the opinion that if you have completely incompetent security policies, and those policies lead to direct monetary damage to another party, you should probably be somewhat liable, at least to the degree of your incompetence.

    The best example would probably be a fully loaded hospital intranet complete with patient charts and remotely writable data--with no firewall against the Internet. Somebody dies? Somebody is definitely liable.

    But this case is bizarrely inappropriate. Nike had a security policy that depended on a shared secret--the name of the user authorized to issue changes. The shared secret was not disclosed by Nike nor discovered by the attackers, but NSI allowed the switch anyway. I find it hard to believe that this was not an automated process--a request to change the domain of a transnational company comes in, and the new IP is to some tiny guy; you can bet no human approved THAT transaction--despite what NSI might have you believe. Therefore NSI is in breach all over the place, and they're liable.

    I think the real strategy here is to force Nike to sue NSI...by making Nike do all the legwork of proving that this was Network Solution's fault, suddenly NSI has a very big and very angry enemy indeed. It's co-option of a very large legal department, and in that context, it's a damn brilliant idea.

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com

  51. Using an analogy .... by dustpuppy · · Score: 4
    cos sometimes it's fun :) ....

    If I left my parked car unlocked and someone hopped in and stole it - proceeded to drive down a freeway, had an accident and caused a major traffic pile-up where several people died, would I be responsible?

    I would say no.

    However, if you use the analogy that Smith used: if one were to leave a loaded gun laying about and if another person picked it up and killed someone with it, the owner of that gun would be held responsible for negligence

    I would say yes.

    So what is the difference? I don't know myself - I just thought I'd provoke some thinking amongst everyone and hopefully someone else who is thinking straight at the moment (it's late at night here) can give some insight! :)