Slashdot Mirror
Nike Gets Sued Over Nike.com Hijack
kwsNI writes: "Wired has this article on an ISP trying to sue Nike over the recent hijack of Nike.com. He claims that his ISP suffered when the hackers routed the Nike.com traffic through his servers. He claims that Nike is at fault for not having better security. This really scares me. Can you really be sued for having your domain hijacked?" I'm interested to see where this will go.
What's funny is, his own site, admits that they were not only hacked but it was because they didn't have good security on their servers and that it wasn't hard for the hackers to compromise their servers too. This guy is so hypocritical, it's amazing.
kwsNI
IANAUKL (I am not a UK lawyer), but in the States you can be sued for pretty much anything. I could sue Taco for bad grammar, claiming that his awful prose has caused me to misunderstand technical issues that are important to my job, and hence Taco is responsible for damaging my wage earning ability.
But remember, filling a lawsuit is significantly different than bringing a succsessful lawsuit in front of a judge.
I can see three possible outcomes from this lawsuit:
Things that will not happen include:
I suspect we won't hear about this case again. If this was happening in the States, I'd expect to see Mr. Smith's name on the front pages in a few years, when he walks into an office building somewhere and starts shoot ing people. Since its the UK, I expect he'll just become a school teacher or some other profession where he can inflict damage on people with immunity. Or, perhaps he'll just continue being a totally irresponsible and technically incompetent system administrator for his own ISP, and just continue inflicting damages on his clueless customers.
Slashdot is jumping the shark. I'm just driving the boat.
--
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
What next? Slashdot getting sued for Slashdotting servers?
-- "I can't tell the future, I just work there." -- The Doctor
So, let's get this straight...
This suit is patently ridiculous and should get thrown out as soon as Nike's lawyers say "We had nothing to do with this." Then the lawyers should say, "Here's our counter-suit for this bonehead aiding the hax0rs." Nike does have a legitimate suit against Smith and NSI.
It is Smith (or his host) who is to blame for lax security on his own box, and NSI who is to blame for their incompetant SOP for domain transfers.
-sk
Often when people launch frivolous lawsuits, the company will settle to avoid legal fees and embarrassment, in some situations, the person suing can play for sympathy (like that pathetic old lady that dumped coffee all over her lap, and sued McDonald's for the burns).
I'm going to have to write this URL down, I keep looking for it so often.
http://www.injurycases.com/coffee.html
(The emphasized parts above were done by me.)
Jay (=
You buy a goat, 'cause you like goat milk. Then some guy shoots your goat with a gun that somebody else left lying around in some unnamed fourth party's unlocked car. But, get this... the GOAT DOESN'T DIE! So then the guy with the gun (Guy-sub-Alpha) sues the owner of the car, for leaving his door unlocked so that guy-sub-alpha could steal a gun that was incapable of killing a freakin' goat.
And there you are with a bloody, wounded goat on your hands, wondering what happened.
You see what I'm saying?
Yes, he may have been inconvienenced by this. Now, if he wants to sue someone, sue the hackers that were responsible. Hell, sue Network Solutions for their screw up. Nike isn't the one that did something wrong.
Personally, I think it's part of being on the internet. To me, this is the same thing as owning a store on a street and trying to sue the store down the road because protesters gather out in front of it and the traffic jam they cause hurts your business. Sorry. C'est la vie. It's life, get on with it.
I've worked in customer service and tech support for an ISP before. Tell your clients what happened and most of them will understand. If you loose a few customers, that's business. They can go to another network and the next domain hijack can hurt them again. Most people realize that they can be hit by this anywhere on the net, regardless of their network.
kwsNI
Dear Customer,
* **
* **
* **
* **
g uardian/
c ontact1/
c ontact2/
IMPORTANT ACCOUNT ENHANCEMENTS SCHEDULED: SECURITY UPGRADES
MAY REQUIRE ADDITIONAL STEP BEFORE CHANGES ARE MADE
***********************************************
Security for our customers has always been a top priority
at Network Solutions. Now we are taking that even further
as we merge with VeriSign, one of the industry leaders in
Internet security. We all recognize information security is
vital on the Internet, and we want to assure you that we
constantly monitor security and maintain systems that help
protect you and your information. This message is about
changes in our guardian security system.
WHAT DOES THIS MEAN FOR ME?
***********************************************
When you first registered your domain name you may have
selected a security option. You then currently have one
of three Guardian authentication methods: "Mail-From,"
Password (Crypt-PW), and Secure Encryption (PGP).
With our upcoming upgrade, customers who have not yet
selected a security option will be migrated to "Mail-From"
security. Customers who currently use the "Mail-From After
Update" Guardian authentication method will now have to
respond to an e-mail security check before the requested
changes will be implemented. Customers who currently use
existing Guardian security options do not have to make
any changes at all.
WHAT WILL HAPPEN WHEN I REQUEST A CHANGE?
***********************************************
NSI is enhancing "Mail-From" with an additional e-mail
security check. Specifically, NSI will e-mail a validation
request to the specific administrative and technical
contact listed for a domain name before making any
modification to that domain name. This means, if you have
"Mail-From" security, NSI will no longer implement a
requested change until we receive e-mail verification
confirming authorization from either contact. It's an extra
step, but it's worth it to protect your account.
WHEN WILL THIS HAPPEN?
***********************************************
We have scheduled the modification for Saturday, July 8,
2000, so you should check your account information to see
if it is correct. Actually, it's a good idea to check your
account periodically anyway.
To make modifications easier, we provided easy-to-follow
instructions on our web site at:
http://info.networksolutions.com/go/t/security/
Additionally, we updated the contact form FAQs, which can
be found at:
http://info.networksolutions.com/go/t/security/
Please note that we continue to enhance security. Future
security plans include the use of VeriSign certificates
for authentication. But don't worry; we will keep you
completely informed about these upcoming changes.
If you have further questions or concerns about this
current security upgrade, please contact our Customer
Service Department at:
http://info.networksolutions.com/go/t/security/
Sincerely,
F. Michael Kyle
Vice President, Customer Service
Network Solutions(R)
a VeriSign(R) company
Hello little man. I will destroy you!
I *really* hate it when people misquote the rhetorical questions used to illustrate legal principles....
The original rhetorical question is "if one were to leave a loaded gun ON AN OPEN WINDOWSILL and a passerby picked it up..." The key phrase is "open windowsill" - it's at a location where the owner is nominally in control of it, but anyone passing on the street could easily grab it. Hell, it's at a location where it could be easily knocked out of house without deliberate effort. The gunowner is clearly acting negligently.
(A modern analogue to this question is someone leaving a gun in plain sight in a locked car. This requires smashing a car window, but the risks of a parking lot "smash & grab" are less than a home burglary.)
In contrast, put the gun more than an arm's length away from the window and it's *far* harder to claim that the owner is negligent. Put the gun out of reach and out of plain sight (e.g., in a closed nightstand or a locked glove compartment) and claims that the gunowner was negligent if the gun is subsequently stolen start to wear very thin - by that metric, some people will argue that their responsibility *requires* that they keep their gun on their person at all times!
N.B., the cited quote doesn't even posit that the gun was stolen from a house or other area where the gunowner has a reasonable expectation of sole dominion - he's trying to bring to mind the image of a latter-day Johnny Appleseed prancing through a park tossing out loaded guns. Of course that's an unspeakably reckless act.
For some reason most people here seem to assume that he's refering to home burglaries, and while it's true that some jurisdictions have vicarious liability laws the general principal remains - as a rule people aren't held responsible for reasonable omissions, and almost never when those omissions are required by reasonable actions.
(E.g., you put a pie on the windowsill to cool, someone steals it, burns their fingers or mouth, and sues you. They'll have a *very* hard time winning since you had to put the pie *somewhere* to cool.)
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
If I left my parked car unlocked and someone hopped in and stole it - proceeded to drive down a freeway, had a accident and caused a major traffic pile-up where several people died, would I be responsible?
I would say no.
Actually, teh funny thing is that in New York (and until recently in Illinois), under a law known as vicarious liability, YOU are responsible for the actions of your vehicle, EVEN IF SOMEONE STEALS IT!!!!
Rental car companies hate this law. I don't know if other states have it, but the rental car agency I used to work for had locations in Illinois and New York that were constantly getting sued... A great example is one that happened in New York. Lady rents a car from us and drives it home. She lets her SIXTEEN YEAR OLD son drive the car. Now, this is wrong in two ways. Our rental agreement says nobody under 25, AND if their name/driver's license isn't on the contract, they can't drive the car. So anyways, he takes this car around, and mows down a five year old kid on a street (The poor kid spent two months in the hospital, but is OK now.) The best part is, the cops wind up sending the kid home in the car, even though they found it was a rental. Even better is that this kid doesn't tell his mom what happened! Three months later, our rental agency gets a lawsuit for $3 Mill (BTW - The kid and his mom were named co-defendants, so this is when she found out about it!!). I never heard how the case wound up as I left the agency before it went to court...
Anyway, the rental car agencies hate this law so much, that they banded togehter in Illinois and gave LOTS of money to the state legislature to get it removed there...
This site has the ISP's POV. Mostly it's a lot of "poor little me" crap, but they do give more information on how this actually occurred.
I stole this sig from a more creative user.
Nike left no loaded gun lying around. It wasn't their lack of security, it was Network Solutions. Even if Smith is right and Nike chose the lowest security model, so what? NSI is the ones who were offering it, right? Smith is basically saying that the low security model is itself criminal because it's too easy to break. And yet, it was Smith's system that was hacked, in order to introduce the Nike DNS info on his box. Who's security is actually at fault?
You want an accurate analogy? Okay, here it is: I buy a car. Some guy goes to the manufacturer of my car, tells them that it's his and he needs another copy of my car key. The manufacturer just fucking gives it to him, he steals my car and drives it into some guy's store, smashing it and causing a lot of damage. The store owner sues me because I didn't buy the super deluxe model of the car that comes with a code-activated alarm system. Well, shit, what was I thinking?
I ask you: which analogy is more accurate? Who is really at fault?
"Prejudice is wrong; you should hate everyone the same."
Exactly how did his ISP suffer? Emotional damages? Those big, bad packets scare customers away?
Light a fire for a man and he'll be warm for a day. Light a man on fire and he'll be warm for the rest of his life.
Shit, what's next? Will you be sued for having an angry mob smash your house up because they blocked the road you live on? This seems to me like a blatent attempt by an ISP to make a quick bit of cash off of a flimsy excuse, something which the US has a lot of unfortunately for it, and anyone that gets involved with it.
This bloke seems like a bit of an arsehole anyway - setting up an online bookstore called Amazon.gr is not the actions of someone who is really dedicated to starting up an online business, it's the actions of someone trying to cash in on the dot-com craze.
If I were Nike I wouldn't be too worried about this at all - the guy is an idiot out for easy money and any judge with half a brain will see that and throw the case out.
---
Jon E. Erikson
Jon Erikson, IT guru
...for hijacking my servers. Slower than molasses. I guess I shouldn't have installed Win2000.
sue the ass off of Network Solutions!
"If anyone screwed up, said Casler, it was Network Solutions, which apparently allowed the hijacker to change Nike's registry information on the basis of a spoofed email from the Nike billing contact -- a person that did not have password authority to make changes to Nike's domain status."
Yeah, everyone knows that they are a bunch of swindling, boorish jerks. We've heard it before, we'll hear it again...
On a more realistic note, I don't think that Nike can/should be held repsonsible, if in fact, NSI made a change due to an email from an unauthorized account (the billing contact). More details need to be seen on this one - still not good, whatever happened...
"It's tough to be bilingual when you get hit in the head."
This guy claims that Nike was negligent by only using mail-from authorization with Network Solutions, allowing anyone who can spoof an email to hijack their domain. Apparently, if Nike is to be believed, they had crypt-pw security, but NSI simply ignored it. The article claims that NSI has done this before. If all this is true, then I'd say the guy has a pretty good case against NSI, and that Nike probably does as well.
Yo dawg, I heard you like the Ackermann function, so OH GOD OH GOD OH GOD
Can a pawn shop sue burglary-victims if the pawn shop's inventory is repossessed by the police?
Can I sue the St. Louis Cardinals if the traffic created by people getting to the stadium causes the ambulance to my house to be late and my mom to die?
Could I sue 1(900)Mix-A-Lot if the phone company accidentally switched the lines so I got all those phone calls?
Seems like the ISP could legitimately sue the hijackers, but it's obvious he's just looking for the biggest pot of money and suing them, relevant or not.
-----
1) He (Smith) has a point if Nike was negligent. Just like there are laws if someone gets hurt on your property because of negligence on your part, there should probably be some similar laws in cyberspace. Now exactly how you define those... I'm not sure. Maybe check to see if the people have kept reasonably up-to-date with bug patches?
2) If someone steal a gun from your house and goes on a shooting rampage, are you responsible? (Well, probably again it depends whether you were negligable or not.) But, assuming that the person was responsible... how can you blame them?
Bottom line - I do think web sites have a responsibility to be attentive to protecting their resources and ensuring that they don't hurt other with them... but beyond doing your best, you can't do any more.
"Let your heart soar as high as it will. Refuse to be average." - A. W. Tozer
Wouldn't it be great if somebody sued the American Bar Association for allowing such frivolous lawsuits to choke our legal system?
After reading this story, several other stories about this event, and Smith's web page (www.shameonnike.com) I think that one of 2 things actually happend.
First, notice that this page calls Nike's buisness practices "shabby" and at the bottom of the page there is a "Boycott Nike" icon. This seems to me like someone that is emotionally connected to a movement against Nike (in and of itself this is not a bad thing) - the point is that this lawsuit sounds like it is based more on a bias than facts and laws.
So I think one of two things is actually going on:
1) Smith or his freinds are responsible for the crack and their plan was to redirect people going to www.nike.com to their own web sites against nike. I went to http://212.92.192.218 (from the dns file on Smith's web page) but this address no longer hosts any web pages. This crack caused negative press for the movement against nike so Smith is trying to divert the blame
2) Smith was indeed a victom of the crackers but he is sympathetic to what they were trying to do and doesn't like nike himself so again he's trying to throw mud on nike hoping some of it will stick (I think this is the most probable)
For all of you out there that think I might be saying this because I'm a nike fan - well I'm not. I haven't purchased anything from Nike for 3-4 years (only Dr. Martins) and I don't like the way they exploit forgien labor.
BTW - I saw an Investigative Reports on A&E last night (I think that was the program) about passangers that tried to sue Amtrack for injuries that were caused by a sabatour that derailed the train. The Judge ruled that the derailment was caused by the sabatour and not Amtrack and Amtrack won the case and counter sued for legal costs and won.
\forall code \in C, \frac{\Delta readability(code)}{\Delta t} < 0
In this case, Nike has no reason to settle. Their case looks lead-pipe solid, and (from what I can see) the person suing them is a whining little bitch of an ISP sysadmin.
Even though nothing is likely to come out of this lawsuit, it will be played up in the news because so many people hate Nike. They charge "too much" for their shoes, they use overseas labor for their manufacturing, and they paste that Swoosh-thing on every flat surface within 5 miles of every stadium and golf course. On top of that, they are playing those stupid "Mrs. Jones" comercials, where a cardboard blaxploitation character talks jive into a radio microphone about how women athletes should be paid the same absurdly-high salaries as the men, even though hardly anybody watches them.
Yessiree, plenty of reasons for people of various political stripes to hate Nike... but this isn't one of them. I hope they win, and get counter-damages for having to waste their time on it.
Information wants to be anthropomorphized.
Look.
I'm fully of the opinion that if you have completely incompetent security policies, and those policies lead to direct monetary damage to another party, you should probably be somewhat liable, at least to the degree of your incompetence.
The best example would probably be a fully loaded hospital intranet complete with patient charts and remotely writable data--with no firewall against the Internet. Somebody dies? Somebody is definitely liable.
But this case is bizarrely inappropriate. Nike had a security policy that depended on a shared secret--the name of the user authorized to issue changes. The shared secret was not disclosed by Nike nor discovered by the attackers, but NSI allowed the switch anyway. I find it hard to believe that this was not an automated process--a request to change the domain of a transnational company comes in, and the new IP is to some tiny guy; you can bet no human approved THAT transaction--despite what NSI might have you believe. Therefore NSI is in breach all over the place, and they're liable.
I think the real strategy here is to force Nike to sue NSI...by making Nike do all the legwork of proving that this was Network Solution's fault, suddenly NSI has a very big and very angry enemy indeed. It's co-option of a very large legal department, and in that context, it's a damn brilliant idea.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
If I left my parked car unlocked and someone hopped in and stole it - proceeded to drive down a freeway, had a accident and caused a major traffic pile-up where several people died, would I be responsible?
I would say no.
However, if you use the analogy that Smith used: if one were to leave a loaded gun laying about and if another person picked it up and killed someone with it, the owner of that gun would be held responsible for negligence
I would say yes.
So what is the difference? I don't know myself - I just thought I'd provoke some thinking amongst everyone and hopefully someone else who is thinking straight at the moment (it late at night here) can give some insight! :)