Nike Gets Sued Over Nike.com Hijack
kwsNI writes: "Wired has this article on an ISP trying to sue Nike over the recent hijack of Nike.com. He claims that his ISP suffered when the hackers routed the Nike.com traffic through his servers. He claims that Nike is at fault for not having better security. This really scares me. Can you really be sued for having your domain hijacked?" I'm interested to see where this will go.
What next? Slashdot getting sued for Slashdotting servers?
-- "I can't tell the future, I just work there." -- The Doctor
So, let's get this straight...
This suit is patently ridiculous and should get thrown out as soon as Nike's lawyers say "We had nothing to do with this." Then the lawyers should say, "Here's our counter-suit for this bonehead aiding the hax0rs." Nike does have a legitimate suit against Smith and NSI.
It is Smith (or his host) who is to blame for lax security on his own box, and NSI who is to blame for their incompetent SOP for domain transfers.
-sk
You buy a goat, 'cause you like goat milk. Then some guy shoots your goat with a gun that somebody else left lying around in some unnamed fourth party's unlocked car. But, get this... the GOAT DOESN'T DIE! So then the guy with the gun (Guy-sub-Alpha) sues the owner of the car, for leaving his door unlocked so that guy-sub-alpha could steal a gun that was incapable of killing a freakin' goat.
And there you are with a bloody, wounded goat on your hands, wondering what happened.
You see what I'm saying?
Yes, he may have been inconvenienced by this. Now, if he wants to sue someone, sue the hackers that were responsible. Hell, sue Network Solutions for their screw up. Nike isn't the one that did something wrong.
Personally, I think it's part of being on the internet. To me, this is the same thing as owning a store on a street and trying to sue the store down the road because protesters gather out in front of it and the traffic jam they cause hurts your business. Sorry. C'est la vie. It's life, get on with it.
I've worked in customer service and tech support for an ISP before. Tell your clients what happened and most of them will understand. If you lose a few customers, that's business. They can go to another network and the next domain hijack can hurt them again. Most people realize that they can be hit by this anywhere on the net, regardless of their network.
kwsNI
Nike left no loaded gun lying around. It wasn't their lack of security, it was Network Solutions. Even if Smith is right and Nike chose the lowest security model, so what? NSI is the ones who were offering it, right? Smith is basically saying that the low security model is itself criminal because it's too easy to break. And yet, it was Smith's system that was hacked, in order to introduce the Nike DNS info on his box. Whose security is actually at fault?
You want an accurate analogy? Okay, here it is: I buy a car. Some guy goes to the manufacturer of my car, tells them that it's his and he needs another copy of my car key. The manufacturer just fucking gives it to him, he steals my car and drives it into some guy's store, smashing it and causing a lot of damage. The store owner sues me because I didn't buy the super deluxe model of the car that comes with a code-activated alarm system. Well, shit, what was I thinking?
I ask you: which analogy is more accurate? Who is really at fault?
"Prejudice is wrong; you should hate everyone the same."
Shit, what's next? Will you be sued for having an angry mob smash your house up because they blocked the road you live on? This seems to me like a blatant attempt by an ISP to make a quick bit of cash off of a flimsy excuse, something which the US has a lot of unfortunately for it, and anyone that gets involved with it.
This bloke seems like a bit of an arsehole anyway - setting up an online bookstore called Amazon.gr is not the actions of someone who is really dedicated to starting up an online business, it's the actions of someone trying to cash in on the dot-com craze.
If I were Nike I wouldn't be too worried about this at all - the guy is an idiot out for easy money and any judge with half a brain will see that and throw the case out.
---
Jon E. Erikson
Jon Erikson, IT guru
...for hijacking my servers. Slower than molasses. I guess I shouldn't have installed Win2000.
Can a pawn shop sue burglary-victims if the pawn shop's inventory is repossessed by the police?
Can I sue the St. Louis Cardinals if the traffic created by people getting to the stadium causes the ambulance to my house to be late and my mom to die?
Could I sue 1(900)Mix-A-Lot if the phone company accidentally switched the lines so I got all those phone calls?
Seems like the ISP could legitimately sue the hijackers, but it's obvious he's just looking for the biggest pot of money and suing them, relevant or not.
-----
Wouldn't it be great if somebody sued the American Bar Association for allowing such frivolous lawsuits to choke our legal system?
In this case, Nike has no reason to settle. Their case looks lead-pipe solid, and (from what I can see) the person suing them is a whining little bitch of an ISP sysadmin.
Even though nothing is likely to come out of this lawsuit, it will be played up in the news because so many people hate Nike. They charge "too much" for their shoes, they use overseas labor for their manufacturing, and they paste that Swoosh-thing on every flat surface within 5 miles of every stadium and golf course. On top of that, they are playing those stupid "Mrs. Jones" commercials, where a cardboard blaxploitation character talks jive into a radio microphone about how women athletes should be paid the same absurdly-high salaries as the men, even though hardly anybody watches them.
Yessiree, plenty of reasons for people of various political stripes to hate Nike... but this isn't one of them. I hope they win, and get counter-damages for having to waste their time on it.
Information wants to be anthropomorphized.
Look.
I'm fully of the opinion that if you have completely incompetent security policies, and those policies lead to direct monetary damage to another party, you should probably be somewhat liable, at least to the degree of your incompetence.
The best example would probably be a fully loaded hospital intranet complete with patient charts and remotely writable data--with no firewall against the Internet. Somebody dies? Somebody is definitely liable.
But this case is bizarrely inappropriate. Nike had a security policy that depended on a shared secret--the name of the user authorized to issue changes. The shared secret was not disclosed by Nike nor discovered by the attackers, but NSI allowed the switch anyway. I find it hard to believe that this was not an automated process--a request to change the domain of a transnational company comes in, and the new IP is to some tiny guy; you can bet no human approved THAT transaction--despite what NSI might have you believe. Therefore NSI is in breach all over the place, and they're liable.
I think the real strategy here is to force Nike to sue NSI...by making Nike do all the legwork of proving that this was Network Solutions' fault, suddenly NSI has a very big and very angry enemy indeed. It's co-option of a very large legal department, and in that context, it's a damn brilliant idea.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
If I left my parked car unlocked and someone hopped in and stole it - proceeded to drive down a freeway, had an accident and caused a major traffic pile-up where several people died, would I be responsible?
I would say no.
However, if you use the analogy that Smith used: if one were to leave a loaded gun lying about and if another person picked it up and killed someone with it, the owner of that gun would be held responsible for negligence.
I would say yes.
So what is the difference? I don't know myself - I just thought I'd provoke some thinking amongst everyone and hopefully someone else who is thinking straight at the moment (it's late at night here) can give some insight! :)