Slashdot Mirror


Nike Gets Sued Over Nike.com Hijack

kwsNI writes: "Wired has this article on an ISP trying to sue Nike over the recent hijack of Nike.com. He claims that his ISP suffered when the hackers routed the Nike.com traffic through his servers. He claims that Nike is at fault for not having better security. This really scares me. Can you really be sued for having your domain hijacked?" I'm interested to see where this will go.

8 of 219 comments

  1. What next? by Netsnipe · · Score: 5

    What next? Slashdot getting sued for Slashdotting servers?

    --
    -- "I can't tell the future, I just work there." -- The Doctor
  2. What an idoit by Squirrel Killer · · Score: 5
    Per this moron's own site:
    To put it in simple terms, someone changed the information held by Network Solutions, Inc. (NETSOL) so that instead of the three DNS entries shown:

    DNSAUTH1.SYS.GTEI.NET
    DNSAUTH2.SYS.GTEI.NET
    DNSAUTH3.SYS.GTEI.NET

    ...new DNS values were provided to NETSOL which resulted in the domain name being 'pointed' to another NameServer. In this case, the domain was pointed to the primary and secondary NameServer for FirstNET Online (Management) Limited.

    Then (presumably) the same person or persons gained access to our boot file and added the following line of text: (the boot file tells the server which domains it is hosting or reporting DNS for)

    primary nike.com nike.com.dns

    So, let's get this straight...

    • Hax0rs fool NSI to change the domain
    • Haxors break into this guy's server to facilitate fooling NSI
    • And Nike is to blame for all of this!?

    This suit is patently ridiculous and should get thrown out as soon as Nike's lawyers say "We had nothing to do with this." Then the lawyers should say, "Here's our counter-suit for this bonehead aiding the hax0rs." Nike does have a legitimate suit against Smith and NSI.

    It is Smith (or his host) who is to blame for lax security on his own box, and NSI who is to blame for their incompetent SOP for domain transfers.

    -sk
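
Added example (not part of the comment above or of the ISP's site it quotes): a defender-side audit for the two changes the quoted explanation describes, an unexpected zone line in a BIND 4 style boot file and a changed nameserver set for the domain. The allow-list, the sample boot file and the observed nameserver names are constructed, and the function names are hypothetical.

```python
# Added example. SAMPLE_BOOT and OBSERVED_NS are constructed sample data.
SAMPLE_BOOT = """\
; constructed BIND 4 style boot file
directory  /var/named
cache      .                 root.cache
primary    example-isp.test  example-isp.test.dns
secondary  customer.test     192.0.2.10 customer.test.bak
primary    nike.com          nike.com.dns
"""
AUTHORIZED_ZONES = ["example-isp.test", "customer.test"]  # hypothetical allow-list

# Nameservers the quoted explanation lists as the original delegation.
EXPECTED_NS = ["DNSAUTH1.SYS.GTEI.NET", "DNSAUTH2.SYS.GTEI.NET",
               "DNSAUTH3.SYS.GTEI.NET"]
OBSERVED_NS = ["ns1.example-isp.test", "ns2.example-isp.test"]  # constructed


def _norm(name):
    """DNS names compare case-insensitively; ignore a trailing root dot."""
    return name.lower().rstrip(".")


def hosted_zones(boot_text):
    """Map each zone served per the boot file to (type, line number)."""
    zones = {}
    for lineno, raw in enumerate(boot_text.splitlines(), 1):
        fields = raw.split(";", 1)[0].split()   # ';' starts a comment
        if len(fields) >= 3 and fields[0].lower() in ("primary", "secondary"):
            zones[_norm(fields[1])] = (fields[0].lower(), lineno)
    return zones


def unexpected_zones(boot_text, authorized):
    """Zones the server answers for that nobody signed off on."""
    allowed = {_norm(z) for z in authorized}
    return sorted((lineno, kind, zone)
                  for zone, (kind, lineno) in hosted_zones(boot_text).items()
                  if zone not in allowed)


def delegation_drift(expected_ns, observed_ns):
    """Difference between the recorded and the currently delegated NS set."""
    exp = {_norm(n) for n in expected_ns}
    obs = {_norm(n) for n in observed_ns}
    return {"added": sorted(obs - exp), "removed": sorted(exp - obs)}


if __name__ == "__main__":
    print(unexpected_zones(SAMPLE_BOOT, AUTHORIZED_ZONES))
    print(delegation_drift(EXPECTED_NS, OBSERVED_NS))
```

The first check is the hosting operator's side (a zone line nobody authorized), the second is the domain owner's side (the delegated nameserver set no longer matches the recorded one).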

  3. Re:The problem with analogies... by mcsnee · · Score: 5
    Ok, here's what it's _really_ like.

    You buy a goat, 'cause you like goat milk. Then some guy shoots your goat with a gun that somebody else left lying around in some unnamed fourth party's unlocked car. But, get this... the GOAT DOESN'T DIE! So then the guy with the gun (Guy-sub-Alpha) sues the owner of the car, for leaving his door unlocked so that guy-sub-alpha could steal a gun that was incapable of killing a freakin' goat.

    And there you are with a bloody, wounded goat on your hands, wondering what happened.

    You see what I'm saying?

  4. Re:Uh huh by kwsNI · · Score: 5
    But Nike didn't DoS them. Hell, Nike didn't do anything. Someone else sent NetSol an (unencrypted) e-mail spoofed to look like the billing contact for nike.com asking to change Nike.com to their control. For one thing, this person wasn't supposed to be able to control the domain name and for another, it was supposed to be an encrypted e-mail. NetSol screwed up on this one.

    Yes, he may have been inconvenienced by this. Now, if he wants to sue someone, sue the hackers that were responsible. Hell, sue Network Solutions for their screw up. Nike isn't the one that did something wrong.

    Personally, I think it's part of being on the internet. To me, this is the same thing as owning a store on a street and trying to sue the store down the road because protesters gather out in front of it and the traffic jam they cause hurts your business. Sorry. C'est la vie. It's life, get on with it.

    I've worked in customer service and tech support for an ISP before. Tell your clients what happened and most of them will understand. If you lose a few customers, that's business. They can go to another network and the next domain hijack can hurt them again. Most people realize that they can be hit by this anywhere on the net, regardless of their network.

    kwsNI

  5. The problem with analogies... by Quintin Stone · · Score: 5
    ...is that you can make up any shit you want and people never seem to ask themselves "Does this analogy make sense?"

    Nike left no loaded gun lying around. It wasn't their lack of security, it was Network Solutions. Even if Smith is right and Nike chose the lowest security model, so what? NSI are the ones who were offering it, right? Smith is basically saying that the low security model is itself criminal because it's too easy to break. And yet, it was Smith's system that was hacked, in order to introduce the Nike DNS info on his box. Whose security is actually at fault?

    You want an accurate analogy? Okay, here it is: I buy a car. Some guy goes to the manufacturer of my car, tells them that it's his and he needs another copy of my car key. The manufacturer just fucking gives it to him, he steals my car and drives it into some guy's store, smashing it and causing a lot of damage. The store owner sues me because I didn't buy the super deluxe model of the car that comes with a code-activated alarm system. Well, shit, what was I thinking?

    I ask you: which analogy is more accurate? Who is really at fault?

    --

    "Prejudice is wrong; you should hate everyone the same."

  6. Sue Microsoft... by Anonymous Coward · · Score: 5

    ...for hijacking my servers. Slower than molasses. I guess I shouldn't have installed Win2000.

  7. A good lawsuit... by Picass0 · · Score: 5

    Wouldn't it be great if somebody sued the American Bar Association for allowing such frivolous lawsuits to choke our legal system?

  8. The Bad Precedent is the Red Herring by Effugas · · Score: 5

    Look.

    I'm fully of the opinion that if you have completely incompetent security policies, and those policies lead to direct monetary damage to another party, you should probably be somewhat liable, at least to the degree of your incompetence.

    The best example would probably be a fully loaded hospital intranet complete with patient charts and remotely writable data--with no firewall against the Internet. Somebody dies? Somebody is definitely liable.

    But this case is bizarrely inappropriate. Nike had a security policy that depended on a shared secret--the name of the user authorized to issue changes. The shared secret was not disclosed by Nike nor discovered by the attackers, but NSI allowed the switch anyway. I find it hard to believe that this was not an automated process--a request to change the domain of a transnational company comes in, and the new IP is to some tiny guy; you can bet no human approved THAT transaction--despite what NSI might have you believe. Therefore NSI is in breach all over the place, and they're liable.

    I think the real strategy here is to force Nike to sue NSI...by making Nike do all the legwork of proving that this was Network Solutions' fault, suddenly NSI has a very big and very angry enemy indeed. It's co-option of a very large legal department, and in that context, it's a damn brilliant idea.

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com