> I'm not an expert in US computer crime law, so this may not be relevant, but
> consider the following scenario:
>
> The same cracker that broke in GE's network breaks in X's network, and is
> caught, but not before doing substantial damage. A subsequent inquiry finds
> out that X has the same firewall system as GE, and that the same security
> holes were used in both cases. Would GE in this case be liable for damage,
> since disclosure of the methods used in that case would have allowed X to
> plug its own security holes?
You really should direct legal questions to an attorney. There is a
difference between logic and U.S. law.
When CERT first started, we discussed this with a few attorneys. One
provided the following story.
If you see someone drowning and you do nothing and the person dies, you
would not be arrested. The person would have died if you were not present.
If you attempt to save the person and the person dies, the police and
next of kin would examine everything you did in case you made a mistake.
It is possible that you could be charged with a crime or sued by the next
of kin.
Most would think this story to be silly but there is case law to support
it.
If site X had security problems, an intruder could have attacked them
regardless of what happened at GE. GE not discussing their break-in
would not make things worse. They would not be helping either the
site or the intruder.
If GE announced a problem with ABCD's firewall product and an intruder used
the same method as described in GE's announcement to break into site X, GE
could be sued. A good attorney could get away without proving the intruder
knew about GE's announcement.
Ed