On Fri, 8 Sep 1995 the firewalls-digest included:
> From: Danny Cox <dannyc@gmap.leeds.ac.uk>
> Date: Fri, 8 Sep 1995 12:45:48 +0100
> Subject: upgrade to commercial firewalls
>
> Management here seems to have a healthy attitude to security - bordering on
> the paranoid if anything, but willing to spend the money, which is good.
>
> Just talking now with one of the senior managers .. our current situation is
> that I've built a firewall router using SOCKS .. my next step may have been
> to upgrade using the TIS fwtk stuff ..
>
> Interesting comment though from him, which in my naivete I'd not thought
> about. If we get attacked and lose software/data etc, then who's liable ?
> If we use freeware products, then no one is. If we use a commercial product,
> then we can, I guess, sue the firewall supplier ... ? At least that was
> his comment, and I'd be very interested to hear what you all think to this
> concept. This is based on the idea that they'd be covered by their indemnity
> insurance ...
>
> ------------------------------
>
> From: Steve Marquess <steve@rsca.com>
> Date: Fri, 8 Sep 1995 10:07:32 -0400
> Subject: Re: upgrade to commercial firewalls
>
> <Quotes from the Danny Cox post snipped>
>
> This exact same point has been raised repeatedly at my company, a large
> financial services firm with a "healthy bordering on paranoid" concern about security.
> The ability to assign blame in the event of problems is a very significant
> consideration in the acquisition of important systems and services. And if
> you think about it from the management point of view there is a certain
> logic to it: if we suffer a business loss due to the failure of "home grown"
> or "roll your own" (terms of disparagement here...) software then the blame
> must fall on those permitting/approving/performing that software development.
>
> If a commercially acquired and configured product failed then it's just "well,
> vendor X let us down again". A fairly common and believable situation here.
> The possibility of actually collecting financial damages seems to be less
> important than the exculpatory assignment of responsibility. I don't think
> anyone really thinks we could pry money out of a major vendor because of
> software defects, especially not for incidental damages.
>
> Keep in mind also that any significant decisions about deploying a firewall
> will be made by upper management, all business types far removed from any
> close appreciation of the technical nuances. With all the confusing and
> conflicting advice and information they get from vendors, trade rags, and
> in-house staff they really don't know what to believe. Those of us in the
> boiler room are close to the issues and have definite opinions, but we are only a small
> piece of the real decision process.
>
> The bigger and better known the vendor the more powerful the attraction of
> this argument. Hence a strong predisposition to well known and well marketed
> products, with cost and product quality often very secondary considerations.
>
>
> ------------------------------
>
> From: Brian Murrell <murrell@bctel.net>
> Date: Fri, 8 Sep 1995 08:32:15 -0700
> Subject: Re: upgrade to commercial firewalls
>
>
> > Interesting comment though from him, which in my naivete I'd not thought
> > about. If we get attacked and lose software/data etc, then who's liable ?
>
> Oh goody. I'd love to see this one hashed out, although I think it'll be
> relevant to firewalls for a day or two tops. :-)
>
> > If we use freeware products, then no one is. If we use a commercial product,
> > then we can, I guess, sue the firewall supplier ... ? At least that was
> > his comment, and I'd be very interested to hear what you all think to this
> > concept. This is based on the idea that they'd be covered by their
> > indemnity insurance ...
>
> Good luck.
>
> b.
>
>
> ------------------------------
>
> From: Ted Doty <ted@kgbvax.network.com>
> Date: Fri, 8 Sep 1995 10:27:56 -0400
> Subject: Re: upgrade to commercial firewalls
>
> Steve Marquess <steve@rsca.com> writes:
> > >From: Danny Cox <dannyc@gmap.leeds.ac.uk>
> > >
> > ><Steve Marquess' quote from Danny Cox snipped>
> >
> > This exact same point has been raised repeatedly at my company, a large
> > financial services firm with a "healthy bordering on paranoid" concern about security.
> > The ability to assign blame in the event of problems is a very significant
> > consideration in the acquisition of important systems and services. And if
>
> [snip]
>
> So long as people keep thinking that a magic box will solve all their
> present and future security worries, assigning blame is a somewhat humorous
> exercise in futility. Also, as long as 80% (or whatever the current number
> is ... send your flames to /dev/null) of all "break-ins" are internal, and
> as long as only 5% (same comment as above) of all corporate security
> policies are detailed enough to actually implement something from, you
> probably are barking up the wrong tree.
>
> Most of the security consultants will tell you that a firewall will help,
> but your security is ultimately your own responsibility. Get a policy,
> implement it, track it, tell your users what it is, keep your eye on
> bugtraq, (...) and you'll be in pretty good shape. This doesn't mean that
> you won't get hacked, or that you won't lose data (you mean that disaster
> recovery isn't in your policy either?).
>
> Without the above, liability is probably hard to demonstrate.
> - --
>
> - - Ted
Though this discussion sorely tempts me simply to post "Have gun, will
travel", I must agree --as a lawyer-- with Steve, Brian and Ted that the
only solace Danny's management can realistically find in the vendor's
potential liability is that there will be an identifiable scapegoat to
which everyone can point. Steve reminds me of those ancient days when
Compaq was struggling to make it as a fledgling vendor of "clones" and
the word generally going around was that "nobody ever got fired for
buying IBM".
If, as I've so often read here, "security by obscurity" is foolish, then I
would add that "security by obscurity + litigation" is downright insane.
Even if one is able to surmount the many obstacles to victory, including
those described by Ted, it is virtually impossible to be made "whole".
There will be elements of damage which even the most generous judge or
jury will not adequately recompense, not to mention the astronomical
expenses which we hired guns are wont to run up (over and above our almost
invariably modest fees <G>). Also, a major litigation, in and of itself,
tends to consume enormous chunks of management's time and energy which
otherwise could have been put to much more productive use. In short, if,
*despite* the best laid plans ..., the sky falls in, then litigation might
sensibly be considered as a possible element of damage control. But, to
base one's plans and choices on the availability of litigation is, IMNSHO,
to court disaster. The place where a good lawyer can best help vis-a-vis
a vendor is right at the start, when the purchase contract is being
discussed. Even then, the lawyer's primary value can come from helping
you be sure you have properly articulated your needs and that you get what
is needed (e.g., access to source code) to satisfy yourself that they are
being met -- and not from artfully drafting clauses to pin liability on
the vendor if anything goes wrong.
[soapbox mode: off]
Regards,
John
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
* Providing user-friendly assistance : LawNYC@panix.com
to techies and others, from NYC and : John A. Young, J.D. (Yale 1964)
around the world, in dealing with : P.O. Box 4695
the problems, opportunities and : New York, NY 10185-4695
plain conundrums encountered when : Telephone (voice & fax)
interfacing with the arcane worlds : (212) 765-2170
of business, law and property. * : (718) 875-0337
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2
mQCNAzA2deMAAAEEANg3rhWjDOg6CUJ01zp6VaPc+Vebzh2cYuLrJCwXOwJS+mmF
vhFuxHwe+sJrDxmEFMI5lsvQbSC9E5L7dUBqVvp4f5MeysnZ6u9h/Vc2TwbS8QSn
hQmqBEaWcunsIN8RU2xTMT5B5Frr+uMhWL681e2L0mx11uc157fUcvRcULXFAAUR
tCZKb2huIEEuIFlvdW5nLCBKLkQuIDxMYXdOWUNAcGFuaXguY29tPg==
=7QlE
-----END PGP PUBLIC KEY BLOCK-----