On Fri, 13 Mar 1998, Roger Books wrote:
> That's fine, but both legal and medical fields have explicit training
> standards. Do we really want to drop the hammer on some poor schmuck
> who has had the sysadmin job for his organization dropped on his back
> because "Oh, we only have one machine and you know Unix."? I really
> have the feeling that those of us who chose to be sysadmins are in
> the minority.
The other piece of the puzzle is the tool used. As has been stressed
here ad nauseam, not holding vendors to security criteria is part of the
problem. A doctor hacking on a patient doesn't generally have to worry
that his new Forcept98 will only clamp for 5 minutes between reboots.
The problem with the whole liability question is the chain of liability.
If someone is attacked because of a bad authentication scheme in NT when
using Windows95 clients, is it the fault of the deployer, the designer,
the coder, user, or the distributer?
Is there anyone here running a complex, large, multi-protocol network every
day who can claim to know how, or be able to test all interoperability
situations, or would want to go through the reams and reams of documentation
required to figure out if the new router with XQW version 3.4.56 has suddenly
introduced a DHCP bug that wasn't present in XQW 3.4.55?
What about standards as they apply to firewalls? Letting HTTP through
and then having a user load Exploder 4.5 with SuperTunnel extensions to
access their desktop from home, is it (a) The user's fault for ignoring
the security policy, (b) The company's fault for not having a real-time
audit mechanism in place, (c) The vendor's fault for producing a product
which was "known" to violate a gajillion security policies, (d) All of
If you introduce liability on the wrong terms, you seriously change the
model. While we probably can't stop the ambulance chasers from becoming
bug chasers, we as an industry should be prepared to be very exacting in
how we present these issues.
What happens to freeware if we introduce vendor liability? What happens to
people coming in to the field learning on the job if we introduce
administrator liability? Should companies fold if they can't afford X
administrators for Y servers? Should the guy in the mailroom have to
worry that he won't have a job tomorrow because the company is getting
sued for not applying a little-known patch to the Monrovian version of
Internet Explorer used by a secretary in legal?
In case anyone's forgotten, IP is peer-to-peer, so the traditional
point-the-finger-at-the-big-machine-staff isn't really relevant anymore.
Do most of us deploy systems in general use that provide enough
accounting to say if a patch was applied? Whose head does testing fall
on? What if someone FTPs the patch, and the data is modified in
transit? How do you prove/disprove such an event?
Server Farm Liability Insurance Company anyone?
Paul D. Robertson "My statements in this message are personal opinions
which may have no basis whatsoever in fact."