From: jasonc at science.org (Jason Coombs)
Subject: If Lycos can attack spammer sites, can we all start doing it?

Are we forgetting that there is no such thing as software product liability?

Look at the EULA for the Lycos screen saver.

Even without explicit language in the EULA, Lycos is just a software maker in this case. It is the end user who is guilty of an abusive attack -- if anyone is. The rate limit per client is set to prevent a single client from crossing the attack threshold, so this could be the first test of product liability for the intentional creation of zombie armies.

Microsoft, Symantec, and other vendors of products that auto-update have been in control of zombie armies for many years, with periodic DoS of the zombies, but as of yet no known external impact. Lycos is the first, and they are pioneering an odd precedent.

More proof that the nature of capitalism is that anything that can be done that might be profitable eventually will be done. This does not bode well for nanotechnology and genetic engineering.

Jason Coombs
jasonc@...ence.org

-----Original Message-----
From: Kyle Maxwell <krmaxwell@...il.com>
Date: Thu, 2 Dec 2004 08:48:18 
To: n3td3v <xploitable@...il.com>
Cc: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] If Lycos can attack spammer sites, can we all start doing it?

On Thu, 2 Dec 2004 03:47:06 +0000, n3td3v <xploitable@...il.com> wrote:
> Thought:
> Hey, thanks for the insight. I can't see Lycos introducing the
> screensaver without talking with legal teams first, so surely we can
> presume everything is legal and above board?! Otherwise, why would
> Lycos want to put themselves in a legal tangle? Unless they weighed up
> the legal costs against the profit they would make from the PR stunt,
> from which all I can see, is all this whole thing appears to be.

It's entirely possible that their lawyers cleared it but that doesn't
necessarily make it really above board; if lawyers always agreed on
what was allowed, we wouldn't have so many corporate lawsuits. :) They
may be standing on the principle of "these are just a bunch of website
visits" without taking into account the fact that there's a stated
intent beyond just visiting the sites.

This is probably going to get a lot messier for Lycos before it's all over.

-- 
Kyle Maxwell
[krmaxwell@...il.com]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

