lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed May 24 06:30:13 2006 From: scomeau at cansecwest.com (Sean Comeau) Subject: Responsibility On Mon, May 22, 2006 at 08:05:47AM +1000, Greg wrote: > Large motel/hotel chain I recently acquired wants to sue previous company > who did their I.T. work for them as a customer's wifi connected machine > infected their network and caused loss of booking data thus money. > > My question then is - if you have done the utmost to lock down your customer > but someone connects an infected machine and somehow it gets in, is the > customer right in suing you? Eg, like a car mechanic, you do the best but > you cannot be 100% sure that something else that was never a problem will > now cause a problem (such as a new exploit in our case that wasn't known > generally until 24 hours ago). Should you be sued at that point? What was their backup strategy? How many records were lost? It could have been disk failure that caused loss of data. Who cares what the cause was. If they signed an agreement with this IT company to perform regular backups to prevent loss of data and then, when data was accidently deleted, they find out there are no backups they should sue these guys to recover losses. Just like if you paid a mechanic to fix your breaks and you find out (the first time you get near the bottom of a steep hill) that he took your money, lied to you and just didn't bother to do the work. And that he neglected to do it knowing full well that cars often drive down hills and that if they are unable to stop damage to property and injury will almost certainly occur. Basically, shit happens. Computers are unreliable. It is common knowledge, even among non technical people such as accountants, that backups are needed. It is not common knowledge how often backups need to be done for a particular business. That's for good IT managers/management companies to ask about and their employers/clients to choose their own risk on.
Powered by blists - more mailing lists