earle@elroy.jpl.nasa.gov (Greg Earle (Sun Software)) (05/31/91)
[Apologies if these groups are not the right place for this kind of question.]
[This might be better for comp.risks I suppose, I'm not sure.]

Consider the following hypothetical situation:

A software vendor, XYZ Inc., sells a "network" software product. The software product itself requires the ability to broadcast on the network to perform part of its function. The product could be anything for which this feature would be useful, e.g., a multi-user chat program, a network game (a la the X11 version of "mazewar"), or what have you.

Several vendors of BSD UNIX based systems offer an interface for accessing network interfaces directly, usually via a driver and an associated device in /dev. Since the ability to read and write to the network directly can be considered a major security hole, under normal circumstances access to such a device is restricted to the super-user.

Let's say that the software does not do the "correct" thing, "correct" in this case being a setuid root program that opens the network device and then immediately resets itself to the uid/gid of the user running the software (via setreuid() and setregid() under BSD UNIX). Let's say instead that the program's installation script, if installed by "root", were to silently chmod the network device to mode 666 or 777, making it world-readable and world-writable for all users.

Continuing the scenario, consider the following. A user on a system which has had this software installed now discovers that the network device is readable. Using a program to display packet traffic, such as "tcpdump", this unscrupulous user then takes advantage of the newly created security hole to snoop on the network, and in the process s/he obtains a password for another user on another machine as it goes by, perhaps in an FTP or Telnet packet.

S/he then uses this information to break into the other system using the snooped user's name and password, and proceeds to delete all of the user's files on the remote machine.

Taking the simplistic route, let's assume then that the violated user discovers the infiltration, and the sys admin traces the invasion back to the originating machine. Contacting the sys admin on the cracker machine, they quickly narrow down the candidates, and the unscrupulous snooper is discovered. Upon questioning, the snooper admits to having gotten the password by snooping on the net, due to the network device being world-readable. Eventually, the sys admin miraculously determines that the normally -rw------- device was changed at the same time as XYZ's software product was installed. The sys admin then looks at the installation script and discovers the modification of the device, which allowed the cracker to gain access to the Ethernet which would not normally be possible.

The bottom line: in such a circumstance, is company XYZ liable for damages caused as a direct/indirect result of the security hole opened due to the installation of their product? Or is it a case of "If you don't read the installation script of all products you install, then you get what you deserve" for the sys admin of the cracker system? In general, is a software vendor liable/responsible for anything deleterious that occurs as a byproduct of the installation of their product(s) on a customer's machine?

[Please followup to the newsgroups rather than replying by e-mail. Thanks.]

-- 
Greg Earle                      earle@Sun.COM
Sun Microsystems                earle@mahendo.JPL.NASA.GOV
JPL on-site Software Support    poseur!earle@elroy.JPL.NASA.GOV
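The "correct" pattern the post above describes (a setuid root program that opens the restricted device and then immediately resets itself to the invoking user's uid/gid with setreuid()/setregid()), written out as an added example for this thread. This is not code from any poster or from any vendor's product; the function names, the default device path /dev/bpf0 and the post-drop self-check are this example's own choices. The self-check is the part a practitioner would want: after the drop, the program confirms that real and effective ids match the target and that setuid(0) no longer succeeds, so a system that left a saved root id behind would be caught rather than silently run with recoverable privilege.

```c
/* drop_privs.c: open a root-only device, then permanently give up root.
 * Added example for this thread; not code from any poster or product.
 * The device path, function names and the final self-check are assumptions
 * of this example, not anything the original post specifies. */
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to (uid, gid).  Order matters: supplementary groups first
 * (only root may clear them), then the gid, then the uid, because after the
 * uid drop the process can no longer change its gid.  Setting both the real
 * and the effective id with setre*id() is what makes the drop permanent on
 * BSD-style systems: no privileged id is left to switch back to.
 * Returns 0 on success, -1 (errno set) if any step or the self-check fails. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setregid(gid, gid) != 0)
        return -1;
    if (setreuid(uid, uid) != 0)
        return -1;

    /* Self-check 1: every id must now be the target id. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* Self-check 2: unless the target is root itself, root must be
     * unrecoverable.  A successful setuid(0) here means a saved root id
     * survived the drop and the program must not continue. */
    if (uid != 0) {
        int saved = errno;
        if (setuid(0) == 0) {
            errno = EPERM;
            return -1;
        }
        errno = saved;
    }
    return 0;
}

/* The pattern the thread calls "correct": open the restricted device while
 * still root, then drop to the invoking user before doing anything else.
 * Returns the open descriptor, or -1 (errno set) on failure.  If the drop
 * fails the descriptor is closed rather than used with leftover privilege. */
int open_device_then_drop(const char *path)
{
    uid_t uid = getuid();   /* real ids: the user who ran the program */
    gid_t gid = getgid();
    int fd = open(path, O_RDWR);
    if (fd < 0)
        return -1;
    if (drop_privileges(uid, gid) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    /* /dev/bpf0 is an assumed device name for illustration. */
    const char *dev = argc > 1 ? argv[1] : "/dev/bpf0";
    int fd = open_device_then_drop(dev);
    if (fd < 0) {
        fprintf(stderr, "%s: %s\n", dev, strerror(errno));
        return 1;
    }
    printf("opened %s as fd %d; now uid=%u euid=%u\n",
           dev, fd, (unsigned)getuid(), (unsigned)geteuid());
    close(fd);
    return 0;
}
```

Installed setuid root (chmod 4755 on the binary, with the device left mode 600 root-owned), this gives each user a descriptor on the device without ever making the device itself readable to anyone else, which is exactly the property the hypothetical installer's chmod 666 throws away. Run without root, the same code simply fails at open() on a restricted device and drops to the caller's own ids, which is also how the self-check can be exercised on an ordinary account.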
de5@ornl.gov (Dave Sill) (05/31/91)
In article <1991May31.073704.4847@elroy.jpl.nasa.gov>, earle@elroy.jpl.nasa.gov (Greg Earle (Sun Software)) writes:
>
>The bottom line: in such a circumstance, is company XYZ liable for damages
>caused as a direct/indirect result of the security hole opened due to the
>installation of their product?

Yes, unless they have taken reasonable action to notify the installer of potentially harmful side effects.

>Or is it a case of "If you don't read the
>installation script of all products you install, then you get what
>you deserve"
>for the sys admin of the cracker system? In general, is a software vendor
>liable/responsible for anything deleterious that occurs as a byproduct of the
>installation of their product(s) on a customer's machine?

Yes, if the vendor provides a script or installation instructions, they're responsible for making reasonably sure that they're safe.

-- 
Dave Sill (de5@ornl.gov)            It will be a great day when our schools have
Martin Marietta Energy Systems      all the money they need and the Air Force
Workstation Support                 has to hold a bake sale to buy a new bomber.
barmar@think.com (Barry Margolin) (06/01/91)
In article <1991May31.132152.10113@cs.utk.edu> Dave Sill <de5@ornl.gov> writes:
>In article <1991May31.073704.4847@elroy.jpl.nasa.gov>, earle@elroy.jpl.nasa.gov (Greg Earle (Sun Software)) writes:
>>
>>The bottom line: in such a circumstance, is company XYZ liable for damages
>>caused as a direct/indirect result of the security hole opened due to the
>>installation of their product?
>
>Yes, unless they have taken reasonable action to notify the installer
>of potentially harmful side effects.

Intuitively, this seems correct. I'm not sure if it's true under the law, though (take my comments with a grain of salt, as I'm not a lawyer).

Much software comes with warranties that disclaim liability for damages due to use of the product. Often, the best they will warrant is that the software behaves as specified in the documentation; unless the documentation says that the software *doesn't* change the protection on security-relevant files, they can claim that this behavior is in spec.

On the other hand, there are many "implied" warranties that are often in force. The customer could probably claim that they assume that software does not intentionally go around opening huge security holes without mentioning it in the documentation. In other words, the vendor is expected to be reasonable.

-- 
Barry Margolin, Thinking Machines Corp.

barmar@think.com
{uunet,harvard}!think!barmar
zane@ddsw1.MCS.COM (Sameer Parekh) (06/06/91)
Looks to me like the liability lies with the unscrupulous user. It was this user's choice to snoop the network and take the password and delete the other person's files. The company is guilty of irresponsible programming, but unless the program itself found the pw, then the program holds no liability. (Just a VERY bad reputation.) (And the sysadmin of the site holds no liability either.)

-- 
The Ravings of the Insane Maniac
Sameer Parekh -- zane@ddsw1.MCS.COM