[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Responsibility

To: Greg <full-disclosure3@xxxxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] Responsibility
From: Sean Comeau <scomeau@xxxxxxxxxxxxxx>
Date: Tue, 23 May 2006 22:30:03 -0700

On Mon, May 22, 2006 at 08:05:47AM +1000, Greg wrote:
> Large motel/hotel chain I recently acquired wants to sue previous company
> who did their I.T. work for them as a customer's wifi connected machine
> infected their network and caused loss of booking data thus money.
> 
> My question then is - if you have done the utmost to lock down your customer
> but someone connects an infected machine and somehow it gets in, is the
> customer right in suing you? Eg, like a car mechanic, you do the best but
> you cannot be 100% sure that something else that was never a problem will
> now cause a problem (such as a new exploit in our case that wasn't known
> generally until 24 hours ago). Should you be sued at that point?

What was their backup strategy? How many records were lost? It could have been 
disk failure that caused loss of data. Who cares what the cause was. If they
signed an agreement with this IT company to perform regular backups to prevent 
loss of data and then, when data was accidently deleted, they find out there 
are 
no backups they should sue these guys to recover losses. Just like if you paid 
a mechanic to fix your breaks and you find out (the first time you get near the 
bottom of a steep hill) that he took your money, lied to you and just didn't 
bother to do the work. And that he neglected to do it knowing full well that 
cars often drive down hills and that if they are unable to stop damage to 
property and injury will almost certainly occur.

Basically, shit happens. Computers are unreliable. It is common knowledge,
even among non technical people such as accountants, that backups are needed. 
It is not common knowledge how often backups need to be done for a particular
business. That's for good IT managers/management companies to ask about and 
their employers/clients to choose their own risk on.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] Responsibility
  - From: Greg

Prev by Date: [Full-disclosure] VSR Advisory: PDF Tools AG - PDF Form Filling and Flattening Tool Overflow
Next by Date: [Full-disclosure] [USN-286-1] Dia vulnerabilities
Previous by thread: Re: [Full-disclosure] Responsibility
Next by thread: RE: [Full-disclosure] Responsibility
Index(es):
- Date
- Thread