
Nike Gets Sued Over Nike.com Hijack
kwsNI writes: "Wired has this article on an ISP trying to sue Nike over the recent hijack of Nike.com. He claims that his ISP suffered when the hackers routed the Nike.com traffic through his servers. He claims that Nike is at fault for not having better security. This really scares me. Can you really be sued for having your domain hijacked?" I'm interested to see where this will go.
Maybe not this time around... (Score:2)
What I had hoped to see was someone who had their box hacked for an attack on another domain, or email spoofing or whatever. Just like you can be sued for leaving a gun cabinet unlocked if a gun taken from it kills someone, why can't you be proven negligent if your box, which you have not attempted to provide adequate security for, is hacked and used against someone else?
If you've provided adequate security, though, or it's someone else's fault (NSI), then I don't think you should be held responsible...
Re:NSI's gotta go, plus a rant! (Score:1)
Re:Thinking differently (Score:1)
Re:Well, the popular answer would be... (Score:1)
Wouldn't it be funny if (Score:1)
Re:Off topic, but since it was brought up... (Score:1)
No, it's more like buying a nail-gun, loading it with studs, and having it launch one into your backside the minute you plug it in. Sure, you should have been careful not having it aimed at anyone while loaded, but at the same time there's a reasonable expectation that it's not going to injure anyone who isn't being careless.
Jay (=
Passing the Blame (Score:1)
I mean, c'mon - if someone storms into your house to shoot someone, and in the process shoots you - are you going to go after the original target of the shooting or the shooter? In the immortal words of John Stossel - Gimme a Break!
What a bunch of crap. This is nothing more than a money grab by the ISP. I may be conservative but I am all for the socialization of the legal profession. If you take the asinine amount of money out of it you would solve a significant amount of these problems.
Re:A good lawsuit... (Score:1)
Re:NSI's gotta go, plus a rant! (Score:1)
Jeff
Re:Using an analogy .... (Score:1)
Attractive nuisance (Score:1)
The analogy here would be a swimming pool (your web page). If you have a swimming pool, and this swimming pool is protected by a gate, and the gate has a large sign saying "stay the heck out" and a neighborhood kid climbs your fence, jumps in your pool and drowns, you can be sued by the kid's parents. Your pool represented an attractive nuisance, an entity that wasn't dangerous in and of itself, but could be dangerous if used in an unsafe manner. As long as a kid can overcome your precautions, you are responsible for that kid's behavior. And what kid doesn't love a swimming pool?
In this case, the web site had minimal security, and some kid came along and used it for other than its intended purpose. But is the owner of the site still responsible for the consequences?
It doesn't sound like the bozo doing the suing is thinking of this ploy, but it will probably just be a matter of time...
Verisign .. (Score:1)
Re:What next? (Score:3)
What's funny is, his own site [shameonnike.com], admits that they were not only hacked but it was because they didn't have good security on their servers and that it wasn't hard for the hackers to compromise their servers too. This guy is so hypocritical, it's amazing.
kwsNI
Re:Well, the popular answer would be... (Score:1)
"Um, how can you sue a company for doing what you tell it to do???
No, this is just a bunch of hot air. A misdirected and leech-like lawsuit (from a guy who shamelessly tried to sell books from amazon.gk), a mega-corp that (frankly) deserved the hack, and a hapless NetSol that can't really be blamed (come on, do you think they *don't* explain the security levels???)
This is a silly lawsuite, but cool... (Score:3)
IANAUKL (I am not a UK lawyer), but in the States you can be sued for pretty much anything. I could sue Taco for bad grammar, claiming that his awful prose has caused me to misunderstand technical issues that are important to my job, and hence Taco is responsible for damaging my wage earning ability.
But remember, filing a lawsuit is significantly different than bringing a successful lawsuit in front of a judge.
I can see three possible outcomes from this lawsuit:
Things that will not happen include:
I suspect we won't hear about this case again. If this was happening in the States, I'd expect to see Mr. Smith's name on the front pages in a few years, when he walks into an office building somewhere and starts shooting people [dilbert.com]. Since it's the UK, I expect he'll just become a school teacher or some other profession where he can inflict damage on people with immunity. Or, perhaps he'll just continue being a totally irresponsible and technically incompetent system administrator for his own ISP, and just continue inflicting damages on his clueless customers.
Newsline: car owner sued after death of girl (Score:2)
Newsline: car owner sued after death of girl
Robert Wilson -- a wealthy and respected professor at MIT -- was recently sued for damages after thieves stole his BMW and killed a girl on their joyride. The thieves broke through a sophisticated alarm system and took the BMW for a joyride through outer neighbourhoods of Boston while under the influence of alcohol. During the joyride, Samantha Caily was knocked over and killed - a tragic death for a young girl barely 15. Samantha's parents sued Robert Wilson for damages, claiming that he was responsible for their child's death. "If he'd employed a better alarm system, Samantha would be with us today. It's clearly his fault. Those boys are known thieves, and they can't help themselves, but Robert should know better", said Martha Caily. The thieves, who were later caught, have a history of car theft, they were released with a traffic infringement: they're poor and of no fixed abode - barely able to afford the bus ticket home.
^sarcastic humour
Re:I'll try to answer. (Score:1)
Actually I do believe that purpose has a large part to do with it.
Yes, I know about the kubotan, in fact I own one (wood version). I also know all about the martial arts weapons. Nunchakus were used to bash rice, the Bo staff was used to carry water, so on and so forth.
But today, unless you work in a rice field, nunchakus are mainly a weapon. In fact, where I live (New York), nunchakus are illegal to own. It's funny that it is more illegal to own nunchakus than it is to own a gun.
Again, purpose and usefulness play a large part. Since cars need a key to start, it is harder for a kid to cause too much damage (although they can take it out of park and roll down a hill). So, ok, If you leave your keys in the car and running, you have some responsibility if a child gets in and hurts someone.
There is a layer of responsibility that comes with things that can kill. Although I wouldn't say a car is more destructive than some guns. Maybe a
As for me being more against guns. No, I believe they serve a purpose. I'm not against hunting or even just recreational shooting. But I'm for strict gun laws since they are the equalizer. Even though you can be killed by a knife, I much rather face someone who has a knife than someone who has a gun.
My in-laws are big time hunters and I have no problems with that. But they take big responsibility for their guns. They always lock them up and they teach all their children to respect the power of a gun. I don't think of guns as evil, I think of guns as very powerful and dangerous in the wrong hands.
And actually, I believe that a car is more evil than a gun. They hurt the environment more. They make people lazy (I know people who drive a quarter mile on sunny days and no hurry). And with the gas prices of today... Damn!
Steven Rostedt
Human Error (Score:2)
Why is this surprising? (Score:1)
A: Two boys go to a high school and proceed to shoot stuff up. Victims, demanding compensation, sue the gun manufacturers, although the gun manufacturers didn't pull the triggers. If you think that the gun manufacturers are liable, then you should also think that the manufacturers of computer components should also be sued, because computers are most certainly used to commit crimes.
That's just one that ought to be stuck in your heads. Everyone knows that the criminal should be liable for damages, but most criminals don't have anything. Desperate, people will rationalize anything and sue everybody and just hope for a settlement.
I'm waiting to see a class action lawsuit against Microsoft, Intel, AMD, Phoenix, Creative Labs, Matrox, etc, for being responsible for the ILOVEYOU email thingie. Forget the poor college kid who wrote it, he's poor. Let's get some real money....
Who would visit nike.com anyway? (Score:1)
NSI deserves to get beaten (Score:1)
Who is at more fault? The intruder, or the person who left the door unlocked and didn't tell anyone?
And IMHO it is almost always the negligence that I am more angry about. Selling a house to someone and keeping one of the keys, or making it so that if you turn the doorknob in a certain way also unlocks the house would get you sued and fired. Why do we put up with this crap in the Computer industry?!? Why is it permissible to leave backdoors, or to simply ignore security or privacy?
But, to take up tyler's point of view, "But that's what I think, I could be wrong."
Re:Off topic, but since it was brought up... (Score:1)
No one said they were malicious, only derelict in their responsibility.
It was hotter because most of their customers wanted it that way!
Really? Their customers wanted coffee served at a temperature that becomes "extremely dangerous when it comes in contact with human body tissue"? (A part you neatly snipped off in your reply, I noticed.)
The typical McCoffee drinker is a blue-collar 9-to-5er who buys the coffee on their way to work, and doesn't actually drink it until much later, sometimes a half hour or hour later. In order to prevent the coffee from being as cold as a witch's t?? by the time they drink it, the coffee was sold hotter than the temperature you would normally drink it at.
Where did you get this information? Did McDonald's commission a survey as a response to this woman's lawsuit? Was an independent poll conducted by some news agency in relation to this case? Or are you making some totally unfounded assumption because this particular story annoys you?
It may have been extremely hot, but this woman jammed the coffee cup into her crotch and drove off without even checking if the lid was secure; and when she spilled the molten stuff all over her groin, what did she do? She kept right on driving while the skin on her lap was being destroyed.
Okay, now I'm sure you've just got an axe to grind. (Either that, or I'm being trolled.) In the article I quoted, it states quite clearly that she was a passenger in the car, and that the car was not moving when she spilled the coffee on herself.
If you can't get the facts straight, why bother replying?
Jay (=
Possibly the best outcome (Score:3)
--
Re:Off topic, but since it was brought up... (Score:1)
Matters not; a liquid at 180 degrees Fahrenheit can give you serious full-depth (all through every skin layer) burns in less than five seconds of contact. It's one thing to serve coffee hot; it's another altogether to serve it so hot it's actually dangerous, particularly when it's served in a drive through and thus the company has reason to believe it will be drank in a moving vehicle with greater chance of spillage (even though this wasn't the case in this particular instance).
Beyond that, the fact McDonalds had had already lots of complaints and had done nothing about them except for settling out of court points towards negligence. If it happens once, it's an accident; if it happens lots of times and McD does squat about it, it is not.
The other part of the story, which the post neglects to tell, is that the woman originally went to McD and only wanted reimbursement for medical expenses ($20k or so). McD refused altogether, and this outraged the jury into giving the woman the punitive award.
Now, what is a punitive award? It is, as the name implies, intended to punish and deter similar behavior in the future; because of its very nature, the size of such an award maps not only to the offense committed but also to the defendant's ability to pay. It's supposed to hurt. If the defendant can just shrug the award off because of deep pockets, then it's no deterrent. Thus the magnitude of the punitive award.
It's easy to spout off without knowing the facts; the facts make it clear the decision was appropriate and correct, even though big-mouthed know-nothings blast it because they're uninformed.
He should win (Score:1)
NSI may hold some blame in this but if
they do it's up to Nike to sue them
to recover any money spent recovering
from this.
I for one am sick of big companies making
noise about security and not really doing
anything about it. Remember all those
credit card numbers that were stolen?
The owners of those cards and the credit
card companies should sue the online stores
for every penny spent recovering from it!
In the real world you are responsible if you
damage someone's property or cost
them money to repair stuff you damage.
Why should the net be any different???
Re:Off topic, but since it was brought up... (Score:1)
Step 1: Boil Water
Step 2: Filter through coffee grounds
Step 3: There's no step three.
Coffee is hot. It is supposed to be hot. If steam is not coming off the cup, it must have sat out too long.
Hot food is not safe. You need to use caution. Every time I make a chicken pot pie for myself, I know for a fact that the inside of it is like molten lava, so I am careful with it. I break the crust open and let all that gooey stuff cool a little. I blow on it. Most importantly, I don't dump it on my lap!
In the event that I am clumsy enough to dump a steaming hot chicken pot pie on my lap (or hot grits down the pants, as the trolls would say), I would not sue swansons for marketing such a dangerous product. The accident would be my fault, therefore my problem.
Were I on that jury, I would have ruled that McD's was right to tell that lady to buzz off and awarded no punitive damages whatsoever. S* happens, that's why we pay for health insurance.
Re:This is a silly lawsuite, but cool... (Score:1)
A UK lawyer writes...
It's the same here. Any damn' fool with a Claim Form can start an action at law, and frequently does.
The way it'll work is this:
Net result: Smith loses his case in somewhere less than three months (the record is, I believe, 9 days) and has 14 days to pay Nike what, for a no-brainer like this, should be around 1500 pounds sterling.
Well Speak of the Devil (Score:2)
Nike = Supermarket and ISP = You.. (Score:1)
Re:A good lawsuit... (Score:2)
--
do you see a parallel (or a plot)? (Score:1)
"Can you really be sued for X?" (Score:2)
The most incredible thing... (Score:1)
Re:I'll try to answer. (Score:1)
What do you mean, no other purpose? I use it for driving nails into a wall by repeatedly shooting them very accurately. It's faster than a hammer, really. Not only that, if you use hollow points, you end up with a neat shape on your wall afterwards.
Re:I'll try to answer. (Score:1)
Just something else to think about...
Registrar policy (Score:1)
In the UK I recently had to deal with a similar situation - We were changing ISPs and we ran our own DNS servers so we had to get the registration updated with new server IPs. For the 2 domains I had registered there was no problem, but for one of them (registered way back by a couple of IT guys who hadn't worked there for over 5 years when I started!) we hit a brick wall.. Even though all 3 were registered to the same company, in order to change the 3rd one I had to get our CEO and company lawyer to send written confirmation (nothing electronic - they only accepted snailmail not email or fax) to the registrar that I was who I said I was and that they knew about this before they would update the registration info. It was a pain in the ass but overall I think it was a good thing.
# human firmware exploit
# Word will insert into your optic buffer
# without bounds checking
You All Missed Smith's Point (Score:2)
so unless he actually created the situation in the first place (possible - this guy tried to do business with amazon.com when he fired up amazon.gr a year or so ago) i reckon he deserves to get a cheque from nike for his trouble!
plenty of activists including s11.org would have loved to have seen 46 hours of nike email, which smith helped nike to get back into their grubby little hands by pointing his dns servers back at nike.com
pay the man!
Your Bullet, Your Foot (Score:1)
The 'Net emerged from the primordial ooze of analog bit streams and flaky phone lines. The Denizens of this early 'Net learned about cooperation and fault tolerance, and it was good. As time progressed (fast forward) the uninitiated, the normal citizens of the BBR, used to protection under the law and the burden of its restrictiveness were unprepared for a world where there was no shelter for the exploitable under an omnipotent protector.
Seriously folks, the laws regarding 'Net crime are both vague and largely untested. I think that Nike might be liable. On the 'Net you have to take total responsibility for your presence. Like every tinker and his brother on @Home, putting up insecure servers, it's you (Give me a sword of burning code and the arrows of design.), your box and the forces of darkness. The article yesterday about the unfortunate lack of a "hacker threat" does demonstrate the principle 'The bigger the name the bigger the target.'. Nike has spent millions (billions?) becoming a brand name that every 4 year old in America knows, and in accordance should be pursuing security with due vigilance. The big exploits that security pros tell their children at night, the 'Net age boogie man, DDoS on Yahoo.com and others, IExplore that shut down part of MCI, have all been perpetrated on big names.
General System Fault:
Please sacrifice two chickens and a goat to continue.
Re:NSI's new security feature (Score:1)
Umm....They did.
The email they send you has a tracking number, which you must include in the Subject field of any response you send.
Here's the catch - the tracking number is made up of the date and a
For a better description, check here. [securityfocus.com]
P.S. (Forgot a useful link)... (Score:1)
What next? (Score:5)
Keys (Score:1)
Re:Attractive nuisance (Score:1)
The web site hacker is not doing what the site is intended for. Though some might disagree, web sites are not made to be hacked. :)
I don't think that argument would stand up in this (or similar) case.
Negligence (Score:1)
had reprehensibly bad security, and poor maintenance of their domain,
etc., it seems to me that could be indicative of negligence. I don't think
we will see that not having a 24/7 ERT will qualify as being negligent,
but I wouldn't mind if being just plain irresponsible with your computing
systems and DNS and etc. could qualify.
I know that my company's mail servers are queuing up a fair amount of
D.O.A. mail due to companies that don't have the brains to set their MX
records properly. It'd be nice if we could find a way to get those
companies to make amends for that sort of thing; not just to compensate us
for unnecessary use of our resources, but also to better encourage them to
fix it and make sure they don't make stupid mistakes again.
Think about it; we can't allow every damn fool ISP and dot-com to make
stupid mistakes that have negative side effects on our own networks. The
old social mechanisms of peer scorn and of retaliatory blockading don't
work so well anymore, both mainly because there are already too many damn
fools who aren't even aware of what they're doing wrong or that anyone else has a problem. (Many of the new-skool dot-com admins treat
old-school admins with the same snideness that jocks treated the geeks in
high school with; e.g. of being "too picky" or "too anal" about network
config issues. Or even worse, will insist that the old schoolers are the
ones breaking things.)
As for Nike, in terms of being negligent: Who is responsible for all the
traffic going to the domain nike.com? It's Nike, who is the sole
advertiser of the domain. Nike's target audience is a segment of the
population that doesn't visit web sites unless (ironically) their URL has
been advertised on TV. So the amount of traffic going to nike.com is no
accident. I expect the plaintiff will argue that Nike is therefore
accountable for where that traffic actually goes.
If my dog, for example, gets loose and chews up the neighbor's azaleas, I
can be found accountable for the damage, because I was negligible for not
keeping him secured. Likewise, Nike.com may be held accountable for the
traffic they have generated for the nike.com domain going to the wrong place, if it turns out they didn't take sufficient measures to ensure that
their domain wouldn't be rerouted.
Yes, this could have bad side effects on the Slashdot effect. I don't have
any ideas on that one, but there are differences between being negligent
with your OWN domain and simply drawing traffic to another person's site.
(Of course, if they rule this week that hyperlinks are illegal, that won't
matter anyway.)
--
Re:Sue Microsoft... (Score:2)
Re:Attractive nuisance (Score:1)
I hope all suits like these are simply discarded by the courts before they waste too much of our time & money! :)
Why? (Score:2)
Re:People get sued for anything... (Score:1)
Does this come as a shock? (Score:1)
Welcome to the New Golden Age
Setting a legal precedence? (Score:2)
Re:This is Why... (Score:1)
---
Re:Possibly the best outcome (Score:1)
which allows them to not be sued for crimes against little kiddies in sweatshops that work for food while I pay $90 for 'em
This is my first troll, i have ten karma, be as mean as you like
who dunnit? (Score:1)
i mean - it's a nice and easy way to make money
------------------
What an idoit (Score:5)
So, let's get this straight...
This suit is patently ridiculous and should get thrown out as soon as Nike's lawyers say "We had nothing to do with this." Then the lawyers should say, "Here's our counter-suit for this bonehead aiding the hax0rs." Nike does have a legitimate suit against Smith and NSI.
It is Smith (or his host) who is to blame for lax security on his own box, and NSI who is to blame for their incompetent SOP for domain transfers.
-sk
NSI's new security feature (Score:2)
--
I see a point in there... (Score:1)
It's the case where a thief got into your car (by your lack of adequate security) and banged into the third person, then you are in some aspects partly responsible for the accident.
Because it was with your "careless permission" (note the meaning), that the thief got into the car!
The same applies to this case. You should choose your domain incharge carefully, otherwise all you may get is these lawsuits!
Re:Both sides (Score:1)
Off topic, but since it was brought up... (Score:3)
Often when people launch frivolous lawsuits, the company will settle to avoid legal fees and embarrassment, in some situations, the person suing can play for sympathy (like that pathetic old lady that dumped coffee all over her lap, and sued McDonald's for the burns).
I'm going to have to write this URL down, I keep looking for it so often.
http://www.injurycases.com/coffee.html [injurycases.com]
(The emphasized parts above were done by me.)
Jay (=
Re:I see a point in there... (Score:1)
Thinking differently (Score:2)
if ($user =~ m/shaldannon/i) {
    print "\n-- $user";
}
Re:What next? (Score:2)
To Karma Whore well you need
Visibility.
Negligence is an interesting issue. How secure does a server have to be before it is free from liability? I used to work for a law firm, and I've seen Nevada casinos sued many times for having inadequate numbers of security guards. (Do these suits win? I don't know, because we always, always, always settled. Trial is expensive.)
I'm racking my brain for a good, solid analogy to a web server, but it really feels like apples and oranges. Should a corporation be liable and open to lawsuits simply because it uses Microsoft products?
In conclusion, this suit is in some ways a good thing, because we really need to bring this sort of issue to the attention of the courts so they can formulate some kind of clear law on the matter.
Actually, I didn't, but :) (Score:2)
(and no, you don't need to feel obliged to get me on their spam list
if ($user =~ m/shaldannon/i) {
    print "\n-- $user";
}
Re:The problem with analogies... (Score:5)
You buy a goat, 'cause you like goat milk. Then some guy shoots your goat with a gun that somebody else left lying around in some unnamed fourth party's unlocked car. But, get this... the GOAT DOESN'T DIE! So then the guy with the gun (Guy-sub-Alpha) sues the owner of the car, for leaving his door unlocked so that guy-sub-alpha could steal a gun that was incapable of killing a freakin' goat.
And there you are with a bloody, wounded goat on your hands, wondering what happened.
You see what I'm saying?
Re:Uh huh (Score:5)
Yes, he may have been inconvenienced by this. Now, if he wants to sue someone, sue the hackers that were responsible. Hell, sue Network Solutions for their screw up. Nike isn't the one that did something wrong.
Personally, I think it's part of being on the internet. To me, this is the same thing as owning a store on a street and trying to sue the store down the road because protesters gather out in front of it and the traffic jam they cause hurts your business. Sorry. C'est la vie. It's life, get on with it.
I've worked in customer service and tech support for an ISP before. Tell your clients what happened and most of them will understand. If you lose a few customers, that's business. They can go to another network and the next domain hijack can hurt them again. Most people realize that they can be hit by this anywhere on the net, regardless of their network.
kwsNI
WAY offtopic... (Score:2)
Re:Well, the popular answer would be... (Score:2)
Also, it's not quite certain that NSI didn't screw up - if the email came unencrypted and they made the change, NSI is at fault. It was supposed to be encrypted, and they claim that the forged mail was supposedly from the billing contact, who doesn't have authority to request those changes anyway. 0 for 2...
I wouldn't put a lot of faith in the guy raising the suit (not clear whether he was the one who initiated this in the first place), but Nike should have a case against NSI if the other points hold true. I can't see how they 'deserved the hack'. NSI may be hapless (that's never been questioned), but in this case they may have been willfully negligent, and there are many reports of the same problem with other domains they control. We'll see what happens. Should be interesting.
The Mythical American Legal Lottery (Score:2)
People outside the US seem to think all US citizens are rude, poor listeners, carry guns, and sue each other at the drop of a hat. If Americans don't fit that image, they are assumed to be Canadian.
Seriously, I was asked in Australia, "Did you bring your gun to Australia?" Pretty sad. I'm not a gun-control supporter, but I don't own any guns either.
You can be sued for not fencing your pool (Score:2)
Re:Keys (Score:2)
The trouble is that it's usually pretty easy to pick a lock (As long as it has a single side, and a single tumbler) by the rake method; Put one thing in the lock, turn it in the direction it's supposed to go, and then rake something (like a bent pin) over the pins in the lock. If you get the pressure right, and the lock sucks (Like a master, for example) then the pins will get stuck down to the right degrees and you can open the lock.
Also, as previously mentioned, some key sets just don't come in very many combinations. There are about twenty different key configurations for BMW motorcycles, which is abominable enough; But there are only about five different combinations on BMW motorcycle luggage, and they use the same keys as the ignition, just using a smaller number of pins. This equates to it being REALLY EASY for one BMW motorcycle owner to open a significant number of lockers on other peoples' bikes.
Re:Does this come as a shock? (Score:2)
Haiku? (Score:2)
ISP is Hopping Mad
NSI to Blame
Re:Well, the popular answer would be... (Score:3)
IMPORTANT ACCOUNT ENHANCEMENTS SCHEDULED: SECURITY UPGRADES
MAY REQUIRE ADDITIONAL STEP BEFORE CHANGES ARE MADE
***********************************************
Security for our customers has always been a top priority
at Network Solutions. Now we are taking that even further
as we merge with VeriSign, one of the industry leaders in
Internet security. We all recognize information security is
vital on the Internet, and we want to assure you that we
constantly monitor security and maintain systems that help
protect you and your information. This message is about
changes in our guardian security system.
WHAT DOES THIS MEAN FOR ME?
***********************************************
When you first registered your domain name you may have
selected a security option. You then currently have one
of three Guardian authentication methods: "Mail-From,"
Password (Crypt-PW), and Secure Encryption (PGP).
With our upcoming upgrade, customers who have not yet
selected a security option will be migrated to "Mail-From"
security. Customers who currently use the "Mail-From After
Update" Guardian authentication method will now have to
respond to an e-mail security check before the requested
changes will be implemented. Customers who currently use
existing Guardian security options do not have to make
any changes at all.
WHAT WILL HAPPEN WHEN I REQUEST A CHANGE?
***********************************************
NSI is enhancing "Mail-From" with an additional e-mail
security check. Specifically, NSI will e-mail a validation
request to the specific administrative and technical
contact listed for a domain name before making any
modification to that domain name. This means, if you have
"Mail-From" security, NSI will no longer implement a
requested change until we receive e-mail verification
confirming authorization from either contact. It's an extra
step, but it's worth it to protect your account.
WHEN WILL THIS HAPPEN?
***********************************************
We have scheduled the modification for Saturday, July 8,
2000, so you should check your account information to see
if it is correct. Actually, it's a good idea to check your
account periodically anyway.
To make modifications easier, we provided easy-to-follow
instructions on our web site at:
http://info.networksolutions.com/go/t/security/
Additionally, we updated the contact form FAQs, which can
be found at:
http://info.networksolutions.com/go/t/security/
Please note that we continue to enhance security. Future
security plans include the use of VeriSign certificates
for authentication. But don't worry; we will keep you
completely informed about these upcoming changes.
If you have further questions or concerns about this
current security upgrade, please contact our Customer
Service Department at:
http://info.networksolutions.com/go/t/security/
Sincerely,
F. Michael Kyle
Vice President, Customer Service
Network Solutions(R)
a VeriSign(R) company
Re:Off topic, but since it was brought up... (Score:2)
(Gasp!) What a shocker!!!! I never heard that side of the story before, let alone have I heard it over and over and over by whiney crybabies who simply can't accept that a faceless corporation might not be the bad guy in every single case.
Look, the reason McDonald's coffee was hotter than the stuff you got out of your pot at home was not because of some nefarious corporate scheme to burn old ladies. It was hotter because most of their customers wanted it that way! The typical McCoffee drinker is a blue-collar 9-to-5er who buys the coffee on their way to work, and doesn't actually drink it until much later, sometimes a half hour or hour later. In order to prevent the coffee from being as cold as a witch's t?? by the time they drink it, the coffee was sold hotter than the temperature you would normally drink it at.
It may have been extremely hot, but this woman jammed the coffee cup into her crotch and drove off without even checking if the lid was secure; and when she spilled the molten stuff all over her groin, what did she do? She kept right on driving while the skin on her lap was being destroyed.
I knew that the judge reduced the punitive damages, and when he did so, it was because the original ruling was absolutely insane. The final judgement was still far more than she had a right to ask for, and I'm sure her ambulance-chasing lawyers collected most of it anyway.
Thanks to this old bat not taking responsibility for her own actions, thousands of schlepps that can't afford the good stuff are chugging down their morning brew right away on the highway commute while it still is above body temperature, which can't be much less dangerous than hot liquid in a cup.
After reading this.... (Score:2)
This ISP had their nameserver hacked, and the hacker created a nike.com zone.
And.... nike is at fault? None of this had anything whatsoever to do with any system even remotely controlled by Nike...
The *real* gun liability rhetorical question.... (Score:3)
The original rhetorical question is "if one were to leave a loaded gun ON AN OPEN WINDOWSILL and a passerby picked it up..." The key phrase is "open windowsill" - it's at a location where the owner is nominally in control of it, but anyone passing on the street could easily grab it. Hell, it's at a location where it could be easily knocked out of house without deliberate effort. The gunowner is clearly acting negligently.
(A modern analogue to this question is someone leaving a gun in plain sight in a locked car. This requires smashing a car window, but the risks of a parking lot "smash & grab" are less than a home burglary.)
In contrast, put the gun more than an arm's length away from the window and it's *far* harder to claim that the owner is negligent. Put the gun out of reach and out of plain sight (e.g., in a closed nightstand or a locked glove compartment) and claims that the gunowner was negligent if the gun is subsequently stolen start to wear very thin - by that metric, some people will argue that their responsibility *requires* that they keep their gun on their person at all times!
N.B., the cited quote doesn't even posit that the gun was stolen from a house or other area where the gunowner has a reasonable expectation of sole dominion - he's trying to bring to mind the image of a latter-day Johnny Appleseed prancing through a park tossing out loaded guns. Of course that's an unspeakably reckless act.
For some reason most people here seem to assume that he's referring to home burglaries, and while it's true that some jurisdictions have vicarious liability laws the general principle remains - as a rule people aren't held responsible for reasonable omissions, and almost never when those omissions are required by reasonable actions.
(E.g., you put a pie on the windowsill to cool, someone steals it, burns their fingers or mouth, and sues you. They'll have a *very* hard time winning since you had to put the pie *somewhere* to cool.)
Re:Using an analogy .... (Score:3)
I would say no.
Actually, the funny thing is that in New York (and until recently in Illinois), under a law known as vicarious liability, YOU are responsible for the actions of your vehicle, EVEN IF SOMEONE STEALS IT!!!!
Rental car companies hate this law. I don't know if other states have it, but the rental car agency I used to work for had locations in Illinois and New York that were constantly getting sued... A great example is one that happened in New York. Lady rents a car from us and drives it home. She lets her SIXTEEN YEAR OLD son drive the car. Now, this is wrong in two ways. Our rental agreement says nobody under 25, AND if their name/driver's license isn't on the contract, they can't drive the car. So anyways, he takes this car around, and mows down a five year old kid on a street (The poor kid spent two months in the hospital, but is OK now.) The best part is, the cops wind up sending the kid home in the car, even though they found it was a rental. Even better is that this kid doesn't tell his mom what happened! Three months later, our rental agency gets a lawsuit for $3 Mill (BTW - The kid and his mom were named co-defendants, so this is when she found out about it!!). I never heard how the case wound up as I left the agency before it went to court...
Anyway, the rental car agencies hate this law so much, that they banded together in Illinois and gave LOTS of money to the state legislature to get it removed there...
The ISP has this to say... (Score:3)
The problem with analogies... (Score:5)
Nike left no loaded gun lying around. It wasn't their lack of security, it was Network Solutions. Even if Smith is right and Nike chose the lowest security model, so what? NSI is the ones who were offering it, right? Smith is basically saying that the low security model is itself criminal because it's too easy to break. And yet, it was Smith's system that was hacked, in order to introduce the Nike DNS info on his box. Whose security is actually at fault?
You want an accurate analogy? Okay, here it is: I buy a car. Some guy goes to the manufacturer of my car, tells them that it's his and he needs another copy of my car key. The manufacturer just fucking gives it to him, he steals my car and drives it into some guy's store, smashing it and causing a lot of damage. The store owner sues me because I didn't buy the super deluxe model of the car that comes with a code-activated alarm system. Well, shit, what was I thinking?
I ask you: which analogy is more accurate? Who is really at fault?
Uh huh (Score:3)
Re:Read your own post (Score:2)
Can you get sued if you leave your keys in your car, and someone goes out for a joyride in your Saturn and drives through a shopping mall (like the Blues Brothers)? If so, it's time to do a big security sweep, MY profits are at stake!
Nike shouldn't worry too much (Score:4)
Shit, what's next? Will you be sued for having an angry mob smash your house up because they blocked the road you live on? This seems to me like a blatant attempt by an ISP to make a quick bit of cash off of a flimsy excuse, something which the US has a lot of unfortunately for it, and anyone that gets involved with it.
This bloke seems like a bit of an arsehole anyway - setting up an online bookstore called Amazon.gr is not the actions of someone who is really dedicated to starting up an online business, it's the actions of someone trying to cash in on the dot-com craze.
If I were Nike I wouldn't be too worried about this at all - the guy is an idiot out for easy money and any judge with half a brain will see that and throw the case out.
---
Jon E. Erikson
Sue Microsoft... (Score:5)
what!! no child exploitation??? (Score:2)
kudos for finding something Original to sue Nike for!!!
bet they didn't see that one coming!!
Well, the popular answer would be... (Score:3)
"If anyone screwed up, said Casler, it was Network Solutions, which apparently allowed the hijacker to change Nike's registry information on the basis of a spoofed email from the Nike billing contact -- a person that did not have password authority to make changes to Nike's domain status."
Yeah, everyone knows that they are a bunch of swindling, boorish jerks. We've heard it before, we'll hear it again...
On a more realistic note, I don't think that Nike can/should be held responsible, if in fact, NSI made a change due to an email from an unauthorized account (the billing contact). More details need to be seen on this one - still not good, whatever happened...
Re:You can be sued for not fencing your pool (Score:2)
In most all localities (talking US here) it's against the law to not have a security fence around your pool
Unless a lot of new legislation was passed while I was asleep last night it is still perfectly legal to have lax security on your server.
Sue NSI, not Nike (Score:3)
Stepping out of the box (Score:2)
It seems that if you take reasonable precautions to prevent hijacking, then you shouldn't be held liable for one that takes place. On the other hand, if you're wide open (e.g., no metal detectors at the terminal), then you deserve a lawsuit.
Not being familiar with Nike's security precautions and procedures, I can't speak for whether they were reasonable or not.
if ($user =~ m/shaldannon/i) {
    print "\n-- $user";
}
Re:What an idoit (Score:2)
You know, that may be the best suggestion yet. If Smith can claim that Nike's security was lax, Nike can surely claim the same of Smith's ISP for letting his DNS servers get h4x0r3d (assuming he didn't do that himself, which he claims he didn't).
In order for there to have been a major problem, he must have had nike.com in his nameservers pointing to the IP of one of his customers. If this was just about getting gazillions of DNS queries, well, that doesn't eat up that much bandwidth, and BIND should be able to handle the load just fine.
--
Re:Uh huh (Score:2)
It wasn't broken into. Just that packets were directed at him rather than at Nike.
Apart from that your analogy is quite accurate. Although I'd say it was more like the bank suing the owner of the car that was stolen as a getaway vehicle.
Similarly... (Score:4)
Can I sue the St. Louis Cardinals if the traffic created by people getting to the stadium causes the ambulance to my house to be late and my mom to die?
Could I sue 1(900)Mix-A-Lot if the phone company accidentally switched the lines so I got all those phone calls?
Seems like the ISP could legitimately sue the hijackers, but it's obvious he's just looking for the biggest pot of money and suing them, relevant or not.
-----
Both sides (Score:3)
1) He (Smith) has a point if Nike was negligent. Just like there are laws if someone gets hurt on your property because of negligence on your part, there should probably be some similar laws in cyberspace. Now exactly how you define those... I'm not sure. Maybe check to see if the people have kept reasonably up-to-date with bug patches?
2) If someone steals a gun from your house and goes on a shooting rampage, are you responsible? (Well, probably again it depends whether you were negligent or not.) But, assuming that the person was responsible... how can you blame them?
Bottom line - I do think web sites have a responsibility to be attentive to protecting their resources and ensuring that they don't hurt others with them... but beyond doing your best, you can't do any more.
A good lawsuit... (Score:5)
A more likely story... (Score:3)
First, notice that this page calls Nike's business practices "shabby" and at the bottom of the page there is a "Boycott Nike" icon. This seems to me like someone that is emotionally connected to a movement against Nike (in and of itself this is not a bad thing) - the point is that this lawsuit sounds like it is based more on a bias than facts and laws.
So I think one of two things is actually going on:
1) Smith or his friends are responsible for the crack and their plan was to redirect people going to www.nike.com to their own web sites against Nike. I went to http://212.92.192.218 (from the dns file on Smith's web page) but this address no longer hosts any web pages. This crack caused negative press for the movement against Nike so Smith is trying to divert the blame.
2) Smith was indeed a victim of the crackers but he is sympathetic to what they were trying to do and doesn't like Nike himself so again he's trying to throw mud on Nike hoping some of it will stick (I think this is the most probable)
For all of you out there that think I might be saying this because I'm a Nike fan - well I'm not. I haven't purchased anything from Nike for 3-4 years (only Dr. Martens) and I don't like the way they exploit foreign labor.
BTW - I saw an Investigative Reports on A&E last night (I think that was the program) about passengers that tried to sue Amtrak for injuries that were caused by a saboteur that derailed the train. The Judge ruled that the derailment was caused by the saboteur and not Amtrak and Amtrak won the case and countersued for legal costs and won.
NSI Strikes again (Score:2)
Someone should initiate class action against NSI for their consumer practices. Ralph Nader could have a field day with DN registrations and other related matters.
Re:Uh huh (Score:2)
You've never been in one of those wrecks. From experience, the insurance companies all went after the original car because it was their fault. That went for my insurance and the guy in front of me when I was in the middle of a 3 car wreck. But, I appreciate the analogy - wrong as it was - you still proved my point.
kwsNI
HIS Servers were hacked too (Score:2)
yes yes. However *HIS* systems were compromised by the hacker, his OWN DNS
was reconfigured, and his OWN server was rebooted.
If the hacker logged in and did a mke2fs
still sue nike? [Your honor, Nike is responsible on the grounds that
because after the hacker changed their domain, he was angered by the nike
swoosh into a destructive rage, and he destroyed my server.]
Anyway, how much "server load" can be rendered by DNS lookups for nike.com?
Has anyone ever BEEN to nike.com before? S11.org obviously had CONSIDERABLY
more traffic than this guy; and he could EASILY have fixed his "traffic"
problem, by removing his hacked DNS records
Re:Does this come as a shock? (Score:4)
In this case, Nike has no reason to settle. Their case looks lead-pipe solid, and (from what I can see) the person suing them is a whining little bitch of an ISP sysadmin.
Even though nothing is likely to come out of this lawsuit, it will be played up in the news because so many people hate Nike. They charge "too much" for their shoes, they use overseas labor for their manufacturing, and they paste that Swoosh-thing on every flat surface within 5 miles of every stadium and golf course. On top of that, they are playing those stupid "Mrs. Jones" commercials, where a cardboard blaxploitation character talks jive into a radio microphone about how women athletes should be paid the same absurdly-high salaries as the men, even though hardly anybody watches them.
Yessiree, plenty of reasons for people of various political stripes to hate Nike... but this isn't one of them. I hope they win, and get counter-damages for having to waste their time on it.
The Bad Precedent is the Red Herring (Score:5)
I'm fully of the opinion that if you have completely incompetent security policies, and those policies lead to direct monetary damage to another party, you should probably be somewhat liable, at least to the degree of your incompetence.
The best example would probably be a fully loaded hospital intranet complete with patient charts and remotely writable data--with no firewall against the Internet. Somebody dies? Somebody is definitely liable.
But this case is bizarrely inappropriate. Nike had a security policy that depended on a shared secret--the name of the user authorized to issue changes. The shared secret was not disclosed by Nike nor discovered by the attackers, but NSI allowed the switch anyway. I find it hard to believe that this was not an automated process--a request to change the domain of a transnational company comes in, and the new IP is to some tiny guy; you can bet no human approved THAT transaction--despite what NSI might have you believe. Therefore NSI is in breach all over the place, and they're liable.
I think the real strategy here is to force Nike to sue NSI...by making Nike do all the legwork of proving that this was Network Solutions' fault, suddenly NSI has a very big and very angry enemy indeed. It's co-option of a very large legal department, and in that context, it's a damn brilliant idea.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Using an analogy .... (Score:4)
If I left my parked car unlocked and someone hopped in and stole it - proceeded to drive down a freeway, had an accident and caused a major traffic pile-up where several people died, would I be responsible?
I would say no.
However, if you use the analogy that Smith used: if one were to leave a loaded gun laying about and if another person picked it up and killed someone with it, the owner of that gun would be held responsible for negligence.
I would say yes.
So what is the difference? I don't know myself - I just thought I'd provoke some thinking amongst everyone and hopefully someone else who is thinking straight at the moment (it's late at night here) can give some insight! :)