Security Basics mailing list archives

RE: Disclosure of vulns and its legal aspects...


From: "Craig Wright" <Craig.Wright () bdo com au>
Date: Fri, 1 Jun 2007 10:18:04 +1000

No, I am not mistaken. People have this right (i.e. stupidity). I do not
like it, I would prefer the concept of privileges to rights as
privileges have to be earned and may be lost - but our society allows the
right for stupidity.

As an example - you are legally allowed to store $1,000,000 in cash in
the back shed with a sign on the front yard stating "I have a million
dollars in the unlocked back shed, keep out!"

"Mere excitability of a normal man, passion, even stupidity, obtuseness,
lack of self-control, and impulsiveness" [1] are not good enough to
remove the rights and responsibilities we have.

In R. v. Hill [2], the Objective Test covers "innate stupidity" as for
the "Ordinary person" standard -- whether or not "ordinary person" means
an ordinary person of the same age and sex as the accused -- Criminal Code, R.S.C.
1970, c. C-34, s. 215(1), (2). In this, although it may be deplorable,
there is a right to be stupid.

The law adopts an orthodox and politically liberal laissez faire
approach to corporate and commercial self-interest, stepping in only at
the extremes to prevent clear abuses of power which result from a
stronger party acting in their own economic self-interest, as in
conventional situations of unconscionability involving a stronger party
taking advantage of a weaker party's illiteracy, stupidity, language
difficulties, drunkenness, need for advice, or other personal indicia of
being under a 'special disadvantage' a la Amadio [3].

The result is that the rights of the stupid are upheld in true common
law tradition.

"Two things are infinite: the universe and human stupidity; and I'm not
sure about the universe." Albert Einstein

I may not like it. You obviously seem to dislike it, but it is a fact.
There is a right to "innate stupidity". We in the west have a
fundamental human right to stupidity, obtuseness, lack of self-control,
and impulsiveness. Like it or no, welcome to the world we live in.

There is also no right to stop another being stupid. Rather, there is a
tortious right to take action against the stupid person - AFTER the
event.

Being more stupid or careless than an ordinary person is not a defence,
true, but it is a right. Stupid people are liable for their torts, but
they have to do them first. In fact, stopping them from doing the stupid
action may be a violation of their legal rights and as such a tort
itself.

"Negligence Per Se" Doctrine: Most courts apply "negligence per se", which
says a violation of a statute is "negligence per se" and conclusively
establishes that D breached a duty to P.  You still have to prove
causation and damages.  [Osborne v. McMasters - poison sold from a
drugstore did not have the label required by statute.]  In fact P bears
the "burden of proof."   P must prove each element by a "preponderance
of the evidence."

The burden of proof is on P to show D was negligent.  Res ipsa just gets
you into court.  [Sullivan v. Crabtree - Son was riding in D's truck.
The truck swerved off a highway. P's son died.  The court said "in the ordinary
case...res ipsa loquitur merely makes a case for the jury."]

Even following the event, there is still foreseeability. Ryan v. New
York Central R.R. Co. (1866) - D's railroad set fire to a woodshed.  P's
house, 130 ft away, caught fire and a number of other houses burned down.
D was only liable for the first house.  [Others are not proximate.] The same
applies to the idea of a web server. The defacement is proximate; making
the assumption that the site will be further compromised is not - at
least until it occurs.

So to summarise, stupidity, ignorance, obscurity etc are all rights in a
free society. Welcome to the west ;) 

Regards,
Craig

[1] K v Porter ([1936] 55 CLR 182 pp. 187-8) (UK)
[2] R. v. Hill, [1986] 1 S.C.R. 313 (CA)
[3] Commercial Bank of Australia Ltd v Amadio (1983) 151 CLR 447.

D = Defendant
P = Plaintiff



Craig Wright
Manager of Information Systems

Direct : +61 2 9286 5497
Craig.Wright () bdo com au
+61 417 683 914

BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
www.bdo.com.au


-----Original Message-----

From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Ansgar -59cobalt- Wiechers
Sent: Thursday, 31 May 2007 11:58 AM
To: security-basics () securityfocus com
Subject: Re: Disclosure of vulns and its legal aspects...

On 2007-05-31 Craig Wright wrote:
> In contradiction to the belief of many on the list, people have a
> right to be stupid and live in ignorance. I may not like this, but it
> is a fundamental tenet of freedom. To have freedom means the right to
> be daft. The right to be daft means the right to have an insecure
> site.

If you believe that people have the right to be stupid and insecure when
their stupidity and insecurity may cause damage to other people you're
mistaken.

> They will learn eventually.

No, unfortunately they don't.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq