Follow Slashdot stories on Twitter

 


Forgot your password?
Close
typodupeerror
×
News

Nike Gets Sued Over Nike.com Hijack 219

Posted by emmett from the consider-the-following dept.
kwsNI writes: "Wired has this article on an ISP trying to sue Nike over the recent hijack of Nike.com. He claims that his ISP suffered when the hackers routed the Nike.com traffic through his servers. He claims that Nike is at fault for not having better security. This really scares me. Can you really be sued for having your domain hijacked?" I'm interested to see where this will go.
This discussion has been archived. No new comments can be posted.

Nike Gets Sued Over Nike.com Hijack. More

Nike Gets Sued Over Nike.com Hijack.

Comments Filter:
  • In this case at least, it doesn't seem right to be suing Nike over a hack. It's obviously NSI's fault for taking an email so seriously.

    What I had hoped to see was someone who had their box hacked for an attack on another domain, or email spoofing or whatever. Just like you can be sued for leaving a gun cabinet unlocked if a gun taken from it kills someone, why can't you be proven negligent if your box, which you have not attempted to provide adequate security for, is hacked and used against someone else?

    If you've provided adequate security, though or it's someone else's fault (NSI), then I don't think you should be held responsible..,
  • but that answer isn't fun! I wanna buy a new car! ;-)
  • I figured, I've just always been amused by the "Thinking Outside the Box" metaphor... I need a box, so I can think outside of it... of course, if I don't have a box, I'm at least outside of one... unless the Matrix is a big box, maybe being shipped UPS, and mis-routed through three continents... that would explain this past week.
  • Well who knows about a coincidence but Network Solutions is stepping up the Security of their service. We got an email yesterday at the company i work at about this.
  • Shame on Nike.com is hacked and a DOS is sent to nike.com? Will he be billed by Nike for crashing their server? "But..but.. the hacker did it, not me!!"
  • Either way, the woman spilled hot coffee on herself, then sued the restaurant for selling it to her. That's like suing a power tool company after you fire a nail-gun into the back of your hand, saying "they should have put a sensor on it so it could tell flesh from drywall".

    No, it's more like buying a nail-gun, loading it with studs, and having it launch one into your backside the minute you plug it in. Sure, you should have been careful not having it aimed at anyone while loaded, but at the same time there's a reasonable expectation that it's not going to injure anyone who isn't being careless.

    Jay (=
  • Personally I am sick an tired of everyone trying to pass the blame to scam a buck. This was a criminal act directed at Nike. If others got hit in the process, it is not the fault of Nike, it is the fault of the criminals who did the domain hijack.

    I mean, c'mon - if someone storms into your house to shoot someone, and in the process shoots you - are you going to go after the original target of the shooting or the shooter? In the immortal words of John Stossel - Gimme a Break!

    What a bunch of crap. This is nothing more than a money grab by the ISP. I may be conservative but I am all for the socialization of the legal profession. If you take the asinine amount of money out of it you would solve a significant amount of these problem.
  • Absolutely not. If such security measures are not written into the ISP contract with the company, then the ISP has no recourse at all. In a world with umpteen gazillion different things to know about, how can anyone keep up on absolutely every technology?
  • Tower wrote:
    If the Dept of Ed gets chucked out, do I have to pay back the last $16k of my student loans?
    Sure; the loan was from the Feds, not a department. If my mortgage loan officer gets fired, do I still have to pay back my mortgage? Of course I do!

    Jeff

  • How about this: A burglar uses my neighbor's lawn gnome to get into a first story window I inadvertently left unlocked. Am I accountable for the gnome's crushed cap?
  • I'm just waiting for someone to take a case like this and try the attractive nuisance approach.

    The analogy here would be a swimming pool (your web page). If you have a swimming pool, and this swimming pool is protected by a gate, and the gate has a large sign saying "stay the heck out" and a neighborhood kid climbs your fence, jumps in your pool and drowns, you can be sued by the kid's parents. Your pool represented an attractive nuisance, an entity that wasn't dangerous in and of itself, but could be dangerous if used in an unsafe manner. As long as a kid can overcome your precautions, you are responsible for that kid's behavior. And what kid doesn't love a swimming pool?

    In this case, the web site had minimal security, and some kid came along and used it for other than its intended purpose. But is the owner of the site still responsible for the consequences?

    It doesn't sound like the bozo doing the suing is thinking of this ploy, but it will probably just be a matter of time...

  • I wonder if Verisign realizes what a bastard child they bought, and the negative impact it'll have on their reputation ..

  • Re:What next? (Score:3)

    by kwsNI ( 133721 ) on Thursday June 29, 2000 @07:36AM (#968501) Homepage
    Yeah, NetSol did something wrong. This guy is suing Nike. Nike didn't do it. I think that's why this comment scored so high. The basis of the lawsuit is over something stipid. This guy is trying to sue Nike for being hacked and increasing the traffic on his servers. Nike didn't send the traffic to his servers. Hell, Nike would have loved for the traffic to have been on their own servers as if nothing had happened.

    What's funny is, his own site [shameonnike.com], admits that they were not only hacked but it was because they didn't have good security on their servers and that it wasn't hard for the hackers to compromise their servers too. This guy is so hypocritical, it's amazing.

    kwsNI

  • "sue the ass off of Network Solutions!"

    "Um, how can you sue a company for doing what you tell it to do???

    Nike: "Um, yea, thanks for the stuff and all, yea, we'll take 'Security for DimWits,' thanks...."
    No, this is just a bunch of hot air. A misdirected and leech-like lawsuit (from a guy who shamelessly tried to sell books from amazon.gk), a mega-corp that (frankly) deserved the hack, and a hapless NetSol that can't really be blamed (come on, do you think they *don't* explain the security levels???)

  • This is a silly lawsuite, but cool... (Score:3)

    by bellings ( 137948 ) on Thursday June 29, 2000 @07:44AM (#968503)

    IANAUKL (I am not a UK lawyer), but in the States you can be sued for pretty much anything. I could sue Taco for bad grammar, claiming that his awful prose has caused me to misunderstand technical issues that are important to my job, and hence Taco is responsible for damaging my wage earning ability.

    But remember, filling a lawsuit is significantly different than bringing a succsessful lawsuit in front of a judge.

    I can see three possible outcomes from this lawsuit:

    1. Nike is unable to find a competent judge, and quietly gives Mr. Greg Lloyd Smith some money, just to make him go away, hence saving a lot of bother for the Nike lawyers,
    2. Nike gets this in front of a competent judge as quickly as possible, and the judge just throws the whole thing out laughing,
    3. Or, Nike finds a judge that willing to bitchslap Mr. Greg Lloyd Smith very, very hard, making Mr. Smith pay Nike's legal bills (at a minimum). My (limited) understanding is that it is considerably easier for judges in the UK to do this than it is in the States.

    Things that will not happen include:

    1. Mr. Smith will not win this lawsuit. Not one article I've read about this episode has had a single nice thing to say about Mr. Smith -- Wired magazine clearly wanted to call Mr. Smith a slimey little worm who probably engineered the hijacking himself (and Wired decided not to say that because there's no concrete evidence, and Mr. Smith is happy to sue anyone he can find). Judges and Juries don't like slimey little worms who bring frivolous lawsuits without any demonstrable damages.
    2. Nike will not use this lawsuit to change intellectual property laws, or make NETSOL legally responsible for hijacking. No-one involved is going to want this to drag out for years, to eventually get a ruling in UK court that will probably be ignored by the rest of the world courts and lawmakers anyhow (regulations on e-commerce and e-property is probably an area for international treaties, akin to international intellectual property laws. This case doesn't is too bogus to influence anything, even if Nike wanted the questionable publicity of pushing it through the courts).

    I suspect we won't hear about this case again. If this was happening in the States, I'd expect to see Mr. Smith's name on the front pages in a few years, when he walks into an office building somewhere and starts shoot ing people [dilbert.com]. Since its the UK, I expect he'll just become a school teacher or some other profession where he can inflict damage on people with immunity. Or, perhaps he'll just continue being a totally irresponsible and technically incompetent system administrator for his own ISP, and just continue inflicting damages on his clueless customers.

  • Newsline: car owner sued after death of girl

    Robert Wilson -- a wealthy and respected professor at MIT -- was recently sued for damages after theives stole his BMW and killed a girl on their joyride. The theives broke through a sophisticated alarm system and took the BMW for a joyride through outer neighbourhoods of Boston while under the influence of alchohol. During the joyride, Samantha Caily was knocked over and killed - a tragic death for a young girl barely 15. Samantha's parents sued Robert Wilson for damages, claiming that he was responsible for their childs death. "If he'd employed a better alarm system, Samantha would be with us today. It's clearly his fault. Those boys are known theives, and they can't help themselves, but Robert should know better", said Martha Caily. The theives, who were later caught, have a history of car theft, they were released with a traffic infringement: they're poor and of no fixed abode - barely able to afford the bus ticket home.

    ^sarcastic humour

  • Actually I do believe that purpose has a large part to do with it.

    Yes, I know about the kubotan, infact I own one (wood version). I also know all about the martial arts weapons. Nunchaku's were used to bash rice, the Bo staff was used to carry water, so on and so forth.

    But today, unless you work in a rice field, nunchaku's are mainly a weapon. Infact, where I live (New York), nunchaku's are illegal to own. Its funny that it is more illegal to own nunchakus than it is to own a gun.

    Again, purpose and usefulness play a large part. Since cars need a key to start, it is harder for a kid to cause too much damage (although they can take it out of park and roll down a hill). So, ok, If you leave your keys in the car and running, you have some responsibility if a child gets in and hurts someone.

    There is a layer of responsibility that comes with things that can kill. Although I wouldn't say a car is more destructive then some guns. Maybe a .22 but its hard to get cars inside a school.

    As for me being more against guns. No, I believe they serve a purpose. I'm not against hunting or even just recreational shooting. But I'm for strict gun laws since they are the equalizer. Even though you can be killed by a knife, I much rather face someone who has a knife than someone who has a gun.

    My in-laws are big time hunters and I have no problems with that. But they take big responsibility for their guns. They always lock them up and they teach all their children to respect the power of a gun. I don't think of guns as evil, I think of guns as very powerful and dangerous in the wrong hands.

    And actually, I believe that a car is more evil than a gun. They hurt the environment more. They make people lazy (I know people who drive a quarter mile on sunny days and no hurry). And with the gas prices of today... Damn!


    Steven Rostedt
  • The thing people need to realize, is that this was not a hack due to low security, it was a hack due to human error. To me its the equivalent of locking yourself through 18" thick steel walls, with 100 doors that you need to go through, with card security, retina scans, thumbprints, and passwords, and then some idiot who works there lets the pizza guy all the way on the inside so he can go get his wallet. This same guy is the type of person who writes his login name and password on a sticky note and attaches it to his monitor. There is no way you can hold nike negligent, you need to hold the moron who accepted the spoofed id. There was nothing Nike could have possibly done to prevent this.
  • This was bound to happen, and, unfortunately, will probably proliferate. As ridiculous as it may sound, look at the current state of our civil law system and you can see *exactly* where this mentality comes from.

    A: Two boys go to a high school and proceed to shoot stuff up. Victims, demanding compensation, sue the gun manufacturers, althouth the gun manufacturers didn't pull the triggers. If you think that the gun manufacturers are liable, then you should also think that the manufacturers of computer components should also be sued, because computers are most certainly used to commit crimes.

    That's just one that ought to be stuck in your heads. Everyone knows that the criminal should be liable for damages, but most criminals don't have anything. Desperate, people will rationalize anything and sue everybody and just hope for a settlement.

    I'm waiting to see a class action lawsuit against Microsoft, Intel, AMD, Phoenix, Creative Labs, Matrox, etc, for being responsible for the ILOVEYOU email thingie. Forget the poor college kid who wrote it, he's poor. Let's get some real money....

  • I mean come on, I've see enough of that damn swoosh when I simply walk outside....
  • I've said this before, but this time I'll use bold:

    Who is at more fault? The intruder, or the person who left the door unlocked and didn't tell anyone?

    And IMHO it is almost always the negligence that I am more angry about. Selling a house to someone and keeping one of the keys, or making it so that if you turn the doorknob in a certain way also unlocks the house would get you sued and fired. Why do we put up with this crap in the Computer industry?!? Why is it permissible to leave backdoors, or to simply ignore security or privacy?
    But, to take up tyler's point of view, "But that's what I think, I could be wrong."

  • Look, the reason McDonald's coffee was hotter than the stuff you got out of your pot at home was not because of some nefarious corporate scheme to burn old ladies.

    No one said they were malicious, only derelict in their responsibility.

    It was hotter because most of their customers wanted it that way!

    Really? Their customers wanted coffee served at a temperature that becomes "extremely dangerous when it comes in contact with human body tissue"? (A part you neatly snipped off in your reply, I noticed.)

    The typical McCoffee drinker is a blue-collar 9-to-5er who buys the coffee on their way to work, and doesn't actually drink it until much later, sometimes a half hour or hour later. In order to prevent the coffee from being as cold as a witch's t?? by the time they drink it, the coffee was sold hotter than the temperature you would normally drink it at.

    Where did you get this information? Did McDonald's commission a survey as a response to this woman's lawsuit? Was an independant poll conducted by some news agency in relation to this case? Or are you making some totally unfounded assumption because this particular story annoys you?

    It may have been extremely hot, but this woman jammed the coffee cup into her crotch and drove off without even checking if the lid was secure; and when she spilled the molten stuff all over her groin, what did she do? She kept right on driving while the skin on her lap was being destroyed.


    Okay, now I'm sure you've just got an axe to grind. (Either that, or I'm being trolled.) In the article I quoted, it states quite clearly that she was a passenger in the car, and that the car was not moving when she spilled the coffee on herself.

    If you can't get the facts straight, why bother replying?

    Jay (=

  • Possibly the best outcome (Score:3)

    by Phroggy ( 441 ) <slashdot3@ p h roggy.com> on Thursday June 29, 2000 @04:46AM (#968511) Homepage
    What might be the best outcome here would be for Smith and Nike to arrange a settlement, and for Nike to sue NSI for damages which include the ammount paid to Smith as well as their own damages. Nike has a fair ammount of legal clout, and might actually get somewhere - and that would probably benefit everyone.

    --

  • It was hotter because most of their customers wanted it that way!

    Matters not; a liquid at 180 degrees Fahrenheit can give you serious full-depth (al through every skin layers) burns in less than five seconds of contact. It's one thing to serve coffee hot; it's another altogether to serve it so hot it's actually dangerous, particularly when it's served in a drive through and thus the company has reason to believe it will be drank in a moving vehicle with greater chance of spillage (even though this wasn't the case in this particular instance).

    Beyond that, the fact McDonalds had had already lots of complaints and had done nothing about them except for settling out of court points towards negligence. If it happens once, it's an accident; if it happens lots of times and McD does squat about it, it is not.

    The other part of the story, which the post neglects to tell, is that the woman originally went to McD and only wanted reimbursement for medical expenses ($20k or so). McD refused altogether, and this outraged the jury into giving the woman the punitive award.

    Now, what is a punitive award? It is, as the name implies, intended to punish and deter similar behavior in the future; because of its very nature, the size of such an award maps not only to the offense committed but also to the defendant's ability to pay. It's supposed to hurt. If the defendant can just shurg the award off because of deep pockets, then it's no deterrent. Thus the magnitude of the punitive award.

    It's easy to spout off without knowing the facts; the facts make it clear the decision was appropriate and correct, even though big-mouthed know-nothings blast it because they're uninformed.

  • He was damaged bandwidth and manpower is not free.
    NSI may hold some blame in this but if
    they do its up to Nike to sue them
    to recover any money spent recovering
    from this.
    I for one am sick of big companies making
    noise about security and not really doing
    anything about it. Remember all those
    credit card numbers that were stolen?
    The owners of those cards and the credit
    card companies should sue the online stores
    for every penny spent recovering from it!
    In the real world you are resonsible if you
    damage someones property or cost
    them money to repair stuff you damage.
    Why should the net be any different???
  • Instructions for making coffe:
    Step 1: Boil Water
    Step 2: Filter through coffee grounds
    Step 3: There's no step three.

    Coffee is hot. It is supposed to be hot. If steam is not coming off the cup, it must have sat out too long.

    Hot food is not safe. You need to use caution. Every time I make a chicken pot pie for myself, I know for a fact that the inside of it is like molton lava, so I am careful with it. I break the crust open and let all that gooey stuff cool a little. I blow on it. Most importantly, I don't dump it on my lap!

    In the event that I am clumsy enough to dump a steaming hot chicken pot pie on my lap (or hot grits down the pants, as the trolls would say), I would not sue swansons for marketing such a dangerous product. The accident would be my fault, therefore my problem.

    Were I on that jury, I would have ruled that McD's was right to tell that lady to buzz off and awarded no punative damages whatsoever. S* happens, that's why we pay for health insurance.

  • A UK lawyer writes...

    It's the same here. Any damn' fool with a Claim Form can start an action at law, and frequently does.

    The way it'll work is this:

    1. Smith takes his claim form, bearing particulars of spurious claim, to the court office for issue.
    2. Smith serves the resulting sealed Claim Form (we don't call 'em writs any more) on Nike.
    3. Nike's lawyer falls off his chair laughing, doesn't trouble to draft a defence, and makes an application pursuant to Part 3.4/Part 24 of the Civil Procedure Rules that the claim be struck out as disclosing no reasonable cause of action, or having no reasonable prospect of success at trial. The court has power to strike it out of its own motion as well, but this is reserved for the people who (real example) sue Prince Phillip for telepathically projecting his libidinous thoughts into their heads.
    4. Not less than 24 hours before the hearing, which will probably be listed within a couple of weeks or so, Nike's lawyer files a statement of costs at court, setting out in detail everything he's spent on the case so far. He also sends a copy to Smith.
    5. At the hearing, Nike wins. Costs follow the event (ie., it's not just easy for a UK judge to order a losing party to pay the winner's costs, it's all but mandatory) and are assessed by the judge on the basis of Nike's statement of costs. Basically, Smith is ordered to pay Nike's legal costs less some small margin so's the judge (in practice, a district judge or practice master rather than a full judge) can crack on like he cared how much it cost.

    Net result: Smith loses his case in somewhere less than three months (the record is, I believe, 9 days) and has 14 days to pay Nike what, for a no-brainer like this, should be around 1500 pounds sterling.

  • Well who knows about a coincidence but Network Solutions is stepping up the Security of their service. We got an email yesterday at the company i work at about this.
  • Imagine going to the supermarket. While going around and finding the things your going to buy, you slip and feel because the floor is dangerously slippery. You not just fall, but you also brake your arm. I wouldn't look at it as unreasonable if you decided to sue the supermarket for having a slippery floor. And just as in this case, you can compare Nike to the supermarket and "you" to the ISP.
  • A related article at segfault [segfault.org], not exactly the same thing....

    --

  • I mean - do you see any difference between "being hacked by bunch of hackers" and "being sued by bunch of sueing-addicted lawyers"? I don't see any difference. This is one of dark sides of democracy - being hacked and being sued ;)))
  • Can you really be sued for having your domain hijacked? I like the fact that these stories are posted, but it's really getting boring -- all of them ending with the same question, "Can you really be sued for X?" Come now, we're smarter than that... we know that there's a big difference between being sued and losing a suit. We are smart enough to know that anybody can be sued for anything. We are also smart enough to know that many lawsuits get thrown out because they are trivial or harrasing.
  • The most incredible thing about this whole mess is that the loser in question (the ISP operator) ADMITS that his server was cracked as well so that the crackers were able to add information to his named.conf and DNS database yet he is sueing Nike because of THEIR failure in security. Hypocrisy at it's finest. I hope someone mirrors his page where he freely admits this before he figured out how stupid he really is.

  • What do you mean, no other purpose? I use it for driving nails into a wall by repeatedly shooting them very accurately. It's faster than a hammer, really. Not only that, if you use hollow points, you end up with a neat shape on your wall afterwards.

  • I would say the differences is that a gun is a weapon and a car is a tool made for transportation.
    So where do you draw the line? What if it was a nail gun instead of a pistol? A nail gun is actually a tool that's meant to be used in construction, but if you put it up to someone's head and pull the trigger, it would easily kill them.

    Just something else to think about...

  • In the UK I recently had to deal with a similar situation - We were changing ISPs and we ran our own DNS servers so we had to get the registration updated with new server IPs. For the 2 domains I had registered there was no problem, but for one of them (registered way back by a couple of IT guys who hadnt worked there for over 5 years when I started!) we hit a brick wall.. Even though all 3 were registered to the same company, in order to change the 3rd one I had to get our CEO and company lawyer to send written confirmation (nothing electronic - they only accepted snailmail not email or fax) to the registrar that I was who I said I was and that they knew about this before they would update the registration info. It was a pain in the ass but overall I think it was a good thing.
    # human firmware exploit
    # Word will insert into your optic buffer
    # without bounds checking

  • through fault of his own (he leaves it until the end of his rant [shameonnike.com]), Smith's major contention is that he went through major difficulty to inform nike of what was going on, then they asked him to point his dns at their server, which he did, then they asked him to do the MX record as well, which he did, then millions of hits later he sent them a bill, and they were like "no sorry, we're not paying".

    so unless he actually created the situation in the first place (possible - this guy tried to do business with amazon.com when he fired up amazon.gr a year or so ago) i reckon he deserves to get a cheque from nike for his trouble!

    plenty of activists including s11.org would have loved to have seen 46 hours of nike email, which smith helped nike to get back into their grubby little hands by pointing his dns servers back at nike.com

    pay the man!
  • In the Beginning,
    The 'Net emerged from the primortial ooze of analog bit streams and flaky phone lines. The Denizens of this early 'Net learned about cooperation and fault tolerance, and it was good. As time progressed (fast forward) the uninitated, the normal citizens of the BBR, used to protection under the law and the burden of it's restrictiveness were unprepared for a world where there was no shelter for the expliotable under a omnipotent protector.
    Seriously folks, the laws regarding 'Net crime are both vauge and largely untested. I think that Nike might be liable. On the 'Net you have to take total responsibility for your presence. Like every tinker and his brother on @Home, putting up insecure servers, it's you (Give me a sword of burning code and the arrows of design.), your box and the forces of darkness. The artical yeaterday about the unfortunate lack of a "hacker threat" does demonstrate the pricipal 'The bigger the name the bigger the target.'. Nike has spent millions (billions?) becoming a brand name that every 4 year old in America knows, and in accordance should be persuing security with due vigilance. The big expliots that security pros tell their children at night, the 'Net age boogie man, DDoS on Yahoo.com and others, IExplore that shut down part of MCI, have all been perpetrated on big names.

    General System Fault:
    Please sacrifice two chickens and a goat to continue.

  • "Why didn't NSI think of this years ago?"

    Umm....They did.

    The email they send you has a tracking number, which you must include in the Subject field of any response you send.

    Here's the catch - the tracking number is made up of the date and a .blank.-digit number, for example .blank. The numbers used, other than the date, are sequential. Which means - guess what? - the numbers can be predicted with only a very little bit of work. Just include the predicted tracking number in the spoofed email, and there you go!

    For a better description, check here. [securityfocus.com]

  • The BugTraq discussion thread about this issue can be found here. [securityfocus.com]

  • What next? (Score:5)

    by Netsnipe ( 112692 ) <<moc.liamg> <ta> <epinsten>> on Thursday June 29, 2000 @04:30AM (#968529) Homepage
    What next? Slashdot getting sued for Slashdotting servers?
  • Truth is, most keys aren't very secure, even double-sided ones (unless they're asymmetrical). The standard Schlage or Kwickset 5-pin lock has about 100,000 possible combinations (when there are 10 pin lengths)... but it's not unsual for two locks with similar but different pin configurations to be accessable by the same key. Once I grabbed a key at random from the garbage key bin, and imagine my surprise when it opened not only my apartment, but also my parents' home. Though the two locks were different, they were only off by a couple of pins which varied in length by 1 (up or down).
  • I think one argument to that could be that the intended purpose of the swimming pool is for swimming (thus the name). So, the kid -though not invited to do so- is just doing what the pool is intended for: swimming!

    The web site hacker is not doing what the site is intended for. Though some might disagree, web sites are not made to be hacked. :)

    I don't think that argument would stand up in this (or similar) case.

  • I agree it seems like a slim chance, but, if it turns out the Nike
    had reprehensibly bad security, and poor maintenance of their domain,
    etc., it seems to me that could be indicative of negligence. I don't think
    we will see that not having a 24/7 ERT will qualify as being negligent,
    but I wouldn't mind if being just plain irresponsible with your computing
    systems and DNS and etc. could qualify.


    I know that my company's mail servers are queuing up a fair amount of
    D.O.A. mail due to companies that don't have the brains to set their MX
    records properly. It'd be nice if we could find a way to get those
    companies to make amends for that sort of thing; not just to compensate us
    for unnecessary use of our resources, but also to better encourage them to
    fix it and make sure they don't make stupid mistakes again.


    Think about it; we can't allow every damn fool ISP and dot-com to make
    stupid mistakes that have negative side effects on our own networks. The
    old social mechanisms of peer scorn and of retaliatory blockading don't
    work so well anymore, both mainly because there are already too many damn
    fools who aren't even aware of what they're doing wrong or thatanyone else has a problem. (Many of the new-skool dot-com admins treat
    old-school admins with the same snideness that jocks treated the geeks in
    high school with; e.g. of being "too picky" or "too anal" about network
    config issues. Or even worse, will insist that the old schoolers are the
    ones breaking things.)


    As for Nike, in terms of being negligent: Who is responsible for all the
    traffic going to the domain nike.com? It's Nike, who is the sole
    advertsier of the domain. Nike's target audience is a segment of the
    population that doesn't visit web sites unless (ironically) their URL has
    been advertised on TV. So the amount of traffic going to nike.com is no
    accident. I expect the plaintiff will argue that Nike is therefore
    accountable for where that traffic actually goes.
    If my dog, for example, gets loose and chews up the neighbor's azaleas, I
    can be found accountable for the damage, because I was negligible for not
    keeping him secured. Likewise, Nike.com may be held accountable for the
    traffic they have generated for the nike.com domain going to the wrongplace, if it turns out they didn't take sufficient measures to ensure that
    their domain wouldn't be rerouted.


    Yes, this could have bad side effects on the Slashdot effect. I don't have
    any ideas on that one, but there are differences between being negligent
    with your OWN domain and simply drawing traffic to another person's site.


    (Of course, if they rule this week that hyperlinks are illegal, that won't
    matter anyway.)
    --

  • You think that's a joke - but does anyone remember when Micros~1 tried to have a go at someone for publishing benchmarks about SQL Server performance?

  • I was attempting to point out another angle an "ambulance chaser" might take, not condoning it.

    I hope all suits like these are simply discarded by the courts before they waste too much of our time & money! :)

  • Security is definitely at question, but what's wrong with the ISP being bogged down. AFAIK, the ISP really doesn't put limits on how much bandwidth a customer can use. Unless it was in the terms of the contract somehow, I don't see how this ISP could possibly have a case against Nike!
  • When you buy coffee, do you expect it to be near-boiling? Do you expect it to cause third degree burns if spilled on you?
  • I mean this is a world of lawsuits now. If I can blame a problem on someone else regardless of whos at fault......LETS FILE SUIT, While Where at it I still need money for smoking cause the tabbaco companeys made me smoke, and Drinking I must sue BUSH cause they made me drink.

    Welcome to the New Golden Age
  • Will this be the first time a person or organization was sued for not having strong enough Internet security? If so, then I'm glad it's happening just for the reason of getting the precedent set. Personally, I think that such a suit is somewhat scary: what if someone cracks my FreeBSD box at home, uses it in a DDOS attack, and my ISP (who is currently very nice to me) decides not only to terminate my account, but sue me? If such a thing became common, it would be an anti-boon for many individuals or small groups who want to run their own servers and don't have a large IT staff to manage security for their site. ISP's could say "Use our hosting services or take the chance of being sued". Yikes!
  • This guy is in the U.K.

    ---
  • Nike has a fair ammount of legal clout
    which allows them to not be sued for crimes against little kiddies in sweatshops that work for food while I pay $90 for 'em

    This is my first troll, i have ten karma, be as mean as you like
  • how do we know it wasn't a set up and that it was the this Smith bloke who hijacked nike.com, or got someone else to do it for him.

    i mean - it's a nice and easy way to make money

    ------------------

  • What an idoit (Score:5)

    by Squirrel Killer ( 23450 ) on Thursday June 29, 2000 @04:54AM (#968542)
    Per this moron's own site [shameonnike.com]:
    To put it in simple terms, someone changed the information held by Network Solutions, Inc. (NETSOL) so that instead of the three DNS entries shown:

    DNSAUTH1.SYS.GTEI.NET
    DNSAUTH2.SYS.GTEI.NET
    DNSAUTH3.SYS.GTEI.NET

    ...new DNS values were provided to NETSOL which resulted in the domain name being 'pointed' to another NameServer. In this case, the domain was pointed to the primary and secondary NameServer for FirstNET Online (Management) Limited.

    Then (presumably) the same person or persons gained access to our boot file and added the following line of text: (the boot file tells the server which domains it is hosting or reporting DNS for)

    primary nike.com nike.com.dns

    So, let's get this straight...

    • Hax0rs fool NSI to change the domain
    • Haxors break into this guy's server to facilitate fooling NSI
    • And Nike is to blame for all of this!?

    This suit is patently ridiculous and should get thrown out as soon as Nike's lawyers say "We had nothing to do with this." Then the lawyers should say, "Here's our counter-suit for this bonehead aiding the hax0rs." Nike does have a legitimate suit against Smith and NSI.

    It is Smith (or his host) who is to blame for lax security on his own box, and NSI who is to blame for their incompetant SOP for domain transfers.

    -sk

  • I got an e-mail from NSI yesterday saying that they're offering a new authentication method: you e-mail them your request, they e-mail you back, and you have to reply to their e-mail. That would most likely solve this sort of problem. Why didn't NSI think of this years ago?

    --

  • I see a point in there...

    It's the case where a thief got into your car (by your lack of adequate security) and banged into the third person, then you are in some aspects partly responsible for the accident.
    Because it was with your "careless permission" (note the meaning), that the thief got into the car!

    The same applies to this case. You should choose your domain incharge carefully, otherwise all you may get is these lawsuits!

  • Think about it idiot. Nike can't be held responsible for this. It wasn't even their servers that were hacked. Someone changed the Domain Name database at NSI. NSI has a history of changing Domain information on request of hackers so how can Nike be blamed for that. This guy has no case and should be required to pay a fine for wasting the court's and nike's time.

  • Off topic, but since it was brought up... (Score:3)

    by TrentC ( 11023 ) on Thursday June 29, 2000 @08:35AM (#968546) Homepage

    Often when people launch frivolous lawsuits, the company will settle to avoid legal fees and embarrassment, in some situations, the person suing can play for sympathy (like that pathetic old lady that dumped coffee all over her lap, and sued McDonald's for the burns).

    I'm going to have to write this URL down, I keep looking for it so often.

    http://www.injurycases.com/coffee.html [injurycases.com]

    The McDonald's Hot Coffee Case
    Some Facts You Might Not Have Known

    Of the many injury cases that have been decided over the past ten years, none have received as much publicity as the case of Stella Lieback v. McDonald's Corp. In this case, a 79 year old New Mexico woman suffered third degree burns as a result of spilling a cup of coffee she had purchased at a McDonald's restaurant. the case has been endlessly criticized and made fun of in radio commercials, on talk shows and the like. In fact, if you ask the average person what they think of the case, the usual response is something like, "Can you believe a jury gave millions of dollars to a woman for simply spilling a cup of coffee? Isn't that ridiculous?"

    However, a closer look at the facts shows that this case was actually an example of where the system worked.

    At the trial of this case, it was revealed that while coffee served in your home, in a restaurant, on an airplane or in a fast food establishment is normally in the range of 135-145 degrees, McDonald's routinely sold its coffee nationwide at 180-190 degrees. Liquid heated to such a high temperature becomes extremely dangerous when it comes in contact with human body tissue. That is why on the date of her accident, after the car in which she was a passenger came to a full stop - and Ms. Lieback tried to lift the lid of the cup of coffee off while she held the cup between her knees and accidentally spilled the liquid on her thighs and genital area - the burns were immediate, painful, and serious.

    As a result of these burns, Ms. Lieback had to undergo skin grafts, required hospitalization for several weeks, and incurred medical bills in excess of $10,000. Later, when her family attempted to negotiate with McDonald's to at least have the medical bills paid, and McDonald's was not willing to do so, it is understandable why a lawsuit was filed.

    In pretrial discovery, Ms. Lieback's attorney learned that McDonald's had already been sued some 700 other times(!) for burn injuries caused by their hot coffee- and that they had routinely settled with the injured party, requiring each person to sign a confidentiality agreement, barring the person from talking about the nature of settlement. At the trial of the case, a McDonald's representative maintained that it was appropriate to continue to serve the coffee at 180 degrees, although people were going to get burned, because the numbers of burned people were "statistically insignificant."

    The jury, which was inclined at the beginning of the trial to laugh the case out of court, was so enraged by McDonald's attitude that they found for Ms. Lieback. They awarded $200,000 in compensatory damages, reduced to $160,000 after the jury concluded that 20% of the fault belonged to her. They also awarded punitive damages - to punish McDonald's and to deter other corporations from doing the same thing in the future - in an amount equal to what McDonald's earns from selling coffee in only two days nationwide, $2.7 million. This figure was widely publicized, so that radio commercials and other sources have reported that "the woman got millions." In fact, the judge later reduced the punitive damage award to $480,000 and the parties settled for a lesser amount - facts which the commercials fail to disclose.

    Importantly, as a result of this lawsuit, McDonald's eventually announced that it was going to begin serving coffee at a lower temperature - and reportedly that change has occurred. The McDonald's case is a good example of how the press and other interest groups can sometimes misreport an incident to serve their own purposes.

    (The emphasized parts above were done by me.)

    Jay (=

  • In that case your insurance company handles it and sues the criminal who stole the car for all he's got.
  • My point was to look at the issue more generally than our usually narrow computer-driven perspective, and to draw analogies in other places which might make the mess a little less murky, and a little less of a technical "did they have x and y and z procedures in place" without the benefit of a larger perspective. In this particular case, my intention was to demonstrate that while we could get bogged down in a bitter and detailed "blocked services" and "secure passwords" (and so on) discussion, it could be reduced to a simpler, albeit still familiar, problem by drawing a parallel with which we are all familiar.


    if ($user =~ m/shaldannon/i) {
    print "\n-- $user :)\n"
    }
  • Always use bold tags.
    To Karma Whore well you need
    Visibility.
    Negligence is an interesting issue. How secure does a server have to be before it is free from liability? I used to work for a law firm, and I've seen Nevada casinos sued many times for having inadequate numbers of security guards. (Do these suits win? I don't know, because we always, always, always settled. Trial is expensive.)

    I'm racking my brain for a good, solid analogy to a web server, but it really feels like apples and oranges. Should a corporation be liable and open to lawsuits simply because it uses Microsoft products?

    In conclusion, this suit is in some ways a good thing, because we really need to bring this sort of issue to the attention of the courts so they can formulate some kind of clear law on the matter.
  • That's the funniest thing I've read all day :)))

    (and no, you don't need to feel obliged to get me on their spam list ;) )


    if ($user =~ m/shaldannon/i) {
    print "\n-- $user :)\n"
    }

  • Re:The problem with analogies... (Score:5)

    by mcsnee ( 103033 ) on Thursday June 29, 2000 @09:14AM (#968556)
    Ok, here's what it's _really_ like.

    You buy a goat, 'cause you like goat milk. Then some guy shoots your goat with a gun that somebody else left lying around in some unnamed fourth party's unlocked car. But, get this... the GOAT DOESN'T DIE! So then the guy with the gun (Guy-sub-Alpha) sues the owner of the car, for leaving his door unlocked so that guy-sub-alpha could steal a gun that was incapable of killing a freakin' goat.

    And there you are with a bloody, wounded goat on your hands, wondering what happened.

    You see what I'm saying?

  • Re:Uh huh (Score:5)

    by kwsNI ( 133721 ) on Thursday June 29, 2000 @04:58AM (#968562) Homepage
    But Nike didn't DoS them. Hell, Nike didn't do anything. Someone else sent NetSol an (unencrypted) e-mail spoofed to look like the billing contact for nike.com asking to change Nike.com to their control. For one thing, this person wasn't supposed to be able to controll the domain name and for another, it was supposed to be an encrypted e-mail. NetSol screwed up on this one.

    Yes, he may have been inconvienenced by this. Now, if he wants to sue someone, sue the hackers that were responsible. Hell, sue Network Solutions for their screw up. Nike isn't the one that did something wrong.

    Personally, I think it's part of being on the internet. To me, this is the same thing as owning a store on a street and trying to sue the store down the road because protesters gather out in front of it and the traffic jam they cause hurts your business. Sorry. C'est la vie. It's life, get on with it.

    I've worked in customer service and tech support for an ISP before. Tell your clients what happened and most of them will understand. If you loose a few customers, that's business. They can go to another network and the next domain hijack can hurt them again. Most people realize that they can be hit by this anywhere on the net, regardless of their network.

    kwsNI

  • Please note the light mood in which the post was made, and the general responses (especially the 'Funny' moderation). Sit back, relax, and enjoy the show.

    Also, it's not quite certain that NSI didn't screw up - if the email came unencrypted and they made the change, NSI is at fault. It was supposed to be encrypted, and they claim that the forged mail was supposedly from the billing contact, who doesn't have authority to request those changes anyway. 0 for 2...

    I wouldn't put a lot of faith in the guy raising the suit (not clear whether he was the one who initiated this in the first place), but Nike should have a case against NSI if the other points hold true. I can't see how they 'deserved the hack'. NSI may be hapless (that's never been questioned), but in this case they may have been willfully negligent, and there are many reports of the same problem with other domains they control. We'll see what happens. Should be interesting.
  • I bet Smith thinks he's just purchasing a ticket in the American Legal Lottery. He probably doesn't realize that frivolous lawsuits aren't any more socially acceptable in the US than in the UK.

    People outside the US seem to think all US citizens are rude, poor listeners, carry guns, and sue each other at the drop of a hat. If Americans don't fit that image, they are assumed to be Canadian.

    Seriously, I was asked in Australia, "Did you bring your gun to Australia?" Pretty sad. I'm not a gun-control supporter, but I don't own any guns either.

  • ...if a kid falls in and drowns. Same principle.

  • The trouble is that it's usually pretty easy to pick a lock (As long as it has a single side, and a single tumbler) by the rake method; Put one thing in the lock, turn it in the direction it's supposed to go, and then rake something (like a bent pin) over the pins in the lock. If you get the pressure right, and the lock sucks (Like a master, for example) then the pins will get stuck down to the right degrees and you can open the lock.

    Also, as previously mentioned, some key sets just don't come in very many combinations. There are about twenty different key configurations for BMW motorcycles, which is abominable enough; But there are only about five different combinations on BMW motorcycle luggage, and they use the same keys as the ignition, just using a smaller number of pins. This equates to it being REALLY EASY for one BMW motorcycle owner to open a significant number of lockers on other peoples' bikes.

  • You can sue for anything. Winning is a different matter. Heck, getting the suit before a court is a different matter.

  • Haiku? (Score:2)

    by Tower ( 37395 )
    Nike Rerouted
    ISP is Hopping Mad
    NSI to Blame

  • Re:Well, the popular answer would be... (Score:3)

    by RobNich ( 85522 ) on Thursday June 29, 2000 @05:30AM (#968597) Homepage
    Dear Customer,

    IMPORTANT ACCOUNT ENHANCEMENTS SCHEDULED: SECURITY UPGRADES
    MAY REQUIRE ADDITIONAL STEP BEFORE CHANGES ARE MADE
    ************************************************ **
    Security for our customers has always been a top priority
    at Network Solutions. Now we are taking that even further
    as we merge with VeriSign, one of the industry leaders in
    Internet security. We all recognize information security is
    vital on the Internet, and we want to assure you that we
    constantly monitor security and maintain systems that help
    protect you and your information. This message is about
    changes in our guardian security system.

    WHAT DOES THIS MEAN FOR ME?
    ************************************************ **
    When you first registered your domain name you may have
    selected a security option. You then currently have one
    of three Guardian authentication methods: "Mail-From,"
    Password (Crypt-PW), and Secure Encryption (PGP).

    With our upcoming upgrade, customers who have not yet
    selected a security option will be migrated to "Mail-From"
    security. Customers who currently use the "Mail-From After
    Update" Guardian authentication method will now have to
    respond to an e-mail security check before the requested
    changes will be implemented. Customers who currently use
    existing Guardian security options do not have to make
    any changes at all.

    WHAT WILL HAPPEN WHEN I REQUEST A CHANGE?
    ************************************************ **
    NSI is enhancing "Mail-From" with an additional e-mail
    security check. Specifically, NSI will e-mail a validation
    request to the specific administrative and technical
    contact listed for a domain name before making any
    modification to that domain name. This means, if you have
    "Mail-From" security, NSI will no longer implement a
    requested change until we receive e-mail verification
    confirming authorization from either contact. It's an extra
    step, but it's worth it to protect your account.

    WHEN WILL THIS HAPPEN?
    ************************************************ **
    We have scheduled the modification for Saturday, July 8,
    2000, so you should check your account information to see
    if it is correct. Actually, it's a good idea to check your
    account periodically anyway.

    To make modifications easier, we provided easy-to-follow
    instructions on our web site at:
    http://info.networksolutions.com/go/t/security/g uardian/

    Additionally, we updated the contact form FAQs, which can
    be found at:
    http://info.networksolutions.com/go/t/security/c ontact1/

    Please note that we continue to enhance security. Future
    security plans include the use of VeriSign certificates
    for authentication. But don't worry; we will keep you
    completely informed about these upcoming changes.

    If you have further questions or concerns about this
    current security upgrade, please contact our Customer
    Service Department at:
    http://info.networksolutions.com/go/t/security/c ontact2/

    Sincerely,
    F. Michael Kyle
    Vice President, Customer Service
    Network Solutions(R)
    a VeriSign(R) company


  • At the trial of this case, it was revealed that while coffee served in your home, in a restaurant, on an airplane or in a fast food establishment is normally in the range of 135-145 degrees, McDonald's routinely sold its coffee nationwide at 180-190 degrees.

    (Gasp!) What a shocker!!!! I never heard that side of the story before, let alone have I heard it over and over and over by whiney crybabies who simply can't accept that a faceless corporation might not be the bad guy in every single case.

    Look, the reason McDonald's coffee was hotter than the stuff you got out of your pot at home was not because of some nefarious corporate scheme to burn old ladies. It was hotter because most of their customers wanted it that way! The typical McCoffee drinker is a blue-collar 9-to-5er who buys the coffee on their way to work, and doesn't actually drink it until much later, sometimes a half hour or hour later. In order to prevent the coffee from being as cold as a witch's t?? by the time they drink it, the coffee was sold hotter than the temperature you would normally drink it at.

    It may have been extremely hot, but this woman jammed the coffee cup into her crotch and drove off without even checking if the lid was secure; and when she spilled the molten stuff all over her groin, what did she do? She kept right on driving while the skin on her lap was being destroyed.

    I knew that the judge reduced the punative damages, and when he did so, it was because the original ruling was absolutely insane. The final judgement was still far more than she had a right to ask for, and I'm sure her ambulance-chasing lawyers collected most of it anyway.

    Thanks to this old bat not taking responsibility for her own actions, thousands of schlepps that can't afford the good stuff are chugging down their morning brew right away on the highway commute while it still is above body temperature, which can't be much less dangerous than hot liquid in a cup.

  • Netsol updated the nike.com NS records based on a bogus email.

    This ISP had their nameserver hacked, and the hacker created a nike.com zone.

    And.... nike is at fault? None of this had anything whatsoever to do with any system even remotely controlled by Nike...

  • The *real* gun liability rhetorical question.... (Score:3)

    by coyote-san ( 38515 ) on Thursday June 29, 2000 @06:32AM (#968602)
    I *really* hate it when people misquote the rhetorical questions used to illustrate legal principles....

    The original rhetorical question is "if one were to leave a loaded gun ON AN OPEN WINDOWSILL and a passerby picked it up..." The key phrase is "open windowsill" - it's at a location where the owner is nominally in control of it, but anyone passing on the street could easily grab it. Hell, it's at a location where it could be easily knocked out of house without deliberate effort. The gunowner is clearly acting negligently.

    (A modern analogue to this question is someone leaving a gun in plain sight in a locked car. This requires smashing a car window, but the risks of a parking lot "smash & grab" are less than a home burglary.)

    In contrast, put the gun more than an arm's length away from the window and it's *far* harder to claim that the owner is negligent. Put the gun out of reach and out of plain sight (e.g., in a closed nightstand or a locked glove compartment) and claims that the gunowner was negligent if the gun is subsequently stolen start to wear very thin - by that metric, some people will argue that their responsibility *requires* that they keep their gun on their person at all times!

    N.B., the cited quote doesn't even posit that the gun was stolen from a house or other area where the gunowner has a reasonable expectation of sole dominion - he's trying to bring to mind the image of a latter-day Johnny Appleseed prancing through a park tossing out loaded guns. Of course that's an unspeakably reckless act.

    For some reason most people here seem to assume that he's refering to home burglaries, and while it's true that some jurisdictions have vicarious liability laws the general principal remains - as a rule people aren't held responsible for reasonable omissions, and almost never when those omissions are required by reasonable actions.

    (E.g., you put a pie on the windowsill to cool, someone steals it, burns their fingers or mouth, and sues you. They'll have a *very* hard time winning since you had to put the pie *somewhere* to cool.)

  • Re:Using an analogy .... (Score:3)

    by Anonymous Coward on Thursday June 29, 2000 @05:08AM (#968615)
    If I left my parked car unlocked and someone hopped in and stole it - proceeded to drive down a freeway, had a accident and caused a major traffic pile-up where several people died, would I be responsible?

    I would say no.
    Actually, teh funny thing is that in New York (and until recently in Illinois), under a law known as vicarious liability, YOU are responsible for the actions of your vehicle, EVEN IF SOMEONE STEALS IT!!!!

    Rental car companies hate this law. I don't know if other states have it, but the rental car agency I used to work for had locations in Illinois and New York that were constantly getting sued... A great example is one that happened in New York. Lady rents a car from us and drives it home. She lets her SIXTEEN YEAR OLD son drive the car. Now, this is wrong in two ways. Our rental agreement says nobody under 25, AND if their name/driver's license isn't on the contract, they can't drive the car. So anyways, he takes this car around, and mows down a five year old kid on a street (The poor kid spent two months in the hospital, but is OK now.) The best part is, the cops wind up sending the kid home in the car, even though they found it was a rental. Even better is that this kid doesn't tell his mom what happened! Three months later, our rental agency gets a lawsuit for $3 Mill (BTW - The kid and his mom were named co-defendants, so this is when she found out about it!!). I never heard how the case wound up as I left the agency before it went to court...

    Anyway, the rental car agencies hate this law so much, that they banded togehter in Illinois and gave LOTS of money to the state legislature to get it removed there...

  • The ISP has this to say... (Score:3)

    by jtroutman ( 121577 ) on Thursday June 29, 2000 @05:12AM (#968618)
    This site [askfol.com] has the ISP's POV. Mostly it's a lot of "poor little me" crap, but they do give more information on how this actually occurred.

  • The problem with analogies... (Score:5)

    by Quintin Stone ( 87952 ) on Thursday June 29, 2000 @05:35AM (#968623) Homepage
    ...is that you can make up any shit you want and people never seem to ask themselves "Does this analogy make sense?"

    Nike left no loaded gun lying around. It wasn't their lack of security, it was Network Solutions. Even if Smith is right and Nike chose the lowest security model, so what? NSI is the ones who were offering it, right? Smith is basically saying that the low security model is itself criminal because it's too easy to break. And yet, it was Smith's system that was hacked, in order to introduce the Nike DNS info on his box. Who's security is actually at fault?

    You want an accurate analogy? Okay, here it is: I buy a car. Some guy goes to the manufacturer of my car, tells them that it's his and he needs another copy of my car key. The manufacturer just fucking gives it to him, he steals my car and drives it into some guy's store, smashing it and causing a lot of damage. The store owner sues me because I didn't buy the super deluxe model of the car that comes with a code-activated alarm system. Well, shit, what was I thinking?

    I ask you: which analogy is more accurate? Who is really at fault?

  • ...is that you can make up any shit you want. People never seem to ask themselves "Does this analogy make sense?"

    Nike left no loaded gun lying around. It wasn't their lack of security, it was Network Solutions. Even if Smith is right and Nike chose the lowest security model, so what? NSI is the ones who were offering it, right? Smith is basically saying that the low security model is itself criminal because it's too easy to break. And yet, it was Smith's system that was hacked, in order to introduce the Nike DNS info on his box. Who's security is actually at fault?

    You want an accurate analogy? Okay, here it is: I buy a car. Some guy goes to the manufacturer of my car, tells them that it's his and he needs another copy of my car key. The manufacturer just fucking gives it to him, he steals my car and drives it into some guy's store, smashing it and causing a lot of damage. The store owner sues me because I didn't buy the super deluxe model of the car that comes with a code-activated alarm system. Well, shit, what was I thinking?

    I ask you: which analogy is more accurate? Who is really at fault?

  • Uh huh (Score:3)

    by Stickerboy ( 61554 ) on Thursday June 29, 2000 @04:33AM (#968631) Homepage
    Exactly how did his ISP suffer? Emotional damages? Those big, bad packets scare customers away?

  • Interesting. It's like I have the right to do a full security audit on everyone else's servers since any one of them has the potential for being hacked, and thus could be used as a place to hack MY servers.

    Can you get sued if you leave your keys in your car, and someone goes out for a joyride in your Saturn and drives through a shopping mall(like the Blues Brothers)? If so, it's time to do a big security sweep, MY profits are at stake!

  • Nike shouldn't worry too much (Score:4)

    by Jon Erikson ( 198204 ) on Thursday June 29, 2000 @04:34AM (#968637)

    Shit, what's next? Will you be sued for having an angry mob smash your house up because they blocked the road you live on? This seems to me like a blatent attempt by an ISP to make a quick bit of cash off of a flimsy excuse, something which the US has a lot of unfortunately for it, and anyone that gets involved with it.

    This bloke seems like a bit of an arsehole anyway - setting up an online bookstore called Amazon.gr is not the actions of someone who is really dedicated to starting up an online business, it's the actions of someone trying to cash in on the dot-com craze.

    If I were Nike I wouldn't be too worried about this at all - the guy is an idiot out for easy money and any judge with half a brain will see that and throw the case out.


    ---
    Jon E. Erikson

  • Sue Microsoft... (Score:5)

    by Anonymous Coward on Thursday June 29, 2000 @04:34AM (#968638)
    ...for hijacking my servers. Slower than molasses. I guess I shouldn't have installed Win2000.
  • This has got to be the first lawsuit involving Nike in quite some time that hasn't had anything to do with exploitation of child labourers in sweatshops...

    kudos for finding something Original to sue Nike for!!!

    bet they didn't see that one coming!!

  • Well, the popular answer would be... (Score:3)

    by Tower ( 37395 ) on Thursday June 29, 2000 @04:34AM (#968640)
    sue the ass off of Network Solutions!

    "If anyone screwed up, said Casler, it was Network Solutions, which apparently allowed the hijacker to change Nike's registry information on the basis of a spoofed email from the Nike billing contact -- a person that did not have password authority to make changes to Nike's domain status."

    Yeah, everyone knows that they are a bunch of swindling, boorish jerks. We've heard it before, we'll hear it again...

    On a more realistic note, I don't think that Nike can/should be held repsonsible, if in fact, NSI made a change due to an email from an unauthorized account (the billing contact). More details need to be seen on this one - still not good, whatever happened...
  • No it's not.

    In most all localities (talking US here) it's against the law to not have a security fence around your pool

    Unless a lot of new legislation was passed while I was asleep last night it is still perfectly legal to have lax security on your server.

  • Sue NSI, not Nike (Score:3)

    by exploder ( 196936 ) on Thursday June 29, 2000 @04:34AM (#968643) Homepage
    This guy claims that Nike was negligent by only using mail-from authorization with Network Solutions, allowing anyone who can spoof an email to hijack their domain. Apparently, if Nike is to be believed, they had crypt-pw security, but NSI simply ignored it. The article claims that NSI has done this before. If all this is true, then I'd say the guy has a pretty good case against NSI, and that Nike probably does as well.
  • It appears to me that there are some parallels between domain hijacking and airplane hijacking :)

    It seems that if you take reasonable precautions to prevent hijacking, then you shouldn't be held liable for one that takes place. On the other hand, if you're wide open (e.g., no metal detectors at the terminal), then you deserve a lawsuit.

    Not being familiar with Nike's security precautions and procedures, I can't speak for whether they were reasonable or not.


    if ($user =~ m/shaldannon/i) {
    print "\n-- $user :)\n"
    }
  • This suit is patently ridiculous and should get thrown out as soon as Nike's lawyers say "We had nothing to do with this." Then the lawyers should say, "Here's our counter-suit for this bonehead aiding the hax0rs." Nike does have a legitimate suit against Smith and NSI.

    You know, that may be the best suggestion yet. If Smith can claim that Nike's security was lax, Nike can surely claim the same of Smith's ISP for letting his DNS servers get h4x0r3d (assuming he didn't do that himself, which he claims he didn't).

    In order for there to have been a major problem, he must have had nike.com in his nameservers pointing to the IP of one of his customers. If this was just about getting gazillions of DNS queries, well, that doesn't eat up that much bandwidth, and BIND should be able to handle the load just fine.

    --

  • But if he had secured his own server so that the crackers couldn't have broken

    It wasn't broken into. Just that packets were directed at him rather than at Nike.

    Apart from that your analogy is quite accurate. Although I'd say it was more like the bank suing the owner of the car that was stolen as a getaway vehicle.

  • Similarly... (Score:4)

    by GeekLife.com ( 84577 ) on Thursday June 29, 2000 @05:45AM (#968660) Homepage
    Can a pawn shop sue burglary-victims if the pawn shop's inventory is repossessed by the police?

    Can I sue the St. Louis Cardinals if the traffic created by people getting to the stadium causes the ambulance to my house to be late and my mom to die?

    Could I sue 1(900)Mix-A-Lot if the phone company accidentally switched the lines so I got all those phone calls?

    Seems like the ISP could legitimately sue the hijackers, but it's obvious he's just looking for the biggest pot of money and suing them, relevant or not.
    -----

  • Both sides (Score:3)

    by 2starr ( 202647 ) on Thursday June 29, 2000 @04:38AM (#968669) Homepage
    I can see two sides of this:

    1) He (Smith) has a point if Nike was negligent. Just like there are laws if someone gets hurt on your property because of negligence on your part, there should probably be some similar laws in cyberspace. Now exactly how you define those... I'm not sure. Maybe check to see if the people have kept reasonably up-to-date with bug patches?

    2) If someone steal a gun from your house and goes on a shooting rampage, are you responsible? (Well, probably again it depends whether you were negligable or not.) But, assuming that the person was responsible... how can you blame them?

    Bottom line - I do think web sites have a responsibility to be attentive to protecting their resources and ensuring that they don't hurt other with them... but beyond doing your best, you can't do any more.

  • A good lawsuit... (Score:5)

    by Picass0 ( 147474 ) on Thursday June 29, 2000 @04:39AM (#968671) Homepage Journal
    Wouldn't it be great if somebody sued the American Bar Association for allowing such frivolous lawsuits to choke our legal system?

  • A more likely story... (Score:3)

    by Natedog ( 11943 ) on Thursday June 29, 2000 @02:27PM (#968672)
    After reading this story, several other stories about this event, and Smith's web page (www.shameonnike.com) I think that one of 2 things actually happend.

    First, notice that this page calls Nike's buisness practices "shabby" and at the bottom of the page there is a "Boycott Nike" icon. This seems to me like someone that is emotionally connected to a movement against Nike (in and of itself this is not a bad thing) - the point is that this lawsuit sounds like it is based more on a bias than facts and laws.

    So I think one of two things is actually going on:

    1) Smith or his freinds are responsible for the crack and their plan was to redirect people going to www.nike.com to their own web sites against nike. I went to http://212.92.192.218 (from the dns file on Smith's web page) but this address no longer hosts any web pages. This crack caused negative press for the movement against nike so Smith is trying to divert the blame

    2) Smith was indeed a victom of the crackers but he is sympathetic to what they were trying to do and doesn't like nike himself so again he's trying to throw mud on nike hoping some of it will stick (I think this is the most probable)

    For all of you out there that think I might be saying this because I'm a nike fan - well I'm not. I haven't purchased anything from Nike for 3-4 years (only Dr. Martins) and I don't like the way they exploit forgien labor.

    BTW - I saw an Investigative Reports on A&E last night (I think that was the program) about passangers that tried to sue Amtrack for injuries that were caused by a sabatour that derailed the train. The Judge ruled that the derailment was caused by the sabatour and not Amtrack and Amtrack won the case and counter sued for legal costs and won.

  • Someone should initiate class action against NSI for their consumer practices. Ralph Nader could have a field day with DN registrations and other related matters.

  • Way I see it, it's a bit like a chain collision on the highway, you dont go after the guy waaaay down the back who first hit, your insurance comapny goes the vehicle that hit YOU, who in turn goes the vehicle behind etc...

    You've never been in one of those wrecks. From experience, the insurance companies all went after the original car because it was their fault. That went for my insurance and the guy in front of me when I was in the middle of a 3 car wreck. But, I appreciate the analogy - wrong as it was - you still proved my point.

    kwsNI

  • Nike's DNS records were hacked, yes yes, and maybe they used poor security,
    yes yes. However *HIS* systems were comprimised by the hacker, his OWN DNS
    was reconfigured, and his OWN server was rebooted.

    If the hacker logged in and did a mke2fs /dev/sda on his computer, would he
    still sue nike? [Your honor, Nike is responsbile on the grounds that
    because after the hacker changed their domain, he was angered by the nike
    swoosh into a destructive rage, and he destroyed my server.]

    Anyway, how much "server load" can be rendered by DNS lookups for nike.com?
    Has anyone ever BEEN to nike.com before? S11.org obviously had CONSIDERABLY
    more traffic then this guy; and he could EASILY have fixed his "traffic"
    problem, by removing his hacked DNS records

  • Re:Does this come as a shock? (Score:4)

    by Golias ( 176380 ) on Thursday June 29, 2000 @07:21AM (#968688)
    Often when people launch frivolous lawsuits, the company will settle to avoid legal fees and embarrassment, in some situations, the person suing can play for sympathy (like that pathetic old lady that dumped coffee all over her lap, and sued McDonald's for the burns).

    In this case, Nike has no reason to settle. Their case looks lead-pipe solid, and (from what I can see) the person suing them is a whining little bitch of an ISP sysadmin.

    Even though nothing is likely to come out of this lawsuit, it will be played up in the news because so many people hate Nike. They charge "too much" for their shoes, they use overseas labor for their manufacturing, and they paste that Swoosh-thing on every flat surface within 5 miles of every stadium and golf course. On top of that, they are playing those stupid "Mrs. Jones" comercials, where a cardboard blaxploitation character talks jive into a radio microphone about how women athletes should be paid the same absurdly-high salaries as the men, even though hardly anybody watches them.

    Yessiree, plenty of reasons for people of various political stripes to hate Nike... but this isn't one of them. I hope they win, and get counter-damages for having to waste their time on it.

  • The Bad Precedent is the Red Herring (Score:5)

    by Effugas ( 2378 ) on Thursday June 29, 2000 @05:51AM (#968693) Homepage
    Look.

    I'm fully of the opinion that if you have completely incompetent security policies, and those policies lead to direct monetary damage to another party, you should probably be somewhat liable, at least to the degree of your incompetence.

    The best example would probably be a fully loaded hospital intranet complete with patient charts and remotely writable data--with no firewall against the Internet. Somebody dies? Somebody is definitely liable.

    But this case is bizarrely inappropriate. Nike had a security policy that depended on a shared secret--the name of the user authorized to issue changes. The shared secret was not disclosed by Nike nor discovered by the attackers, but NSI allowed the switch anyway. I find it hard to believe that this was not an automated process--a request to change the domain of a transnational company comes in, and the new IP is to some tiny guy; you can bet no human approved THAT transaction--despite what NSI might have you believe. Therefore NSI is in breach all over the place, and they're liable.

    I think the real strategy here is to force Nike to sue NSI...by making Nike do all the legwork of proving that this was Network Solution's fault, suddenly NSI has a very big and very angry enemy indeed. It's co-option of a very large legal department, and in that context, it's a damn brilliant idea.

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com

  • Using an analogy .... (Score:4)

    by dustpuppy ( 5260 ) on Thursday June 29, 2000 @04:42AM (#968702)
    cos sometimes its fun :) ....

    If I left my parked car unlocked and someone hopped in and stole it - proceeded to drive down a freeway, had a accident and caused a major traffic pile-up where several people died, would I be responsible?

    I would say no.

    However, if you use the analogy that Smith used: if one were to leave a loaded gun laying about and if another person picked it up and killed someone with it, the owner of that gun would be held responsible for negligence

    I would say yes.

    So what is the difference? I don't know myself - I just thought I'd provoke some thinking amongst everyone and hopefully someone else who is thinking straight at the moment (it late at night here) can give some insight! :)

Slashdot Top Deals

Lots of folks confuse bad management with destiny. -- Frank Hubbard

Close