product liability (was 'we should all be uncomfortable with the extent to which luck..')

Joe Shaw jshaw at insync.net
Wed Jul 25 13:17:30 UTC 2001



On Wed, 25 Jul 2001, William Allen Simpson wrote:

> Perhaps a different approach is in order -- product liability.
>
> When Firestone made a large number of bad tires, they compensated the
> purchasers by PAYING for replacement, including those that had not yet
> been injured.  That included the upgrade, and the installation cost.

The problem is, how many people believe MS puts out bad software?  It
never ceases to amaze me that no matter how many IT shops I go through for
various reasons and no matter how many problems they've had with MS
software, they still consider it to be top notch.  They don't even believe
there's a problem.

And with this latest threat of code red, Microsoft would have been covered
anyway, because a patch for this exploit existed well before CodeRed hit.
They released a patch for the indexing server on June 18, 2001, which as
you know is a full month before CodeRed.  So, people had a MONTH to
prepare for something like this, and it's a sad statement that they did
not.

> Network operators have been injured by the distribution of buggy
> software from M$.  We need to be compensated for our time and expenses.

And should Microsoft's "good name" be tarnished because you didn't update
with a security fix that they already had available a month in advance?

> A check in the mail would be a better incentive to administrators than
> "automatic" updates.

I think this is flawed.  And furthermore, let me state that we're trying
to make this a technological problem, when ultimately it's a human one.  A
human somewhere wrote some bad code.  It happens, and continues to happen
on a daily basis.  You'll find examples of it on sourceforge, on mailing
lists, and in commercial operating systems today, and I guarantee that
you'll see other examples tomorrow.  Because as long as humans write code
and make silly mistakes you will continue to see security vulnerabilities.
It's not just a Microsoft problem.  It's a Microsoft, Linux, *BSD,
Solaris, Cisco, <insert vendor name here> problem.

And then let's not forget that, as previously stated, CodeRed exploits a
known bug and that a vendor-provided patch was already in existence.  The
problem is that too many admins were too lazy or ignorant and didn't
install the patch or implement the workaround to make them immune to this
bug.  How would a check have helped them in this case?

Security requires vigilance, and there seems to be too little of it out in
the world.

Regards,
--
Joseph W. Shaw II
Network Security Specialist/CCNA
Unemployed.  Will hack for food.  God Bless.
Apparently I'm overqualified but undereducated to be employed.
