product liability (was 'we should all be uncomfortable with the extent to which luck..')

William Allen Simpson wsimpson at
Wed Jul 25 14:04:19 UTC 2001

Roeland Meyer wrote:
> > From: William Allen Simpson [mailto:wsimpson at]
> > A check in the mail would be a better incentive to
> > administrators than "automatic" updates.
> Now *there's* a thought. However, all software companies carry product
> liability insurance. It's sometimes called a shrink-wrap license. You might
> actually try reading it the next time you purchase and install software.

I'm not a party to the EULA.  

For the sake of argument, ISPs are the party that the SUV hit when it
rolled over after the tires exploded....

(actually, because of our proactive action and filtering, we had 
exactly zero customers that were still infected by Jul 20th.  But we 
had to spend the manpower and technical support -- that's worth 

Also, you may have noticed that shrink-wrap licenses are valid in only 
two places: Washington (state) and Virginia.  This would be a Federal 
class action.

Joe Shaw wrote:
> And with this latest threat of code red, Microsoft would have been covered
> anyway, because a patch for this exploit existed well before CodeRed hit.
> They released a patch for the indexing server on June 18, 2001, which as
> you know is a full month before CodeRed.  So, people had a MONTH to
> prepare for something like this, and it's a sad statement that they did
> not.

Actually, although the patch was released, M$ lied, saying it was only 
needed by web servers.  We have since learned that *ALL* W2K and XP 
systems were vulnerable.  Fraud and misrepresentation?

> human somewhere wrote some bad code.  It happens, and continues to happen
> on a daily basis.  

It's long past time that humans were held accountable.

Funny, the engine electronics in my car don't seem to be vulnerable 
to these failures....  Maybe it's the extensive (years) of testing and 
code review?

Why should I have to pay for the desire of M$ to be "first to market", 
or more usually, "last to market but cheaper"?

There is no other industry where such bad practices would be 
acceptable.  It shouldn't be in ours, either!

> Security requires vigilance, and there seems to be too little of it out in
> the world.

William Allen Simpson
    Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32
