product liability (was 'we should all be uncomfortable with the extent to which luck..')

Chris Rapier rapier at
Wed Jul 25 15:57:33 UTC 2001

> The problem is, how many people believe MS puts out bad software?  It
> never ceases to amaze me that no matter how many IT shops I go through for
> various reasons and no matter how many problems they've had with MS
> software, they still consider it to be top notch.  They don't even believe
> there's a problem.

I think part of it is because it's a standard. Even if it's a low standard
it still exists and that makes a big difference. Hell, I do a lot of
work to put on conferences several times a year (If any of you have been
to an I2 Joint Techs meeting I was the guy hassling people for
presentations) and am in charge of presentation wrangling. I decided
quite a while ago that presentations had to be in Powerpoint 97 format.
This wasn't because I love PP97 or because I don't know about magicpoint
or other presentation software. It's just that PP97 is relatively
universal, my admin staff can work on it (reviewing it for problems,
converting to HTML, whatever) without issues, and I know that in almost
all cases it will function as expected.

It's a crappy standard but standards are useful. I'm not saying this is
where things should be or that the excesses and failures of Microsoft
are excusable. I'm simply being pragmatic.

> > A check in the mail would be a better incentive to administrators than
> > "automatic" updates.
> I think this is flawed.

I'm also not sure how the logic works. If MS had to send me a check
every time they screwed up and it possibly cost me some time I'd never
install a patch.

> Because as long as humans write code
> and make silly mistakes you will continue to see security vulnerabilities.
> It's not just a Microsoft problem.  It's a Microsoft, Linux, *BSD,
> Solaris, Cisco, <insert vendor name here> problem.

It's also just a problem of *never* being able to plan for all
possibilities in a test environment. It's impossible to do this. Hell,
most of the people doing research in networking are really just trying
to figure out what the hell we've actually created. The behaviour we see
in a lab, test network, or elsewhere doesn't necessarily predict how a
given piece of code will interact when released into the wild.
