From: bfans at yahoo.com (Bryan Fansler)
Subject: RE: It takes two to tango

OK, I volunteer to keep the war chest.  I accept
PayPal.


-----Original Message-----
From: choose.a.username@...hmail.com
[mailto:choose.a.username@...hmail.com]
Sent: Thursday, August 01, 2002 11:00 AM
To: bugtraq@...urityfocus.com;
vuln-dev@...urityfocus.com;
full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] RE: It takes two to
tango




*** PGP Signature Status: unknown
*** Signer: Unknown, Key ID = 0x97488C90
*** Signed: 8/1/2002 10:55:45 AM
*** Verified: 8/1/2002 11:42:31 AM
*** BEGIN PGP VERIFIED MESSAGE ***

Let's stop gossiping and do something about. Let us
create a war chest and raise $100 million, or $1
billion. Everyone chip in, customer's bitten by bugs
created by these vendors, security people and
companies alike.

Create a war chest and drag a vendor into court by the
ear and test all of this. Sue them! Create some new
law, set some precedence. A war chest of $1 billion
set aside solely to litigate one vendor until the
courts decide. Keep donating to the war chest so that
it never runs out. We'll see who gets tired first.

They cannot be allowed to hide behind their EULA
forever. Let us test this once and for.

I pledge $10,000 right now!

[SNIP]
> If the client was not notified, after the
vulnerability was published (not
> the exploit), businesses affected by the security
hole, could sue the
> vendor.  The vendor may have chosen not to inform
it's clients of the
> potential security problem, and thus did not do its
due diligence.
[SNIP]

I think you've hit a key point here. Think of all the
product
recalls that happen outside of the IT world. A case in
point was a baby
stroller that I purchased a few years ago. These
strollers could fold up and
trap a child if they were hit in a certain way. Once
it made the news the
manufacturer issued a fix (some plastic parts to
strengthen the latch) and
when we saw the story on the news, they also had
contact information on how
to get the pieces to fix this stroller.

It would be nice to think that this company did this
out of concern
for children, but, I'm kind of cynical, I think the
exec's of this company
looked closely at the potential liability they faced
and compared this with
the potential cost of producing/shipping these plastic
pieces. At the end of
the day, the potential cost of fixing the problem was
less than the
projected liability.

Unfortunately in software we have a different
situation. End User
License Agreements are so incredibly broad and seem to
protect the software
'manufacturer' from any potential liability. The end
result, it's cheaper,
easier and better for the bottom line to cover up the
defect or ignore it's
existence.

But due diligence. That's an interesting point. I
wonder if the
failure to follow due diligence can be used to strip
the software
manufacturer of their blanket indemnity clauses in the
End User License
Agreement. If it can be proven that Microsoft has not
followed due diligence
(not to say they haven't, just an example) in
protecting users of Outlook
from worms, could Microsoft be held liable for the
cost of cleaning up the
next "Love Letter" worm outbreak?

Very interesting point you have made with regards to
due diligence,
I wonder if it can be used.

O'Neil.

This message expresses only my personal opinion and
does not necessarily
represent the official opinion of my employer

*** END PGP VERIFIED MESSAGE ***


Communicate in total privacy.
Get your free encrypted email at
https://www.hushmail.com/?l=2

Looking for a good deal on a domain name?
http://www.hush.com/partners/offers.cgi?id=domainpeople

_______________________________________________
Full-Disclosure - We believe in it.
Full-Disclosure@...ts.netsys.com
http://lists.netsys.com/mailman/listinfo/full-disclosure


__________________________________________________
Do You Yahoo!?
Yahoo! Health - Feel better, live better
http://health.yahoo.com

Powered by blists - more mailing lists