lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Microsoft Cries Wolf ( again )

Peter Busser <peter@...steddebian.org> wrote:

> Well, why should vendors do that? In fact, if you look at Microsoft's
> profit, I would say it is rewarded for not doing this.  ...

Indeed.

> ...  Vendors simply
> supply the kind of products people want. Aparently people love insecure
> programs. So that is what they get. 

I'm not sure that is quite correct though.

At least in "the West" the customers have experienced several decades 
of "consumer protection" legislation, where all manner of products 
that might be "unreasonably dangerous" were it not for government 
standards, compliance testing, etc have either not made it to market, 
been removed from sale for non-standards compliance, etc.  Further, 
in the increasingly uncommon cases where various forms of egregious 
negligence on the part of the manufacturer of some "dangerous" 
product can be reasonably shown the unfortunate customers (or their 
surviving relatives) often sue the pants off said incompetent 
companies.

Faced with computer software that is necessarily several orders of 
magnitude more complex than any other "product" a typical consumer 
ever purchases (and that will only increase in that complexity) and 
the lack of obvious threats to life, limb and other general safety 
(such as are present in your typical motor car, household electrical 
appliances, etc) the "typical software purchaser" is no position to 
make informed decisions about software quality in general, let alone 
about anything as esoteric as the quality of security considerations 
in the software's general design and specific implementation.

Lulled further into the "computers are now a necessary consumer 
electronics item" lie, your typical computer (software) buyer is 
simply left to _assume_ that the clever people that make these things 
and who understand the black magic under the covers really _must_ 
know what they are doing and surely must have "done the right thing" 
(in the sense that you do not have a new car's braking system 
laboriously checked and documented in minute detail before deciding 
to buy -- you trust that the vehicle designer and all the design and 
product testing that followed and fine-tuned the initial design "must 
have been done properly" because it is done by people who understand 
all that technical crap _AND_ who must meet certain legal 
requirements).

Thus, "typical computer purchasers" tend to end up buying the most 
popular thing, regardless of how large a crock it may be this year, 
and they do so "because that is what everyone buys and if everyone 
buys it it must be OK".  That doesn't necessarily mean they love, or 
in any meaningful market sense "prefer", the crock that they bought 
or that they have a preference for the fact it was designed from the 
ground up with deliberately security antagonistic goals (user 
friendliness over everything else, neat features over everything 
else, network everything to everything, etc, etc).  They assume, as 
you and I would not, that the software developer would have had to 
make the web browser "secure" so their credit card or Internet 
banking details cannot be stolen by the simple act of them reading an 
Email message or browsing a web page.

> The only way to change that is either vote with your dollars and euros

Well, that requires that the "victims" actually realize they have a 
choice and as the MS monopoly is today, that just doesn't seem very 
likely to happen in a very large slice of the market...

> or to take the vendor to court and demand compensation for the damages
> caused by badly designed or buggy software. Neither really happens, so
> what incentive is there for companies to change? 

Well, the second doesn't happen because most "Western" countries have 
kow-towed to pressure to follow the US in specifically exempting 
software developers from the normal "sue the maker's pants off" 
liability that has tended to keep the other large corporates in line 
through history.  Bereft of even the slightest threat that it just 
might get sued into non-existence, Microsoft (and most of the others) 
have _NO_ motivation whatever to do anything other than what the 
(largely ignorant) market seems likely to lap up.  Thus, if some 
competitive advantage seems, for example, likely to be wrung from 
allowing all kinds of embedded, active content to execute from the 
Internet as native code on the computer of someone browsing the web, 
you can bet some large software developer will do it, no matter how 
obviously bad the likely outcome will seem to the likes of you and 
me...


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ