Open Source and information security mailing list archives
From: live4java at stormcenter.net (Mister Coffee)
Subject: AV companies better hire good lawyers soon.

On Tue, Sep 14, 2004 at 10:40:17AM +0200, Jean Gruneberg wrote:
> Yes, I agree - but then don't bitch if the other software (be it AV  or any
> other software) does not work or breaks your software.  Surely it is the
> writers responsibility that the software is compatible with other stuff. Bit
> like reading your writing and making sure it isn't offensive to certain
> groups to people!
> 
In general, yes, it's an author's responsibility to make sure his stuff is compatible with other stuff out there - when it's released.  But that works both ways.  If my program works fine with yours, but your new version breaks my program, whose fault is it?  Is it mine for not updating to keep up with your new version?  Or is it yours for not being compatible with the existing version of mine?  To quote you here: "Surely it is the writers responsibility that the software is compatible with other stuff."  So, here, it was your fault for breaking my program.  Or, maybe "you" (I'm using the generic you/me here, obviously) don't care that your new version breaks anyone else's code?

Vicious circle.

In the specific case here, with the AV vendor, it was clearly the AV software that released an update that broke someone else's software.

Making it the other guy's fault doesn't wash.  It's more bad QC on the AV vendor's part.  But as you mentioned previously, they'll get pounced on if some 0day gets past them and some clown loses his data.  It's a thankless task.  But it's _far_ more reasonable for them to err on the side of "Physician, do no harm" and miss the first day of an outbreak than it is for them to rush out and -break existing programs- because they were in such a hurry to "Be first to recognize ScatMaster@....MM!!"

As for writing, the analogy doesn't really apply.  Writing is subjective, and it's impossible to be 100% inoffensive and still say anything.  Software, in this context, is objective.  It either plays nice, or it doesn't.

But we're straying a bit far from fully disclosing anything in this thread, so I bid you adieu.

Cheers,
L4J
> J2
> 
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Florian Weimer
> Sent: 14 September 2004 09:26
> To: Micheal Espinola Jr
> Cc: full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] AV companies better hire good lawyers soon.
> 
> 
> * Micheal Espinola, Jr.:
> 
> > I disagree.  Programmer's should know to submit their code to the 
> > various AV companies in order to avoid false-positives.
> 
> This is a ridiculous proposition.  It's like suggesting that you have to
> submit your writings to the Department of Justice before you can exercise
> your free speech rights.
> 