| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 22 Dec 2006 10:21:18 +1300 From: Nick FitzGerald <nick@...us-l.demon.co.uk> To: full-disclosure@...ts.grok.org.uk Subject: Re: [WEB SECURITY] comparing information security to other industries Jason Muskat, GCFA, GCUX, de VE3TSJ wrote: > People, programmers, computers, software, design patterns, systems, and > infrastructure are constantly changing, often being reinvented. As such, > will never be stable. > > Concrete of a type is always the same and therefore predictable. One can > state with certainly that a concrete slab will perform to design. This will > ever be possible in IT. > > Many commercially produced software products donĀ¹t have any warranty. Many > even state that the software is not warranted for any function or purpose. That's _because_ software makers argued long and hard for a special exemption from most standard producer liability regulations and laws, and in many cases also for protection from consumer protection laws. They made this argument mainly along the lines you opened your comments with -- "everything is so complex and forever changing that if we had to do proper design, specification and testing we'd never produce anything and meeting those normal legal requirements would make everything ever so much less innovative and slower and only the very largest companies could ever afford to even think about writing software". This -- particularly the "cost will bury us" part -- is _still_ the main argument the OSS folk make against any and all suggestions that software liability rules should be tightened up. Thus, as NOT providing such guarantees is legally sanctioned, you cannot really use it as an argument supporting the "any old slop we put on the disk will do" approach we have sufferred from for far too long. > ... The fact that the software does something that one thinks it should do > is incidental. Yep. Given you seem so strongly in favour of the current "couldn't really give a shit" view of software "quality", you'll be rushing to sign my petition requiriung all university and other educational courses in "computer science" to change their names to "computer art & craft" or "computer guesswork" or something similarly accurately describing their professional endorsement of hit-and-miss, slop it all in a bucket then pour it through a compiler we especially dumbed down to not give a rats arse about quality approach, and for "software engineering" courses to similarly remove their abuse use of the term "engineering"... Regards, Nick FitzGerald _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists