| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: choose.a.username at hushmail.com (choose.a.username@...hmail.com) Subject: RE: It takes two to tango -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Let's stop gossiping and do something about. Let us create a war chest and raise $100 million, or $1 billion. Everyone chip in, customer's bitten by bugs created by these vendors, security people and companies alike. Create a war chest and drag a vendor into court by the ear and test all of this. Sue them! Create some new law, set some precedence. A war chest of $1 billion set aside solely to litigate one vendor until the courts decide. Keep donating to the war chest so that it never runs out. We'll see who gets tired first. They cannot be allowed to hide behind their EULA forever. Let us test this once and for. I pledge $10,000 right now! [SNIP] > If the client was not notified, after the vulnerability was published (not > the exploit), businesses affected by the security hole, could sue the > vendor. The vendor may have chosen not to inform it's clients of the > potential security problem, and thus did not do its due diligence. [SNIP] I think you've hit a key point here. Think of all the product recalls that happen outside of the IT world. A case in point was a baby stroller that I purchased a few years ago. These strollers could fold up and trap a child if they were hit in a certain way. Once it made the news the manufacturer issued a fix (some plastic parts to strengthen the latch) and when we saw the story on the news, they also had contact information on how to get the pieces to fix this stroller. It would be nice to think that this company did this out of concern for children, but, I'm kind of cynical, I think the exec's of this company looked closely at the potential liability they faced and compared this with the potential cost of producing/shipping these plastic pieces. At the end of the day, the potential cost of fixing the problem was less than the projected liability. Unfortunately in software we have a different situation. End User License Agreements are so incredibly broad and seem to protect the software 'manufacturer' from any potential liability. The end result, it's cheaper, easier and better for the bottom line to cover up the defect or ignore it's existence. But due diligence. That's an interesting point. I wonder if the failure to follow due diligence can be used to strip the software manufacturer of their blanket indemnity clauses in the End User License Agreement. If it can be proven that Microsoft has not followed due diligence (not to say they haven't, just an example) in protecting users of Outlook from worms, could Microsoft be held liable for the cost of cleaning up the next "Love Letter" worm outbreak? Very interesting point you have made with regards to due diligence, I wonder if it can be used. O'Neil. This message expresses only my personal opinion and does not necessarily represent the official opinion of my employer -----BEGIN PGP SIGNATURE----- Version: Hush 2.1 Note: This signature can be verified at https://www.hushtools.com wmYEARECACYFAj1JS/EfHGNob29zZS5hLnVzZXJuYW1lQGh1c2htYWlsLmNvbQAKCRDT 5JkCl0iMkI9bAKCTsorQOWGiNkO5IRTmMklIY/MZKQCeMLtGoF9AzP5RUIblkuDynq3D /Go= =wwVF -----END PGP SIGNATURE----- Communicate in total privacy. Get your free encrypted email at https://www.hushmail.com/?l=2 Looking for a good deal on a domain name? http://www.hush.com/partners/offers.cgi?id=domainpeople
Powered by blists - more mailing lists