lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20020804161144.DA5DF8112A@member-mx1.crosswinds.net>
From: despot at crosswinds.net (despot@...sswinds.net)
Subject: RE: It takes two to tango

Commercial software entities, especially the larger ones, charge significant sums of money for 
their products. In turn, they spend money on developers, testers, marketers, lawyers, and 
insurance. They market their products as beneficial and, many times, secure. The source code is not 
freely available nor is the consumer, for the most part, allowed to dig into what is provided (e.g. 
EULA, DMCA), so the consumer depends on the word of the software vendor. (I am not arguing open vs. 
closed source, just citing facts.) Additionally, unless some work-around is available, the consumer 
must rely on the software vendor for fixes/patches. After charging money and restricting how well 
the consumer can examine/fix their products, the vendor then disclaims all responsibility for their 
products. (This seems flawed to me. Some of the responsibility should be placed on the vendor.)

The real question... What is the least cost solution to extremely buggy software? I think it lies 
with the commercial software entities to the extent that they should have strong processes in place 
to prevent, discover, and fix problems with their code. It is simpler and far less costly for the 
vendor to put methodologies in place during the development/testing of software to 
prevent/discover/fix problems with the software than it is for consumers to be hit with the 
consequences of these problems in software they widely deploy. I understand that code would still 
have bugs, but that is where proof of the strong methodologies employed (e.g., non-negligent 
behavior) and insurance would come into play.

So, if all fault continues to rest with consumers, what correction might happen? Consumers could 
start looking for companies that have a different EULA, strong track record, and demonstrated 
development/testing practices. Insurance companies might begin offering insurance to consumers 
against shoddy software, and with that, insurance companies would charge consumers less rates for 
those demonstrated products. At some point, this could lead to strong competition and stronger 
development/testing practices at software companies.

And, if some (certainly not all) fault rested with the commercial software industry, what 
correction would happen? Well, companies would increase their development/testing practice until it 
reached the appropriate cost-risk level. Part of the determination of this level would be the base 
rates charged by insurance companies.

To me, the ladder makes the most sense. But, I am no economist and I have performed no studies.

As it stands now, solely the software industry has made this decision. Perhaps a lawsuit 
challenging the EULA would spark the necessary examination of this decision.

-Andrew


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ