Open Source and information security mailing list archives
From: despot at crosswinds.net (despot@...sswinds.net)
Subject: RE: It takes two to tango

Commercial software entities, especially the larger ones, charge significant sums of money for 
their products. In turn, they spend money on developers, testers, marketers, lawyers, and 
insurance. They market their products as beneficial and, many times, secure. The source code is not 
freely available nor is the consumer, for the most part, allowed to dig into what is provided (e.g. 
EULA, DMCA), so the consumer depends on the word of the software vendor. (I am not arguing open vs. 
closed source, just citing facts.) Additionally, unless some work-around is available, the consumer 
must rely on the software vendor for fixes/patches. After charging money and restricting how well 
the consumer can examine/fix their products, the vendor then disclaims all responsibility for their 
products. (This seems flawed to me. Some of the responsibility should be placed on the vendor.)

The real question: what is the least-cost solution to extremely buggy software? I think it lies 
with the commercial software entities to the extent that they should have strong processes in place 
to prevent, discover, and fix problems with their code. It is simpler and far less costly for the 
vendor to put methodologies in place during the development/testing of software to 
prevent/discover/fix problems with the software than it is for consumers to be hit with the 
consequences of these problems in software they widely deploy. I understand that code would still 
have bugs, but that is where proof of the strong methodologies employed (e.g., non-negligent 
behavior) and insurance would come into play.

So, if all fault continues to rest with consumers, what correction might happen? Consumers could 
start looking for companies that have a different EULA, strong track record, and demonstrated 
development/testing practices. Insurance companies might begin offering insurance to consumers 
against shoddy software, and with that, insurance companies would charge consumers lower rates for 
those demonstrated products. At some point, this could lead to strong competition and stronger 
development/testing practices at software companies.

And, if some (certainly not all) fault rested with the commercial software industry, what 
correction would happen? Well, companies would increase their development/testing practices until they 
reached the appropriate cost-risk level. Part of the determination of this level would be the base 
rates charged by insurance companies.

To me, the latter makes the most sense. But, I am no economist and I have performed no studies.

As it stands now, the software industry alone has made this decision. Perhaps a lawsuit 
challenging the EULA would spark the necessary examination of this decision.

-Andrew
