Message-ID: <200308271558.KAA28576@gen.by.despammed.com>
From: levinson_k at despammed.com (levinson_k@...pammed.com)
Subject: GOOD: A legal fix for software flaws?
Well, to be fair, Sobig.F does not take advantage of any security vulnerabilities in Windows or any Microsoft email products. Sobig.F only spreads on Windows because it is an executable compiled just to run on Windows. This makes perfect sense if you accept the hypothesis that Sobig.F was written for spam-related financial gain, because the spammer would want to target the largest audience.
The article's comparison to legal liability in cars and tires is illuminating. Windows 95 is now over 8 years old. If you used your car for 8 years until the brakes and tires were bald and then they failed, you'd have a pretty hard time suing the manufacturer. In fact, you'd be sued yourself for failing to keep your machine acceptably maintained.
You can't run Windows or Red Hat or OpenBSD for years and expect it to remain secure without some continuing effort and maintenance on your part. And yet that's what most people are expecting to be able to do. Because we're always going to have a large world population of users running old operating systems and not doing anything to keep them secure, we're always going to have worldwide problems like worms.
Would this kind of legal liability for software manufacturers have a chilling effect towards small mom and pop software shops? Would it halt smaller companies like Foundstone and Eeye.com from writing and releasing freeware utilities? Would OpenBSD, Linux distros, etc. also be sued? Would end users like you or me start being sued for becoming infected? Can you know for sure what would happen if this came to pass? Targeting Microsoft may sound attractive to some, but this kind of legislation could make every software author a target, while not necessarily doing anything to get rid of security issues like worms.
-----Original Message-----
From: dhtml@...h.com [mailto:dhtml@...h.com]
Sent: Tuesday, August 26, 2003 12:57 PM
To: full-disclosure@...ts.netsys.com
Subject: [despammed] [Full-Disclosure] GOOD: A legal fix for software
flaws?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
We need to hear more of this type of noise. Unleash the repo man on the
puppy mill owner and his cohorts.
http://news.com.com/2100-1002_3-5067873.html?tag=fd_lede2_hed
A legal fix for software flaws?
By Declan McCullagh
Staff Writer, CNET News.com
August 26, 2003, 4:00 AM PT
Thomas Leavitt, a system administrator and veteran of three Silicon Valley
start-ups, has dealt with computer worms and viruses before.
But the severity of last week's Sobig.F and MSBlast.D attacks got him
thinking harder than ever about a cure. Finding and punishing their anonymous
authors would be a start. But shouldn't Microsoft also be partly to blame?
[snip]
"Unless someone is injured or dies, it is almost impossible to successfully
sue a software publisher for defective software," said Cem Kaner, an
attorney and professor of computer science at the Florida Institute of
Technology. "The serious proposals to change software law have primarily
been to reduce software vendors' liability even further. The most recent
battles involve embedded software. You might soon discover that when
you buy a car, the body is covered by one set of laws but the software
that controls your brakes, fuel injectors, etc., is covered by a different
set of laws that are more manufacturer friendly."
Microsoft's security practices have been in the spotlight before over
alleged lapses, but the astonishing speed with which Sobig.F and MSBlast.D
overwhelmed corporate networks has put the finest point on the problem
in years.
[snip]
Sonia Arrison, a technology policy analyst at the free-market Pacific Research Institute in San Francisco, says one reason the current state of the law is reasonable is that "software is inherently different from (physical products such as) tires since it's more difficult to know beforehand what vulnerabilities will occur."