lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <3F4CDC52.9070700@adelphia.net>
From: hescominsoon at adelphia.net (William Warren)
Subject: GOOD: A legal fix for software flaws?]

however the fact that windows 2003 has code in it form NT4 makes this a
different story(this code is what blaster used to propagate in the first
place) so in that sense MS should be liable.

levinson_k@...pammed.com wrote:
> Well, to be fair, Sobig.F does not take advantage of any security vulnerabilities in Windows or any Microsoft email products.  Sobig.F only spreads on Windows because it is an executable compiled just to run on Windows.  This makes perfect sense if you accept the hypothesis that Sobig.F was written for spam-related financial gain, because the spammer would want to target the largest audience. 
> 
> The article's comparison to legal liability in cars and tires is illuminating.  Windows 95 is now over 8 years old.  If you used your car for 8 years until the brakes and tires were bald and then they failed, you'd have a pretty hard time suing the manufacturer.  In fact, you'd be sued yourself for failing to keep your machine acceptably maintained.  
> 
> You can't run Windows or Red Hat or OpenBSD for years and expect it to remain secure without some continuing effort and maintenance on your part.  And yet that's what most people are expecting to be able to do.  Because we're always going to have a large world population of users running old operating systems and not doing anything to keep them secure, we're always going to have worldwide problems like worms.
> 
> Would this kind of legal liability for software manufacturers have a chilling effect towards small mom and pop software shops?  Would it halt smaller companies like Foundstone and Eeye.com from writing and releasing freeware utilities?  Would OpenBSD, Linux distros, etc. also be sued?  Would end users like you or me start being sued for becoming infected?  Can you know for sure what would happen if this came to pass?  Targeting Microsoft may sound attractive to some, but this kind of legislation could make every software author a target, while not necessarily doing anything to get rid of security issues like worms.
> 
> 
> -----Original Message-----
> From: dhtml@...h.com [mailto:dhtml@...h.com]
> Sent: Tuesday, August 26, 2003 12:57 PM
> To: full-disclosure@...ts.netsys.com
> Subject: [despammed] [Full-Disclosure] GOOD: A legal fix for software
> flaws?
> 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> We need to hear more of this type of noise. Unleash the repo man on the
> puppy mill owner and his cohorts.
> 
> 
> http://news.com.com/2100-1002_3-5067873.html?tag=fd_lede2_hed
> 
> A legal fix for software flaws?
> 
> 
> By Declan McCullagh
> Staff Writer, CNET News.com
> August 26, 2003, 4:00 AM PT
> 
> 
> Thomas Leavitt, a system administrator and veteran of three Silicon Valley
> start-ups, has dealt with computer worms and viruses before.
> But the severity of last week's Sobig.F and MSBlast.D attacks got him
> thinking harder than ever about a cure. Finding and punishing their anonymous
> authors would be a start. But shouldn't Microsoft also be partly to blame?
> 
> [snip]
> 
> "Unless someone is injured or dies, it is almost impossible to successfully
> sue a software publisher for defective software," said Cem Kaner, an
> attorney and professor of computer science at the Florida Institute of
> Technology. "The serious proposals to change software law have primarily
> been to reduce software vendors' liability even further. The most recent
> battles involve embedded software. You might soon discover that when
> you buy a car, the body is covered by one set of laws but the software
> that controls your brakes, fuel injectors, etc., is covered by a different
> set of laws that are more manufacturer friendly."
> 
> Microsoft's security practices have been in the spotlight before over
> alleged lapses, but the astonishing speed with which Sobig.F and MSBlast.D
> overwhelmed corporate networks has put the finest point on the problem
> in years.
> 
> [snip]
> 
> Sonia Arrison, a technology policy analyst at the free-market Pacific Research Institute in San Francisco, says one reason the current state of the law is reasonable is that "software is inherently different from (physical products such as) tires since it's more difficult to know beforehand what vulnerabilities will occur." 
> 
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 

-- 
May God Bless you and everything you touch.

My "foundation" verse:
Isaiah 54:17 No weapon that is formed against thee shall prosper; and
every tongue that shall rise against thee in judgment thou shalt
condemn. This is the heritage of the servants of the LORD, and their
righteousness is of me, saith the LORD.


-- 
May God Bless you and everything you touch.

My "foundation" verse:
Isaiah 54:17 No weapon that is formed against thee shall prosper; and 
every tongue that shall rise against thee in judgment thou shalt 
condemn. This is the heritage of the servants of the LORD, and their 
righteousness is of me, saith the LORD.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ