Message-ID: <1062609056.5045.23.camel@zack.spectrumconsulting.net>
From: cdw at mylinuxguy.com (C. David Wilde)
Subject: Bill Gates blames the victim

On Wed, 2003-09-03 at 09:02, Robert Ahnemann wrote:
> > "Richard M. Smith" <rms@...puterbytesman.com> writes (quotes):
> >>    ;;    Q. "The buffer overrun flaw that made the Blaster worm 
> >>    ;;    possible was specifically targeted in your code reviews 
> >>    ;;    last year. Do you understand why the flaw that led to 
> >>    ;;    Blaster escaped your detection?"
> >>    ;; 
> >>    ;;    A. "Understand there have actually been fixes for all of 
> >>    ;;    these things before the attack took place. The challenge 
> >>    ;;    is that we've got to get the fixes to be automatically 
> >>    ;;    applied without our customers having to make a special
> effort."
> >> 
> >> "Don't trust our software. But do trust our patching/update 
> >> process..."
> >
> >Don't trust software but trust our software patches...
> >
> >We can continue the sentence by adding that the special effort is 
> >needed because new bugs are generated by these patches.
> 
> Let's relate this to real life (flame that line if you want).  Your car
> has a defect that causes the oil pan to leak.  Ford (I drive one, I can
> talk) issues a recall saying they know about the leak and are offering
> you a free fix, if you would just take the time to take the car to the
> shop.  You decide that you know better and that you would rather not
> invest the time.  Your engine is lying on the ground three weeks later.
> Whose fault is it?  They told you it was a problem.  You neglected to
> address it.  I can tell you who will be paying for the engine.   Today's
> society is about dissolving accountability.  I'm all for changing this
> around.

While I agree with that argument to a point (I've had several parts on
several vehicles recalled), Ford does still hold some responsibility as
to the quality of the car that they released.  Take the Pinto for
example, since we're talking about Ford: Ford released a faulty product
that caused injury and death to some of their consumers, and they had to
pay for that mistake.  A company is liable for the damage that its
product causes, even if they issue a recall or a fix.  I think that this
issue is a little different; system admins have a responsibility and an
obligation to patch their systems, and it's their fault if they get
rooted, but the software vendor also must share in that responsibility.
If Ford, or any car manufacturer for that matter, had been allowed to
escape punishment for some of the damage that they caused by selling a
faulty product then we could all be driving cars that explode when
rear-ended.  If a company is hit where it hurts because they messed up
then they will be that much more careful the next time around to release
a product that is safer/better.

My second point is that in the car business certain models of cars can
be declared a Lemon if a certain percentage of that model is deemed
faulty.  Consumers are entitled to compensation for Lemon cars; why are
they not compensated for Lemon software?  Microsoft has a well-established
track record of releasing insecure and buggy software, and many other
software companies that we rely on also share that track record.  I for
one believe that it's time we start exposing and punishing those
companies for not keeping the wellbeing of their consumers in mind while
creating their products.  Other industries have that burden; why should
software be exempt?  I hold Microsoft especially accountable for this
because through their business practices they have maneuvered themselves
into nearly every industry in one form or another.  Their software,
whether we like it or not, affects a great majority of the world's
population on a daily basis, and for them to blame the consumer is
utterly ridiculous.  Automatic patching is not the answer either;
creating a product that can withstand the test of time and pressure is.
That's why I drive a 1963 Pontiac :)

> 
> (forgot to send to the list poo)
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 

