Date: Fri, 22 Dec 2006 10:21:18 +1300
From: Nick FitzGerald <>
Subject: Re: [WEB SECURITY] comparing information security to other industries

Jason Muskat, GCFA, GCUX, de VE3TSJ wrote:

> People, programmers, computers, software, design patterns, systems, and
> infrastructure are constantly changing, often being reinvented. As such,
> will never be stable.
> Concrete of a type is always the same and therefore predictable. One can
> state with certainty that a concrete slab will perform to design. This will
> ever be possible in IT.
> Many commercially produced software products don't have any warranty. Many
> even state that the software is not warranted for any function or purpose.

That's _because_ software makers argued long and hard for a special 
exemption from most standard producer liability regulations and laws, 
and in many cases also for protection from consumer protection laws.

They made this argument mainly along the lines you opened your comments 
with -- "everything is so complex and forever changing that if we had 
to do proper design, specification and testing we'd never produce 
anything and meeting those normal legal requirements would make 
everything ever so much less innovative and slower and only the very 
largest companies could ever afford to even think about writing 

This -- particularly the "cost will bury us" part -- is _still_ the 
main argument the OSS folk make against any and all suggestions that 
software liability rules should be tightened up.

Thus, as NOT providing such guarantees is legally sanctioned, you 
cannot really use it as an argument supporting the "any old slop we put 
on the disk will do" approach we have suffered from for far too long.

> ... The fact that the software does something that one thinks it should do
> is incidental. 


Given you seem so strongly in favour of the current "couldn't really 
give a shit" view of software "quality", you'll be rushing to sign my 
petition requiring all university and other educational courses in 
"computer science" to change their names to "computer art & craft" or 
"computer guesswork" or something similarly accurately describing their 
professional endorsement of hit-and-miss, slop it all in a bucket then 
pour it through a compiler we especially dumbed down to not give a rats 
arse about quality approach, and for "software engineering" courses to 
similarly remove their abusive use of the term "engineering"...


Nick FitzGerald

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -