On Wed, 25 Jul 2001, William Allen Simpson wrote:
> Perhaps a different approach is in order -- product liability.
> When Firestone made a large number of bad tires, they compensated the purchasers by PAYING for replacement, including those that had not yet been injured. That included the upgrade, and the installation cost.
The problem is, how many people believe MS puts out bad software? It never ceases to amaze me that no matter how many IT shops I go through for various reasons and no matter how many problems they've had with MS software, they still consider it to be top-notch. They don't even believe there's a problem. And with this latest threat of Code Red, Microsoft would have been covered anyway, because a patch for this exploit existed well before Code Red hit. They released a patch for the indexing server on June 18, 2001, which as you know is a full month before Code Red. So, people had a MONTH to prepare for something like this, and it's a sad statement that they did not.
> Network operators have been injured by the distribution of buggy software from M$. We need to be compensated for our time and expenses.
And should Microsoft's "good name" be tarnished because you didn't update with a security fix that they already had available a month in advance?
> A check in the mail would be a better incentive to administrators than "automatic" updates.
I think this is flawed. And furthermore, let me state that we're trying to make this a technological problem, when ultimately it's a human one. A human somewhere wrote some bad code. It happens, and continues to happen on a daily basis. You'll find examples of it on SourceForge, on mailing lists, and in commercial operating systems today, and I guarantee that you'll see other examples tomorrow. Because as long as humans write code and make silly mistakes, you will continue to see security vulnerabilities. It's not just a Microsoft problem. It's a Microsoft, Linux, *BSD, Solaris, Cisco, <insert vendor name here> problem. And then let's not forget that, as previously stated, Code Red exploits a known bug and that a vendor-provided patch was already in existence. The problem is that too many admins were too lazy or ignorant and didn't install the patch or implement the workaround to make them immune to this bug. How would a check have helped them in this case? Security requires vigilance, and there seems to be too little of it out in the world.

Regards,

--
Joseph W. Shaw II
Network Security Specialist/CCNA
Unemployed. Will hack for food. God Bless.
Apparently I'm overqualified but undereducated to be employed.