On Sat, Jan 25, 2003 at 06:51:01PM +0000, steve@telecomplete.co.uk said:
> True, although it does appear to affect MS more so than it ought to, even considering their market lead.
What evidence do you have here? If I count the number of DDoS attacks from insecure Linux boxes that we've seen in the last year, I'd say that it's on par.
> I think you are on the right lines below in suggesting that products and services should be supplied safe and not require additional maintenance out of the box to make them so (additional changes should make them weaker).
"Secure by default" is a wonderful goal that has, to date, failed to reach very many vendors, either commercial or otherwise. As the number of hosts connected to the Net continues to rise, and as broadband continues to spread, we can expect to see the damage caused by insecure software grow. When the damage reaches a certain critical mass (whatever that may be; I thought we'd have reached it already), those who are coughing up millions of dollars (if not now, that figure will certainly be realistic very soon) to deal with the effects of insecure software will eventually stop accepting this as merely "the way things are". At that point, the lawyers will get involved, and there will be a change in the way software liability is viewed, and a resulting change in focus from vendors (commercial ones, anyway).

====
When the cost of releasing insecure and buggy software exceeds the profit from doing so, vendors will make security a priority. Not before.
====

(As far as free/open software goes ... figuring liability there could be significantly more tricky, if the lawyers decided it was worth it at all. Microsoft, for instance, makes a much more lucrative target (and a better public lesson) than suing, say, the Apache Group. Most commercial software licenses disclaim any and all responsibility, as do their GPL/BSD counterparts, but commercial entities are easier to chase down legally.)

IANAL, nor am I a fortune teller. I also admit to far less operational experience than most of the folks on this list. This is what I see coming. I suppose time will tell whether I'm a crackpot or a visionary. :)

--
-= Scott Francis || darkuncle (at) darkuncle (dot) net =-
GPG key CB33CCA7 has been revoked; I am now 5537F527
illum oportet crescere me autem minui