-----Original Message----- From: William Allen Simpson [mailto:wsimpson@greendragon.com] Sent: Wednesday, July 25, 2001 7:04 AM To: nanog@nanog.org Subject: Re: product liability (was 'we should all be uncomfortable with the extent to which luck..')
Roeland Meyer wrote:
From: William Allen Simpson [mailto:wsimpson@greendragon.com] A check in the mail would be a better incentive to administrators than "automatic" updates.
Now *there's* a thought. However, all software companies carry product liability insurance. It's sometimes called a shrink-wrap license. You might actually try reading it the next time you purchase and install software.
I'm not a party to the EULA.
For the sake of argument, ISPs are the party that the SUV hit when it rolled over after the tires exploded....
(actually, because of our proactive action and filtering, we had exactly zero customers that were still infected by Jul 20th. But we had to spend the manpower and technical support -- that's worth something!)
Also, you may have noticed that shrink-wrap licenses are valid in only two places: Washington (state) and Virginia. This would be a Federal class action.
Please, do not confuse "governing law" and "jurisdiction" with applicability. With most commercial software, you don't own it. The actual owners retain full ownership rights. That makes a huge legal difference. BTW, MHSC shrink-wrap, and all other MHSC contracts, are under Delaware law, with alternative jurisdiction in Colorado, and neither of the other two jurisdictions that you mention. It has to do with where the corporate home is. Further, lawyers make big bucks arguing "comparative negligence". None of us gets paid well enough to do so here. FWIW, almost all commercial software developers carry "Errors and Omissions" coverage, as a second-level backup to the lawyers. That said and in most jurisdictions, the driver has primary responsibility. This is due to the fact that the driver has primary responsibility for maintenance and application. This is the primary reason for the "fitness of purpose" clause.
Joe Shaw wrote:
And with this latest threat of code red, Microsoft would have been covered anyway, because a patch for this exploit existed well before CodeRed hit. They released a patch for the indexing server on June 18, 2001, which as
Actually, although the patch was released, M$ lied, saying it was only needed by web servers. We have since learned that *ALL* W2K and XP systems were vulnerable. Fraud and misrepresentation?
Since ALL Win2K and XP packages contain IIS, where did they even mislead?
human somewhere wrote some bad code. It happens, and continues to happen on a daily basis.
It's long past time that humans were held accountable.
Now, there is something that I can agree with. Let's hunt down the script kiddie and their bunk-daddy (who wrote Code Red) and start hacking off appropriate appendages. I'll be glad to sharpen the knives.
Funny, the engine electronics in my car doesn't seem to be vulnerable to these failures.... Maybe it's the extensive (years) of testing and code review?
Why should I have to pay for the desire of M$ to be "first to market", or more usually, "last to market but cheaper"?
There is no other industry where such bad practices would be acceptable. It shouldn't be in ours, either!
Have you ever done a function-point analysis, or path permutations analysis on your average GUI program? The simplest GUI is vastly more complex than the engine monitoring computer in your car. Just chasing all first-order paths would take decades. Second-order paths number in the billions. We won't go to third-order. Exhaustive testing is not even dreamable. If you even have a QA department available, ask them. While you're at it, do you QA your web-site?
Security requires vigilance, and there seems to be too little of it out in the world.
Agreed.
Yes.