Re: [ISN] Code Red is Not The Problem

From: InfoSec News (isnat_private)
Date: Wed Aug 08 2001 - 01:38:57 PDT

    Forwarded by: Darren Reed <darrenrat_private>
    
    In some email I received from InfoSec News, sie wrote:
    
    [...]
    
    > But even with this latest major Internet security problem,
    > Corporate America and the government still don't get it, and
    > probably never will.
    
    [...]
    
    > The most significant danger and vulnerability facing the Wired
    > World is continuing to accept and standardize corporate and
    > consumer computer environments on technology that's proven time
    > and again to be insecure, unstable, and full of undocumented bugs
    > ("features") that routinely place the Internet community at risk.
    > But nobody wants to talk about that - not the government, not
    > CERT, not many security vendors, or most of the mainstream media.
    > Such analysis, although true, runs contrary to the status quo and
    > the industry-favoring 'party line' groupthink leading to increased
    > profits for everyone.
    
    [...]
    
    How about making providing software with security bugs for
    commercial use a felony, or something that no disclaimer can waive
    responsibility for? Maybe it should be a felony to release any
    software package with any known bugs, or in doing so a software
    manufacturer voids any claim to hiding behind a disclaimer.
    
    What about going a step further and making deploying software with
    security bugs a felony, that way making system admins take more care
    in the software they install.
    
    I would not care if warranties that said "no buffer overflows" were
    only valid when used with specific hardware combinations (think ECC
    RAM, etc) specified by the software manufacturer.
    
    This should include BOTH Linux camps and Microsoft camps.
    
    It's becoming more and more clear that the industry itself is
    incapable of fixing these problems as it has no clear incentive.
    Time to change the incentive part of the equation and make it a
    disincentive to release any software with a security bug. Without
    creating a system whereby the manufacturer of the software is
    responsible for their own work, I do not see any way to improve the
    quality of software as a whole.
    
    I don't care if the cost of software increases tenfold or it takes
    five times as long to get it out the door; our current industry-wide
    practices are simply not good enough. It is time that was fixed.
    
    How much would it cost Microsoft to do extensive testing of Windows
    XP, prior to launch, searching for buffer overflows (for example) in
    every DLL routine, etc., vs. how much it will cost the world to clean up
    later as the bugs get reported?
    
    Look at all the i's which need dotting and t's which need crossing if
    you want to make a vehicle to drive on the roads, never mind sell to
    others.
    
    Why do we accept a complete lack of such standards in the software
    industry?
    
    Unfortunately, to get anything along these lines requires lobbying
    politicians to get them to understand and write the correct bill.
    
    Darren
    
    (I'm in rant mode about this)
    
    ISN is currently hosted by Attrition.org
    



    This archive was generated by hypermail 2b30 : Wed Aug 08 2001 - 05:04:54 PDT