Re: [ISN] Should Microsoft be Liable for Bugs?

From: InfoSec News (isnat_private)
Date: Wed Sep 17 2003 - 22:31:35 PDT

    Forwarded from: Mark Bernard <mbernardat_private>
    Dear Associates,
    This is a frustrating problem that recreates itself on a seemingly
    weekly basis.
    For years now the software industry has regulated itself doing a
    pretty decent job and then came along M$. Everything has changed and
    will continue to change, increasing the integration and inherent
    dependencies of business systems with business processes perhaps it's
    time for our industry to evolve as well.
    For example, the FDA and Health Canada "strongly-encourages"
    Pharmaceuticals to validate the computers and systems that are used to
    develop drugs. The validation process although designed to 'control'
    the environment is very flexible allowing differences in
    configurations so long as they are recorded and validated. The
    validating process must include a formal change management
    process/document management. The practice is truly ISO or Deming's TQM
    and it's sadly missing from software development in general.
    In my opinion, this process should be a best practice for software
    development, fully integrated. Furthermore, as a best practice it
    would satisfy the three principles of information security,
    Confidentiality, Integrity and Availability. I could define these for
    you, but it would take up a few more columns.
    As for being liable or not, any class action suit can tackle the
    problem but with a giant like M$, who probably has a few law firms on
    the retainer by now, what good would come from that? As for
    legislation, although it's a possibility it might hurt the smaller
    software development firms and would probably take at least three
    years to push through and another three years to mature.
    Solution: a global organization with a global mandate. Before software,
    designed for use over the Internet, gets used over the Internet it
    should pass a validation process governed by industry not dominated by
    one company but a committee representing a cross section of the
    Internet community itself. Perhaps the UN of Internet Users (UNIU).
    ----- Original Message ----- 
    From: "InfoSec News" <isnat_private>
    To: <isnat_private>
    Sent: Monday, September 15, 2003 4:35 AM
    Subject: [ISN] Should Microsoft be Liable for Bugs?
    > Forwarded from: "Kirstan Beeson" <kbeesonat_private>
    > September 12, 2003
    > A defect is found in one of the world's most popular products. Less
    > than a month later, its consequences emerge -- idling workers around
    > the globe, causing huge losses for businesses and generally
    > inconveniencing hundreds of thousands of people.
    > Under different circumstances, this scenario might be a class-action
    > lawyer's dream. But the product in question is software, and the
    > companies that make it claim special protections from liability
    > through the licensing deals that come as a condition of using their
    > programs.
    > Those protections help shield Microsoft Corp. and other software
    > companies from paying what could conceivably amount to billions of
    > dollars in damages. But they're coming under increased scrutiny amid a
    > rising tide of computer viruses, many of which exploit known flaws in
    > popular Microsoft programs.
    > Consumer advocates and some computer users argue that the protections
    > should be ended or diminished to let businesses and people try to hold
    > software makers at least partially liable for the effects of product
    > flaws. Doing so, they say, would make companies such as Microsoft more
    > accountable, resulting in programs with fewer defects.