Forwarded from: Mark Bernard <mbernardat_private>

Dear Associates,

This is a frustrating problem that recreates itself on a seemingly weekly basis. For years now the software industry has regulated itself, doing a pretty decent job, and then along came M$. Everything has changed and will continue to change, increasing the integration and inherent dependencies of business systems with business processes; perhaps it's time for our industry to evolve as well.

For example, the FDA and Health Canada "strongly encourage" pharmaceuticals to validate the computers and systems that are used to develop drugs. The validation process, although designed to 'control' the environment, is very flexible, allowing differences in configurations so long as they are recorded and validated. The validating process must include a formal change management process/document management. The practice is truly ISO or Deming's TQM, and it's sadly missing from software development in general.

In my opinion, this process should be a best practice for software development, fully integrated. Furthermore, as a best practice it would satisfy the three principles of information security: Confidentiality, Integrity and Availability. I could define these for you, but it would take up a few more columns.

As for being liable or not, any class action suit can tackle the problem, but with a giant like M$, who probably has a few law firms on retainer by now, what good would come from that? As for legislation, although it's a possibility, it might hurt the smaller software development firms and would probably take at least three years to push through and another three years to mature.

Solution: a global organization with a global mandate. Before software designed for use over the Internet gets used over the Internet, it should pass a validation process governed by industry, not dominated by one company but by a committee representing a cross section of the Internet community itself.
Perhaps the UN of Internet Users (UNIU).

Regards,
Mark.

----- Original Message -----
From: "InfoSec News" <isnat_private>
To: <isnat_private>
Sent: Monday, September 15, 2003 4:35 AM
Subject: [ISN] Should Microsoft be Liable for Bugs?

> Forwarded from: "Kirstan Beeson" <kbeesonat_private>
>
> http://seattlepi.nwsource.com/business/139286_msftliability12.html
>
> By TODD BISHOP
> SEATTLE POST-INTELLIGENCER REPORTER
> September 12, 2003
>
> A defect is found in one of the world's most popular products. Less
> than a month later, its consequences emerge -- idling workers around
> the globe, causing huge losses for businesses and generally
> inconveniencing hundreds of thousands of people.
>
> Under different circumstances, this scenario might be a class-action
> lawyer's dream. But the product in question is software, and the
> companies that make it claim special protections from liability
> through the licensing deals that come as a condition of using their
> programs.
>
> Those protections help shield Microsoft Corp. and other software
> companies from paying what could conceivably amount to billions of
> dollars in damages. But they're coming under increased scrutiny amid a
> rising tide of computer viruses, many of which exploit known flaws in
> popular Microsoft programs.
>
> Consumer advocates and some computer users argue that the protections
> should be ended or diminished to let businesses and people try to hold
> software makers at least partially liable for the effects of product
> flaws. Doing so, they say, would make companies such as Microsoft more
> accountable, resulting in programs with fewer defects.

[...]

-
ISN is currently hosted by Attrition.org
This archive was generated by hypermail 2b30 : Thu Sep 18 2003 - 01:18:35 PDT