[Full-Disclosure] RE: It takes two to tango

From: Brooke, O'neil (EXP) (o'neil.brookeat_private)
Date: Thu Aug 01 2002 - 06:54:08 PDT

    [SNIP]
    > If the client was not notified, after the vulnerability was published (not
    > the exploit), businesses affected by the security hole, could sue the
    > vendor.  The vendor may have chosen not to inform its clients of the
    > potential security problem, and thus did not do its due diligence.
    [SNIP]
    
    	I think you've hit a key point here. Think of all the product
    recalls that happen outside of the IT world. A case in point was a baby
    stroller that I purchased a few years ago. These strollers could fold up and
    trap a child if they were hit in a certain way. Once it made the news the
    manufacturer issued a fix (some plastic parts to strengthen the latch) and
    when we saw the story on the news, they also had contact information on how
    to get the pieces to fix this stroller.
    
    	It would be nice to think that this company did this out of concern
    for children, but I'm kind of cynical; I think the execs of this company
    looked closely at the potential liability they faced and compared this with
    the potential cost of producing/shipping these plastic pieces. At the end of
    the day, the potential cost of fixing the problem was less than the
    projected liability.
    
    	Unfortunately in software we have a different situation. End User
    License Agreements are so incredibly broad and seem to protect the software
    'manufacturer' from any potential liability. The end result: it's cheaper,
    easier and better for the bottom line to cover up the defect or ignore its
    existence.
    
    	But due diligence. That's an interesting point. I wonder if the
    failure to follow due diligence can be used to strip the software
    manufacturer of their blanket indemnity clauses in the End User License
    Agreement. If it can be proven that Microsoft has not followed due diligence
    (not to say they haven't, just an example) in protecting users of Outlook
    from worms, could Microsoft be held liable for the cost of cleaning up the
    next "Love Letter" worm outbreak?
    
    	Very interesting point you have made with regards to due diligence,
    I wonder if it can be used.
    
    O'Neil.
    
    This message expresses only my personal opinion and does not necessarily
    represent the official opinion of my employer.
    