RE: CRIME FW: @Stake pulls pin on Geer: Effect on research and publication

From: Andrew Plato (aplato@private)
Date: Sun Oct 12 2003 - 19:16:30 PDT


    > My parents would be shocked to discover that you think the 31
    > unpatched vulnerabilities in internet explorer are THEIR fault:
    >  http://xev.us/dg (google cache of PivX's list, which seems to be
    >  down at the moment.)
     
    I don't think users are responsible for the vulnerabilities; they're
    responsible for their machines. 
    
    How about an analogy: You walk into a public space with a radio that is
    softly playing music and not bothering anybody. The radio malfunctions
    and changes the station to some obnoxious music and blares it full
    volume. You just sit there and ignore the radio and the pain it is
    causing others around you. That is irresponsible behavior. The fact that
    the radio had a malfunction is incidental. It's your radio, and you have
    to be responsible for it. 
    
    Let's say you buy a Dell. And you plug it in and never patch it and do
    nothing to secure it. A worm comes out, hacks your machine, and then
    tries to hack your neighbor's machine. That is irresponsible computer
    ownership. If you are going to own a powerful piece of equipment, it is
    your responsibility to use it in a safe manner. This is true of
    chainsaws, firearms, automobiles, etc. 
    
    Now...if the product is DEFECTIVE and causes you to hurt yourself or
    others, then clearly the manufacturer needs to take care of that. But as
    many people have pointed out, virtually every single software
    manufacturer has an explicit release of liability in their EULAs.
    Microsoft is not unique in this way. Almost ALL software companies do
    this. 
    
    Hence, the logical way to resolve the "monoculture risk" is:
    
    1. Encourage responsible computer usage. 
    2. Push for changes in EULAs that do not allow software manufacturers to
    escape liability. 
    
    1. Is already being done. Home users ARE taking security seriously. This
    is why there are zillions of downloads of ZoneAlarm everyday and those
    Linksys firewalls sell like crazy. Business users are also taking
    security more seriously and purchasing third-party technologies that
    reduce the risk of intrusion/misuse. 
    
    2. Is not easy. It would require a fundamental shift in the software
    industry. I am reasonably certain that pushing software liability on
    manufacturers won't be easy. And not only Microsoft would be affected.
    Virtually ALL software licenses exclude liability. Even the open-source
    licenses limit liability. You would also see a huge spike in the cost of
    software, since manufacturers would now have to account for liability issues. 
    
    Since #2 is not likely to happen soon, the logical answer to the
    monoculture risk is to encourage people to make use of the myriad of
    third party technologies that can mitigate and eliminate risk. 
    
    ___________________________________
    Andrew Plato, CISSP
    President/Principal Consultant
    Anitian Enterprise Security 
     
    503-644-5656 Office
    503-644-8574 Fax
    503-201-0821 Mobile
    www.anitian.com
    ___________________________________ 
    