Security Basics mailing list archives

Re: Security and EOL issues (was RE: WMF Exploit Patch released)


From: "Jeffrey F. Bloss" <jbloss () tampabay rr com>
Date: Thu, 12 Jan 2006 20:16:31 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday 10 January 2006 02:41 pm, Steveb () tshore com wrote:
> Hi all,
>
> I must weigh in on this with an analogy.  Asking software companies to
> offer free patches to software whose core technologies are considered
> out of date by the mainstream industry is like asking Ford Motor company
> to offer free airbag installations in all 1920 vintage automobiles.

Not really, for a couple of reasons.

If a flaw exists in a piece of software a "core" technology must exist too. 
1920 era vehicles lack the modern electrical systems and physical features 
that allow air bag installation without extensive modification to the 
automobile itself. A software patch or bug fix, by definition, is something 
that only modifies an existing "part". Your analogy would be more like 
expecting Microsoft to upgrade Notepad so that it was identical to Word.

Installing air bags requires that the automobile manufacturer design, test, 
and produce the upgrade. As does a software patch. But in the automobile 
scenario no typical end user is going to be able to order the parts and 
perform the work themselves. Unlike software patches. There's an entire 
"implementation" phase of fixing automobiles that simply does not exist in 
the world of software. In fact, as we just saw first hand the fix can be 
manufactured, packaged, and implemented at little or no cost at all. Even 
by third parties. ;) 

> The rest of the capitalist world protects themselves from such
> expectations in the form of limited time warranties.  Why should the
> software world be any different?

This too is a flawed analogy. We're not talking about adding features or 
functionality, or fixing something that wears out through normal use. We're 
talking about fixing flaws and errors. The capitalist world most definitely 
does find itself liable for problems in products that are no longer supported. 
A glaring example would be asbestos.

If a significant number of people still drove 1920's era vehicles, and a major 
design miscalculation like wheels falling off due to the usage of superballs 
instead of ballbearings were discovered, it's a pretty safe bet Ford would be 
"patching" a significant number of their 1920's era automobiles.

Yes, it's a silly example, but the point is that product vendors are 
accountable for their mistakes long after their advertised warranties expire. 
If a flaw that impacts the end user's "safety" is discovered, a manufacturer 
is almost always held accountable and required to make things right.

Why should the software world be any different? :)

- -- 
Hand crafted on January 12, 2006 at 19:35:31 -0500

Outside of a dog, a book is a man's best friend.
Inside of a dog, it's too dark to read.
                                  -Groucho Marx
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDxv90RHqalLqKnCkRAhXCAJ0SjrITxOk1F9QR6hF09EJS0lshMACeMtEP
15QXrab8r5FA4cw/jR9d3rk=
=TpIK
-----END PGP SIGNATURE-----
