Security Basics mailing list archives
Re: Security and EOL issues (was RE: WMF Exploit Patch released)
From: "Jeffrey F. Bloss" <jbloss () tampabay rr com>
Date: Thu, 12 Jan 2006 20:16:31 -0500
On Tuesday 10 January 2006 02:41 pm, Steveb () tshore com wrote:
> Hi all, I must weigh in on this with an analogy. Asking software companies to offer free patches to software whose core technologies are considered out of date by the mainstream industry is like asking Ford Motor Company to offer free airbag installations in all 1920 vintage automobiles.
Not really, for a couple of reasons. If a flaw exists in a piece of software, a "core" technology must exist too. 1920 era vehicles lack the modern electrical systems and physical features that allow air bag installation without extensive modification to the automobile itself. A software patch or bug fix, by definition, is something that only modifies an existing "part". Your analogy would be more like expecting Microsoft to upgrade Notepad so that it was identical to Word.

Installing air bags requires that the automobile manufacturer design, test, and produce the upgrade. As does a software patch. But in the automobile scenario no typical end user is going to be able to order the parts and perform the work themselves. Unlike software patches. There's an entire "implementation" phase of fixing automobiles that simply does not exist in the world of software. In fact, as we just saw first hand, the fix can be manufactured, packaged, and implemented at little or no cost at all. Even by third parties. ;)
> The rest of the capitalist world protects themselves from such expectations in the form of limited time warranties. Why should the software world be any different?
This too is a flawed analogy. We're not talking about adding features or functionality, or fixing something that wears out through normal use. We're talking about fixing flaws and errors.

The capitalist world most definitely does find itself liable for problems in products that are no longer supported. A glaring example would be asbestos. If a significant number of people still drove 1920's era vehicles, and a major design miscalculation like wheels falling off due to the usage of superballs instead of ball bearings were discovered, it's a pretty safe bet Ford would be "patching" a significant number of their 1920's era automobiles.

Yes, it's a silly example, but the point is that product vendors are accountable for their mistakes long after their advertised warranties expire. If a flaw that impacts the end user's "safety" is discovered, a manufacturer is almost always held accountable and required to make things right.

Why should the software world be any different? :)

-- 
Hand crafted on January 12, 2006 at 19:35:31 -0500

Outside of a dog, a book is a man's best friend.
Inside of a dog, it's too dark to read.
-Groucho Marx