Bugtraq mailing list archives

FW: It takes two to tango (or samba for that matter)


From: "Gibby McCaleb" <gibby () tabasco net>
Date: Wed, 31 Jul 2002 12:50:35 -0700

As much as corporate liability makes sense, I doubt it will ever come to
fruition.  I think it will be near impossible to prove "negligence."  It
will be a matter of interpreting the raw code and showing that the
programmers intentionally cut corners.  That won't be an easy thing to
prove.

Chris ponders if vendor V has the "right" to sue researcher R.  Remember
that in this country, you have the right to sue anyone for anything (like
the guy suing McDonald's because he's fat
http://www.cnn.com/2002/HEALTH/diet.fitness/07/26/fast.food.lawsuit.ap/index.html ) or people who sue the tobacco companies, as if you thought lighting
something on fire and inhaling it was GOOD for you?  Jeez.  It is now vital
for everyone, especially small companies, to keep a paper trail of
everything to protect themselves to show that they exerted a reasonable
effort to contact the offending software manufacturer, although that may not
matter.  Were my company to go head to head with an HP caliber opponent,
we'd lose hands down.  We couldn't afford to win.  Legal expenses would
choke us.  Anyone remember Microsoft vs. Stacker?

There is an interesting talk on this very subject at Defcon this weekend
that I am looking forward to called "The Politics of Vulnerabilities."
Should be interesting.

I think the system works for now and hopefully it will stay that way.
Sooner or later though, one of the big boys will get an itchy legal trigger
finger and go after (and probably bury) some small security company.  The
security community will go nuts. Dogs and cats, sleeping together.  People
will yell and point fingers then they'll create a government agency that
will handle all vulnerabilities and liaise between the security guys and
the software vendors, which will suck and I'll get out of the security
business and sell Tupperware in the Caymans.

My last two cents: don't always blame the programmers.  I recall a 2 million
dollar development project I led years ago that had to be completed in 6
weeks (including QA) because the marketing dept. of the company I worked for
had already spent huge $$ on ads.  Never mind if anyone thought we could
actually complete the project in that time frame.  We had to cut a lot of
corners to pull that off and had planned on going back and fixing them after
the fact.  Of course, the marketing guys came up with all new stuff for us
to build and sell.  You get the idea.  Blame the marketing and sales folks.
They're evil.

OK. I'm off my soap box.  Hope to see you at DefCon this weekend!  Buy me a
beer...or two.  I'll be happy to rant on for days.


Gibby McCaleb

www.covertsystems.net

Covert Systems, Inc.
