Security Incidents mailing list archives
Re: Nimda esponsibility - Laying appropriatel - implied warranty of sale
From: "fosterd " <fosterd () airshow net>
Date: Fri, 28 Sep 2001 10:39:18 -0400
I see one problem as how to recompense those who have been harmed. Fred has the answer for that, as impractical as it may seem. A second problem is how to make the Internet safer. While not purchasing one vendor's products may seem a quick and easy way to enforce quality, the vendor's products are selected by each user because, flaws and all, they provide a better way to accomplish the individual's mission. To the individual user, the harm their using the product causes to others (transit point for malicious actions) and the chance that their work will be corrupted just isn't as important as ease of use and meeting their output goals. There are several ways to deal with that issue. All have different degrees of palatability. If we put our minds to it, we can generate a long list. Here are just a few ideas: 1) Increase the cost of using the products that cause harm to others. Sue the users to recover the costs of damage. Increase insurance premiums. By legislation, make the software manufacturers pay the cost of implementing necessary security fixes. By increasing the cost, the alternate products look more appealing. 2) Regulate the quality of the products sold. We don't have minimum security standards for anything. 3) Use government's purchasing and contracting power to force market change. What if the government didn't allow the offending products inside it's doors, and didn't allow the use of those products on its contracts? -- Doug ---------- Original Message ---------------------------------- From: namor () att net Date: Fri, 28 Sep 2001 12:32:14 +0000
Fred, et all, Don't bother with a class action. We have seen how effective the legal system was in spanking the monopoly to begin with. You really want to put them out of business? STOP USING THEIR PRODUCTS. How many other ways can it be said? It is not like there aren't alternatives out there. There are other OSes (free & non), other browsers, other free media players, other free office suites, etc. And in many cases they are compatible with the current MS file formats (ie: StarOffice can read and save as MS office formats). But as consultants, contractors, and vendors we are not pushing our customers to make the change. It's the same in the Anti-Virus industry, who by the way is the real culprit here. We keep using that ineffective, reactive signature-file based garbage when there are clearly better alternatives out there to offer our customers (like behavior-based solutions such as InDefense's Achilles Shield and Mail Defense products I use -- infectionless since 1999!). Time for a better solution. If you are serious about this effort, then education and proof are the keys to making it work. Build two boxes, one MS and one Linux for example. Lock them down as best you can then attack them while your customer watches. The proof is in the results. When the dust settles, which box is still operational? Which one over time has more "uptime"? Uptime = money and mission success, and THAT is where the victory will be won. Just my $0.02 RobIn my view, the responsibility for NIMDA lies clearly in Microsoft's lap and the lap of the author, but there is plenty of blame to go around. I say forget about telling the ISPs what to do - start a class action suit against Microsoft for putting this crap into the market knowing full well how it might be exploited and knowing full well that it was choosing time to market over quality. The class is all users of Microsoft IIS servers and every person who has a system that has been affected by the virus. The dmages are the total cost of all actions taken to defend against or monitor this infection, in cluding all time taken by all parties involved. Put them out of business unless and until they can act responsibly.You should read the agreement you (and everyone else) just clicks "Agree" to whenever you install a piece of software (not just MS). I am not a lawyer but as far as I can tell it means "You accept that you are paying for this product as is and we make no guarantee that it will be secure, reliable, compatible, works as advertised or will even work at all" This is standard throughout the software industry, and no other industry in the world is allowed to operate under these terms. Anyone know whether clicking that Agree button removes all your rights to legal recourse? I would've thought it would; that's why they put it in. S. :)What many people fail to understand is that there is something called an implied warranty of sale that cannot be voided, even under contracts such as these. It is typically defined in terms of 'suitability for purpose'. Thelegal issues surrounding the non-warranty for software has never been setteld - and it should - and this would be a great case to do it with. FC --This communication is confidential to the parties it is intended to serve-- Fred Cohen Fred Cohen & Associates.........tel/fax:925-454-0171 fc () all net The University of New Haven.....http://www.unhca.com/ http://all.net/ Sandia National Laboratories....tel:925-294-2087 ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Nimda esponsibility - Laying appropriatel - implied warranty of sale Fred Cohen (Sep 27)
- <Possible follow-ups>
- Re: Nimda esponsibility - Laying appropriatel - implied warranty of sale namor (Sep 28)
- Re: Nimda esponsibility - Laying appropriatel - implied warranty of sale fosterd (Sep 28)
- Re: Nimda esponsibility - Laying appropriatel - implied warranty of sale Chip Mefford (Sep 28)
- Re: Nimda esponsibility - Laying appropriatel - implied warranty of sale Jay D. Dyson (Sep 28)
- Re: Nimda esponsibility - Laying appropriatel - implied warranty of sale Chip Mefford (Sep 28)