Information Security News mailing list archives

Re: Should Microsoft be Liable for Bugs?


From: InfoSec News <isn () c4i org>
Date: Thu, 18 Sep 2003 00:31:35 -0500 (CDT)

Forwarded from: Mark Bernard <mbernard () nbnet nb ca>

Dear Associates,

This is a frustrating problem that recreates itself on a seemingly
weekly basis.

For years now the software industry has regulated itself, doing a
pretty decent job, and then along came M$. Everything has changed and
will continue to change, increasing the integration and inherent
dependencies of business systems with business processes; perhaps it's
time for our industry to evolve as well.

For example: the FDA and Health Canada "strongly encourage"
pharmaceutical companies to validate the computers and systems that
are used to develop drugs. The validation process, although designed
to 'control' the environment, is very flexible, allowing differences
in configurations so long as they are recorded and validated. The
validation process must include a formal change management
process/document management. The practice is truly ISO or Deming's
TQM, and it's sadly missing from software development in general.

In my opinion, this process should be a best practice for software
development, fully integrated. Furthermore, as a best practice it
would satisfy the three principles of information security:
Confidentiality, Integrity and Availability. I could define these for
you, but it would take up a few more columns.

As for being liable or not, any class action suit can tackle the
problem, but with a giant like M$, who probably has a few law firms on
retainer by now, what good would come from that? As for
legislation, although it's a possibility, it might hurt the smaller
software development firms and would probably take at least three
years to push through and another three years to mature.

Solution: a global organization with a global mandate. Before software
designed for use over the Internet gets used over the Internet, it
should pass a validation process governed by industry, not dominated
by one company but by a committee representing a cross section of the
Internet community itself. Perhaps the UN of Internet Users (UNIU).

Regards,
Mark.



----- Original Message ----- 
From: "InfoSec News" <isn () c4i org>
To: <isn () attrition org>
Sent: Monday, September 15, 2003 4:35 AM
Subject: [ISN] Should Microsoft be Liable for Bugs?


Forwarded from: "Kirstan Beeson" <kbeeson () telebyte net>

http://seattlepi.nwsource.com/business/139286_msftliability12.html

By TODD BISHOP
SEATTLE POST-INTELLIGENCER REPORTER
September 12, 2003

A defect is found in one of the world's most popular products. Less
than a month later, its consequences emerge -- idling workers around
the globe, causing huge losses for businesses and generally
inconveniencing hundreds of thousands of people.

Under different circumstances, this scenario might be a class-action
lawyer's dream. But the product in question is software, and the
companies that make it claim special protections from liability
through the licensing deals that come as a condition of using their
programs.

Those protections help shield Microsoft Corp. and other software
companies from paying what could conceivably amount to billions of
dollars in damages. But they're coming under increased scrutiny amid a
rising tide of computer viruses, many of which exploit known flaws in
popular Microsoft programs.

Consumer advocates and some computer users argue that the protections
should be ended or diminished to let businesses and people try to hold
software makers at least partially liable for the effects of product
flaws. Doing so, they say, would make companies such as Microsoft more
accountable, resulting in programs with fewer defects.

[...]



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.