Re: Microsot Liability for vulnerabilities

[Ranjeet Shetye <ranjeet.shetye2 () zultys com>]

Tim, let me give a simple analogy.

Let us assume that both Windows and Linux are like tyres, and exploits 
are like tyre punctures. And the PHB is replaced by the Wife.

In the case of Windows, you purchase a brand name tyre, which you put 
on your car. When a puncture happens, your wife will not nag you about 
your mistake, since you purchased a well known brand i.e. you did not 
make a mistake in the eyes of the Powers That Be. However you are not 
allowed to carry an extra tyre, because of the EULA you agreed to when 
you bought the tyres. Also, you can only get tyre replacements (read 
update/patch/fix) ONLY according to the wishes of the Windows Tyre 
company. In the meantime, until you reach a designated tyre update 
station, you have drive with a flat tyre which can/will damage your 
car. Of course, the EULA has deprived you of all rights to sue in case 
of such damages.

Linux is like a lesser-known brand used by a lot less number of people. 
This tyre is used primarily by sports-car enthusiasts, and people in 
the "know". If there is a puncture, your wife will nag you cos you 
didn't buy your tyres from a well known company. However, replacement 
Linux tyres are available *everywhere* for **FREE** and by air-drop too 
(xlation: 0day exploits are fixed in 3 hrs, GPL ensures world-wide 
availability of the fix)! Amazingly, you can carry 10 spares in your 
glove box (xlation: no worries about licencing or imaging). Moreover, 
these tyres incorporate run-flat technology so your car does not have 
to grind to a halt and you can even replace punctured Linux tyres on 
the move (xlation: no reboots are necessary). 
So, can the Linux tyre ever puncture ? Yes, it will, that's Real Life
(TM) for you. However, the Linux tyres are statistically a hack lot 
more stable and reliable, whereas the Windows tyres benefit primarily 
from the marketing big bucks.

Me. I would go with the Linux tyres.

As for your statements,
1) "All of the ***** lovers will instantly be shocked by the 
attacks...", and
2) "...fixes for the exploits as hackers run rampant through their 
systems.",
they seem more applicable to the latest Cisco and Windows exploits than 
to any recent OSS exploit. And who would have thunk that Windows ME 
would be the only secure OS from MS ? I dont know whether to laugh or 
to cry.

--
Ranjeet Shetye
Senior Software Engineer
Zultys Technologies
Ranjeet dot Shetye2 at Zultys dot com
http://www.zultys.com/
--
The views, opinions, and judgements expressed in this message are solely
those of the author. The message contents have not been reviewed or
approved by Zultys.

On 2003.07.22 11:43, "Dozal, Tim" wrote:
> This is a very old question and most people are entrenched on one side
> or the other already but for what its worth.....
>
> MS first gives you the chance to not accept its EULA so when you click
> "I Accept" you should have read that MS is no longer liable for what a
> virus or hacker is able to do to your system.
>
> This leads to the real issue, is MS code any more buggy than Linux or
> Oracle or any other major software maker.  Probably not, but the
> nature
> of MS and its massive success in the market makes them the target of
> choice.  You end up with the vast majority of hackers and virus
> writers
> targeting MS products since they have the largest market % and the
> coder
> can hence have the most impact.
>
> I'm waiting patiently for the day when Linux in some form or another
> has
> a large enough market share to become the new target.  All of the
> Linux
> lovers will instantly be shocked by the attacks found in the open
> source
> they have come to love so much.  The companies who deployed the open
> source will have to internally fund patches and fixes for the exploits
> as hackers run rampant through their systems.
>
> From a corporate perspective that paints a pretty scary and expensive
> picture.  Patches released from a single source look pretty attractive
> and the time needed to deploy a corporate wide patch becomes much less
> daunting when compared to keeping a fully staffed programming team
> only
> to deal with coding fixes and patches for your internal open source
> deployment.
>
> With MS and the other large software/hardware vendors come a massive
> support infrastructure and the piece of mind that when problems are
> discovered they will be fixed by the experts who wrote the code in the
> first place.  It's for this reason you will see very few large scale
> deployments of open source into enterprise level companies.
>
> So to end my rant: No MS is not liable and I don't believe they should
> be.  Why not hang (or better yet HIRE) the hackers and virus writers
> who
> create the destructive code, but don't blame MS for being the target
> of
> the efforts of the hacker community.
>
> Tim
>
> -----Original Message-----
> From: Ronish Mehta [mailto:sf_mail_sbm () yahoo com]
> Sent: Monday, July 21, 2003 3:19 AM
> To: security-basics () securityfocus com
> Subject: Microsot Liability for vulnerabilities
>
>
> Hi all,
> As we all know, M$ licences are very expensive (both
> one-time & recurring cost).
>
> We also know that new vulnerabilities are discovered
> regularly (we may say monthly just to be kind)
>
> These vulnerabilities are exploited by viruses and
> hackers, and these may cause damage to our computer
> systems, and may involve additional cost
>
> to protect ourselves against these threats, we have to
> apply latest patches, use uptodate antiviruses.
>
> In a large organisation deploying patches may be a
> real headache (I know because I'm in this situation ;)
> and may involve additional cost
>
> I was just wondering if Microsoft does not have a part
> of responsibility in all this? After all we are paying
> this company a fortune for OS and applications that
> contain vulnerabilities/bugs.
>
> Should we continue to pay Microsoft for its buggy
> software packages? Can we sue it for the damages that
> it can potentially cause to our company (interms of
> cost, reputation, etc)?
>
> Thanks for your views
>
> __________________________________
> Do you Yahoo!?
> SBC Yahoo! DSL - Now only $29.95 per month!
> http://sbc.yahoo.com
>
> ------------------------------------------------------------------------
> ---
> Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top
> analysts!
> The Gartner Group just put Neoteris in the top of its Magic Quadrant,
> while InStat has confirmed Neoteris as the leader in marketshare.
>
> Find out why, and see how you can get plug-n-play secure remote access
> in
> about an hour, with no client, server changes, or ongoing maintenance.
>
> Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
> ------------------------------------------------------------------------
> ----
>
>
> ---------------------------------------------------------------------------
> ----------------------------------------------------------------------------

---------------------------------------------------------------------------
----------------------------------------------------------------------------