Security Basics mailing list archives
Re: Microsot Liability for vulnerabilities
From: Ranjeet Shetye <ranjeet.shetye2 () zultys com>
Date: Wed, 23 Jul 2003 14:06:12 -0700
Tim, let me give a simple analogy. Let us assume that both Windows and Linux are like tyres, and exploits are like tyre punctures. And the PHB is replaced by the Wife.
In the case of Windows, you purchase a brand name tyre, which you put on your car. When a puncture happens, your wife will not nag you about your mistake, since you purchased a well known brand i.e. you did not make a mistake in the eyes of the Powers That Be. However you are not allowed to carry an extra tyre, because of the EULA you agreed to when you bought the tyres. Also, you can only get tyre replacements (read update/patch/fix) ONLY according to the wishes of the Windows Tyre company. In the meantime, until you reach a designated tyre update station, you have to drive with a flat tyre which can/will damage your car. Of course, the EULA has deprived you of all rights to sue in case of such damages.
Linux is like a lesser-known brand used by a lot fewer people. This tyre is used primarily by sports-car enthusiasts, and people in the "know". If there is a puncture, your wife will nag you cos you didn't buy your tyres from a well known company. However, replacement Linux tyres are available *everywhere* for **FREE** and by air-drop too (xlation: 0day exploits are fixed in 3 hrs, GPL ensures world-wide availability of the fix)! Amazingly, you can carry 10 spares in your glove box (xlation: no worries about licensing or imaging). Moreover, these tyres incorporate run-flat technology so your car does not have to grind to a halt and you can even replace punctured Linux tyres on the move (xlation: no reboots are necessary). So, can the Linux tyre ever puncture? Yes, it will, that's Real Life (TM) for you. However, the Linux tyres are statistically a hack lot more stable and reliable, whereas the Windows tyres benefit primarily from the marketing big bucks.
Me. I would go with the Linux tyres. As for your statements, 1) "All of the ***** lovers will instantly be shocked by the attacks...", and 2) "...fixes for the exploits as hackers run rampant through their systems.", they seem more applicable to the latest Cisco and Windows exploits than to any recent OSS exploit. And who would have thunk that Windows ME would be the only secure OS from MS? I don't know whether to laugh or to cry.
--
Ranjeet Shetye
Senior Software Engineer
Zultys Technologies
Ranjeet dot Shetye2 at Zultys dot com
http://www.zultys.com/
--
The views, opinions, and judgements expressed in this message are solely those of the author. The message contents have not been reviewed or approved by Zultys.

On 2003.07.22 11:43, "Dozal, Tim" wrote:
This is a very old question and most people are entrenched on one side or the other already but for what it's worth.....

MS first gives you the chance to not accept its EULA so when you click "I Accept" you should have read that MS is no longer liable for what a virus or hacker is able to do to your system. This leads to the real issue, is MS code any more buggy than Linux or Oracle or any other major software maker. Probably not, but the nature of MS and its massive success in the market makes them the target of choice. You end up with the vast majority of hackers and virus writers targeting MS products since they have the largest market % and the coder can hence have the most impact.

I'm waiting patiently for the day when Linux in some form or another has a large enough market share to become the new target. All of the Linux lovers will instantly be shocked by the attacks found in the open source they have come to love so much. The companies who deployed the open source will have to internally fund patches and fixes for the exploits as hackers run rampant through their systems. From a corporate perspective that paints a pretty scary and expensive picture. Patches released from a single source look pretty attractive and the time needed to deploy a corporate wide patch becomes much less daunting when compared to keeping a fully staffed programming team only to deal with coding fixes and patches for your internal open source deployment.

With MS and the other large software/hardware vendors come a massive support infrastructure and the peace of mind that when problems are discovered they will be fixed by the experts who wrote the code in the first place. It's for this reason you will see very few large scale deployments of open source into enterprise level companies.

So to end my rant: No, MS is not liable and I don't believe they should be.
Why not hang (or better yet HIRE) the hackers and virus writers who create the destructive code, but don't blame MS for being the target of the efforts of the hacker community.

Tim

-----Original Message-----
From: Ronish Mehta [mailto:sf_mail_sbm () yahoo com]
Sent: Monday, July 21, 2003 3:19 AM
To: security-basics () securityfocus com
Subject: Microsot Liability for vulnerabilities

Hi all,

As we all know, M$ licences are very expensive (both one-time & recurring cost). We also know that new vulnerabilities are discovered regularly (we may say monthly just to be kind). These vulnerabilities are exploited by viruses and hackers, and these may cause damage to our computer systems, and may involve additional cost to protect ourselves against these threats, we have to apply latest patches, use up-to-date antiviruses. In a large organisation deploying patches may be a real headache (I know because I'm in this situation ;) and may involve additional cost.

I was just wondering if Microsoft does not have a part of responsibility in all this? After all we are paying this company a fortune for OS and applications that contain vulnerabilities/bugs. Should we continue to pay Microsoft for its buggy software packages? Can we sue it for the damages that it can potentially cause to our company (in terms of cost, reputation, etc)?

Thanks for your views