Firewall Wizards mailing list archives
RE: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe)
From: "Scott, Richard" <Richard.Scott () BestBuy com>
Date: Tue, 7 Aug 2001 16:29:24 -0500
<snip> Darren Reed wrote:

How much does it cost the world to patch these problems up vs the developer to put in place proper testing to find and eliminate these problems before it goes out the door? How can we allow such a critical piece of modern life to be such a pile of rubbish?

<snip>

Seatbelts were not mandatory until the 1960's. Shoulder straps didn't come in until the 1970's, and airbags in the 1980s/90s. In the late 1970's Lee Iacocca, the CEO of General Motors, said that they would never put airbags in their cars because customers wouldn't pay for them. So, for the first 20-30 _years_ of the history of personal automobiles, it must have been _accepted_ and even taken for granted that when you ditched your car at speeds approaching 50MPH you _were_ going to eat that big bakelite steering wheel and you _were_ going to need reconstructive surgery. Bummer that reconstructive surgery hadn't been invented, yet... For some reason this was considered "acceptable." Actually, it wasn't just acceptable, it was legal. Hence we can buy cars that top out at 200mph, but there are laws to deal with people who do.

<snip>

Well, I would just like to pose that the missing item that made what Marcus mentioned relevant is the government legislation that forced "safety". This gave the car industry a legal contract or specification that it had to meet. Just like doctors or lawyers are obliged by certain legislation, I think so must computer scientists and developers of industrial software and hardware.

Take for example the simple buffer overflow: very simple, but just as deadly when exploited. If legislation was passed that said, to some effect:

"Any piece of code that is used for industrial purposes and takes as input some value that is unbounded must limit the input or make a safe calculation of additional storage medium to safely handle the data."

Now the software and hardware industry would have, as a rule, something to measure up against; it's very clear and must be implemented. Businesses wouldn't be able to rush things through to market without risking a monetary loss from prosecution. Thus, test plans would incorporate checks for use of poor functions such as strcpy et al., and developers would need to ensure themselves that they follow the law..... higher salaries go to those who can..........

I think no risk disclaimers on software only go to push the tech industry into a cheap money-making arena rather than a professional one.

Richard Scott
Information Security
Tel: (001) -952-995-5432
Fax: (001) -952-996-4830
Best Buy World Headquarters
7075 Flying Cloud Drive
Eden Prairie, MN 55344 USA

The views expressed in this email do not represent Best Buy or any of its subsidiaries.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
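The two remedies the post's proposed rule names for unbounded input (limit the input, or compute the storage the input needs) as an added C example; this is not code from the post or from the list, and the 16-byte buffer, the function names and the sample strings in the checks are my own assumptions:

```c
#include <stdlib.h>
#include <string.h>

/* Constructed example: a fixed-size destination of the kind strcpy() overruns. */
#define NAME_LEN 16

/* Remedy 1: limit the input. Copies src into dst only if it fits, including the
 * terminating NUL; otherwise writes nothing and returns -1. Never reads past
 * dst_size bytes of src, so an unterminated or oversized input cannot overrun. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n = 0;
    while (n < dst_size && src[n] != '\0')
        n++;
    if (n == dst_size)          /* no room left for the NUL terminator */
        return -1;
    memcpy(dst, src, n + 1);    /* n + 1 <= dst_size, checked above */
    return 0;
}

/* Remedy 2: size the storage from the input. Allocates strlen(src) + 1 bytes
 * and copies; the caller frees. Returns NULL if the size would wrap or
 * allocation fails. */
char *copy_alloc(const char *src)
{
    size_t n = strlen(src);
    if (n == (size_t)-1)        /* n + 1 would wrap to 0 */
        return NULL;
    char *p = malloc(n + 1);
    if (p == NULL)
        return NULL;
    memcpy(p, src, n + 1);
    return p;
}

/* Test-plan style checks: does a given input pass each policy? */
int fits_in_name(const char *src)
{
    char name[NAME_LEN];
    return copy_bounded(name, sizeof name, src) == 0;
}

int alloc_copy_matches(const char *src)
{
    char *p = copy_alloc(src);
    int ok = (p != NULL) && strcmp(p, src) == 0;
    free(p);
    return ok;
}
```

A test plan of the kind the post describes can call these checks with inputs at and past the buffer boundary, which is exactly where an unchecked strcpy() fails.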