Full Disclosure mailing list archives
Re: Microsoft Cries Wolf ( again )
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 04 Jul 2003 22:59:15 +1200
Peter Busser <peter () trusteddebian org> wrote:
> Well, why should vendors do that? In fact, if you look at Microsoft's profit, I would say it is rewarded for not doing this. ...
Indeed.
> ... Vendors simply supply the kind of products people want. Apparently people love insecure programs. So that is what they get.
I'm not sure that is quite correct though. At least in "the West" the customers have experienced several decades of "consumer protection" legislation, where all manner of products that might be "unreasonably dangerous" were it not for government standards, compliance testing, etc. have either not made it to market, been removed from sale for non-standards compliance, etc. Further, in the increasingly uncommon cases where various forms of egregious negligence on the part of the manufacturer of some "dangerous" product can be reasonably shown, the unfortunate customers (or their surviving relatives) often sue the pants off said incompetent companies. Faced with computer software that is necessarily several orders of magnitude more complex than any other "product" a typical consumer ever purchases (and that will only increase in that complexity) and the lack of obvious threats to life, limb and other general safety (such as are present in your typical motor car, household electrical appliances, etc.), the "typical software purchaser" is in no position to make informed decisions about software quality in general, let alone about anything as esoteric as the quality of security considerations in the software's general design and specific implementation.
Lulled further into the "computers are now a necessary consumer electronics item" lie, your typical computer (software) buyer is simply left to _assume_ that the clever people that make these things and who understand the black magic under the covers really _must_ know what they are doing and surely must have "done the right thing" (in the sense that you do not have a new car's braking system laboriously checked and documented in minute detail before deciding to buy -- you trust that the vehicle designer and all the design and product testing that followed and fine-tuned the initial design "must have been done properly" because it is done by people who understand all that technical crap _AND_ who must meet certain legal requirements). Thus, "typical computer purchasers" tend to end up buying the most popular thing, regardless of how large a crock it may be this year, and they do so "because that is what everyone buys and if everyone buys it it must be OK". That doesn't necessarily mean they love, or in any meaningful market sense "prefer", the crock that they bought or that they have a preference for the fact it was designed from the ground up with deliberately security antagonistic goals (user friendliness over everything else, neat features over everything else, network everything to everything, etc, etc). They assume, as you and I would not, that the software developer would have had to make the web browser "secure" so their credit card or Internet banking details cannot be stolen by the simple act of them reading an Email message or browsing a web page.
> The only way to change that is either vote with your dollars and euros
Well, that requires that the "victims" actually realize they have a choice and as the MS monopoly is today, that just doesn't seem very likely to happen in a very large slice of the market...
> or to take the vendor to court and demand compensation for the damages caused by badly designed or buggy software. Neither really happens, so what incentive is there for companies to change?
Well, the second doesn't happen because most "Western" countries have kowtowed to pressure to follow the US in specifically exempting software developers from the normal "sue the maker's pants off" liability that has tended to keep the other large corporates in line through history. Bereft of even the slightest threat that it just might get sued into non-existence, Microsoft (and most of the others) have _NO_ motivation whatever to do anything other than what the (largely ignorant) market seems likely to lap up. Thus, if some competitive advantage seems, for example, likely to be wrung from allowing all kinds of embedded, active content to execute from the Internet as native code on the computer of someone browsing the web, you can bet some large software developer will do it, no matter how obviously bad the likely outcome will seem to the likes of you and me...

-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html