Full Disclosure mailing list archives

Re: Support the Sasser-author fund started


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 14 May 2004 12:26:27 +1200

merlyn () stonehenge com (Randal L. Schwartz) wrote:

<<snippage>>
So why is it, with Microsoft and all of their billeeeunnss of dollars,
that they wouldn't spend at least SOME MORE of that BEFORE they
release their code?  OpenBSD manages a decent security review and a
right mindset towards security on the annual amount of money that Bill
Gates makes every time he takes a dump.

This is what irks me about Microsoft.  It's irresponsible.
Continuously and apparently knowingly. Does that justify actual
malicious acts?  No.  The Sasser Worm guy deserves punishment.  But
when I spend hours and days trying to defend my paid-for bandwidth
from the incoming onslaught of Microsoft-enabled worm mail, I've got
to think that I'm due some payment for damages, both from the worm
writers, *and* from Microsoft.  If this were indeed a fair world.

The issue here though is one of liability.

And by definition, MS is not liable because of the completely 
iniquitous exception only software developers enjoy under (US) law (and 
extensively copied most everywhere, often following extensive lobbying 
from the major software developers themselves).

It's nice -- perhaps even "quaint" -- that the BSD folk (and especially 
OpenBSD) expend so much effort on perfecting the implementation of such 
lofty computer security ideals as they hold so dear, but the market 
reality is that, at least sans strong liability expectations, "flying 
pink elephants" are clearly much more desirable than security, so 
companies like MS which have put all their idealistic fervour into 
becoming disgustingly, unethically and largely illegally rich at almost 
any cost have "won" over the BSDs of the world. Further, because 
machines running MS products can just as easily as any others connect 
to the open sewer model of internetworking we have adopted, of course 
we all pay the bandwidth tax levied by the worms, viruses and so on of 
the most popular OSes and applications.

Perhaps back in 1995 we should have all been praying for MSN (remember, 
it was originally more of what you would consider an ISP service than 
what it is now) to succeed in tackling CompuServe and AOL, and "the 
Internet" could have remained "pure" of all that negative influence 
from MS products of which you complain...


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html