Information Security News mailing list archives

RE: Code Red is Not The Problem


From: InfoSec News <isn () c4i org>
Date: Thu, 9 Aug 2001 06:40:06 -0500 (CDT)

Forwarded by: William T. Barrett <wtb () uhaul com>

Interesting thoughts. I thought I would just comment on some of the
more salient points.  I tried to use humor to point out the
absurdities, but it probably just comes across as being an asshole.

How about making providing software, with security bugs, for
commercial use a felony or something that no disclaimer can waive
responsibility for? Maybe it should be a felony to release any
software package with any known bugs or in doing so a software
manufacturer voids any claim to hiding behind a disclaimer.

<sarcasm>

Oh, great idea.  And we know what a great job those people in
Washington do writing laws for the computer industry.  I mean, with the
widespread success of the DMCA and the so-called Child Online
Protection Act and of course the 1996 Communications Decency Act.

</sarcasm>

What about going a step further and making deploying software
with security bugs a felony, that way making system admins take
more care in the software they install.

Were you dropped on your head as a child? It's stressful enough to do
this job without the threat of going to jail for forgetting to install a
patch.  Of course there wouldn't be a patch to put on because that
would mean that a flaw exists in the first place and therefore you are
admitting guilt to the first one.

I don't care if the cost of software increases ten fold or it
takes five times as long to get it out the door, our current
industry wide practices are simply not good enough.  It is time
that was fixed.

Well, bully for you.  Personally I have a hard enough time squeezing
pennies out for the stuff we use now.  While you apparently have an
unlimited budget to work with, in the real world most companies can't
afford that.

How much would it cost Microsoft to do extensive testing of
Windows XP, prior to launch, searching for buffer overflows (for
example) in every DLL routine, etc., vs. how much it will cost the
world to clean up later as the bugs get reported?

Oh yes, the "billions" of dollars these incidents cost.  You know, I
would like to see somebody be able to explain exactly how they come up
with these numbers. I'm pretty sure it includes the terms "pulling"
and "ass".

Look at all the i's which need dotting and t's which need crossing
if you want to make a vehicle to drive on the roads, never mind
sell to others.

I have yet to hear of anyone getting killed in a computer crash.  (He
was surfing under the influence and formatted a family of six!! Right.)

Why do we accept a complete lack of such standards in the software
industry?

Probably because it is virtually impossible to check billions of lines
of complex code and find every single possible error.  But that's just
my opinion.

Unfortunately to get anything along these lines requires lobbying
politicians to get them to understand and write the correct bill.

goto <sarcasm>


-WTB



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.
