nanog mailing list archives

Re: off-topic rant Re: product liability (was: Virus Update)


From: Valdis.Kletnieks () vt edu
Date: Tue, 09 May 2000 22:12:25 -0400


On Tue, 09 May 2000 19:16:52 EDT, brad reynolds <brad () cow org> said:
> microsoft doesn't hold a gun to anyone's head, microsoft seems to provide 
> patches for their software when bugs are found.  

The problem is not that they provide or don't provide patches when
a bug is found.

The problem is that although the MIME working group *SAW* the
danger of executable attachments in 1991, a decade later, we still
have software that ignores the specific recommendations the original
MIME spec made (namely, the default setting is to allow execution).

The biggest problem is that although it can be a pain in some
assorted body parts to fix a bug in the implementation of a 
secure design, the pain of trying to patch a broken design
is worse - that's just simple Software Design 101.  The earlier
in the design cycle a problem is found, the easier it is to fix.

Case in point:  How many Java security bugs have there been? And
how many JavaScript security bugs?  Which package was designed
from the ground up to be secure and sand-box-able?

In today's Internet, there is no excuse for trying to substitute
patch-upon-patch as a valid security model instead of starting
from a known secure design. No Excuse. None. Zip.

And for the record, a federal court judge has ruled that
Microsoft *did* in fact hold a gun to somebody's head.  That's
what the entire anti-trust suit was about....

We now return you to your regularly scheduled backhoe or misconfigured
router incident....

                                Valdis Kletnieks
                                Operating Systems Analyst
                                Virginia Tech
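Added example, not part of the post above or of any mail client's code: a minimal default-deny attachment policy in the spirit of the MIME recommendation the post refers to, where no part is ever auto-executed and executables are only ever reported as needing explicit consent. The sample message, the INLINE_SAFE set and the EXECUTABLE_SUFFIXES tuple are constructed assumptions for the demonstration.

```python
from email import message_from_string
from email.message import Message

# Constructed sample message (not a real capture): text body plus two attachments.
SAMPLE_MESSAGE = """\
From: sender@example.invalid
Subject: quarterly numbers
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

See attached.
--XYZ
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="numbers.xls.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--XYZ
Content-Type: application/pdf
Content-Disposition: attachment; filename="numbers.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--XYZ--
"""

# Assumed policy tables: the only types the client renders itself, and the
# filename suffixes treated as executable whatever the declared Content-Type.
INLINE_SAFE = {"text/plain"}
EXECUTABLE_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs")

def decide(part: Message) -> str:
    """Action for one leaf part: 'display', 'save', or 'refuse-autorun'.
    The suffix is checked first so a misleading Content-Type or a double
    extension such as numbers.xls.exe cannot promote an executable to 'display'."""
    name = (part.get_filename() or "").lower()
    if name.endswith(EXECUTABLE_SUFFIXES):
        return "refuse-autorun"
    if part.get_content_type() in INLINE_SAFE:
        return "display"
    return "save"  # unknown data is offered for saving, never opened automatically

def attachment_policy(raw: str) -> list:
    """Parse a message and return (content_type, filename, action) per leaf part."""
    msg = message_from_string(raw)
    return [(p.get_content_type(), p.get_filename() or "", decide(p))
            for p in msg.walk() if not p.is_multipart()]
```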
