Re: The problem is that user management doesn't demand security

[Michael Cassidy <cassidy () panix com>]

At 2:47 PM -0600 12/9/03, Stephen Galliver wrote:

> Buying from the competition is the most obvious idea, but with a market
> segment [1] in a race to the bottom (the cheapest set of the most
> features), there may not be a secure alternative.

This only works if there is a real choice.
Until recently the only choice for publishing was QuarkXpress and QPS.
There was no other product.
For OS in desktop computers its been Windows; only publishing is using MAC;
and Linux is really not ready for end users.

> Once you have chosen the best product you can, the vendor has your money.
> How then to apply pressure to squash bugs and fill holes?  The current
> model uses a mix of extortion (fix this hole or I release it to the world)
> and loss of brand value or reputation (fix this bug or everyone will know
> you don't support your customers).  Without passing judgment on the current
> model, is there another way?

This assumes that the end users knows its a bug as oppose to a mistake he made.
When you're talking about Photoshop, QuarkXpress, Word, Windows, MAC OS,
Lotus Notes and other big programs how does and end users who is only
trying to write a letter or clean up a image know wherther its him, the
program the OS or the hardware?

As for management, how many actually handle the software?
Most relie on the end user; and then how many really know enough to
distinguish between user mis-use, and software, OS and hardware bugs?

[Ed. Let's close out this thread, please -- or at least bring it back to the 
topic of _developing_ secure software.  KRvW]

------------------------------------------------------------------
                  Jazz is freedom. - T. Monk
                 http://www.panix.com/~cassidy
                      [Public key available.]