WebApp Sec mailing list archives

Re: Software liability


From: Joseph Miller <joseph () tidetamerboatlifts com>
Date: Thu, 17 Nov 2005 15:31:46 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Andrew,
In regards to how much spam you receive, it may be worthwhile to check out 
www.bluesecurity.com.  It is different from any other anti-spam measure that 
I've seen in that it is proactive.  Blue Security keeps track of how many 
spam emails its customers receive from a particular company, then sends 
complaints for every single spam email that each of its customers receives 
until the spammer stops sending the emails.  Thousands of complaints an hour 
convince the companies that it is too *expensive* to send out spam emails.  
Check it out.

- -Joseph


On Thursday 17 November 2005 6:56 am, Andrew van der Stock wrote:
On an average day, I get about 20-30 spam messages to webappsec, which of
course I reject. Today, I received about 80, including many which
managed to get around Mail.app's usually excellent spam filtering.
Typically, I only see such massive spikes in spam when a new piece of
malware is out there.

I can't say for sure that the Sony DRM rootkits caused this immense
jump, but it has to be related; I know of no other major exploit out
there which is as easy to exploit as the root kit, and the subsequent
vulnerable removal ActiveX script which is even easier to exploit.
I'm not going to get into an anti-Sony bash here (although they
richly deserve their rewards for their inexplicable hostile
activities against paying customers - pirates and copyright
infringers will never see the root kit and thus not need to terminate
it with extreme prejudice. Way to go Sony.)

Instead, I'd like to discuss the issue of damages when you just shove
software out the door. With any other consumer good, most countries
have reasonable trade practices laws which require the goods to be
merchantable and fit for purpose, which includes "safe". Imagine if
baby clothes and cot manufacturers could "license" flammable and
dangerous goods which decry all liability in case your first born is
burnt to a cinder at the first sign of a hot day?

My personal view is that companies cannot simply pump vulnerable
software out there without any possibility of recovering damages (as
per EULA fairy tale land). I think that there has to be a reasonable
effort taken at securing software prior to its release, and if not,
damages and liability have to be assumed. Even for open source
software; otherwise, vendors have an out.

What do you think? What should constitute "reasonable efforts"? If
you stick a big engine in your car, you need an engineer's report and
the engineer has to be an actual engineer. Is the world hostage to
our field being a nascent industry with nascent tools and standards?

thanks,
Andrew
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDfOi0mXZROF+EADURApgEAJ9I544aoykNj0DZpYtZgc9Z27EvDwCfZ9+0
mLRd19y+aEhEgTjil8tOTTg=
=0B2M
-----END PGP SIGNATURE-----
