From: William Allen Simpson [mailto:wsimpson@greendragon.com]
Sent: Wednesday, July 25, 2001 7:04 AM
To: nanog@nanog.org
Subject: Re: product liability (was 'we should all be uncomfortable with
the extent to which luck..')

Roeland Meyer wrote:
>
> > From: William Allen Simpson [mailto:wsimpson@greendragon.com]
> > A check in the mail would be a better incentive to
> > administrators than "automatic" updates.
>
> Now *there's* a thought. However, all software companies carry product
> liability insurance. It's sometimes called a shrink-wrap license. You might
> actually try reading it the next time you purchase and install software.

I'm not a party to the EULA.
For the sake of argument, ISPs are the party that the SUV hit when it
rolled over after the tires exploded....

(Actually, because of our proactive action and filtering, we had
exactly zero customers that were still infected by Jul 20th. But we
had to spend the manpower and technical support -- that's worth
something!)

Also, you may have noticed that shrink-wrap licenses are valid in only
two places: Washington (state) and Virginia. This would be a Federal
class action.
Please, do not confuse "governing law" and "jurisdiction" with
applicability. With most commercial software, you don't own it. The actual
owners retain full ownership rights. That makes a huge legal difference.
BTW, MHSC shrink-wrap, and all other MHSC contracts, are under Delaware law,
with alternative jurisdiction in Colorado, and neither of the other two
jurisdictions that you mention. It has to do with where the corporate home
is. Further, lawyers make big bucks arguing "comparative negligence". None
of us gets paid well enough to do so here. FWIW, almost all commercial
software developers carry "Errors and Omissions" coverage, as a second-level
backup to the lawyers.
That said, in most jurisdictions the driver has primary responsibility.
This is because the driver has primary responsibility for maintenance
and application. This is the primary reason for the "fitness of purpose"
clause.
Joe Shaw wrote:
>
> And with this latest threat of code red, Microsoft would have been covered
> anyway, because a patch for this exploit existed well before CodeRed hit.
> They released a patch for the indexing server on June 18, 2001, which as

Actually, although the patch was released, M$ lied, saying it was only
needed by web servers. We have since learned that *ALL* W2K and XP
systems were vulnerable. Fraud and misrepresentation?

Since ALL Win2K and XP packages contain IIS, where did they even mislead?
> human somewhere wrote some bad code. It happens, and continues to happen
> on a daily basis.

It's long past time that humans were held accountable.

Now, there is something that I can agree with. Let's hunt down the script
kiddie and their bunk-daddy (who wrote Code Red) and start hacking off
appropriate appendages. I'll be glad to sharpen the knives.

Funny, the engine electronics in my car doesn't seem to be vulnerable
to these failures.... Maybe it's the extensive (years) of
testing and code review?

Why should I have to pay for the desire of M$ to be "first to
market", or more usually, "last to market but cheaper"?

There is no other industry where such bad practices would be
acceptable. It shouldn't be in ours, either!
Have you ever done a function-point analysis, or path permutations analysis
on your average GUI program? The simplest GUI is vastly more complex than
the engine monitoring computer in your car. Just chasing all first-order
paths would take decades. Second-order paths number in the billions. We
won't go to third-order. Exhaustive testing is not even dreamable. If you
even have a QA department available, ask them. While you're at it, do you QA
your web-site?
> Security requires vigilance, and there seems to be too little of it out in
> the world.
>

Agreed.

Yes.