Re: Nimda esponsibility - Laying appropriatel - implied warranty of sale

From: fosterd (fosterd@airshow.net)
Date: 09/28/01


Date: Fri, 28 Sep 2001 10:39:18 -0400
Message-Id: <200109281039.AA679936592@mail.airshow.net>
From: "fosterd " <fosterd@airshow.net>
To: <fc@all.net>, <namor@att.net>
Subject: Re: Nimda esponsibility - Laying appropriatel - implied warranty of sale

I see one problem as how to recompense those who have been harmed. Fred has the answer for that, as impractical as it may seem. A second problem is how to make the Internet safer. While not purchasing one vendor's products may seem a quick and easy way to enforce quality, the vendor's products are selected by each user because, flaws and all, they provide a better way to accomplish the individual's mission. To the individual user, the harm their using the product causes to others (transit point for malicious actions) and the chance that their work will be corrupted just isn't as important as ease of use and meeting their output goals.

There are several ways to deal with that issue. All have different degrees of palatability. If we put our minds to it, we can generate a long list. Here are just a few ideas:

1) Increase the cost of using the products that cause harm to others. Sue the users to recover the costs of damage. Increase insurance premiums. By legislation, make the software manufacturers pay the cost of implementing necessary security fixes. By increasing the cost, the alternate products look more appealing.
2) Regulate the quality of the products sold. We don't have minimum security standards for anything.
3) Use government's purchasing and contracting power to force market change. What if the government didn't allow the offending products inside it's doors, and didn't allow the use of those products on its contracts?

-- Doug

---------- Original Message ----------------------------------
From: namor@att.net
Date: Fri, 28 Sep 2001 12:32:14 +0000

>Fred, et all,
> Don't bother with a class action. We have seen how
>effective the legal system was in spanking the monopoly
>to begin with. You really want to put them out of
>business? STOP USING THEIR PRODUCTS. How many other
>ways can it be said?
> It is not like there aren't alternatives out
>there. There are other OSes (free & non), other
>browsers, other free media players, other free office
>suites, etc. And in many cases they are compatible with
>the current MS file formats (ie: StarOffice can read and
>save as MS office formats). But as consultants,
>contractors, and vendors we are not pushing our
>customers to make the change.
> It's the same in the Anti-Virus industry, who by
>the way is the real culprit here. We keep using that
>ineffective, reactive signature-file based garbage when
>there are clearly better alternatives out there to offer
>our customers (like behavior-based solutions such as
>InDefense's Achilles Shield and Mail Defense products I
>use -- infectionless since 1999!). Time for a better
>solution.
> If you are serious about this effort, then
>education and proof are the keys to making it work.
>Build two boxes, one MS and one Linux for example. Lock
>them down as best you can then attack them while your
>customer watches. The proof is in the results. When
>the dust settles, which box is still operational? Which
>one over time has more "uptime"? Uptime = money and
>mission success, and THAT is where the victory will be
>won.
>
>Just my $0.02
>Rob
>> > > In my view, the responsibility for NIMDA lies clearly in Microsoft's lap
>> > > and the lap of the author, but there is plenty of blame to go around. I
>> > > say forget about telling the ISPs what to do - start a class action suit
>> > > against Microsoft for putting this crap into the market knowing full
>> > > well how it might be exploited and knowing full well that it was
>> > > choosing time to market over quality. The class is all users of
>> > > Microsoft IIS servers and every person who has a system that has been
>> > > affected by the virus. The dmages are the total cost of all actions
>> > > taken to defend against or monitor this infection, in cluding all time
>> > > taken by all parties involved. Put them out of business unless and
>> > > until they can act responsibly.
>> >
>> > You should read the agreement you (and everyone else) just clicks "Agree" to
>> > whenever you install a piece of software (not just MS). I am not a lawyer
>> > but as far as I can tell it means "You accept that you are paying for this
>> > product as is and we make no guarantee that it will be secure, reliable,
>> > compatible, works as advertised or will even work at all"
>> >
>> > This is standard throughout the software industry, and no other industry in
>> > the world is allowed to operate under these terms. Anyone know whether
>> > clicking that Agree button removes all your rights to legal recourse? I
>> > would've thought it would; that's why they put it in.
>> >
>> > S. :)
>>
>> What many people fail to understand is that there is something called an
>> implied warranty of sale that cannot be voided, even under contracts
>> such as these. It is typically defined in terms of 'suitability for
>> purpose'. Thelegal issues surrounding the non-warranty for software has
>> never been setteld - and it should - and this would be a great case to
>> do it with.
>>
>> FC
>> --This communication is confidential to the parties it is intended to serve--
>> Fred Cohen Fred Cohen & Associates.........tel/fax:925-454-0171
>> fc@all.net The University of New Haven.....http://www.unhca.com/
>> http://all.net/ Sandia National Laboratories....tel:925-294-2087
>>
>>
>> ----------------------------------------------------------------------------
>> This list is provided by the SecurityFocus ARIS analyzer service.
>> For more information on this free incident handling, management
>> and tracking system please see: http://aris.securityfocus.com
>>
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com
>
>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com



Relevant Pages

  • RE: PDL anti-spam blacklist
    ... >:> This list is provided by the SecurityFocus ARIS analyzer service. ... >:> For more information on this free incident handling, management ... >:> and tracking system please see: http://aris.securityfocus.com ...
    (Incidents)
  • RE: how often do 0-days REALLY happen?
    ... case with the Honeynet project were a "fresh" worm hit one of our ... This list is provided by the SecurityFocus ARIS analyzer service. ... For more information on this free incident handling, ... and tracking system please see: http://aris.securityfocus.com ...
    (Incidents)
  • Re: Bind 9.2.X exploit???
    ... >>> This list is provided by the SecurityFocus ARIS analyzer service. ... >>> For more information on this free incident handling, management ... >>> and tracking system please see: http://aris.securityfocus.com ...
    (Incidents)
  • RE: Ip spoof from 0.0.0.0
    ... > This list is provided by the SecurityFocus ARIS analyzer service. ... For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ...
    (Incidents)
  • Re: Possible System Compromise
    ... Sign up for SBC Yahoo! ... This list is provided by the SecurityFocus ARIS analyzer service. ... For more information on this free incident handling, ... and tracking system please see: http://aris.securityfocus.com ...
    (Incidents)