nanog mailing list archives

RE: product liability (was 'we should all be uncomfortable with the extent to which luck..')


From: Roeland Meyer <rmeyer () mhsc com>
Date: Wed, 25 Jul 2001 08:29:41 -0700




-----Original Message-----
From: William Allen Simpson [mailto:wsimpson () greendragon com]
Sent: Wednesday, July 25, 2001 7:04 AM
To: nanog () nanog org
Subject: Re: product liability (was 'we should all be uncomfortable with the extent to which luck..')



Roeland Meyer wrote:

From: William Allen Simpson [mailto:wsimpson () greendragon com]
A check in the mail would be a better incentive to administrators than "automatic" updates.

Now *there's* a thought. However, all software companies carry product
liability insurance. It's sometimes called a shrink-wrap license. You might
actually try reading it the next time you purchase and install software.

I'm not a party to the EULA.  

For the sake of argument, ISPs are the party that the SUV hit when it
rolled over after the tires exploded....

(actually, because of our proactive action and filtering, we had 
exactly zero customers that were still infected by Jul 20th.  But we 
had to spend the manpower and technical support -- that's worth 
something!)

Also, you may have noticed that shrink-wrap licenses are valid in only
two places: Washington (state) and Virginia.  This would be a Federal
class action.

Please, do not confuse "governing law" and "jurisdiction" with
applicability. With most commercial software, you don't own it. The actual
owners retain full ownership rights. That makes a huge legal difference.
BTW, MHSC shrink-wrap, and all other MHSC contracts, are under Delaware law,
with alternative jurisdiction in Colorado, and neither of the other two
jurisdictions that you mention. It has to do with where the corporate home
is. Further, lawyers make big bucks arguing "comparative negligence". None
of us gets paid well enough to do so here. FWIW, almost all commercial
software developers carry "Errors and Omissions" coverage, as a second-level
backup to the lawyers.

That said and in most jurisdictions, the driver has primary responsibility.
This is due to the fact that the driver has primary responsibility for
maintenance and application. This is the primary reason for the "fitness of
purpose" clause.

Joe Shaw wrote:

And with this latest threat of code red, Microsoft would have been covered
anyway, because a patch for this exploit existed well before CodeRed hit.
They released a patch for the indexing server on June 18, 2001, which as

Actually, although the patch was released, M$ lied, saying it was only
needed by web servers.  We have since learned that *ALL* W2K and XP
systems were vulnerable.  Fraud and misrepresentation?

Since ALL Win2K and XP packages contain IIS, where did they even mislead?

human somewhere wrote some bad code.  It happens, and continues to happen
on a daily basis.

It's long past time that humans were held accountable.

Now, there is something that I can agree with. Let's hunt down the script
kiddie and their bunk-daddy (who wrote Code Red) and start hacking off
appropriate appendages. I'll be glad to sharpen the knives.

Funny, the engine electronics in my car doesn't seem to be vulnerable
to these failures....  Maybe it's the extensive (years) of testing and
code review?

Why should I have to pay for the desire of M$ to be "first to market",
or more usually, "last to market but cheaper".

There is no other industry where such bad practices would be acceptable.
It shouldn't be in ours, either!

Have you ever done a function-point analysis, or path permutations analysis
on your average GUI program? The simplest GUI is vastly more complex than
the engine monitoring computer in your car. Just chasing all first-order
paths would take decades. Second-order paths number in the billions. We
won't go to third-order. Exhaustive testing is not even dreamable. If you
even have a QA department available, ask them. While you're at it, do you QA
your web-site?

Security requires vigilance, and there seems to be too little of it out in
the world.

Agreed.

Yes.
