WebApp Sec mailing list archives
Re: Software liability
From: Joseph Miller <joseph () tidetamerboatlifts com>
Date: Thu, 17 Nov 2005 15:31:46 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Andrew,

In regards to how much spam you receive, it may be worthwhile to check out www.bluesecurity.com. It is different from any other anti-spam measure that I've seen in that it is proactive. Blue Security keeps track of how many spams its customers receive from a particular company, then sends complaints for every single spam email that each of its customers receives until the spammer stops sending the emails. Thousands of complaints an hour convince the companies that it is too *expensive* to send out spam emails.

Check it out.

- -Joseph

On Thursday 17 November 2005 6:56 am, Andrew van der Stock wrote:
> On an average day, I get about 20-30 spams to webappsec, which of course I reject. Today, I received about 80, including many which managed to get around Mail.app's usually excellent spam filtering. Typically, I only see such massive spikes in spam when a new piece of malware is out there. I can't say for sure that the Sony DRM rootkits caused this immense jump, but it has to be related; I know of no other major exploit out there which is as easy to exploit as the root kit, and the subsequent vulnerable removal ActiveX script which is even easier to exploit.
>
> I'm not going to get into an anti-Sony bash here (although they richly deserve their rewards for their inexplicable hostile activities against paying customers - pirates and copyright infringers will never see the root kit and thus not need to terminate it with extreme prejudice. Way to go Sony.)
>
> Instead, I'd like to discuss the issue of damages when you just shove software out the door. With any other consumer good, most countries have reasonable trade practices laws which require the goods to be merchantable and fit for purpose, which includes "safe". Imagine if baby clothes and cot manufacturers could "license" flammable and dangerous goods which decry all liability in case your first born is burnt to a cinder at the first sign of a hot day?
>
> My personal view is that companies cannot simply pump vulnerable software out there without any possibility of recovering damages (as per EULA fairy tale land). I think that there has to be a reasonable effort taken at securing software prior to its release, and if not, damages and liability have to be assumed. Even for open source software, otherwise vendors have an out.
>
> What do you think? What should constitute "reasonable efforts"? If you stick a big engine in your car, you need an engineer's report and the engineer has to be an actual engineer. Is the world hostage to our field being a nascent industry with nascent tools and standards?
>
> thanks,
> Andrew
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDfOi0mXZROF+EADURApgEAJ9I544aoykNj0DZpYtZgc9Z27EvDwCfZ9+0
mLRd19y+aEhEgTjil8tOTTg=
=0B2M
-----END PGP SIGNATURE-----
Current thread:
- Software liability Andrew van der Stock (Nov 17)
- Re: Software liability Joseph Miller (Nov 17)
- Re: Software liability Jonathan Angliss (Nov 18)
- Re: Software liability Joseph Miller (Nov 17)