Re: [WEB SECURITY] comparing information security to other industries

[Nick FitzGerald <nick () virus-l demon co uk>]

Jason Muskat, GCFA, GCUX, de VE3TSJ wrote:

> People, programmers, computers, software, design patterns, systems, and
> infrastructure are constantly changing, often being reinvented. As such,
> will never be stable.
>
> Concrete of a type is always the same and therefore predictable. One can
> state with certainly that a concrete slab will perform to design. This will
> ever be possible in IT.
>
> Many commercially produced software products don¹t have any warranty. Many
> even state that the software is not warranted for any function or purpose.

That's _because_ software makers argued long and hard for a special 
exemption from most standard producer liability regulations and laws, 
and in many cases also for protection from consumer protection laws.

They made this argument mainly along the lines you opened your comments 
with -- "everything is so complex and forever changing that if we had 
to do proper design, specification and testing we'd never produce 
anything and meeting those normal legal requirements would make 
everything ever so much less innovative and slower and only the very 
largest companies could ever afford to even think about writing 
software".

This -- particularly the "cost will bury us" part -- is _still_ the 
main argument the OSS folk make against any and all suggestions that 
software liability rules should be tightened up.

Thus, as NOT providing such guarantees is legally sanctioned, you 
cannot really use it as an argument supporting the "any old slop we put 
on the disk will do" approach we have sufferred from for far too long.

> ... The fact that the software does something that one thinks it should do
> is incidental. 

Yep.

Given you seem so strongly in favour of the current "couldn't really 
give a shit" view of software "quality", you'll be rushing to sign my 
petition requiriung all university and other educational courses in 
"computer science" to change their names to "computer art & craft" or 
"computer guesswork" or something similarly accurately describing their 
professional endorsement of hit-and-miss, slop it all in a bucket then 
pour it through a compiler we especially dumbed down to not give a rats 
arse about quality approach, and for "software engineering" courses to 
similarly remove their abuse use of the term "engineering"...


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/