Security Incidents mailing list archives
Re: Nimda esponsibility - Laying appropriatel - implied warranty of sale
From: namor () att net
Date: Fri, 28 Sep 2001 12:32:14 +0000
Fred, et al.,
Don't bother with a class action. We have seen how
effective the legal system was in spanking the monopoly
to begin with. You really want to put them out of
business? STOP USING THEIR PRODUCTS. How many other
ways can it be said?
It is not like there aren't alternatives out
there. There are other OSes (free & non), other
browsers, other free media players, other free office
suites, etc. And in many cases they are compatible with
the current MS file formats (ie: StarOffice can read and
save as MS office formats). But as consultants,
contractors, and vendors we are not pushing our
customers to make the change.
It's the same in the Anti-Virus industry, who by
the way is the real culprit here. We keep using that
ineffective, reactive signature-file based garbage when
there are clearly better alternatives out there to offer
our customers (like behavior-based solutions such as
InDefense's Achilles Shield and Mail Defense products I
use -- infectionless since 1999!). Time for a better
solution.
If you are serious about this effort, then
education and proof are the keys to making it work.
Build two boxes, one MS and one Linux for example. Lock
them down as best you can then attack them while your
customer watches. The proof is in the results. When
the dust settles, which box is still operational? Which
one over time has more "uptime"? Uptime = money and
mission success, and THAT is where the victory will be
won.
Just my $0.02
Rob
In my view, the responsibility for NIMDA lies clearly in Microsoft's lap and the lap of the author, but there is plenty of blame to go around. I say forget about telling the ISPs what to do - start a class action suit against Microsoft for putting this crap into the market knowing full well how it might be exploited and knowing full well that it was choosing time to market over quality. The class is all users of Microsoft IIS servers and every person who has a system that has been affected by the virus. The damages are the total cost of all actions taken to defend against or monitor this infection, including all time taken by all parties involved. Put them out of business unless and until they can act responsibly.

You should read the agreement you (and everyone else) just click "Agree" to whenever you install a piece of software (not just MS). I am not a lawyer but as far as I can tell it means "You accept that you are paying for this product as is and we make no guarantee that it will be secure, reliable, compatible, works as advertised or will even work at all." This is standard throughout the software industry, and no other industry in the world is allowed to operate under these terms. Anyone know whether clicking that Agree button removes all your rights to legal recourse? I would've thought it would; that's why they put it in. S. :)

What many people fail to understand is that there is something called an implied warranty of sale that cannot be voided, even under contracts such as these. It is typically defined in terms of 'suitability for purpose'. The legal issues surrounding the non-warranty for software have never been settled - and they should be - and this would be a great case to do it with.
FC
--This communication is confidential to the parties it is intended to serve--
Fred Cohen Fred Cohen & Associates.........tel/fax:925-454-0171
fc () all net The University of New Haven.....http://www.unhca.com/
http://all.net/ Sandia National Laboratories....tel:925-294-2087
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
