Do you have a question? Post it now! No Registration Necessary. Now with pictures!
- Posted on
- Bad System Architecture, Accountability
June 14, 2005, 12:14 pm
rate this thread
If you can class action sue a tobacco company for the results of
smoking cigerettes, why has there been no class action suite against
software companies for all the haneous system architecture that has
gone into network applications?
I mean if Identity theft is truly such a big deal, and so much of it is
going on because a out-of-the-box installed operating systems runs a
dozen different network servers none of which were code-audited for
security, then it would seem reasonable that a lawyer might be inclined
to organize all this into a billion dollar lawsuit.
It seems to me that A certain software vendor is continuing to do
everything they can to blur client server architecture and thereby any
decernable boundary between -yours- and -mine-. I am guessing this is
to make make infosec an OS feature and not the domain of network
traffic shaping or statefull inspection. Anybody else notice this
Re: Bad System Architecture, Accountability
:smoking cigerettes, why has there been no class action suite against
:software companies for all the haneous system architecture that has
:gone into network applications?
That question has been asked a number of times by a number of
different people; there hasn't really been a definitive answer.
Another way of phrasing the matter is, "Why isn't software like
engineering, with manufacturers being held liable for faults?",
and "Why can't software be made as robust 'parts' that can be
selected from and put together, like the way machines are built?".
One of the several fora in which these discussions have taken
place is RISKS-DIGEST, which has the newsgroup instantiation
comp.risks . I suggest, for example, that you examine the
'Component Architecture' thread in Risks 23.73 and the followups
in Risks 23.74,
There were a number of very interesting replies. Amongst them,
a point made by Ray Blaak is the one that struck me as being
most realistic: that it would cost too much.
Studies show that the average reader ignores 106% of all statistics
they see in .signatures.
Re: Bad System Architecture, Accountability
Thanks for the refs,
I read the whole thread. The argument seems to be that software
companies essentially deny liability on the basis of being dependent on
other peoples work.
I have to question whether this point is applicable though. Prior work
does not prevent current empirical testing. I mean boeing can't put a
bird in the air without testing it first, and they must have hundreds
of subcontracters who would qualify as "somebody else built it". But
they test because they know it's their ass if the plane fails.
The current state of affairs in commercial software seem to indicate
that the vendors have assumed the consumer is too dumb to figure out
who is responsible, and that judges are too dumb to make them pay for
I would bet against that assumption.
I'm sure network security testing is expensive, but redisigning the
Pinto was probably pretty expensive too. Of course you couldn't prove
that by the folks who got burned up in them.
released without adequate testing, just that it is. If a rivet fails
and a ship sinks, the riveter is fired, the shipbuilder is sued. Deep
pockets and plausible liability are all that is really needed.
I think a hell of case could be made just from publically available
Judge: "You mean you experienced HOW MANY root level exploits in your
core products between 2000 and 2004?".
Judge: "You just released a new version of the same products that got
exploited HOW MANY DAYS after their release?"
Vendor: "four or five"
Judge: "HOW MANY people were effected?".
Vendor: "50 to 100... thousand".
Judge: "And you don't feel at all responsible for the mass increase in
infosec related crimes that have occured in the last few years?"
Vendor: "Well you see, it's not an application, it's an operating
system. We can't remove it, and so we're not responsible for what
Judge: "WTF does that have to do with anything?"
Vendor: "I don't know, but it worked the last time, so I figured I'd
give it a shot."
The current state of affairs just seems bizarre. It is like everybody
is just asleep. What other industry could you seld matches to children
and get away with it?
_designed_ to be exploited. Forget the code, the default configuration
of the applications out_of_the_box is configured to permit snooping,
without actually breaking any protocols or overrunning any typed
variables in memory. And nobody seems to notice, or even care. WTF?