On Wed, Dec 8, 2010 at 8:02 PM, JC Dill <jcdill.li...@gmail.com> wrote:
> On 08/12/10 1:38 PM, valdis.kletni...@vt.edu wrote:
>>
>> The second issue is that if you *do* establish a legal precedent that
>> software vendors are liable for faults no matter what the contract/EULA
>> says,
>
> It doesn't matter what contract an auto maker makes with someone who
> purchases the car, if the brakes fail and the car hits ME, I can sue the
> auto maker due to the defective brakes. If they design the car in a way
> that a 3rd party can easily tamper with the brakes, and then the car hits
> me, I can also sue the auto maker. They are legally required to take due
> care in how they design the car to ensure that innocent bystanders aren't
> injured or killed by a design defect. IMHO, there's no difference in the
> core responsibility that software makers should be held to, to ensure that
> their software isn't easily compromised and used to attack and injure 3rd
> parties. The EULA is a red herring, as it only applies to the purchaser
> (who agrees to the EULA when they purchase the computer or software), not to
> 3rd parties who are injured.
>
> If the software doesn't work as designed and the purchaser is unhappy,
> that's between them and the company they bought the software from. But when
> it injures a 3rd party, that's a whole different ball game. I truly don't
> understand why ISPs (who bear the brunt of the burden of the fall-out from
> the compromised software, as they fight spam and have to provide customer
> support to users who complain that the "internet is slow" etc.) haven't said
> ENOUGH.
>
> jc
If you look at the national vulnerability database listings, though, it's really not clear who you'd need to go after:

http://blogs.technet.com/b/security/archive/2008/05/15/q1-2008-client-os-vulnerability-scorecard.aspx

Granted, that was two years ago; but it sure seems that just vilifying Microsoft, satisfying though it might be, would be to ignore the breadth of the problem.

Matt