Cryptogram Judges MS Security
johnfoobar writes "The latest issue of Bruce Schneier's Cryptogram has a section entitled 'Judging Microsoft' which aims to "provide a list of measurable recommendations, so that the community can judge Microsoft's sincerity."
Required reading if you use Microsoft products." Update: 02/15 18:15 GMT by M : A better link is Schneier's first essay this month, which is about Microsoft's "Trustworthy Computing" initiative.
Earth to Slashdot - that Counterpane article was discussed on Slashdot last week.
I think one major thing that will be lost in all the flaming about how MS sucks and is so unsecure is this:
They are making an effort now. I firmly believe that this is a good thing. Of course, there will be the usual rebuttals:
what took them so long
why are they caring about security now, etc.
Hey who cares why or how, just consider this a good thing that they are more involved in security now. Btw, remember the last time MS went after something with a vengeance? I do.
*shudder*
Sent from your iPad.
a friend of mine once said, "trust is a funny thing. you never really know if you can trust someone, till you find out you can't."
microsoft, right now, is in that stage. people have just started discovering that they can't trust microsoft. whether they can or not is not the issue, but the perception of trust is ruined. it will take a long period of diligence and commitment to prove themselves worthy of trust again. on the other hand, i kind of wish many other companies would make an honest attempt to regain our trust
I believe sex is highly over rated... unless it involves me
The story points back to a story previously on slashdot
mp3's are only for those with bad memories
Nobody wants to have a secure product in which you have to manually enable all the great features because of which you bought it in the first place! Secondly, no-one has time to keep up with all the security alerts. That's why an automatic patch system is absolutely necessary.
Microsoft is being realistic. The author of this article is not.
The owls are not what they seem
This was the first I'd heard of it, though I've gone to microsoft.com and asked to be put on Microsoft's mailing list for security alerts. About three hours later, the email finally arrived from Microsoft, four days late:
What Microsoft didn't mention was that, before I got its security alert, someone had posted to bugtraq this assessment of their patch:
'Trustworthy Computing' and Microsoft in the same sentence is an oxymoron.
That said it is much easier to innovate without regard to security even at a basic level, MS has been doing just this for quite some time, and it looks like it may finally be catching up to bite em in the ass.
MS has made great strides in interface usability, and some disasters, some minor security annoyance, and some bungles of a scale unseen before. Quantity, not Quality has been the MS creed for a long while, blowing the doors off their prior interface and capabilities of 3.1 to win95 was a major leap, and they ran like a thief with it.
It's easy to innovate and produce LOTS of stuff fast if security isn't a concern, unfortunately for MS that mindset became standard at MS, Bill's Memo is proof in itself,
Sig went tro...aahemmm.....fishing........
From the article :
"Originally, e-mail was text only, and e-mail viruses were impossible. Microsoft changed that by having its mail clients automatically execute commands embedded in e-mail. This paved the way for e-mail viruses, like Melissa and LoveBug, that automatically spread to people in the victims' address books. Microsoft must reverse the security damage by removing this functionality from its e-mail clients and many other of its products. "
Amen. Give me pine any day and get rid of the crappy HTML formatted e-mails with pics and crud, If I want to see that send me a link to a web page and I'll look at it if I feel like it. Don't send me huge bloated e-mails that look like shite when I read em on pine.
Couldn't have been covered last week. It was posted today.
Best Slashdot Co
he's asking Microsoft to undo most of their desktop / system integration. Isn't all that integration what the general public likes about Windows(tm)? I don't see this happening, they will just patch around or disable by default all / most of the problem areas.
This "research" is way too unrealistic. Security doesn't necessarily play along with getting an edge over competitors, which is (and will always be) a primary goal of any company. Yet the authors are so detached - they seem to want all of it short of making Microsoft open the Windows and Office source code and hand it over to Richard Stallman.
It's been pointed out to Microsoft so many times now, maybe they're just leaving security loopholes in their code so you have to pay them to upgrade? I mean, c'mon, they can't guarantee new ideas and innovations for the next version, they can't risk making one perfect! Security flaws are a marketing strategy!
The trick is, as the author points out ... how honest are they being ? Is this a dog & pony show ? or do they REALLY mean to change the way they work.
Almost all the concepts presented were ones I learned in college [I graduated a few years before windows 95 came out .. and almost all my programming experience was on a mainframe.] It was considered a basic concept of design to keep your data abstract from your code .. of course .. it wasn't as simple as clicking 'view source' back then either *grin*
As much as I love *NIX for a server environment, I have to say .. M$ is still got everyone [cept apple .. but i don't have one] beat in the 'average american' user market.
I always use the "My Mom" theory when determining if something is easy to use. My mom is almost 80 years old .. and can't program her VCR .. but if she can figure out how to use AOLIM for instance, then it's probably safe to say it's easy.
Windows passes the My Mom test .. and that would be great .. if it wasn't so easy to break. every time it breaks .. the 3rd tier tech support gurus at microsoft tell her to re-install the software. Not exactly instilling confidence that they know what the hell they are talking about.
If M$ can get actually accomplish even these seven steps, they honestly ..will become a much better product.
The real telling point would be , if they had to evolve far enough to MAKE these changes, would they grow up as a company ?
--Ne auderis delere orbem rigidum meum, non erravi pernicose!
See this story in the San Jose Mercury. Even now, Microsoft is still treating security as a public relations problem. Their response to the discovery of security holes in their products is still, in too many cases, to deny it.
is that MS is a corporation. in the business for making money. and anything that doesn't make money is a loss. for the longest time security was something behind the scenes and never a 'feature' that would generate any money. that hasn't changed. what has changed is that with more and more bad press MS has been getting for insecure software, 'security' has started to cost them money. people use MS software but rarely trust it. that's the only reason why they're interested in 'security'. for people to buy into .NET in all its different interpretations people need to be able to trust it with their personal info (passport comes to mind.) without this trust, .NET would == .NOT. notice the careful use of the word 'trustworthy computing' by mister gates -- not 'secure software' or 'bulletproof against all evildoers' but 'trustworthy computing'. what he is doing is lining up a PR campaign to promote .NET. nothing more nothing less. it has nothing to do with a secure operating system. it has to do with a 'trustworthy computing' ala .NET.
Yes, Counterpane just came out, but this article previously appeared in SecurityFocus.
Everything in the article is sound advice for security minded software and not just for Microsoft. Separation of "data" and "code". Separation of "package" and "protocol". Extra software is bad. Etc.etc.etc.etc.
The overwhelming point is that this stuff is often contrary to what MS has in mind for its future software development. If they are really serious about putting security 1st in .Net then they have to embrace the possibility they'll have to delay releasing it. How many are willing to believe MS will do this?
When it comes to business vs design decisions, MS has always gone for biz.
So which is it? Microsoft's Security, or Microsoft's Sincerity?!?
--
Gargle me blass
Hoo boy, this is a good article, but these guys are spending waaay too much time in a vacuum.
While that's nice and all, it's hard for an operating system to do operating system things from within a sandbox, and with the single exception of a guy getting a Verisign key with the name Microsoft on it (nominally a Verisign problem, not a Microsoft Problem) I haven't seen a problem lately with microsoft signed code.
The NonM$ loving folks will LOVE that soundbite, unfortunately, it's got all the likelihood of happening as having everybody shift from IIS to Apache. In any production environment, security is balanced heavily with cost of implementation. NO company with any amount of entrenched custom code is going to pitch it because a security guy says they oughta. The fact that you cannot overwrite a system DLL in XP seems to be ignored. (There's a Key library, a backup directory of DLL's and the DLL in the system folder, if any of those are mucked with, the OS reacts trying to restore a safe version of the DLL, if a safe version isn't available, it prompts for a CD.)
Granular auditing exists now! The problem with enhanced auditing is the storage requirements for that auditing. I get 'the application log is full' messages NOW, what happens when every bit written generates five bits of log? Are YOU going to have a Terabyte server to store 200 mb of data and 800 mb of granular logs?
Microsoft's been in bed for YEARS with the W3C. The protocols are generated there, and Microsoft is often the first to market to implement them. Asking them to hold off a year before using a new protocol is business suicide and not something they'll be willing to do.
"Draco dormiens nunquam titillandus."
If your application gets labeled a "public nuisance," it doesn't matter how much the users like those features. Not if they want to interoperate with others.
This may seem like a harsh judgement, but the cost of Outlook and IIS bugs is rapidly getting to the point where a lot of admins are ready to take drastic measures to protect their own networks. That's why many sites are stripping executable attachments - and the crap like that "begin" bug discussed a few weeks ago are pushing some sites to outright Outlook bans because it's proving too costly to try to work around Microsoft's ongoing indifference to security.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
"In addition to making its protocols and interfaces public, we suggest that Microsoft consider making its entire source code public. We're not advocating that Microsoft make its products open source, but if they really want to impress everyone about their newfound security religion, they will make their code available for inspection."
The whole article was easily summed up with this statement near the end.
I'm sorry, but MS releasing the code for anything just ain't gonna happen. They'll lose too much of their business.
peon out..
Software liability would be a disaster for free software, right? Okay, everyone wants Microsoft to have to pay for Nimda/CodeRed/Melissa/ILOVEYOU, but I don't suspect that the authors of Sourceforge (for example) would want to be liable for someone losing his code due to a buffer overflow. Schneier is right on many things, but he is 100% wrong on this one.
sulli
RTFJ.
One would think that wanting to put solid security into a product would not be an act of "marketing spin" or "profit", but an act of "pride". It makes me wonder if M$ has lost that important development value... Maybe that is what keeps opensource alive...the ideal of creating something truly useful and something of a high quality...
just some thoughts..
--rpr
Microsoft is going to have to say things like: "We're going to put the entire .NET initiative on hold, probably for years, while we work the security problems out."
First of all.... Microsoft said they were going to prioritize security. That doesn't necessarily mean put all new features on hold until they are 100% secure. You can make security a priority without doing the OpenBSD nothing but security route.
Analysts like Gartner have recommended that enterprises switch away from Microsoft IIS and delay installing Windows XP, both because of security concerns.
I would like to point out that the precipitating reason they changed their recommendation was due to MS's new licensing policy. Security problems are just more fuel to the fire.
MS's security policies annoy the hell out of me but let's at least hold our points to realistic ones.
-pos
The truth is more important than the facts.
-Frank Lloyd Wright
You'll get:
Of course, Microsoft won't make it too hard to have third-party software (as long as it doesn't compete with Office). You'll just have to pay a small fee for a MS-certified crypto signature. (Oops, free software can't pay the fee? Gee.)
If a thing is not diminished by being shared, it is not rightly owned if it is only owned & not shared. S. Augustine
Windows NT 4.0
It crashes less than anything else Microsoft.
Internet Explorer doesn't have install on demand turned on by default, doesn't have default searching through MSN (Shyeah! like I trust Microsoft to give me information back if I do a search that isn't skewed towards them or their affiliates) and it doesn't have MSN as the default web page or check for new frigging updates every time you run it by default. Microsoft must know exactly when certain company's employees log in and out. Useful stuff! Your average AOL graduate with a new PeeSee isn't going to turn this crap off! Hell are Joe Regular and his workmates even going to. Hell! Does IT even know that these are the defaults ?
XP is just a joke. I can't wait for somebody to get past the driver signing auto-update nonsense and auto-update everyone running XP with Sub7 or "echo y | format c: /q"
*sigh*
Ack! Vapul's Razor "caught" and redirected my Feb Crypto-Gram! This is NOT funny. I was really happy with Razor until this happened.... now what do I do?
Don't you think it's time to start communicating?
REDMOND, WA - Today in a press conference Microsoft Corp. unveiled the
latest version of its Windows operating system, Windows(R)
XPSecure(TM) "It is the easiest to use and most secure version of
Windows ever to be released," touted the former chairman Bill Gates.
At the press conference the company performed a live installation of
XPSecure(TM) to demonstrate the simplicity of installation. "Our
customers have let us know that security is a foremost concern," said
Gates. "We have listened to their concerns, and we have designed our
software to fully and securely reinstall their favorite operating
system." Windows(R) XPSecure(TM) also features a Secure Live
Update(TM) option that will automatically connect customers' computers
to the internet to download late-breaking security updates. "We
realize there is much confusion out there about which security
features are truly secure. We have taken care of that with our
customers in mind," Gates continued. Windows(R) XPSecure(TM) is
scheduled to retail at $249.99 and is expected to begin to ship to
vendors in North America as early as next week. "We highly recommend
that customers of any previous version of Microsoft(R) Windows(R)
install this version to obtain an unprecedented level of user
experience in performance and reliability."
To-do List: Receive telemarketing call during a tornado warning. Check.
Semi-off-topic?
An equally interesting article in Mr. Schneier's newsletter this month concerns Oracle's "Unbreakable" Database.
It seems Oracle put forth a good faith (albeit flawed) effort to secure Oracle9i. They enlisted the services of TCSEC, ITSEC, Common Criteria, Russian Criteria, and FIPS 140-1 to test for security holes. None of them detected a simple buffer overflow problem.
These security companies are a sham (or at least should be ashamed).
Remember... ZG9uJ3QgZm9yZ2V0IHRvIGRyaW5rIHlvdXIgb3ZhbHRpbmU=
Who cares how well she acts? It's the "endless stamina" part that has my attention....
Max
My god carries a hammer. Your god died nailed to a tree. Any questions?
MS is in a very hard position.
They've already gotten a reputation for putting security and stability last. New features, fluff always come first. Virtually everyone knows that MS lives by marketing, marketing, marketing.
Now MS realizes that Security is becoming "the issue." "It's the security stupid."
Now consider the difficulties.
MS has an enormous codebase to now fix - after the fact. Adding in security is WAY hard after the fact. Things break, testing must be redone etc. It's a whole lot easier to put in anything if it was part of the original design. Super costly and painful afterward.
MS has "integrated" all of its products. So, now they have to not only test the separate products, but also in every combination. Ouch!
From Firewalls and Internet Security (the God book of security IMHO)
- All programs are buggy
- Large programs are even buggier than their size would indicate.
- If you do not run a program, it does not matter whether or not it is buggy.
- Exposed machines should run as few programs as possible; the ones that are run should be as small as possible.
Now MS has what most would consider code bloat, and not only that integration. That's going to be an ugly task (securing the code)
MS has always fudged the truth before. Marketing before substance. So people will be very skeptical about MS's claims about anything.
MS's stance about security was always lax. Combine this with the prior point, and we have skeptical^2.
MS can't really use this as a marketing tool - or at least not until they can prove they've done something significant. This will be hampered by points 1 + 2, and continuing security lapses, when trying to secure that code and missing things.
MS can't really make money off security - again, at least not until it has serious results to show. Thus this will become a massive cost center without any revenue. Ouch^2. That will have the bean-counters breathing down the throats of the development/QA people to keep costs down. You're not producing new products, and thus revenue - salary will suffer etc.
Lastly, it will be an unglamorous job, and project. It will be hard work. You'll be unappreciated. You'll be expected to be a miracle worker, and double quick too. When you miss something, you'll get lots of heat, and few kudos (Provided this _really_ _is_ something MS is _really_ serious about - if not the heat won't be there, but that's the point.)
Thus, to summarize.
- MS has a MASSIVE task to fix - both in size and complexity.
- MS has integrated all these things together. I would bet that the mutual distrust model between different modules/products hasn't been used, adding to the difficulty/complexity.
- MS has a reputation for producing fluffy software with lots of features, but not much security - it's always an afterthought. Ship early fix bugs later.
- MS has never been known for its honesty and plain talk, thus making the credibility of its proclamation that much more doubtful.
- This strategy won't be done quick, or cheap. The task will be difficult both technically and politically.
- MS won't be able to milk this decision for extra revenue anytime soon.
- The very fact that this effort exists, tends to point out a problem in the first place.
My conclusions are these.
MS may really intend to do this. I don't really believe it, but I'll give them the benefit of the doubt. But even if they are committed, how long will they remain committed. They won't be able to show results for some time. They will certainly have failures. These will undermine the confidence of both internal staff, and the public they're "selling" it to. It will cost a massive amount. It won't generate revenue.
It's going to be really easy to just splash it out there, and crow about it. Later, when the trench warfare sets in, it's going to be tempting to forget about it. It's out of the limelight, and we can just let it go quietly into the night.
We'll see - I don't doubt that MS _could_ do it. I just don't think they will for many reasons. And there will be _so many reasons_ not to.
Cheers!
I'm not knocking the author. However, when I read this, I was literally chuckling. Why? Microsoft has, and always will, put getting the next version out in stores so they can get their money before anything else. Including security, I'd even go as far as to say ESPECIALLY security, when you think about SOAP.
If after all these years of their dancing and releasing of memos/initiatives that sound good but are never acted on, you still think this is, or WILL be, a secure environment at work... Boy, you've been had. You almost deserve what you've got coming at you.
Cheers.
-- Note: If you don't agree with me, don't bother replying. I won't read it.
I mean, I could set up a procmail rule to send the cryptogram to /. on the 15th of the month when I receive it if it would get my name in lights.....
When I worked at Lotus Development, it took weeks to get the small team I worked on to change directions. This initiative from Microsoft is the equivalent of steering the aircraft carrier in the middle of a battle at full speed.
The article tells the hard-ass truth, that it may mean halting the .NET rollout for years if "security over features" is a sincere goal.
Microsoft's products strive to be "highly visible," so they tout features the way People Magazine puts cleavage on their covers. For example, the strange advertising notion that WindowsXP users can fly, even though the multimedia features shown in those ads have been easy to obtain on Macs and Windows for, literally, years.
So, I think that this is a good article because it asks the big question: "How serious are you, Microsoft? Serious enough to stop shipping for a while?"
I mean, if anyone can take the revenue hit that would involve, it's Microsoft with its huge cash reserves. But with the continuing allegations that they use reserve cash to illegally pad their financial results (and please shareholders), I just don't know if they can stomach the fact that they might take a Wall Street beating for a while.
My Mom's windows installation has been broken for over 3 years (but not so badly that the PC is unusable). She doesn't lack the expertise to reinstall the OS; rather, she lacks the expertise to (1) systematically back up all of her documents; (2) reinstall the OS; (3) then reinstall all of the apps into the new Registry; then (4) reinstall all of her documents into the new folders.
In any OS other than Windows, only (2) is necessary.
Windows IS NOT EASY.
"Security works best when it's designed into the system from the beginning, so a lot of what they've already done is going to have to be rewritten."
This is false. XP, based on NT, has security built in. The vulnerabilities discovered so far basically seem to be in two camps:
1) Buffer overflows left in the code -- rewriting won't help these, it will likely just introduce more. They just need to be found and fixed. Microsoft is in fact going over all its code line-by-line, but I can't imagine that glassy-eyed developers spending a month doing that is actually going to find all the overflows.
2) Bad design, in particular allowing foreign code to execute. I.e. the various Outlook email viruses. These need to be removed, which is a basic change in how Microsoft thinks (security over nifty features) but again you don't need to rewrite Outlook to stop it from executing scripts by default.
Methinks Schneier might be fantasizing a bit about Microsoft *having* to do this, of saying, as he puts it, "We're going to put the entire .NET initiative on hold, probably for years, while we work the security problems out." It seems like he would like to see Microsoft fall behind in the market because they have to throw all their current code away. Plus he hates SOAP (since it sneaks past firewalls inside HTTP), which is one of the technologies .NET is based on.
Personally I think this is basically more marketing hype from Microsoft. Because they are still not going to penalize developers who write insecure code (something that was bandied about but not adopted) -- it will still be, "Oops, we did it again". So with no real connection between good code and stock options, developers at Microsoft won't change.
- adam
The lone beneficiary of software liability will be Microsoft.
Are you SURE there are zero bugs in Linux? No. Could Linus afford Microsoft's legal team for even 5 minutes? No. Could VA Software afford the malpractice insurance premiums for even one month? No.
The scenarios are endless. Bill Gates PRAYS for software liability every day.
and they do dominate the market. I'm with ya, the only thing stopping M$ from owning the world is their products have some severe problems. If they actually get up and do some credible coding, put out a good product what then will we have to BIATCH about ?
I really dislike their business practices but if they make a good product...someday they might...
errr....umm...*whooosh* *whoosh* Is this thing on ?
Probably mentioned before but this site is still up. Go to www.trustworthycomputing.com and you get redirected to a google search results listing the thousands of articles on Microsoft's history of security breaches.
Meanwhile, Microsoft has started a public marketing campaign and even plans to have .net set to secure by default but it will be an uphill battle for them. Today at the same time as secure by default came out there was another story about another vulnerability in Outlook Express
Today's vices may be tomorrow's virtues.
If Microsoft truly means what they say, and that they really are going to try to develop products and services that are "available, reliable, and secure", then this is a Good Thing. But, in order for them to achieve "Trustworthy Computing" (something that various other people already do, IMHO), it seems to me that Microsoft needs to do two things:
*) develop trustworthy products and services
*) become a trustworthy company
And that will be no easy task. I agree that security in their products is something that they need to improve, but I think becoming trustworthy will require much more than that. If I were to describe all of the things that I think Microsoft needs to do to accomplish these things, I'd be here all day. So, I'll describe only a few examples not related to security.
1) Improve the quality of their products. In my current job, I have the singular pleasure of developing applications in MS Access 2000. Unfortunately, the documentation provided with the software is poorly indexed, incomplete and (in some cases) inaccurate. For example, in one place in the documentation, it claims that the maximum number of levels of nested forms allowed is 3. Elsewhere it claims the limit is 10. Both are wrong. It's difficult to trust software when its own documentation is incorrect. This doesn't mean that their products have to be perfect. But right now, it often feels like they're not even trying.
2) Abandon the new licensing strategy, which essentially dictates when companies need to upgrade their software. Having to go through a massive upgrade because of licensing is no different than having to go through a massive upgrade because of a bug or security vulnerability. The end result is the same, and I do not consider such software to be "available" or "reliable".
3) Adopt more ethical business practices. A number of the comments posted here speculate on what Microsoft's true motives are. Given MS's history of Machiavellian business practices, it's not surprising that people don't believe Microsoft, even if they are telling the truth. And I'm one of those people. I tend to believe the adage that you can't build a straight house with crooked boards. So, if Microsoft really wants to promote trustworthy computing, then they must become a trustworthy company first.
Some folk have noted that the General Public's view of MS is much different than the average /.er, and possibly the average techie in general. However, I don't believe that this changes what MS needs to do to be trustworthy. On the other hand, if MS is only interested in looking trustworthy (rather than being trustworthy), then that's a different story.
Anyway, if MS is serious about this new directive, then good for them (and it's about time!). But I'll believe it when I see it (and maybe not even then).
</soapbox>
-- D
I think, is that Microsoft has made a promise almost impossible, or as you say, unrealistic to say the least, to fulfill. Thus, it is nothing more than another PR "flim-flam".
According to him, Windows is almost hopeless from the security viewpoint. That's what he wants to say.
FIPS 140-1 is Federal Information Processing Standard 140-1. It's a document describing how the U.S. Government requires itself to do things. Read it here You can be certified compliant, but the process is done by independent labs, not NIST (home of FIPS).
TCSEC is also not a company. TCSEC, or Trusted Computer System Evaluation Criteria, is a book. "The Orange Book", to be specific. It can be found here as well.
The original poster's point is well taken, though. Whichever companies provided the certification might consider examining their process.
I haven't read these books/standards, so feel free to ignore me.
But, before you complain about how these companies should examine their processes, consider that they might be doing exactly what is required by the standards.
Schneier was mostly complaining about buffer overflows in 9i. Before you go complaining about the security review process, check if these standards actually say "code should have no buffer overflows." If they do say that, check how they say it. No use no "known-insecure" functions? Bounds checking on all inputs? Only on user inputs? (Is there such a thing as a trusted input?)
I suspect you can pass these 5 standards completely, and still be insecure.
This is my sig. There are many like it but this one is... Oops. Frank, I've got your sig again! Where's mine?
The only reason Microsoft is focusing on security is because of the wording of the DOJ settlement. Microsoft can keep secret all OS programming API's which have to do with security. By adding extra parameters having to do with security to their currently secret API's, they can keep them private for their own use. This is why MS is focusing on security all of a sudden. Every API they want to keep exclusively for their own use will get tied in with security features. It's not like someone will be allowed to audit their code for compliance anyway. Just MS business as usual!
How odd. *smile* Given all her talk about VT-xxx terminals, pine/elm, and scads of users on each box, I would never have guessed that my friend's site was running MsDos.
-- MarkusQ
And somebody has surely mentioned it before, but doesn't the whole article sum up to "we recommend that Microsoft starts making Linux operating systems" ? ;)
Not that it would be a bad thing, of course...
Karma cannot be described by words alone.
There's a sort of implicit warranty whenever you sell something: namely, you're warranting that it's useful for a particular purpose (said purpose being one that you, the seller, reasonably believe the buyer intends). If I sell you a car and I neglect to tell you that it'll blow up spectacularly if you happen to turn the engine over before fastening your seatbelt, well, that car's not fit to drive--hence, I (the seller) am in a whole stewpot full of trouble.
When you purchase software, there's an automatic warranty involved. Namely, that the software doesn't suck. That it's not going to be an open invitation to haX0rs. That using it isn't going to expose you to enormous risk, unless the seller has first advised you of specific enormous risk and you choose to buy it anyway.
When you license software... well, that's not a sale, is it? And hence, the legal protections that you get when you buy things don't apply to you. I can count on one hand and have fingers leftover all the times I've seen shoddy software be held accountable in court.
So this push to software-liability law is more of a push to make software a sold good, not a licensed one. The theory being, if I plunk down $200 for Windows XP, it shouldn't have a UPnP back-door in it. Software-liability laws would permit affected users to sue manufacturers to recover lost damages.
However, common law says that if you pay a nickel for something and it breaks, you can't make twenty million bucks off a lawsuit over it. Twenty bucks, maybe, twenty million, no way. There is an implicit limitation on the assumption of risk, and this implicit limitation is related to the price paid.
If I pay Red Hat $50 for Red Hat Linux and there's a horrible bug that makes my Linux box an inviting target for 1337 haX0rz, then Red Hat's liability is a factor of the $50 I paid them.
If I pay you $0 for a piece of GPLed software you wrote, and there's a horrible bug, your liability is a factor of the $0 I paid you.
Err... wait. I didn't pay you. I got something for nothing--I literally received a good at no price whatsoever above the price of media. The courts would not look favorably upon me suing you for $20 million because you gave me something, for free, out of the goodness of your heart, and made it clear to me that it was a work in progress and might not work as I expect it to.
Personally I find this stuff immensely boring. There's a suspicion of a needed symbiosis here. And there is no way in heaven anyone with a brain can expect Microsoft to ever get better or want to get better. All this pussy-footing around that this guy and others do is just such a waste of time and space.
Rickster/
radsoft.net