let's hear your argument that different treatment is what is being proposed
It's not argument, it's fact : software manufacturers don't accept liability for their products. The silly example you give is irrelevant - this is about what a software manufacturer can reasonably be expected to consider when designing software, and what constitutes negligence. I'll say it again - eighteen months on from MS's much fanfared security epiphany, what excuse can there be for buffer overflows in software developed since then? I don't think anyone can argue that that is at least incompetence; many argue it is negligent.
If your code isn't properly split into many small, specific tasks, then you're doing something wrong.
If you make statements like this, you obviously don't have a clue about programming anything more than little helper utilities.
Forget helper utilities; take as an example, MTAs. qmail comprises small modules dedicated to specific tasks; sendmail is a monolithic do-it-all single program. Which is more secure? The interactions and complexity you describe certainly pertain to sendmail. Meanwhile, qmail has a near-perfect security record (the cash prize for finding a bug is still unclaimed after 6 years). I would argue that the difference is due largely to the underlying approach to development - small, free-standing modules versus monolithic spaghetti code. I absolutely agree with you that it is (provably) impossible to fully know the implication of interactions in a complex system, in advance. But the approach that compartmentalises tasks into small modules significantly mitigates the scope and scale of failures compared to the monolithic approach.
I agree that this analogy, like many, is not especially useful. In mitigation - it was the submitter that started it, and that stupid flamebait OP just egged me on
I take your point that software does have qualities that make it a "special case", but I still don't think it's special enough for vendors to disclaim any and all liability, especially if we're talking about proprietary binaries. You talk about shared responsibility, but who, really, bears the costs of continuing software failures? Do the individuals and businesses that incur real costs ever see any kind of recompense? Where's the sharing?
The clincher for me is that we are a year and a half on from MS's security shakedown, during which we were assured that the software was given the most rigorous assessment with a particular emphasis on security. All work supposedly was suspended whilst everyone was trained and then spent a month reviewing their code. And yet software developed after that is still breaking. Seriously - is there any excuse whatsoever for a buffer overrun to still exist? That, to me, is approaching negligence, so I can understand why those with a litigious bent would be keen to have a go.
Software is written by error-prone humans.
Software is maliciously used by people who concoct creative ideas.
Linux may be more secure by default, but it's still a human error away from having the same type of problem hit it.
All true, but we can take your list and substitute "software" with just about any product created by people. The key is what constitutes due-diligence and what is negligence. Yes of course we get into court issues, with lawyerese over what constitutes "reasonableness" and so on, but the ultimate question is : why should software be treated differently than other products? And I have yet to see a lucid argument that it should.
If it doesn't meet the Philips spec for a CD, then it can't be called a CD. Has anyone actually seen this disc yet? I sincerely hope it doesn't carry the CD logo, since that would be a breach of the license
Pharmaceuticals are a totally different story. First, it's *far* more expensive to test and get a new drug okayed for consumer use than to write a piece of software
It's always important to remember, when pharmcos bleat about recovering their development costs, that they actually spend twice as much on marketing as they do on R & D. Using pharmcos as an example of why patents are necessary is specious at best (not that you did, but others do all the time).
In the past, ICANN has always made a song and dance about the crucial need for DNS stability, yet now, in the face of a unilateral move that causes great instability, they meekly ask Verisign to please stop. If ICANN are too spineless to act, then the Department of Commerce needs to step in. Despite the contractual complexities (see Karl Auerbach's blog), Verisign have committed a fundamental breach of trust, and the DoC should reallocate responsibility for .net and .com as soon as practically possible.
After X comes XI, not X 2.
You start doing sequels in Final Fantasy, you blow the whole thing.
More annoying for me is the "Final" in "Final Fantasy". If a sequel is made to "Final Fantasy", surely that means the first one was "Penultimate Fantasy" ?
The organization responsible for providing ISPs with the accurate identification information (possibly TruSecure Corporation, or maybe the new US-CERT) would determine the point at which fines will be imposed.
There must be a strong smell of pork wafting out of the DHS, as first Symantec and now TruSecure try to outdo each other's arslikhan.
Amit Yoran is of course, a VP at Symantec. That would be the same company whose COO, John Schwartz, recently caused a storm by calling for laws to make it a criminal offence to share information and tools online which could be used by malicious hackers and virus writers.
Am I alone in putting two and two together and becoming alarmed at the implication?
if every message to come from Yahoo was signed with yahoo's key, you could automatically deny every message from yahoo that didn't have that signature
This won't work, for the same reason that other "anti-spam" measures based on MX-lookups don't work - valid email "from" an email account doesn't necessarily come from the mail server(s) listed as the MX for that domain.
Example : I have users on the road, with email addresses of the form user1@example.com. They're dialling in to the net using an ISP that has the policy of blocking all outbound tcp connections to port 25 (to "prevent spam"). There is no way the user can send email messages via the registered MX host for the domain example.com - the ISP forces you to send email via *their own* mail system. So you get a perfectly valid email coming from the mail server for the ISP, but whose "from" address is in example.com.
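The failure mode described in this comment, as an added example that is not part of the original post: a Python sketch of a sender check keyed on the MX records of the sender's domain, run over three constructed deliveries. The host names, the MX table and the samples are all assumptions made up for illustration; nothing here does real DNS lookups or speaks SMTP. The road warrior's mail is legitimate yet fails the check exactly like the forged one.

```python
"""Added example (not from the original thread): an MX-keyed sender check
run over constructed sample deliveries, to show the false positive the
comment above describes.

All host names, the MX table and the sample deliveries are constructed for
illustration; nothing here performs real DNS lookups or talks SMTP.
"""

from dataclasses import dataclass

# Constructed stand-in for DNS: domain -> set of hosts published as its MX.
MX_TABLE = {
    "example.com": {"mx.example.com"},
    "isp.example.net": {"smtp.isp.example.net"},
}


@dataclass(frozen=True)
class Delivery:
    mail_from: str     # address in MAIL FROM / From:
    client_host: str   # SMTP client that actually connected to our MX
    legitimate: bool   # ground truth, known only because we constructed it
    note: str          # why this sample is in the set


def sender_domain(address: str) -> str:
    """Domain part of an e-mail address, lower-cased."""
    return address.rsplit("@", 1)[1].lower()


def mx_check(delivery: Delivery, mx_table=MX_TABLE) -> bool:
    """The rule under discussion: accept only if the connecting host is one
    of the MX hosts published for the sender's domain."""
    allowed = mx_table.get(sender_domain(delivery.mail_from), set())
    return delivery.client_host.lower() in allowed


# Constructed deliveries: one in-house, one from the road, one forged.
SAMPLES = [
    Delivery("user1@example.com", "mx.example.com", True,
             "sent from inside example.com, relayed by its own MX"),
    Delivery("user1@example.com", "smtp.isp.example.net", True,
             "road warrior; ISP blocks outbound 25, so mail goes via the ISP relay"),
    Delivery("user1@example.com", "dialup-42.forged.example.org", False,
             "forged sender, direct-to-MX spam"),
]


def evaluate(samples=SAMPLES, mx_table=MX_TABLE):
    """Return the notes of false positives (legitimate mail the rule rejects)
    and false negatives (forged mail it accepts)."""
    false_pos, false_neg = [], []
    for d in samples:
        accepted = mx_check(d, mx_table)
        if d.legitimate and not accepted:
            false_pos.append(d.note)
        elif accepted and not d.legitimate:
            false_neg.append(d.note)
    return {"false_positives": false_pos, "false_negatives": false_neg}


if __name__ == "__main__":
    for d in SAMPLES:
        verdict = "accept" if mx_check(d) else "reject"
        print(f"{verdict:7} {d.client_host:32} {d.note}")
    print(evaluate())
```

From the rule's point of view the second and third deliveries are indistinguishable: both arrive from a host that example.com never published as an MX, so the rule either rejects the road warrior along with the forger or lets both through. It has no information about whether the sending path was authorised by the domain, which is the gap the comment is pointing at.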
I had to explain ports and firewalls to one of our Account Services people yesterday. My analogy was a company with one main number and everyone else on extensions behind that number
When explaining IP addresses and ports, I always use an analogy with a large building. The IP address is the equivalent of the building's postal address; the port number is the "room" within the building. So for example, you can talk about "room number 25" is where email is handled, room 80 is where web services live etc. I realise that this analogy doesn't handle the distinction between different protocols (TCP, UDP etc), but I've still found it useful for networking neophytes.
An abacus! We dreamed of having an abacus. We had to stand in't lake with our hands in the air, and me dad would toggle in t' boot code, in binary, by breaking us fingers. If we were lucky!
The article submission did give the impression that Taylor said those words
Sorry, but I still don't agree. I'm looking at the sentence right in front of me : "Taylor says his goal is to change Microsoft's competitive strategy by pursuing a fact-based approach instead of continuing the previous discredit-and-undermine strategy that was characterized by calling open source and Linux software 'a cancer'...". The strategy referred to belongs to MS, not to Taylor (note the apostrophe in "Microsoft's"). I'll agree that it could have been better worded (this is Slashdot, after all), but isn't it a given that when an MS exec talks to the press about strategy, he's speaking about MS's position, not his own personal view. When Ballmer called Linux a cancer, even after the ensuing furore, not even MS tried to pretend that this was just Ballmer's view and not reflective of MS position.
As for quips : they're the main reason that many of us are here ;)
I disagree. The submission doesn't say that Taylor used the word "cancer", merely that he is going to discontinue the previous strategy "...that was characterised by..." using that word.
Or are you trying to convince me that MS's strategy since 2001 hasn't been to spread FUD? Good luck with that one...
Taylor may not have used the word "cancer", but Steve Ballmer certainly did, in an interview with the Chicago Sun-Times, June 2001. Unfortunately, I can't find the original article on the CS-T website, but a quick google for "Ballmer Linux cancer" yields more than 200 hits, of which this is a typical sample.
Ballmer said, "Linux is a cancer that attaches itself in an intellectual property sense to everything it touches."
What was that you were saying about legitimate debate and argument?
I don't believe the UK has juries like we do in the US
The UK does have juries (I think that's where the US originally got the idea). However, the Home Secretary, David Blunkett, is still trying hard to restrict the right to trial by jury
In case you hadn't noticed, few virus writers are developing malicious code.
While it's generally true that historically, most viruses have had feeble or non-existent payloads, the evidence is strong that some of the waves of infection this year have been created by spam gangs, using viral infections to install proxy software.
Is it the driver's fault for using a car that explodes when rear-ended?
I think the polite term for them is "lobbyists".
Good point. I would hope the Department of Commerce would step in and exterminate Verisign before the situation actually escalated into such a war.
And where have we heard that before? **cough*ralsky*cough**
From Cooper's page about this:
That's Pete TownsHend
You're thinking of another company that siezes to exist. Chilliware has merely ceased to exist.