
| Subject: | Re: [Full-disclosure] [WEB SECURITY] comparing information security to other industries |
|---|---|
| Date: | Fri, 22 Dec 2006 10:21:18 +1300 |
Jason Muskat, GCFA, GCUX, de VE3TSJ wrote:
> People, programmers, computers, software, design patterns, systems, and infrastructure are constantly changing, often being reinvented. As such, will never be stable. Concrete of a type is always the same and therefore predictable. One can state with certainty that a concrete slab will perform to design. This will ever be possible in IT. Many commercially produced software products don't have any warranty. Many even state that the software is not warranted for any function or purpose.

That's _because_ software makers argued long and hard for a special exemption from most standard producer liability regulations and laws, and in many cases also for protection from consumer protection laws. They made this argument mainly along the lines you opened your comments with -- "everything is so complex and forever changing that if we had to do proper design, specification and testing we'd never produce anything and meeting those normal legal requirements would make everything ever so much less innovative and slower and only the very largest companies could ever afford to even think about writing software". This -- particularly the "cost will bury us" part -- is _still_ the main argument the OSS folk make against any and all suggestions that software liability rules should be tightened up. Thus, as NOT providing such guarantees is legally sanctioned, you cannot really use it as an argument supporting the "any old slop we put on the disk will do" approach we have suffered from for far too long.

> ... The fact that the software does something that one thinks it should do is incidental.

Yep. Given you seem so strongly in favour of the current "couldn't really give a shit" view of software "quality", you'll be rushing to sign my petition requiring all university and other educational courses in "computer science" to change their names to "computer art & craft" or "computer guesswork" or something similarly accurately describing their professional endorsement of hit-and-miss, slop it all in a bucket then pour it through a compiler we especially dumbed down to not give a rat's arse about quality approach, and for "software engineering" courses to similarly remove their abuse use of the term "engineering"...

Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/