
| Subject: | Re: Software liability |
|---|---|
| Date: | Thu, 17 Nov 2005 15:31:46 -0500 |
Andrew,

In regards to how much spam you receive, it may be worthwhile to check out www.bluesecurity.com. It is different from any other anti-spam measure that I've seen in that it is proactive. Blue Security keeps track of how many spams its customers receive from a particular company, then sends complaints for every single spam email that each of its customers receives until the spammer stops sending the emails. Thousands of complaints an hour convince the companies that it is too *expensive* to send out spam emails.

Check it out.

-Joseph

On Thursday 17 November 2005 6:56 am, Andrew van der Stock wrote:
On an average day, I get about 20-30 spams to webappsec, which of course I reject. Today, I received about 80, including many which managed to get around Mail.app's usually excellent spam filtering. Typically, I only see such massive spikes in spam when a new piece of malware is out there.

I can't say for sure that the Sony DRM rootkits caused this immense jump, but it has to be related; I know of no other major exploit out there which is as easy to exploit as the root kit, and the subsequent vulnerable removal ActiveX script which is even easier to exploit.

I'm not going to get into an anti-Sony bash here (although they richly deserve their rewards for their inexplicable hostile activities against paying customers - pirates and copyright infringers will never see the root kit and thus not need to terminate it with extreme prejudice. Way to go Sony.)

Instead, I'd like to discuss the issue of damages when you just shove software out the door. With any other consumer good, most countries have reasonable trade practices laws which require the goods to be merchantable and fit for purpose, which includes "safe". Imagine if baby clothes and cot manufacturers could "license" flammable and dangerous goods which decry all liability in case your first born is burnt to a cinder at the first sign of a hot day?

My personal view is that companies cannot simply pump vulnerable software out there without any possibility of recovering damages (as per EULA fairy tale land). I think that there has to be a reasonable effort taken at securing software prior to its release, and if not, damages and liability have to be assumed. Even for open source software, otherwise vendors have an out.

What do you think? What should constitute "reasonable efforts"? If you stick a big engine in your car, you need an engineer's report and the engineer has to be an actual engineer. Is the world hostage to our field being a nascent industry with nascent tools and standards?

thanks,
Andrew