At the risk of taking this off on a tangent and/or getting kicked out of the group, but managing this sort of thing is perhaps best handled by insurance and other risk transfer/finance vehicles, like what is available from AIG and other carriers.
Take the risk off the balance sheet just like your company does with other liability.

------ Original Message ------
From: Mike Duncan
Sent: 7/22/2003 12:52:36 PM
To: Ronish Mehta
Subject: Re: Microsoft Liability for vulnerabilities

Ronish Mehta wrote:

> These vulnerabilities are exploited by viruses and
> hackers, and these may cause damage to our computer
> systems, and may involve additional cost ...
> to protect ourselves against these threats, we have to
> apply latest patches, use up-to-date antiviruses.
>

As a coder, hacker, and systems admin, I see this comment made every day, creating the impression that it is the fault of the people who are actually out there doing the work to find these vulnerabilities. True, many are out to just make a name for themselves, one way or another. But think about it, they DO NOT have to tell us about the problems they find with software/hardware (and I use that generally; not just Windows). Think about this: the amount of trouble you are going through (perceived or actual) to patch systems because someone is reporting the problems... you can almost double the amount of problems found that are NOT EVEN KNOWN to the public for various reasons (i.e. Microsoft won't release details, the author does not want everyone to know, etc.). Although I am trying to steer around the chaos vs. we-are-good-and-do-not-need-hackers-reporting-software-bugs debate, I would really appreciate it if you g[al|uy]s really thought about the other side of the story. I mean, you are at the whim of several groups here because you have made several choices early on about software/hardware (whether this be you or your company). Why would you think that we can live in a world where the human intuition and curiosity (and dare I say it: kindness) of others are stifled? Do you really think that blaming it on the hackers is going to stop all software bugs?

Even if it made it so that no bugs ever hit the media, do you think you are really safer at night (not really you but the machines that house your important infrastructure, but I bet you got that)? Would you own a house (software) in a neighborhood (Internet) where the doors had no hinges, no locks, no windows, and no security system (just wide open), just because the police told you there are no criminals out there? Would you feel right putting your valuables (company assets) in this house and leaving for the weekend on vacation? Just remember, because the hackers are telling you (or a company) about a bug does not make them a criminal, just a kind neighbor (white-hat) that is trying to tell you you have no windows or doors and something bad is going to happen (probably) if you don't build some quickly.

> In a large organisation deploying patches may be a
> real headache (I know because I'm in this situation ;)
> and may involve additional cost
>
> I was just wondering if Microsoft does not have a part
> of responsibility in all this? After all we are paying
> this company a fortune for OS and applications that
> contain vulnerabilities/bugs.
>
> Should we continue to pay Microsoft for its buggy
> software packages? Can we sue it for the damages that
> it can potentially cause to our company (in terms of
> cost, reputation, etc)?

It's like cars, you get what you pay for. Only this time you paid enough for a Mercedes and got a Dodge's worth of problems. But you still have a choice as to what brand and model you want to buy next time.