[Dailydave] The monetization of information insecurity

Dominique Brezinski dominique.brezinski at gmail.com
Wed Sep 10 15:37:42 EDT 2014


Michal, I think you give fantastic counter-points with regard to liability
and doing everything possible to prevent incidents. My gut tells me it is
foolish to rely on third parties for your own security, and that extends to
software you purchase and run. To extend stupid physical world analogies,
think of a modern warrior -- though firearms are relatively simple
mechanical devices, even the best engineered ones fail, and any good
operator does not solely rely on just a firearm for their defense. Gear
fails. Software is gear. Good defense requires good gear, good planning,
good training, and good execution. The latter three anticipate gear
failures. The quality and maturity of planning, training and execution are
what sets apart good defenders from the rest -- not the gear. Yes, spend
your money wisely on the gear that serves your needs, but you can't expect
that it won't fail.

Liability law and insurance just push the impact of failure around, but
someone always pays for it, and that is almost always the consumer.

Dom


On Wed, Sep 10, 2014 at 8:10 AM, Michal Zalewski <lcamtuf at coredump.cx>
wrote:

> > You want to know what would work? Holding software producers legally
> > liable for their software bugs, because only if they have consequences
> > for their actions will they ever start taking things seriously!
>
> It's a fairly persistent argument, but there is also a range of
> counterpoints. Perhaps most importantly, liability for damages puts
> the open source community and small, emerging companies at a distinct
> disadvantage, whereas large businesses would be likely to just factor
> it in as a cost of doing business.
>
> In that context, it may be also informative to look at the credit card
> & banking industry; liability for fraudulent charges hasn't really
> pushed them toward developing particularly safe payment technologies -
> instead, the cost is just factored in and ultimately passed on to the
> customer in the form of higher payment processing fees.
>
> I abhor physical-world analogies, but if we're going down that path,
> it's also worth noting that we seldom hold people accountable for not
> doing absolutely everything within their power to stop abuse. The
> builders of your home or the designers of your car are usually not on
> the hook if somebody breaks in, even though they could have built more
> of a fortress. The company that makes your cereal is not on the hook
> if somebody poisons your food down the supply chain, even though they
> could have used tamper-resistant packaging.
>
> /mz
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunityinc.com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
>