Written on October 8, 2005
Taken from a discussion this week between myself and a student:
Student:
The risk of having no controls or auditing going on is that you are a potential victim to virtually every kind of system attack.
This can be compared to the relatively few people who keep their doors unlocked. Even in a small town this is not a good idea. Someone will eventually break in – it is just a matter of time.
Add to this the potential security holes that frequently occur in complex systems, and you have a recipe for disaster.
This situation is definitely NOT “due care.”
Russell Mickler:
This is true. But let me ask you this. Let’s say Grannie Gertrude uses a computer to store recipes and book club information and somebody exploits a vulnerability in the o/s to steal Grannie Gertrude’s PPI (Personal Private Information).
Who is at fault: Grannie, or, the o/s OEM? At what point should we draw a line between personal responsibility and accountability for defective manufacturing?
Unfortunately, our legal system has yet to really answer this question or effectively challenge EULA disclaimers. I believe software manufacturers _should_ be held liable for defects and that if defects contribute to mass exploit – think Blaster Worm for a minute – then the losses experienced by a firm because of the OEM’s negligence should be compensated for. This, in turn, would lead crappy software manufacturers to leave the industry because of the cost of securing software prior to release, and, consumers get better quality of products. (Nobody wants to do this because of the negative effect it would have, surely, on the software industry, but still…)
As consumers, are we all _required_ to become security experts because of the defects released by a company, or, should we demand higher forms of accountability from OEMs? Who is the real victim here? I say the consumer in general, not just Grannie Gertrude (grin).
Rick G says:
Comment posted on: October 9, 2005
This raises an interesting viewpoint. In the corporate world your argument would allow a CTO or IT Manager the right to say a security weakness was the fault of the operating system manufacturer. After all, the network security positions can only address the security weaknesses they know about.