You analogy seems a bit skewed.

Chevrolet doesn't continue to sell the 1974 vehicle.

When you buy a vehicle from a Chevrolet dealer if something is determined dangerous or unsafe, Chevrolet is expected to issue a recall and or replacement. This is due to market changes, larger competitive environment, etc.

I doubt that anyone has a problem with a software product bought in 1974 not being secure, but one that is currently being sold should be.

Microsoft doesn't have to upgrade or patch their product. They recognize that the market requires it.

I somehow doubt that the current model of deployment of software without security and responsibility will continue to work as the market becomes more of a truly competitive one and rapidly changing.

If a builder sells a strip mall, there are certain understood components. Operating systems have always had similar components and security was one of them.

Would a builder of a strip mall be held responsible to fix things like missing glass, the inability to lock the front door, etc.

Now these are visually simple to detect failures, and the consumer who chose to move in shouldn't hold the builder liable for loss in that instance.

But what if you are told you are getting a high quality locking mechanism, a solid wall in the back, and bullet proof glass in the windows.

You move in believing that you and your merchandise is safe.

Then you find that the locking mechanism is easily broken into, there is a back door with no lock, and the glass is crystal-thin.

If you are then broken into is the builder now liable for not only the correction of the failed lock, eliminating the back door, and replacing the crystal-thin glass, but also for the lost content, lost revenues, cost of temporary or permanent corrections, etc.

Analogies are interesting.

--christine

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/254/27468#27468