Yeah, good idea!! I would love to sue BIND for that bug last year. Once they are out of business I can buy a Redhat 6.1 book cheap and install the RH 6.1 OS in the back of it. Once I get broken into I can then sue them! What a wonderful moneymaker this would be! After that would get Linus for kernel bugs, then the group that makes gcc as they are letting me write bad code!! I think this is whom we should go after. It is the programming language that lets us write bad code. Why aren’t they to blame? Well intention idea, but falls short of reality.

So what should we do? (lets help solve the problem not just complain.) One idea I have heard of is third party companies, licensed by government, to do software audits before release. Problem is that this would need to happen on ALL SOFTWARE to be effective. Open source/free should not exempt of the same guidelines. Just because software is free does not mean that they should be absolved of legal responsibility. If I gave someone a gun and it blew up in their face it would not matter if they paid me for it or not as they could still sue me for a defective product.

Why doesn’t M$ sue websites that were broken into after the patches were release. They are causing M$ bad press for not installing a simple patch. Could be slander for claiming that there product was insecure when it was only there setup. I like the idea of certifications, but not for the programmers… Lets make people be security certified to place any computers on a network. Most break-ins that happen are for know problems that the fix is already released for. Let hold people responsible for security.

The author has great intentions, but it is one of the ideas that sounds a lot easier then it is. Kind of like the world would be a better place if everything was free. Maybe he can tackle this question on his next article.


[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/47/9590#9590