At 10:31 AM 10/17/96, ericw @
>> Michael S. Fischer allegedly said:
>> > I hate to be so supercilious, but anyone who cares so little about the
>> > strength of a security-related product that he/she forgets about the
>> > implications of peer source code review probably shouldn't be in charge
>> > of purchasing such software.
>> I hate to be supercilious, but anyone who cares so little about the
>> safety of their family that doesn't personally inspect the blueprints,
>> design documents, and construction facility for any automobile they
>> purchase shouldn't be allowed to reproduce.
>> One would be stupid to buy a car from a manufacturer that doesn't make
>> all this public.
>> One is, of course, free to hold any mindlessly idealistic opinion one
>> may choose.
>Hmm, if I buy a car and it blows up on me because of a design fault,
>you KNOW I (or my survivors) will sue the $@#% out of the car company,
>and most likely win. The car companies know this, so they design
>their cars to be very safe.
>If I buy a firewall, and it blows up on me (ie, it has a glaring
>error that allows a hacker to get into my site and wipe all my
>disks) then I would also sue the #@$% out of the vendor. The
>big difference here though is that I would probably lose, even though
>the disks were wiped because the product I purchased was defective.
>People design products to the point where they won't lose a lawsuit
>(among other criteria). If I can't win a lawsuit against a dangerously
>defective product, then you know I want source code.
Well...maybe it's different now, but back in the dark ages in order for
developers to become rich they had to design and build products that
offered a better result. If the design goals were to avoid lawsuits then
all companies, particularly those in the security business, would be run by
lawyers, every product would cost $40 million to bring to
market...and someone will sue anyway.
Second, the implication that having source code would somehow indemnify one
from loss or damage by virtue of a preferred position in court may be
betraying the mentality of those who feel that it is the responsibility of
"the product" to ensure the security of the enterprise. That way we can
just blame it and the company that built it, when there is a failure.
Third, if I were the CEO of the company that got hacked, because we
installed a swiss-cheese firewall, I would really be interested in knowing
how in the hell my highly skilled and compensated IT staff came upon the
decision to allow "a dangerously defective product" to enter the
organization and create such a mess. We live in an age where it's a lot
easier to beat up on some product manufacturer than it is to face the fact
that some organizations and their staffs are just not up to the task of dealing
with the fundamental responsibilities inherent in their jobs...risk
If anyone is having that kind of a crisis in confidence about ANY product,
let alone a commercially developed security device, then for god's sake
don't buy the product, go hack up your own, or pull the damn ethernet cable
out of the wall. But to those who would suggest that life on the electronic
road will be safe and secure again if only the product developers would
pull down their pants, I suggest that they might want to seek out an
occupation where the issues are a bit less of a challenge.
uh...more tea anyone?
Cypress Systems Corporation
(757) 425-4195 Voice
(757) 425-4196 FAX
(757) 422-0888 STU-III