Re: Debian Investigation Report after Server Compromises
From: Vineet Kumar (vineet_at_doorstop.net)
Date: Wed, 3 Dec 2003 13:58:11 -0800
To: firstname.lastname@example.org
* Paul Johnson (email@example.com) [031202 23:01]:
> On Tue, Dec 02, 2003 at 04:11:33PM -0500, Paul Morgan wrote:
> > There is always a conflict between security and openness. MS's approach
> > has always been not to say anything until a fix has been propagated; they
> > are often criticized for that, but I'm sure they'd be deluged in lawsuits
> > from compromised system owners if they advertised the exploit to bad guys
> > before they had a fix.
> Microsoft could easily sidestep those by pointing to their EULA: You
> agree not to sue them due to faults in their software.
Sidestepping lawsuits from a million angry customers isn't really a
"win". They are, after all, a business -- one with customers, no less.
The way to keep your customers paying for upgrades isn't to piss them
off and then hide behind your EULA; it's to keep your customers happy.
If their customers can hear about a problem only when it's been fixed,
it makes Microsoft look like the good guys: "Hey, by the way, we fixed
this problem you didn't even know about." If there's an exploit in the
wild before a fix is available, the PHBs hear it on the local news
first, which is not good. It's not about lawsuits, it's just simple
business sense -- you have to keep your customers happy.
-- http://www.doorstop.net/ -- One nation, indivisible, with equality, liberty, and justice for all.