SECURITY BUG IN INTERACTIVE UNIX SYSV386

uunet!bria!mike
Thu Feb 21 04:02:05 AEST 1991


In an article, mjhammel at Kepler.dell.com (Michael J. Hammel) writes:
>This is a poor analogy but...
>
>If Ford buys 1000 bolts to hold its motors in its cars and the bolts
>break do you blame Ford or the bolt manufacturer?  Remember (in this
>case), testing bolts to see if they will break under pressure is
>destructive testing, thus not every bolt could be tested, either by Ford
>or the bolt manufacturer.  

It matters not who is to _blame_.  It does matter who's _responsible_.
You bought your car from Ford.  The motor flies out of the hood because
of defective bolts.  You go to Ford, and they say "Sorry, but you'll have
to talk to ``XYZ Bolt''.  It's not our problem because _we_ didn't make
the bolts."  I personally wouldn't sit still for this, and I doubt you
would either.

Consider that I buy a flavor of UNIX from Dell, and your version has a major
bug which compromises the security of the system.  I could care less that
you originally got the code from AT&T.  You modified it, you put your name on
it, and you sold it to me for a goodly chunk of change.  It isn't going
to be AT&T's door I go banging on.  It's going to be yours.

>The point is that if the reseller of the product does not have the
>resources to retest what was delivered by the original developer then
>the reseller isn't going to do so.  Why can't the reseller expect that
>the original developer had fully tested the original product?  The
>reseller should only have to be responsible for what the reseller
>modifies (and anything that might get broke because of those
>modifications).  However, if the reseller wishes to save face, it will
>make every attempt to fix things that it didn't break anyway.  :-)

The reseller should be responsible for what is sold.  When I buy a flavor
of UNIX, I am buying a complete package, not just modifications.  (Those
who thrive on the legal aspects of this will point out that all you're
really buying is diskettes.  Fine, but a company who treats its customers
according to that criteria won't be in business very long.)

>> How about forcing them to give prior disclosure of all known bugs, _outside_
>> of the shrink wrap?  How about forcing them to provide _free_ bug-fixes on
>> a regular basis?  How do you force them?  Don't buy until they do it.  No
>> company is motivated to change unless it socks 'em in the wallet.
>> 
>
>I'm not sure about the bug lists, but I do believe some companies offer
>free bug-fixes for current customers.  Major revisions might be at cost
>for current customers.  The question is how much can you give away
>before you start losing money?  (That is, unfortunately, the reason most
>companies are in business.  *sigh*)

As a consumer, I could quite honestly care less about what your cost is
to insure a working system.  That is your problem, not mine.  If you find
that you can't turn a buck because of an inferior product, then you'll
go out of business.  That's the joy of capitalism.

Cheers,
-- 
Michael Stefanik, MGI Inc., Los Angeles| Opinions stated are not even my own.
Title of the week: Systems Engineer    | UUCP: ...!uunet!bria!mike
-------------------------------------------------------------------------------
Remember folks: If you can't flame MS-DOS, then what _can_ you flame?
