[Sussex] User vs Vendor Liability

Geoff Teale tealeg at member.fsf.org
Mon Aug 25 10:05:01 UTC 2003


Two things:

1. 
Yes, this is very interesting.  One criticism often levelled at Linux is
that it doesn't do things "out-of-the-box" like Windows.  As this
Washington Post article points out, security is something that Windows
doesn't do out of the box.  I'd contend that the reason for this is
because they want everything else to work "out-of-the-box".

The real problem is Microsoft sell their software on the "Ease of use"
dream.  Worse still, they extend that idea to database servers, mail
servers and the like.  Now you may argue that for home users things need
to be this easy; I'm inclined to agree, but I wouldn't go to the extent
of having users auto-login with root privileges by default.

For servers though this is criminal - IT departments love things like
SQL Server and Windows Networking because it's easy to get them up and
running - what a lot of them don't take account of is that it isn't easy
to get any of these things correct (i.e., secure, stable, and fast).
Don't even get me started on the fact that a lot of Microsoft security
advisories require sys-admins to hack the registry (and whoops, here we
are doing something less user friendly than a trip with vi to /etc land!)

So in that respect what is wrong here is not that Microsoft have bad
technology - it's that they're ruled by the profit motive; they sell
people what they _think_ they want, not what they actually need.
Somewhere along the line they worked out that it's easier to sell a
sugary placebo than a foul-tasting medicine, and the poor suckers on the
street fell for it.

Now before we let Linux off the hook I'd say that its track record
isn't perfect, and you really need to know your distro to be sure it's
secure.  If we're looking for a secure default install, I'd want to
build my technology on top of OpenBSD - one remote hole in 6 years in
the default install and kernel-level protection against buffer overflow
attacks.

2.
You mention EULAs excusing large proprietary vendors from liability.
The GPL (for instance) puts all liability with the user.  I'm willing to
accept this in a business sense because it's basically the same as
proprietary vendors, and usually I'm getting a lot more in terms of
rights for a lot less in terms of money.  If proprietary vendors did
offer to take responsibility for failures in their software (and I know
one vendor who does - QNX) then CTOs would have a lot more trouble
making the move to open source.

Turns out that Microsoft know this and are now offering legal protection
to any[1] customer who is sued as a result of using Microsoft software.
This of course is a double-edged sword; they are saying "OK, we've got
problems, but we'll rub it better if you get burned".

[1] When I say 'any' (Microsoft's word not mine) what I actually mean is
any government or large organisation who was considering switching to
Linux.

-- 
GJT
tealeg at member.fsf.org
gteale at cmedltd.com
