Computers, Privacy & the Constitution

AndreiVoinigescuFirstPaper 12 - 15 Apr 2009 - Main.EbenMoglen
Line: 1 to 1
 

Making Microsoft Pay for Windows' Shoddy Security

Line: 58 to 58
 After Microsoft patched some of the NetBIOS vulnerabilities the Conficker worm was using to spread, the worm modified its behavior to spread via USB drives. Windows sets the autorun on by default for USB drives, though users can disable it manually. Changing the default to off seems like the kind of design decision that would increase security at minimal cost. Should Microsoft be able to ignore changes like that by merely warning users about the danger of autorun?

-- AndreiVoinigescu - 14 Apr 2009

Added:
>
>
  • As a lawyer for people who make software, I'm not sure why I want compulsory warranties. As you make clear yourself, the task of security-testing and patch distribution can be a third-party service generating value and therefore compelling payment, for FOSS. Third-party warranties are worth allowing for, in a market where no vendor warrants mass-market software with respect to security. Imposing warranties on a market that uniformly shuns them is likely to have some pretty substantial side-effects, which you don't make any attempt to estimate or allow for.

  • From Microsoft's point of view, requiring publication of Windows source code would be to take the predominant part of the product's value. That's obviously excessive even in relation to the harm done, unless you have somehow decided that software unlike everything else should be sold on terms that prohibit limitation of liability for consequential economic harms, which is an eye-popping act of legal discrimination against software industries. This is about Adobe, too, after all, and--in light, for example, of the OpenSSL fiasco over at Debian--about us.

  • At the end of the day, it seems to me, you are making an antitrust complaint: MS as monopolist has produced low-quality goods, and has deprived the consumer at every turn of the opportunity to use interoperable software of higher quality that MS could find any way, fair or foul, to drive out of the market. Now you are trying to impose liability for the resulting low security of the network on MS. I'm not sure why you aren't also trying to impose the lost worktime costs, global warming costs, the landfill costs, and many other costs arising from the poor performance, instability, bloat, unnecessary hardware obsolescence and other similarly expensive and disgraceful features of monopoly software. Maybe you too over-emphasize the whole cyberwar schtick?

  • From my point of view, the question of policy should be made on the assumption that the Free World, not MS, will be the dominant supplier of software at the end of the next decade. The solution is not tort liability for economic harms arising from security breaches, but a system of security laboratories funded as all educational activity is funded and as commercial activities are funded, all providing patches to the copyleft commons, thus ensuring rapid and effective immunological adaptation. Getting there is not about making and destroying tort rules to distort the market against MS, but rather about urging people to replace insecure software, like MS products, with securer software, made by freedom.
 
 

Revision r12 - 15 Apr 2009 - 15:53:18 - EbenMoglen
Revision r11 - 14 Apr 2009 - 19:45:58 - AndreiVoinigescu
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.