Returning to the original proposition - Everyone here who has ever filled out an application for business insurance may recall where the questionnaire asked whether they ran AV software. No doubt there was a time when the actuarial data showed a definite inverse correlation between AV utilization and real, actual losses.
A couple of decades later, insurers still hold customers negligent when they don't run AV. Point #1 being, there actually was a time when the monetization strategy of infosec produced good results. Point #2 being, today's successful infosec industry is tomorrow's worthless vestige.

pty

On Sep 11, 2014 8:45 AM, "Dominique Brezinski" <[email protected]> wrote:

> Michal, I think you give fantastic counter-points with regard to liability and doing everything possible to prevent incidents. My gut tells me it is foolish to rely on third parties for your own security, and that extends to software you purchase and run. To extend stupid physical world analogies, think of a modern warrior -- though firearms are relatively simple mechanical devices, even the best engineered ones fail, and any good operator does not solely rely on just a firearm for their defense. Gear fails. Software is gear. Good defense requires good gear, good planning, good training, and good execution. The latter three anticipate gear failures. The quality and maturity of planning, training and execution are what set apart good defenders from the rest -- not the gear. Yes, spend your money wisely on the gear that serves your needs, but you can't expect that it won't fail.
>
> Liability law and insurance just push the impact of failure around, but someone always pays for it, and that is almost always the consumer.
>
> Dom
>
> On Wed, Sep 10, 2014 at 8:10 AM, Michal Zalewski <[email protected]> wrote:
>
>> > You want to know what would work? Holding software producers legally liable for their software bugs, because only if they have consequences for their actions will they ever start taking things seriously!
>>
>> It's a fairly persistent argument, but there is also a range of counterpoints. Perhaps most importantly, liability for damages puts the open source community and small, emerging companies at a distinct disadvantage, whereas large businesses would be likely to just factor it in as a cost of doing business.
>>
>> In that context, it may be also informative to look at the credit card & banking industry; liability for fraudulent charges hasn't really pushed them toward developing particularly safe payment technologies - instead, the cost is just factored in and ultimately passed on to the customer in the form of higher payment processing fees.
>>
>> I abhor physical-world analogies, but if we're going down that path, it's also worth noting that we seldom hold people accountable for not doing absolutely everything within their power to stop abuse. The builders of your home or the designers of your car are usually not on the hook if somebody breaks in, even though they could have built more of a fortress. The company that makes your cereal is not on the hook if somebody poisons your food down the supply chain, even though they could have used tamper-resistant packaging.
>>
>> /mz
>> _______________________________________________
>> Dailydave mailing list
>> [email protected]
>> https://lists.immunityinc.com/mailman/listinfo/dailydave
