
Re: Final pass on BOF issues for -01



On Tue, 19 Aug 2003, George Jones wrote:
> > On Mon, 18 Aug 2003, George Jones wrote:
> > > From a vendor perspective, I can see this as a series of open-ended
> > > expenses (read: unprofitable).
> > Vendors should profit from defects? I categorically disagree.
> > Is it OK for, e.g., Ford to manufacture a defective product, then charge you
> > money to get it fixed? The courts say no.
> OK.  I've added most of your original language.  It will stay unless
> someone can poke a hole in the analogy.

BTW, it is OK for the vendor to release a patch that fixes ONLY the exploit.
They do not have to bundle it with other features.

In fact, it is preferable that they do it that way. Vendors have bad
reputations for releasing patches that fix one bug but introduce 10 new ones.
:-)

Also -- it is OK for the vendor to request the customer's
firmware/media/etc. for confirmation/deletion/destruction so that the patch
firmware can be matched to the customer's feature set (e.g. so they don't get
new features for free).

Security shouldn't be restricted to only those who can afford it. If we go
down this path, then the script kiddies have already won.

IMHO it is also OK for EOL'd products to be exempt from this requirement.
E.g. it's unreasonable to require Cisco to release fixed IOS for AGS routers
:-)

-Dan
-- 
[-] All of your bases belong to me. [-]