Note: This column represents the opinions
of the writer and as such, is not purported as fact
At long, long last, Microsoft is going to fix the exploit in Internet Explorer
that has allowed evil sods to launch phishing expeditions that snag valuable
information such as Net users' online banking, Paypal and eBay login details.
One could argue that it's better late than never -- although I doubt that anyone
who has lost a fistful of money to one of these exploits would agree.
And this raises the issue of who's liable if money is lost when criminals
exploit known flaws in software.
Take, for example, the case of the Westpac Bank which has surely lost a wad
of cash to these phishers after reimbursing customers who fell foul
of such scams.
I found this story (Stuff)
rather interesting because it makes the point that ignorance is no excuse
when online crime is involved.
One could argue that such a perspective is fair enough -- after all, nobody
with even half a brain could enter into a money-laundering transaction such
as the one described without being at least slightly suspicious.
But Microsoft has known about the URL exploit that allowed these scammers
to steal passwords and gain access to people's bank accounts for quite some time
-- so how come nobody's suing them for damages?
I mean let's face it -- Microsoft's negligence in knowingly shipping a product
that allowed such spoofing of URLs must be considered a major factor in these
crimes.
If I sold a padlock that, unknown to those who purchased it, could be opened using
*any* key, don't you think I'd have a pretty good case to sue the manufacturer
if someone who knew about the vulnerability came along and stole whatever it
was that the padlock was supposedly protecting?
The average Net user is told that login details are protected by a powerful 128-bit
encryption scheme which ensures their details remain secret -- so they use their
copy of IE in the assumption that it's a safe tool which is protecting
their valuable data.
But the reality is that, due to the URL spoofing flaw, their details may not
be safe -- they may actually be going straight to the gangster who wants
their hard-earned cash.
Now I've used IE as an example, because it's very topical right now -- but
Microsoft isn't the only company that must take some responsibility for
the robustness and reliability of their products.
Okay, software can, and usually does, have bugs.
After all, there's a little remotely controlled buggy sitting on the surface
of Mars right now that seems to have fallen victim to a piece of code that
perhaps wasn't properly designed or tested. As a result, the creation of
too many files in its flash-memory has thrown it into a spin -- something that
should never happen -- but it did.
So is it fair to say that all software vendors should be held accountable
for losses associated with any bugs in their code?
Hell no -- that'd be clearly ridiculous -- nobody would dare release any
software if that were the case.
However, where a company refuses to fix a known vulnerability (such as the
IE URL spoofing hole) then I strongly believe that those who suffer loss should
be entitled to claim that loss from the vendor.
You don't have to build perfect software -- but you do have to fix it when
you know it has a flaw that threatens your clients' security or the integrity
of their systems. This is where Microsoft, until now, has been grossly
negligent.
Let's hope it's not a situation they'll allow to be repeated.