
Re: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability



On Wed, Dec 10, 2003 at 12:07:21PM -0800, Daniel H. Renner wrote:
> They simply don't want it fixed.  We can guess why, but they know why -
> and they aren't telling.  Not a good sign...

You don't have to make it sound like a conspiracy. It isn't. Here's why,
and it's perfectly obvious. Corporations are in the business of
maximizing profits. Contrary to what some might think, this does not
mean releasing perfect products. It means balancing customer demand (the
amount of money to be made) against the cost of fulfilling that demand
to varying degrees and delivering. If a corporation's paying customers
do not demand that flaws be fixed, or if they gain more paying customers
by adding new features than they do by fixing flaws, things go unfixed.

So the answer is not "They simply don't want it fixed." The answer is
"It is more profitable not to fix all the flaws than it is to fix them."
Microsoft estimates that they lose more money by spending it to fix some
problems than from people choosing alternative products as a result of
those problems. So if you want them to fix it, the way to get them to do
so is to vote, en masse, with your dollars. They will then lose more $$
from not fixing these problems than they will spend to fix them.

It is immaterial whether they "want" to fix them. They are not in the
business of doing what they want but what is profitable. Make it
unprofitable to ship a broken product, and that will change.

One of the ways to make it unprofitable to ship a broken product is to
post flaws like this in public places. In fact, it's one of the most
effective ways. Telling them quietly without notifying the public does
not accomplish that.

Regards,

petard

-- 
If your message really might be confidential, download my PGP key here:
http://petard.freeshell.org/petard.asc
and encrypt it. Otherwise, save bandwidth and lose the disclaimer.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html