Monthly Archives: August 2005

Open Source Lloyds

For a year or more now, there have been some attempts to insure risks of open source, mostly attempts to protect against lawsuits claiming intellectual property infringement, such as the SCO lawsuits. Most of this protection has been organized by individual open source vendors, such as Red Hat, HP, or Novell.

Now Lloyds is announcing plans to offer wider coverage that is not tied to any particular vendor, in conjunction with an organization called Open Source Risk Management (OSRM). According to an article by Gavin Clarke in the Channel Register:

OSRM will assess both the risk of the software in use and the individual company, before passing on the risk to the appropriate insurance company on the Lloyds market.
According to OSRM’s web pages, such coverage will go beyond the specific code sold by open source vendors, to also cover code modified by users. That is, it will cover open source as open source, not just as a specific vendor’s product.

What Not To Insure

The $7 million settlement Microsoft won against spammer Scott Richter is all over the news, as it should be. Microsoft says it will dedicate $5 million of that to further spam fighting. Go Microsoft!

One story says that the spammer’s insurance company will help pay. If there was ever anything that should be excepted from insurance coverage, deliberately spamming (as opposed to your computers being used without permission by somebody else) should be it.

Good Intentions Are Not Security

Cringely has a PBS column of 4 August 2005 about The New Robber Barons that revolves around the Sarbanes-Oxley Public Company Accounting Reform and Investor Protection Act (SOX) and other recent legislation. The key to his argument is that:

These laws, especially the Gramm-Leach-Bliley Act of 1999 (GLBA), now make the victim of cyber theft into a criminal. And under Sarbanes Oxley, directors are held liable and can be sent to jail.
So suppose you’re a small financial institution, such as a credit union. It’s hard to keep track of everything, and eventually you’re likely to have some information stolen. You can try to keep it from the public, but you can’t keep it from your accounting firm.

Vulnerability Bounties

TippingPoint (owned by 3Com) and iDefense (owned by Verisign) are both offering bounties for disclosure of vulnerabilities. Both firms apparently intend to reveal the disclosures to the affected vendors, rather than to the public. Mozilla has for some time been paying $500 per bug found.

And of course there are numerous other organizations looking for flaws in everyone’s code; many of these organizations won’t tell the vendor first.

Maybe it’s better to encourage as many friendly eyes as possible to look at your code, so they’ll tell you before somebody else uses a vulnerability as an exploit or tells the public before they tell you. Hm, this sounds a lot like open software.

-jsq