Laws to Punish Insecure Software Vendors?
Gambit Thirty-Two writes "An influential body of researchers is calling on the US Government to draft laws that would punish software firms that do not do enough to make their products secure."
Yeah that'll work.
Be careful what powers you give to the government.
Anyone ever read their full End User Licence Agreements, especially MS?
It always has a limit that anything bad that happens while using their product is not their fault.
Now IANAL but I thought that by clicking I Agree, that you were actually agreeing to that.
BWAHAHAHAHAHAHAHA! http://www.sans.org/topten.htm
Laws that make a vendor produce a secure and safe product should apply to software too.
Ford and GM shouldn't be allowed to produce cars that kill people, simply because they couldn't be bothered to make them safer - like exploding gas tanks - ok, so that's not such a great example... (grin)
But really, put the responsibility where it lies. If I put a system out on the net, and don't take some steps to make it secure, I should be liable for damages it causes when it's compromised. Same for SW companies. If you produce a product that doesn't meet the "reasonable man" test for care in producing the product, the maker should be liable for negligence.
I might go even further though, and add some criminal penalties too.
Software can be more reliable and bug-free and secure. (Go read the "Software Conspiracy") Sure it will cost more, but what do you think all the virus outbreaks cost business and individuals? It's just a hidden tax. MS (and others) are just shifting the burden of producing software that works to the users. It's cheaper for MS to produce the software, but lots more expensive for the user to use it.
Finally, the legal system _IS_ part of the free market. The threat and actual loss of damages to a plaintiff balance the system of the market. It's not just buyers and sellers - and a wild woolly mess...
It just bugs me when "free market" proponents want to proclaim that the courts are unnecessary in the free market - bull! They are important and the market will not function correctly without them!
Open source developers face new warranty threat
Rosen and Kunze were attempting to secure an exemption from implied warranties of merchantability, fitness, or non-infringement for a computer program, "provided under a license that does not impose a license fee for the right to the source code, to make copies, to modify, and to distribute the computer program."
The proposal would have brought the rest of the States in line with Maryland.
The replacement version, which reads "or to distribute..." is joined by a provision that nullifies the exception for software licensed to consumers.
The complete text can be found here....
a) Except as provided in subsection (b), the warranties under Sections 401, and 403 do not apply to a computer program if the licensor makes a copy of the program available to the licensee in a transaction in which there is no contract fee for the right to use, make copies of, modify, or distribute copies of the program.
(b) Subsection (a) does not apply if the copy of the computer program is contained in and sold or leased as part of goods or if the transaction is with a consumer licensee that is not a software developer.
I am afraid that you are mistaken ... Redhat makes no money off it ... they make money from selling manuals, CD's, and support. Re-read the GPL, Redhat IS Free (as in Beer) except for delivery charges, P&P, Printing, Paper, CD's, etc, but the software itself is Free (as in Beer).
gus.
.. if only.
If companies faced lawsuits and financial penalties when vulnerabilities were found and exploited, they would strongly discourage white-hat hacking, independent vulnerability testing, etc. It would be in Microsoft's best interests to immediately sue anyone who reports a flaw. (White hat hacking violates US law just as black hat does.)
Lawyers would start to be accused of Bugtraq chasing.
The NAS, god bless 'em, tend to make their books available to the great unwashed; you have signed on for email updates, haven't you?
Well, just in case you haven't, the draft report is available for online perusal here
PS I said NAS, not NSA. Just to be clear.
Well first of all the exemption would never get into the law because those who have the money have the lobbying power. Despite their hatred, not one of Microsoft's competitors would step up in support of this law. Oracle, Sun, Apple, etc. would all be lobbying against it as hard as Microsoft.
Second of all, it wouldn't matter anyway. If I walk into a business suggesting they buy a warrantied product from a reputable manufacturer, and my competition walks in suggesting they use a free product with no warranty.
I will win the contract, I guarantee it.
It certainly does not claim that Microsoft is responsible for most security issues. If it had I would have expected Butler Lampson to have resigned from the board. It is not usual for NAS reports to target particular companies. It is not likely that David Clark would attack Butler in that way given that they are both LCS computing profs.
The statement about Microsoft is actually introduced from other sources but in such a way that the casual reader assumes it was a recommendation from the report. The only occurrence of the string 'Microsoft' in the text is Butler's accreditation.
Likewise I find it hard to find any recommendations. The majority of the report is simply a post 9-11 rehash of three previous reports by the same board. The nearest the report comes to suggesting legislation is:
Consider legislative responses to the failure of existing incentives to cause the market to respond adequately to the security challenge. Possible options include steps that would increase the exposure of software and system vendors and system operators to liability for system breaches and mandated reporting of security breaches that could threaten critical societal functions.
That is quite a way from endorsing legislation, which is hardly surprising given the makeup of the panel.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/