Slashdot Mirror
Laws to Punish Insecure Software Vendors?
Gambit Thirty-Two writes "An influential body of researchers is calling on the US Government to draft laws that would punish software firms that do not do enough to make their products secure."
Yeah that'll work.
If companies faced lawsuits and financial penalties when vulnerabilities were found and exploited, they would strongly discourage white-hat hacking, independant vulnerability testing, etc. It would be in Microsoft's best interests to immediately sue anyone who reports a flaw. (White hat hacking violates US law just as black hat does.)
Lawyers would start to be accused of Bugtraq chasing.
It certainly does not claim that Microsoft is responsible for most security issues. If it had I would have expected Butler Lampson to have resigned from the board. It is not usual for NAS reports to target particular companies. It is not likely that David Clark would attack Butler in that way given that they are both LCS computing profs.
The statement about Microsoft is actually introduced from other sources but in such a way that the casual reader assumes it was a recomendation from the report. The only occurrence of the string 'Microsoft' in the text is Butler's accreditation.
Likewise I find it hard to find any recomendations. The majority of the report is simply a post 9-11 rehash of three previous reports by the same board. The nearest the report comes to suggesting legislation is:
Consider legislative responses to the failure of existing incentives to cause the market to respond adequately to the security challenge. Possible options include steps that would increase the exposure of software and system vendors and system operators to liability for system breaches and mandated reporting of security breaches that could threaten critical societal functions
That is quite a way from endorsing legislation, which is hardly surprising given the makeup of the panel.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/