Slashdot Mirror


Laws to Punish Insecure Software Vendors?

Gambit Thirty-Two writes "An influential body of researchers is calling on the US Government to draft laws that would punish software firms that do not do enough to make their products secure." Yeah that'll work.

41 of 581 comments

  1. open source by kz45 · · Score: 5, Insightful

    What will this mean for open source? OSS companies/programmers will be just as liable as closed source ones.

    1. Re:open source by zebs · · Score: 3, Insightful

      The article says 'software companies'; besides, you pay for commercial software and it's reasonable to expect it to be installed in a way that doesn't expose your computer to any form of attack.

      With open source you didn't pay and it's a matter of trust between the user and developer that the program is secure... and if you're really worried about it you have access to the source.

    2. Re:open source by glitch! · · Score: 5, Insightful

      OSS companies/programmers will be just as liable as closed source ones.

      It does not have to be that way. Why not put in an exemption for software that comes with source code? The presumption could be that releasing source code allows the user to take responsibility for the correct operation of the software. Also consider that the OSS writer has little or no control over changes the user might make (and that's one of the main points, isn't it?)

      --
      A dingo ate my sig...
    3. Re:open source by dillon_rinker · · Score: 3, Insightful

      No, this is an incentive for everyone to make their source code available so that problems can be fixed when they're found.

      If a problem is found in unmodified code, the original creator of the code is not held liable because the end user community has the tools they need to fix it.

    4. Re:open source by SirSlud · · Score: 3, Insightful

      Really now. People equate OSS with guys at home working for free. I support RedHat being held liable for software they write if they are making money off of it.

      But software that is free, free as in free beer, should not be liable. I've always felt that if you are providing something for free, and you don't force it into people's hands, those people should understand the risks of using it.

      However, if you're making money off of it, that money should go to making sure the software is stable and secure, and that people get what they pay for. So, in that case, I think the idea of certain reasonable guidelines on security and reliability should and could be held up by consumer protection laws. I think there are certain things, such as vulnerabilities of running servers and such being on by default in shipped software, that should be illegal. The way some software vendors ship products with 40 outside-facing services to the novice user who will never ps aux or check out the services control panel is, to me, an unnecessary and easily preventable and pluggable hole, especially considering the number of people who use them and the value of the data that gets thrown on these systems.

      --
      "Old man yells at systemd"
    5. Re:open source by Flower · · Score: 3, Insightful
      The article says 'software companies',
      • Redhat Inc
      • Suse
      • Slackware
      • OpenBSD
      • FreeBSD Mall, Inc.
      • Caldera
      • Progeny
      • etc., etc., etc.

      These are companies that hire programmers, go through source code and make distros that people pay money for. I would consider them software firms that would fall under this proposal and I also consider them critical for the success of Open Source software.

      Now what happens to these companies when some project they have little control over but include in their distribution has a critical flaw that gets exploited? How vulnerable to litigation do they become? Guess we'll have to wait and see.

      --
      I don't want knowledge. I want certainty. - Law, David Bowie
    6. Re:open source by athakur999 · · Score: 5, Insightful
      The presumption could be that releasing source code allows the user to take responsibility for the correct operation of the software.


      That's a bit like saying a car company shouldn't be held responsible for putting faulty brakes on a car, since after all, the car owner could have replaced the brakes with something that worked.
      --
      "People that quote themselves in their signatures bother me" - athakur999
    7. Re:open source by Computer! · · Score: 4, Insightful

      that gets exploited

      A critical point, I think. Keep in mind that these security holes are not exactly akin to a lock with a pink sticker that says "This lock doesn't actually work". A lot of research and experimentation is necessary in order to exploit those security holes. Research and experimentation carried out by criminals. As much as I would love to see software companies held accountable for the generally terrible state of software quality industry-wide, I'm not sure it's fair to hold Microsoft responsible for making possible the actions of a malicious hacker. Is it Honda's fault a slim jim opens the door of my Civic?

      --
      If you fall off a building, go real limp, because maybe you'll look like a dummy and people will be like hey, free dummy
    8. Re:open source by kin_korn_karn · · Score: 5, Insightful


      It does not have to be that way. Why not put in exemption for software that comes with source code? The presumption could be that releasing source code allows the user to take responsibility for the correct operation of the software. Also consider that the OSS writer has little or no control over changes the user might make (and that's one of the main points, isn't it?)

      What needs to be made illegal are EULAs that absolve the software creator of guilt for flaws. Ford is liable for putting the wrong tires on SUVs and causing people to die. Ask Explorer owners (if you can talk to people that would buy one nowadays) how they would have reacted to such a license, and imagine how the courts would have reacted.

      You've also made an excellent point about the futility of the GPL, but I digress.

    9. Re:open source by erroneus · · Score: 3, Insightful

      Hear hear!

      OSS companies/programmers will be just as liable as closed source ones.

      It does not have to be that way. Why not put in exemption for software that comes with source code? The presumption could be that releasing source code allows the user to take responsibility for the correct operation of the software. Also consider that the OSS writer has little or no control over changes the user might make (and that's one of the main points, isn't it?)


      Furthermore, OS authors do not always have control over what versions of what libraries are being used, or for that matter, what compiler is being used. With source code, mileage *will* vary. With a complete binary only distribution, it's another matter.

    10. Re:open source by dzym · · Score: 2, Insightful

      You refuse to understand.

      Knowing that the immutable law of software production is that some bugs will inevitably slip out of the development cycle and make it into the release, assuming such a law is passed, what benefit would the end user find in suing themselves for lost time and data?

      OSS software "vendor" profit margins are already low enough. What benefit would such a law render them?

      On the other hand, would a company such as Microsoft be able to absorb whatever financial blows may land its way much more effectively than aforementioned OSS software "vendors"?

      Where does this leave mass-adoption of said OSS software?

  2. Easy Money by rhost89 · · Score: 2, Insightful



    So this means that if I configure my computer without a password I can sue the manufacturer for defective security in their software if it gets hacked.... Cool

    </SARCASM>

    --
    I will bend your mind with my spoon
  3. Hard to implement by RazzleFrog · · Score: 2, Insightful

    How do you quantify what is doing enough? If they release a patch in two weeks is that enough? How about 4? Is releasing a patch not enough? Should they actually call people and tell them to install a patch that has been out for months? I mean there is no doubting that Microsoft software has holes, but they do patch them. The question is do they do it fast enough and do they make it required for users.

  4. Oh my, the irony by Reckless+Visionary · · Score: 4, Insightful
    You know, it used to seem like the software security and freedom communities were pretty closely related. Apparently the NAS doesn't have the same laissez-faire attitude as most of the freedom advocates.

    It's always interesting when those who call for freedom and security for themselves can only figure out how to do it by reducing the freedom of others. Now they want to legislate software standards? Come on, you have to be against that.

    --
    I think I'll stop here.
  5. Freedom of Speech by CTalkobt · · Score: 4, Insightful

    This raises some constitutional issues - Do I have the right of freedom of speech ( as code has been found to be in some cases ) to utter an incorrect program?

    An additional question would be should all software now come with a warranty that specifically disclaims the implied warranty and states that there is no warranty? Would it be legal under the proposal?

    --
    There's a gorilla from Manilla who's a fella that stinks of vanilla and has salmonella.
    1. Re:Freedom of Speech by sam_handelman · · Score: 5, Insightful

      There is a wide legal history for freedom of speech ending when it causes harm to others.

      You don't need to open that whole kettle of worms at all, in this case. The right to say something does not equate with the right to sell it - unless it is sold for the purpose of communication (which commercial software is not.)

      People who write software and then sit on it, or only give it to a few friends, cannot and should not be able to be held accountable for their software not working - unless (like yelling "FIRE!" in the middle of a crowded theatre) there is clear evidence of malicious intent (computer viruses.)

      Someone who distributes software for free ought to be required to disclaim any warranties, which they already do, and that is fine.

      On the other hand, when you sell a piece of software there is an implied warranty of merchantability that you cannot disclaim. Extending that warranty to include security is not a free speech issue. Your right to write any code you want is still protected, you just cannot necessarily sell it.

      By extension, however, code written for the purpose of communication - including "here is how you write DeCSS" or the example code in a CS textbook - would still be protected, and you'd still have a right to sell it, whether or not it worked or was secure.

      --
      The good and new comes from no quarter where it is looked for, and is always something different from what is expected.
  6. The only way to prevent hacking... by Tasty+Beef+Jerky · · Score: 0, Insightful
    is to not own a computer. Your non-existent computer will never be hacked.

    Any computer anywhere can be hacked by anyone. The only difference between Grandma's computer holding her apple pie recipe and NORAD's computers storing the nuclear launch codes is accessibility.

    Think about that the next time you champion the cause of punishing the programmers that make a piece of software...

    --

    I'm the tasty treat nobody can resist!
    IM Me! AOL IM:Tasty Beef Jerky

  7. Be careful of what you wish for by Pinball+Wizard · · Score: 4, Insightful
    If you are talking about imposing rigid design and coding standards to software that is released to the public, it could have a far more adverse effect on small software publishers and open source projects than it does to, oh say Microsoft.


    Seems to me this will have the least impact on those who need to pay attention to security the most (large software companies) while having the potential to make it harder for the "little guy" to write and publish software.

    --

    No, Thursday's out. How about never - is never good for you?

  8. Boon to Corporate America by Mr_Perl · · Score: 5, Insightful

    I suspect that this would ensure far less software gets produced by smaller vendors and individuals who can't afford the liability.

    Another good move for corporate America.

    Microsoft is able to defend itself against the government. Are you?

    --

    My poetry site welcomes the unusual.
  9. Why not pass a law against crashes by asmithmd1 · · Score: 2, Insightful

    Do they really think more regulation is going to improve software? All this will do is make companies put time and effort into "compliance" instead of fixing problems users are asking for

  10. good concept by Kallahar · · Score: 3, Insightful

    While the concept to "punish" vendors for flawed products is a good one, trying to get the _government_ to do it is a bad one. For one reason, the government is very easily corrupted, and often looks the other way.

    A better solution is to allow people to sue software companies that produce software that does not do what it is supposed to do. For example, if Microsoft says they have the most secure servers on the market, they damn well better be that.

    As soon as a few lawsuits are filed, things will change for the better. There's too much being "protected" by Microsoft software for them to continue business-as-usual for long if they get sued for every Nimda/Code Red/etc. out there doing damage.

    However, if the company puts out patches (such as through windowsupdate) and the user fails to apply them in a timely manner, it's the user that screwed the pooch, not the producer.

  11. Re:MS will be sure it is by evilpaul13 · · Score: 2, Insightful

    Do you really think that if this becomes a Bill with any serious chance of passing Microsoft won't have lobbied sufficiently to get it to pose a threat to its most serious competition? (Linux and OSS)

  12. OH PLEASE! by gfxguy · · Score: 2, Insightful
    if Open Source developers have no liability as you say, the business world will have a very difficult time embracing it.

    That's ridiculous, how many times have you heard of a commercial company being liable for crappy products? How many products have MS released that have NOT worked as advertised, yet required consumers PAY to upgrade to a version that should have worked to begin with?

    Besides that, all the software licenses (shrink wrap or no) basically say "we're not responsible".

    --
    Stupid sexy Flanders.
  13. Before we decide this is such a great idea . . . by acceleriter · · Score: 5, Insightful

    . . . we might want to consider that while "security" can mean keeping your machine from being 0wn3d, it can also mean "security" as in the Security Systems Standards and Certification Act, otherwise known as the "Enforced Copy Control and Free Operating System Elimination Act."

    --

    CEE5210S The signal SIGHUP was received.

  14. Re:Bad Idea by Todd+Knarr · · Score: 5, Insightful

    The Ford Pinto.

    We have laws that tell auto manufacturers how they can build cars. Not in detail, no, but they have to meet certain standards or they just aren't legal to make. Note that business concerns don't enter into it. Making the Ford Pinto the way they did originally was a good business decision. It really did cost Ford less to pay out the death claims than to improve the car. It even arguably benefited the consumers, because lower costs to Ford meant a lower price on the car, and consumers were still buying them even after the problem became public, so people obviously wanted them. The courts still held Ford criminally liable for building a car that blew up and killed people when they could easily have built one that didn't.

    So why should we treat software any differently?

  15. Re:Everyone would be in violation by stilwebm · · Score: 5, Insightful

    A law like this would benefit two camps. One would be large software companies, since the smaller competition would be squashed as the cost of doing business reaches prohibitive levels. The other benefactor would be the insurance agency. They would increase premiums for software businesses greatly, since this would be the best way for businesses to protect themselves. Consumers would only suffer.

  16. Re:Everyone would be in violation by kin_korn_karn · · Score: 3, Insightful

    M$ and Big Software would love this law. It would effectively kill the free/open-source software movement. Who besides MS, Sun, Oracle, et al. can afford to take a chance on getting hit for $10k for each bug? I wouldn't be surprised if Larry, Bill, and Bill are behind this...

  17. Comment removed by account_deleted · · Score: 2, Insightful

    Comment removed based on user account deletion

  18. DMCA would nullify this! by gosand · · Score: 3, Insightful
    Hmm, under the DMCA it would be illegal to try to circumvent security in order to figure out how to fix it in order to comply with this legislation.

    Um, yeah, that makes sense.

    --

    My beliefs do not require that you agree with them.

  19. This would be the best thing for Microsoft by targo · · Score: 2, Insightful

    Many people don't probably realize it but this would be the best thing that could happen to Microsoft. To illustrate the point, consider the fact that US government institutions use almost exclusively Microsoft products but many people don't know that this is actually enforced by law.
    There is a law that states that government may only use software, which has certain accessibility features (usable by vision impaired, for example). There is a big bunch of standard requirements that the software products must follow to be in compliance with this law. Now Microsoft is one of the very few companies that can afford compliance with this law.

    Now consider what would happen with this proposal when it gets passed. Most probably it will be transformed into an arbitrary set of rather stupid standards and guidelines by our legislative bodies, and again, Microsoft would be the only one able to follow these standards.

  20. How to track liability by Mr.+Fred+Smoothie · · Score: 4, Insightful
    Your post is interesting, especially in light of the difficulty a court may have in accurately assigning liability to the correct party.

    For instance, am I liable if I use the standard C function gets() in a program? I, as the program vendor, can argue that that's what was taught in my undergrad CS course, or I could point the finger at the language designer or C library vendor.

    What about a program I write that communicates w/ other software via a standard protocol, and works perfectly if the other software adheres strictly to that protocol but fails in combination with another program which implemented that protocol incorrectly; am I to blame, or is the other vendor? What if the spec is vague?

    As I've said in other posts, the potential for good legislation along these lines is there, but only with *heavy* involvement of people who understand issues such as these, alongside the industry lobbyists, consumer advocates and politicians.

    --

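The gets() question above is a concrete case of the liability puzzle, because there is no safe way to call gets(): it takes no size argument, so any input line longer than the destination buffer overruns it. As an added illustration (not code from the poster or from the thread), the following C reader shows the bounded replacement a vendor would be expected to ship in its place, with the overlong-line case reported explicitly rather than silently mangled. The names read_line_bounded and scan_text are assumptions for this example, and the input strings are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Result codes for the bounded line reader (names assumed for this example). */
enum read_status { READ_OK = 0, READ_TRUNCATED = 1, READ_EOF = 2 };

/*
 * Read one line from `in` into `buf` (capacity `cap`), never writing past
 * the end. gets() cannot know the buffer size, so an overlong line overruns
 * the caller's stack; fgets() is given the size, so the worst an overlong
 * line can do is get cut short, and we report that instead of hiding it.
 *
 * Returns READ_OK when the whole line fit (newline stripped, as gets() did),
 * READ_TRUNCATED when the line was longer than the buffer (the rest of the
 * line is discarded so the next read starts on a fresh line), and READ_EOF
 * when nothing was read; at a clean EOF fgets() leaves `buf` unchanged.
 */
enum read_status read_line_bounded(char *buf, size_t cap, FILE *in)
{
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL)
        return READ_EOF;

    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return READ_OK;
    }

    /* No newline in the buffer: the line filled it exactly, the file ended
     * without a newline, or the line is longer than the buffer. Peek once. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return READ_OK;             /* line fit exactly, or was the last one */

    /* Overlong line: drain the remainder so the caller's next read is sane. */
    while (c != '\n' && c != EOF)
        c = fgetc(in);
    return READ_TRUNCATED;
}

/*
 * Demonstration helper (constructed for this example): feed `text` through a
 * temporary file and read it with a `cap`-byte buffer. Returns the number of
 * lines read, or -1 if no temporary file could be created, and stores the
 * number of truncated lines in *truncated. `buf` holds the last line read.
 */
int scan_text(const char *text, char *buf, size_t cap, int *truncated)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return -1;
    fputs(text, f);
    rewind(f);

    int lines = 0;
    *truncated = 0;
    enum read_status st;
    while ((st = read_line_bounded(buf, cap, f)) != READ_EOF) {
        lines++;
        if (st == READ_TRUNCATED)
            (*truncated)++;
    }
    fclose(f);
    return lines;
}

int main(void)
{
    char buf[8];   /* deliberately small, to exercise the overlong-line path */
    int truncated = 0;
    /* Constructed input: one line far longer than the buffer, one that fits. */
    int n = scan_text("this line is far too long for the buffer\nshort\n",
                      buf, sizeof buf, &truncated);
    printf("lines=%d truncated=%d last=\"%s\"\n", n, truncated, buf);
    return 0;
}
```

The point for the liability discussion is the READ_TRUNCATED path: the unsafe call and the safe one differ not only in whether memory is overwritten, but in whether the program can even notice that input did not fit. That distinction is what a court or auditor would look for when asking whether the developer "did enough".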
  21. Not a good idea... by Tazzy531 · · Score: 2, Insightful

    It's never a good idea to formalize issues like these into laws. Consumer preference and freedom of the market allow consumers to create a self-correcting system. If there is a major problem with a product (not necessarily software), the consumers vote with their purchases or lack thereof. This can be seen in people turning away from Firestone towards Goodyear or corporations turning away from Windows servers towards Linux.

    However, if corporations were to be fined because of vulnerabilities in their system, they would most likely pass the cost down to the consumers. Large corporations would probably purchase business insurance to cover these potential problems (the same way doctors have Medical insurance). However, it is the small companies that will suffer. Unable to afford insurance, the first major problem in their software could bankrupt a company leading to a small number of large corporations rather than a large number of small corporations.

    Lastly, to be able to produce secure software, it is almost mandatory to understand computer science theories such as computability or complexity. This could lead to a requirement (not necessarily a law but a social requirement) for a programmer to be a licensed engineer. This is much in the same way that you need a civil engineer license to build bridges. I mean, just about anyone could build a bridge, but you need to understand civil engineering principles to ensure that the bridge functions to specifications.

    --


    _______________________________
    "I'm not Conceited...I'm just a realist..."
  22. Measuring what security efforts are sufficient by phillct · · Score: 2, Insightful
    Yeah, it's just great for innovation when we raise the point of entry to an industry such that we exclude all but those with an in-house legal department.

    I see a lot of parallels to the patent process in this topic. Why is it that intellectuals, of all people, think that passing legislation that would lead to grossly subjective enforcement is good for an industry?

    What will inevitably happen is that those who can demonstrate that they have procedures in place to remedy security holes (through patches, alerts, etc.) will be immune to enforcement efforts. The actual quality or security of the software itself will become irrelevant because no government funded operation will be able to measure quality appropriately. In other words, the evaluation process turns into the question: "How much are you spending in relation to your sales to ensure security of your products?", not "How secure are your products, and how important is security within your application?"

    This terrorism argument is getting stale. How long will we let our government act as if intellectual property, private data, etc., are all our nation's collective interests? If the government wants to establish standards for software they purchase internally, fine. IMHO, that's a procurement issue, not one of industry regulation.

    Let's let capitalism handle the rest naturally. Bottom Line:
    • if a company promises that certain actions are secure, they're subject to civil suit if they fail
    • if a company demonstrates a good track record for security and reliability and gives the greatest peace of mind, they will be the choice of enterprise business (i.e. Oracle, Sun, etc.)
    I'm getting sick of the sentiment that government involvement in technology will improve the industry. The only industry this type of legislation helps is the legal industry, and having a massive legal industry for internal matters certainly does not promote economic growth.
  23. That won't bother who we're thinking about... by Razzak · · Score: 2, Insightful

    Great. A law that will punish developing companies who make a seldom used product that happens to have a security flaw that virtually no one knows about. It'd be great if we took away all their revenues while keeping their costs the same.

    And for the real problems? Relax! IE is free.

  24. A Certain Level by virg_mattes · · Score: 5, Insightful

    > I'm not sure it's fair to hold Microsoft responsible for making
    > possible the actions of a malicious hacker. Is it Honda's fault a
    > slimjim opens the door of my Civic?


    Well, to get a realistic comparison, you'd need to compare on even ground. Pretend for a moment that your car door locks went to "locked" when you pushed the lock button, and "unlocked" when you pushed the unlock. However, they didn't actually engage the tumblers in the door, so when it's locked, the handle still opens the door. Now, there's a switch inside the door that you can get to by pulling the door side off, and when you throw it the tumblers connect and when the door says "locked" it now really means it.

    Now, would you blame Honda if they didn't set the switch to "on" at the factory, and didn't tell anyone about the switch, and only acknowledged that it exists when someone in the field finds it and threatens to tell the general public?

    I'd bet you would. That's a fairer comparison, and so yes, I think the companies that produce easily exploitable software should be forced to reckoning for it.

    Virg

  25. False Advertisement / Work as Advertised by valmont · · Score: 3, Insightful
    First, keep in mind that we are not talking about "direct government involvement" in punishing bad software vendors. The government is merely pushing to have laws written to deal with flawed software. This should essentially enable common citizens and business entities to seek compensation from software vendors. So I just want to make sure everyone understands there really isn't a "big brother" thing going on here.

    Second, if any laws are written, my guess is they would merely extend already existing more generic laws regarding false advertisement. Under such circumstances, software vendors would not be *required by law* to produce secure software. But, if their advertising campaign, sales representatives, software packages blatantly lead potential consumers to believe that their product is of "enterprise-level", "mission-critical-caliber", "secure", "reliable" or any such wording which implies "secure software", then the law could provide for some serious compensations to the harmed consumer.

    To avoid endless legal battles over wording, the government should define an entity whose role would be to design, draft and maintain a *very specific* scale of security levels which defines strong standards for security features within software packages. The scale could not only provide very precise security requirements for software, but also standards type of compensation to the consumer for failure to meet each of its levels' standards.

    Such scale should be massively advertised thru all media so consumers would know to look for a software package's rating on such scale before purchasing it for any mission-critical purpose.

    We could let software vendors rate their own software packages according to this scale. If the scale is *specific-enough* and clearly defines levels of security, then consumers should have very strong cases to bring to class-action law-suits to seek compensation in the case such software should fail to meet all of the requirements defined by their advertised grade on the scale.

    Such a model would keep the government's involvement minimal and place all of the liabilities on the software vendor, so consumers don't ever have to seek compensation from some government-sanctioned entity which would assign ratings to software packages. We must keep in mind that computer software is by nature a highly volatile, constantly evolving, and rarely flawless type of product, as every new piece of software written is by nature "cutting-edge".

  26. Who are we thinking about? by Mr.+Fred+Smoothie · · Score: 3, Insightful
    I assume from your comment that you're thinking about Microsoft?

    Though the article mentions Microsoft because of their security record, I think that the drafters of the proposal are "thinking of" consumers, not the fortunes of any one company/group of developers. And, I believe it is the ethical duty of software developers, whether Open Source or proprietary, to think of the users of our software as well. Which is why, as I've said, if drafted correctly I'm not necessarily opposed to such a law.

    With regard to the specific example of IE, well, if IE has a security flaw that exemplifies gross negligence, then the fact that it's free won't mitigate against liability. If the flaw is in an OS component (as much of the functionality previously offered in IE is now embodied), then it wasn't free, was it?

    WRT to the "seldom used" product, well if the company charged money for it, and if it had a security hole which caused actual damages to one of their customers, why shouldn't they be liable?

    --

  27. Buggy Code == Fraud by stonewolf · · Score: 3, Insightful

    I said this a while back and I'm saying it again:

    There should be criminal and civil penalties for withholding information about security risks. Right now I do not have the legal right to know about security risks that are discovered in systems I use, the creators of those systems are not legally required to inform me when a new risk is discovered. This means that I can not make an informed decision about how to protect myself from the problem. I can't even use a list of currently unresolved risks to help me decide what systems to use and/or purchase.

    To me, the withholding of security risk information is a form of fraud. It is the same as rolling back the odometer on a used car. It is the same as selling Pintos with exploding gas tanks and the same as selling flammable pajamas to children. Companies must be required to release security risk information about their systems in a timely manner. They must be legally liable for damages that result from security issues between the time they discover the problem and the time they warn users of the problem. These kinds of penalties will force companies to create secure systems in the first place. And, to warn people in a timely manner so that they can take action to protect themselves. Although it is tempting I don't think the developers should be required to fix the system. But, a list of all outstanding security problems must be included in advertising and on the packaging of any system. People have to be able to make an informed decision about what systems to use. We put warning labels on beer and cigarettes, we require people to wear seat belts, we require the disclosure of the ingredients of all our food, we have lemon laws to protect us from unscrupulous car salesmen, and we have product liability laws that cover every physical thing we purchase. But, we have no equivalent legal protection from the purveyors of software snake oil.

    The only way a company should be able to get out from under these penalties is to declare the product "dead", notify all customers of record that no more security support will be given for that product. Declaring the software dead should also require that the source code and/or system designs as well as any patent and copyrights to the system be released to the customers so that customers can arrange for other sources of security support for the system. At that point the company would not be allowed to sell, distribute, or accept any sort of payment including royalties and support payments for the software.

    Stonewolf

  28. This is not as far out as it first seems. by mindstrm · · Score: 3, Insightful

    Though, I don't know what a real law would look like...

    Consider, say, the hotel I was at years ago... they had an indoor pool. Before you used the pool, you had to sign a waiver... they had a stack of them in the pool room.

    The waiver basically said using the pool was at your own risk, etc, etc.

    Now... Dad asked his lawyer later, for kicks.
    Say you drowned because you couldn't swim.. and they had no lifeguard. This document would protect them... it was fairly clear there was no lifeguard.
    But.. say the diving board was in disrepair, and broke off while you were about to dive, causing you to fall and break a leg... guess what? That contract doesn't absolve them of responsibility. Why? Because... it was reasonable to expect that the diving board worked.. the owner still had a duty to keep the area safe for its users, regardless of their waiver. (If they wanted a waiver to protect them against that, they would have to clearly state the risks.. state that the facilities are in bad repair and broken.)

    Now.. software, we have these horrible EULAs... but still. I can understand how it's okay for a company to, say, protect itself from being sued over some little bug.. of COURSE they have to. Like.. say Excel crashes while you are in the middle of some work.. and you have to re-do it, so you are late for a meeting, so you lose the deal, etc.

    Just as in the real world, where even a disclaimer can't generally release you of all obligation, so should it be with software. I don't know what the wording would be, or what would be fair... but software vendors should have a certain level of accountability for what they do.

    Now.. how does this affect OSS? I don't know. Do I think OSS authors should be responsible for what they do? Yes, to a degree.. but there is a problem.. I don't think someone should be sued just because they shared some code with the world and it didn't work.

  29. Responsibilities by Anonymous Coward · · Score: 1, Insightful

    While punishing companies for writing insecure software is a start, how many times has it been that a poorly configured server is at fault (i.e., not set up correctly or not up to date on patches)?

    While a certain level of responsibility lies inside of the software vendor, a still larger majority is with the server administrator.

    The patch for Code Red was released in June. CR didn't come until July, iirc. However, millions of people did not patch their systems. Or shutoff the silly thing (IIS or ISAPI, take your pick) in the first place.

    It is both groups' fault in this scenario: Microsoft for having IIS on by default with it and the end user for not shutting it off.

    However, I think it does lie with the end user to be responsible ultimately in maintaining their equipment.

  30. Other companies pay when they screw up. by zerofoo · · Score: 2, Insightful

    Ask any pharmaceutical or biotech company what happens when one of their products fails and someone is injured. They'll tell you often times there are criminal as well as civil penalties. If Ford had to make a safe Pinto, why shouldn't software vendors be forced to make secure software?

    Many will argue that bad software isn't life threatening, and therefore doesn't require stiff penalties. I say baloney! If the firmware that controls the hydraulic systems on an aircraft fails in flight you probably won't survive. If your database on your e-commerce site gets hacked due to a "buffer overflow" error, and all your credit cards get out on the web, shouldn't someone be held liable for the damages... or are we going to let the insurance industry just mop up the damage and pay for it with higher premiums?

    There has to be some accountability for negligent behavior.

    -ted