Slashdot Mirror


Laws to Punish Insecure Software Vendors?

Gambit Thirty-Two writes "An influential body of researchers is calling on the US Government to draft laws that would punish software firms that do not do enough to make their products secure." Yeah that'll work.

20 of 581 comments

  1. Terrorism by CounterZer0 · · Score: 2, Interesting

    So, if a law like this is passed, will the people who break it be branded IT Terrorists? I mean, everything else is terrorism now, why stop here?

  2. Everyone would be in violation by alen · · Score: 5, Interesting

    Linux, Solaris, HP-UX, MS Windows and a bunch of other products have holes in them that SANS tells others about. Has there ever been a piece of software with no security holes?

    1. Re:Everyone would be in violation by Doomdark · · Score: 3, Interesting
      I don't think the point was to punish companies because their products have problems; they would be punished if it could be shown that this was more or less deliberate, i.e. the company didn't bother to even try to make it secure.

      In case of, say, Microsoft, the problem is not necessarily that they don't (try to) fix the known problems, it's that they somehow managed not to realize the obvious potential problems (with email/documents allowing active fully enabled scripting) when designing products in the first place.

      --
      I like paying taxes. With them I buy civilization -- Oliver Wendell Holmes
  3. emmm... by einer · · Score: 2, Interesting

    This is definitely a double-edged sword. This could bite anyone on the ass. MS doesn't hold a monopoly on crap code (arguable). What happens to people who don't sell the software, but wrote it and make money on its support? (I'm thinking of Apache here.)

  4. Lobbying against it? by coug_ · · Score: 2, Interesting

    So.. if a company lobbies against this law, wouldn't that open them up to criticism? I mean, it'd essentially be like them saying "we don't want to be responsible for our insecure software."

  5. Re:open source by kz45 · · Score: 2, Interesting

    With open source you didn't pay and it's a matter of trust between the user and developer that the program is secure... and if you're really worried about it you have access to the source.

    If Open Source developers have no liability as you say, the business world will have a very difficult time embracing it.

  6. Re:Zero chance of success... by jallen02 · · Score: 2, Interesting

    I know this will get some dissenting responses, but I feel I should say it.

    I have administered WindowsNT 4 and Windows 2000 systems. I have *NEVER* been cracked, hacked, or otherwise seen any ill effects from the security flaws that do exist in any of the Microsoft products we use on our server platforms.

    I have written WSH scripts that automatically update and spread any updates to all of my systems. All I have to do is approve the update, which is done after I test it. I stay on top of their security patches and simply follow their recommended guidelines for locking down a server. I also disabled several things I know are exploitable.

    The funny thing is, I end up doing the same thing with the latest and greatest from RedHat. They make it a little easier out of the box to keep up with the updates etc. I have to turn off services I don't want and follow the "common sense" guide of things like turning off services I don't need.

    I am not saying my boxes are uncrackable, or that I am all knowing, or even that great at securing systems.... Anyways.

  7. Wouldn't this give hackers more power? by The_THOMAS · · Score: 2, Interesting

    Not to sound insensitive to the software security issue, but going down this path simply encourages massive efforts at hacking one camp's software to further one's own favorite.

    Yes, people already do this, but to bring in the Gov't to be manipulated by these whims seems silly. Be responsible for your own security.

    --
    Ya Sure! You Betcha!, The_THOMAS
  8. Re:Freedom of Speech by cperciva · · Score: 4, Interesting

    This raises some constitutional issues - Do I have the right of freedom of speech ( as code has been found to be in some cases ) to utter an incorrect program?

    Do you have the right of freedom of speech to utter other potentially hazardous comments? Yelling "FIRE!" in the middle of a crowded theatre is dangerous, and illegal. If you're engineering a bridge, does "freedom of speech" give you the right to design it so that it will collapse when people try to use it?

    There is a wide legal history for freedom of speech ending when it causes harm to others.

  9. Just like a LLP by Mr. Fred Smoothie · · Score: 5, Interesting

    The software producer's liability should be limited to the amount of their financial return on the software, except in cases where gross negligence is apparent. If I never made a dime off the sale of the software, I should be liable only for that $0.

    --

  10. Re:open source by alen · · Score: 3, Interesting

    So if I buy Redhat 7.2 or Suse and it is later found out to be full of security holes then I can't sue them under this proposed law? Why not? They sold it. MS Windows is full of third party apps that MS licensed and included as part of the package. Look at IE, most of it is written by someone else and licensed by MS.

  11. Absolutely no way by Glorat · · Score: 2, Interesting

    This is another one of those catch-all blanket decisions that seem alright at first thought, but if you apply them to all cases, you see that it is just disastrous. Let's look at who it affects the most.

    BETA SOFTWARE
    Well of course that has bugs. So we exempt this? OK, all (Microsoft) software will be beta

    NEWBIE / EDUCATIONAL
    Some newbie developer or uni student writes a piece of toy software and makes it available on his home page to boost his ego. Some other newbie academic downloads it and a bug in the "file manager" software deletes his C: drive.
    Exempt educational software??

    FREE BEER
    Some people make software out of the goodness of their heart. "YMMV, maybe you like it maybe you don't. No warranty". Maybe it is superb. But it might have a horrendous bug. So people will no longer release freeware.

    OPEN SOURCE
    Same as above but with source open, people can deliberately find bugs and cry out. Worse, there is plenty of open source software in commercial use (Apache etc). What if in some new iteration of Apache, there is a security hole and this will happen. Can people sue for this?! Can people sue the developers who worked on it for free? What exemption do you want now?

    MICROSOFT
    Well, by now, OSS has dried up because everyone is too scared to give work away. Maybe top projects that have been so heavily scrutinised in the past might be ok (Apache, Linux Kernel). Microsoft might just last a little longer than expected due to security through obscurity but of course they too will perish

    The end of software =)

  12. What makes software secure? by Glorat · · Score: 2, Interesting

    Think carefully... how do you make software secure in the first place? Microsoft try to go through extensive software testing to detect bugs. Who knows, maybe if test software is good enough, they can catch most bugs

    How does the OSS world make its software so secure? Through peer review. People find bugs and report them. With OSS these bugs are found fast. And these bugs get fixed fast. But what would be ludicrous would be to sue for bugs since at V1.0.0 there are bound to be bugs. Suing would kill the project. Peer review has made OSS strong and that is the way it should be.

  13. Gross negligence example by Mr. Fred Smoothie · · Score: 2, Interesting
    As an expansion of my post, I'd consider the following grossly negligent code sufficient to allow you to sue me even if you didn't buy it from me:

    main_function(){
        if(stdlib.getuserid() != "root") then exit "You need to have root privileges to run this program.";
        else stdlib.execute_arbitrary_external_prog(stdlib.getuserinput());
    }

    But the following I would not:

    main_function(){
        // running as root
        integer buflen = 5000;
        stdlib.bounds_checked_read_input(stdlib.getuserinput(), buflen);
        drop_root_privs();
    }

    even though the latter may represent a format string vulnerability.

    (Entered in pseudocode lest someone get the cute idea to actually sue me)

    --
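The two pseudocode fragments in the comment above, carried through as a runnable Python example (added here; it is not part of the original comment). The first half builds the kind of shell command line the negligent program hands to the shell and counts how many commands a POSIX shell would actually run for it; the second half implements the careful version with a bounded read, an allow-listed argument passed as argv with no shell, and an irrevocable privilege drop. The helper path /usr/bin/helper, the `nobody` account and the hostile sample input are assumptions made for this example.

```python
import io
import os
import pwd
import re
import shlex
import subprocess
from typing import List

HELPER = "/usr/bin/helper"   # hypothetical privileged helper, assumed for the example
MAX_INPUT = 5000             # the same buffer limit the pseudocode uses
SHELL_SEPARATORS = {";", "&&", "||", "|", "&"}
FILENAME_RE = re.compile(r"[A-Za-z0-9_.\-]{1,256}")   # strict allow-list for one argument


# ---- the negligent pattern: user input is pasted into a shell command line ----

def negligent_command(user_input: str) -> str:
    """The string that execute_arbitrary_external_prog(getuserinput()) would hand
    to /bin/sh. Nothing is validated, so shell metacharacters in user_input are
    interpreted by the shell, and the program is running as root."""
    return HELPER + " " + user_input


def count_shell_commands(cmdline: str) -> int:
    """Model of how a POSIX shell carves cmdline into separate commands.
    shlex with punctuation_chars=True emits ';', '&&', '||', '|' and '&' as
    their own tokens, so counting them gives the number of commands run."""
    tokens = list(shlex.shlex(cmdline, posix=True, punctuation_chars=True))
    if not tokens:
        return 0
    return 1 + sum(1 for t in tokens if t in SHELL_SEPARATORS)


# ---- the careful pattern: bounded read, allow-listed argv, no shell, drop root ----

def bounds_checked_read(stream, buflen: int = MAX_INPUT) -> bytes:
    """Reads at most buflen bytes, however much the peer sends."""
    return stream.read(buflen)


def read_bounded_from_bytes(data: bytes, buflen: int = MAX_INPUT) -> bytes:
    """Same read over an in-memory stream (constructed input, used for testing)."""
    return bounds_checked_read(io.BytesIO(data), buflen)


def safe_argv(user_input: str) -> List[str]:
    """Turns user input into an argv list. The input must match the allow-list
    and is passed as one argument after '--', so it can neither be split by a
    shell nor be mistaken for an option such as '-rf'."""
    if len(user_input) > MAX_INPUT or not FILENAME_RE.fullmatch(user_input):
        raise ValueError("rejected input: %r" % user_input)
    return [HELPER, "--", user_input]


def rejects(user_input: str) -> bool:
    """True if safe_argv refuses the input."""
    try:
        safe_argv(user_input)
    except ValueError:
        return True
    return False


def drop_root_privs(target_user: str = "nobody") -> bool:
    """Irrevocably drops root to target_user. Returns True if privileges were
    dropped, False if the process was not root. Order matters: supplementary
    groups, then gid, then uid, then verify that root cannot be regained."""
    if os.geteuid() != 0:
        return False
    pw = pwd.getpwnam(target_user)
    os.setgroups([])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    try:
        os.setuid(0)
    except PermissionError:
        return True
    raise RuntimeError("privilege drop failed: root could be regained")


def run_helper_carefully(stream) -> subprocess.CompletedProcess:
    """The second pseudocode block as real code: bounded read, validated argv,
    shell=False, and root dropped before anything user-controlled executes."""
    user_input = bounds_checked_read(stream).decode("ascii", "strict").strip()
    argv = safe_argv(user_input)
    drop_root_privs()
    return subprocess.run(argv, shell=False, check=False, capture_output=True, timeout=10)


if __name__ == "__main__":
    payload = "report.txt; rm -rf /"   # constructed hostile input
    cmd = negligent_command(payload)
    print(cmd, "->", count_shell_commands(cmd), "commands")
    print(safe_argv("report.txt"), "| hostile input rejected:", rejects(payload))
```

The `--` separator is the detail most often missed: an allow-list that permits `-` lets a caller pass `-rf` as an option to the helper, and only `--` guarantees it is treated as data. The privilege drop verifies itself by trying to `setuid(0)` again, because a drop that silently leaves the saved uid at 0 is the same bug as no drop at all.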

  14. car safety by coyote-san · · Score: 3, Interesting

    I used to support the Libertarians. Why should The Man have the right to tell idiots to wear helmets? Just make motorcycle riders carry enough insurance to cover their costs when they get non-fatal brain injuries (so I don't have to pay for their mistakes) and let them have fun.

    But then there's the impaired drunk drivers (not to trivialize the 0.08 crowd, but I'm far more worried about Bubba with a 0.24 BAC than the 0.08 crowd). They tend to take out other people as well. When they drive impaired, they're a threat to all of us. I don't think we should ban alcohol, but I don't see a problem with the state having the right to crack down on repeat drunk drivers, because there are documented cases of some drunk drivers who have been in multiple accidents resulting in death.

    Taking it one step further, I remember being poor and in college and resenting the mandatory vehicle checks my state required. Then I moved to a state that didn't have mandatory vehicle checks... and heard some horror stories of what those vehicle inspections found in other states. Again, I don't give a damn if some moron wants to jack up his pickup with ice hockey pucks... until he takes it on the road and they suddenly shear, forcing his vehicle to roll/tumble into my oncoming traffic lane.

    Now let's revisit the software issue. Once again, I really don't give a damn what people do on their own systems that are not attached to the net. But I do care when I can't use my cable modem because NIMDA a NIMDA stupid NIMDA coding NIMDA bug NIMDA NIMDA left NIMDA many NIMDA NIMDA NIMDA systems NIMDA NIMDA open NIMDA NIMDA NIMDA NIMDA NIMDA.

    The Libertarians have a point when they argue that the state should rarely, if ever, protect an individual from themselves. And that the state should rarely, if ever, protect people from inconsequential behavior of their neighbors. (You don't like the fact that your neighbors are gay? It's your problem, not theirs, unless they're doing stuff that would be a problem regardless of their sexual orientation.)

    But once you get into behavior that demonstrably harms others, or could reasonably result in harm to others, it's a whole new game. Unfortunately far too many Libertarians don't get this.

    In this particular case, we need to see the proposals. But there is absolutely no way you can argue that Microsoft's sloppy practices have not harmed many innocent people. If it takes a law to force them to accept that their indifference demonstrably harms others, so be it.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  15. Legislation vs. Certification by gotan · · Score: 4, Interesting

    It's really very basic: ensuring better security is costly, and so is handling the threat of liabilities (for example by buying insurance to cover the risk). These are costs and risks a large corporation (like Microsoft) may be able to handle, but for a small outfit, or small open source projects, it's much harder. Something the size of Mozilla, or the Linux kernel, can afford good QA and will find backers to handle the risks, but small projects would be forced under the cover of some larger organisation or the distributors. Also, in the case of open source projects, the sponsors would demand some say in the development process, or maybe even the licensing of the software. Small software makers are in a similar position: to handle the risk of litigation they'd need a backer, and they won't have the resources until their software sells well.

    By charging higher premiums to insure companies using software with a bad track record, there are already market forces in place: include that difference in premiums in the TCO-calculations microsoft is so fond of to prove that Windows is cheaper than any competition, and make management aware of it (and make them wonder why that insurance company wants higher premiums for insuring against damages from security holes in that software).

    Legislation could hurt many a small software maker, and it would also be subject to heavy lobbying from Microsoft to see to it that their interests are hurt the least; a better idea would be an independent (that's the hard part) organisation providing certification of software. Once that is established there could be legislation demanding minimum standards for software used in certain critical areas.

    That way each software maker could choose how much to invest in security and QA, and it would be more transparent for customers how secure a product really is, so they wouldn't have to rely on the software maker's advertising for that kind of information. In effect the insurance conditions and premiums for different kinds of software are already an indicator of its security, and the insurance companies probably have a high interest in accurately estimating the risks, so probably they should play some part in ensuring the proposed organisation's independence.

    --
    "By the way if anyone here is in advertising or marketing... kill yourself." -- Bill Hicks
  16. Unsafe at any speed by Animats · · Score: 5, Interesting
    I've been proposing this for years. What's needed is to require commercial software companies to provide a "full warranty", as defined in current Federal law.

    It took legislation to make cars safe. The auto companies hated it. They fought every inch of the way. But it made the auto industry grow up and make their products really work, no matter what.

    Every major industry goes through this transition, where society insists that the technology work safely. Railroads did. Steam boilers did. Autos did. Civil engineering did. Electric power did. It's time for computing to do it.

    It's time for the software industry to grow up and stop hiding behind one-sided licensing agreements. Software is too important in modern life to be as crappy as it is.

  17. ways out of it by devleopard · · Score: 2, Interesting

    I'm sure that this is targeted at Microsoft, but there'd be a lot of $$$ made off of the folks that developed/distributed BIND and SendMail. Couldn't it also punish sites like Download.com?

    I know the argument is, "If it's free, it's not liable". So Microsoft reworks its license in such a way that all linked libraries are free (that's an oversimplification) or that you're paying for the right to install, but not the operating system itself. If they were still liable in that instance, then RedHat/Mandrake/Debian/etc would be in deep doo-doo.

    So how do you prove that the software vendor is liable? If your brakes fail because you never filled your fluid, then the manufacturer is liable. If your operating system fails because you didn't patch it (and a patch was reasonably available), how different would the situation be?

    What about modification? If I put aftermarket rims on my car, that will likely void my warranty and some issues of liability (oversimplification, again). So, a software vendor could make claims that "unauthorized" software (probably open to their interpretation) could have "unexpected" interaction, possibly releasing them from liability.

    Another thought: safety recalls. Most of the time, there are not fines for "unsafe" products - there are voluntary or government mandated recalls. If you choose not to return the product, that's your fault. So, when there's a new "security flaw", MS recalls Windows, and you have to uninstall it from your computer and return your media for a refund or replacement. How would that fly? (Many "simple" consumers have a hard time differentiating between the computer and the software: they bought a "Dell": further complicating things)

    Retrospective? Would this only apply to new shipments, or to all of the copies of Linux, Mac, and Windows already out there? That'd be a tough sell.

    The bottom line: this is motivated by politics and money. It would do nothing to enhance security and consumer rights. Many large companies will freely dump their waste, knowing that it's cheaper to pay the fine than it is to dispose of it "the right way". They just consider the fine an operating cost, which usually gets integrated into their pricing structure. So MS raises their prices to accommodate fines. I seriously doubt the fine would be significant. (Go back to the dumping example: if software flaws result in a bigger fine than destroying the environment, we're all in trouble ... bits and bytes are insignificant when compared to the needs of the world and future generations, and anyone who thinks otherwise needs to re-examine their humanity.) I seriously doubt you'd see any improvement for the consumer - the government is the only one who stands to gain, and that kind of greed puts them on the same level as Microsoft.

    --
    The best thing about a boolean is even if you are wrong, you are only off by a bit.
  18. I think its sad by Anonymous Coward · · Score: 1, Interesting

    I think it's sad because in most industries the market (consumer intelligence) reflects the success of a product - and if Microsoft manufactured cars they would've been out of business a while back due to their flawed and undertested designs (obviously car crashes are more severe than computer crashes).

    My opinion may be harsh on this topic but I feel that government intervention should be avoided in this situation - let the Microsoft users suffer the result of their decisions.

    If someone was warned not to cross a highway and they did, well they suffer the consequences of their own actions.

    Eventually, most people will switch products or run out of money supporting their flawed (hackable) ones.

    Let's not create an organisation that will end up being Microsoft's beta team.

  19. I don't think the point is to hurt companies. by blitzrage · · Score: 2, Interesting

    With open source, the source code is there for others to fix. That's the whole point of open source. With companies like Microsoft, you get someone sending them an exploit, and them taking 4 months to fix the damn thing because they don't want to hurt Christmas sales. I think that a company, especially one that is charging you for upgrades which you assume are going to be more secure, should be liable to a certain extent. Many companies are pushing for you to upgrade your software, but what are we really getting? I don't need a clipboard buddy, I want something more stable, and more secure.

    --

    I have no signature