Laws to Punish Insecure Software Vendors?

Gambit Thirty-Two writes "An influential body of researchers is calling on the US Government to draft laws that would punish software firms that do not do enough to make their products secure." Yeah that'll work.

open source

[kz45]

What will this mean for open source? OSS companies/programmers will be just as liable as closed source ones.

Re:open source

[glitch!]

OSS companies/programmers will be just as liable as closed source ones.

It does not have to be that way. Why not put in exemption for software that comes with source code? The presumption could be that releasing source code allows the user to take responsibility for the correct operation of the software. Also consider that the OSS writer has little or no control over changes the user might make (and that's one of the main points, isn't it?)

Re:open source

[athakur999]

The presumption could be that releasing source code allows the user to take responsibility for the correct operation of the software.

That's a bit like saying a car company shouldn't be held responsible for putting faulty brakes on a car, since after all, the car owner could have replaced the brakes with something that worked.

Re:open source

[kin_korn_karn]

It does not have to be that way. Why not put in exemption for software that comes with source code? The presumption could be that releasing source code allows the user to take responsibility for the correct operation of the software. Also consider that the OSS writer has little or no control over changes the user might make (and that's one of the main points, isn't it?)

What needs to be made illegal are EULAs that absolve the software creator of guilt for flaws. Ford is liable for putting the wrong tires on SUVs and causing people to die. Ask Explorer owners (if you can talk to people that would buy one nowadays) how they would have reacted to such a license, and imagine how the courts would have reacted.

You've also made an excellent point about the futility of the GPL, but I digress.

Everyone would be in violation

[alen]

Linux, Solaris, HP-UX, MS WIndows and a bunch of other products have holes in them that SANS tells others about. Has there ever been a piece of software with no security holes?

Re:Everyone would be in violation

[stilwebm]

A law like this would benefit two camps. One would be large software companies, since the smaller competetition would be squashed as the cost of doing business reaches prohibitive levels. The other benefactor would be the insurance agency. They would increase premiums for software businesses greatly, since this would be the best way for businesses to protect themselves. Consumers would only suffer.

Boon to Corporate America

[Mr_Perl]

I suspect that this would ensure far less software gets produced by smaller vendors and individuals who can't afford the liability.

Another good move for corporate America.

Microsoft is able to defend itself against the government. Are you?

Other Microsoft Failings...

[Rothfuss]

But Windows XP is not the only Microsoft product with security failings.

For example Microsoft Bob.

I've been waiting for a service pack for it for years. I'm just not as comfortable hooking Bob up to the internet as I once was. Bob has gotten more viral infections than an old French Whore in a port town.

-Rothfuss

Just like a LLP

[Mr.+Fred+Smoothie]

The software producer's liability should be limited to the amount of their financial return on the software, except in cases where gross negligence is apparent. If I never made a dime of the sale of the software, I should be liable only for that $0.

Before we decide this is such a great idea . . .

[acceleriter]

. . . we might want to consider that while "security" can mean keeping your machine from being 0wn3d, it can also mean "security" as in the Security Systems Standards and Certification Act, otherwise known as the "Enforced Copy Control and Free Operating System Elimination Act."

Re:Bad Idea

[Todd+Knarr]

The Ford Pinto.

We have laws that tell auto manufacturers how they can build cars. Not in detail, no, but they have to meet certain standards or they just aren't legal to make. Note that business concerns don't enter into it. Making the Ford Pinto the way they did originally was a good business decision. It really did cost Ford less to pay out the death claims than to improve the car. It even arguably benefitted the consumers, because lower costs to Ford meant a lower price on the car and consumers were still buying them even after the problem became public so people obviously wanted them. The courts still held Ford criminally liable for building a car that blew up and killed people when they could easily have built one that didn't.

So why should we treat software any differently?

Re:Freedom of Speech

[sam_handelman]

There is a wide legal history for freedom of speech ending when it causes harm to others.

You don't need to open that whole kettle of worms at all, in this case. The right to say something does not equate with the right to sell it - unless it is sold for the purpose of communication (which commercial software is not.)

People who write software and then sit on it, or only give it to a few friends, cannot and should not be able to be held accountable for their software not working - unless (like yelling "FIRE!" in the middle of a crowded theatre) there is clear evidence of malicious intent (computer viruses.)

Someone who distributes software for free ought to be required to disclaim any warranties, which they allready do, and that is fine.

On the other hand, when you sell a piece of software there is an implied warranty of merchantability that you cannot disclaim. Extending that warranty to include security is not a free speech issue. Your right to write any code you want is still protected, you just cannot necesarilly sell it.

By extension, however, code written for the purpose of communication - including "here is how you write DeCSS" or the example code in a CS textbook - would still be protected, and you'd still have a right to sell it, whether or not it worked or was secure.

A Certain Level

[virg_mattes]

> I'm not sure it's fair to hold Microsoft responible for making
> possible the actions of a malicious hacker. Is it Honda's fault a
> slimjim opens the door of my Civic?

Well, to get a realistic comparison, you'd need to compare on even ground. Pretend for a moment that your car door locks went to "locked" when you pushed the lock button, and "unlocked" when you pushed the unlock. However, they didn't actually engage the tumblers in the door, so when it's locked, the handle still opens the door. Now, there's a switch inside the door that you can get to by pulling the door side off, and when you throw it the tumblers connect and when the door says "locked" it now really means it.

Now, would you blame Honda if they didn't set the switch to "on" at the factory, and didn't tell anyone about the switch, and only acknowledged that it exists when someone in the field finds it and threatens to tell the general public?

I'd bet you would. That's a fairer comparison, and so yes, I think the companies that produce easily exploitable software should be forced to reckoning for it.

Virg

Unsafe at any speed

[Animats]

I've been proposing this for years. What's needed is to require commercial software companies to provide a "full warranty", as defined in current Federal law.

It took legislation to make cars safe. The auto companies hated it. They fought every inch of the way. But it made the auto industry grow up and make their products really work, no matter what.

Every major industry goes through this transition, where society insists that the technology work safely. Railroads did. Steam boilers did. Autos did. Civil engineering did. Electric power did. It's time for computing to do it.

It's time for the software industry to grow up and stop hiding behind one-sided licensing agreements. Software is too important in modern life to be as crappy as it is.