Slashdot Mirror
Cryptogram Judges MS Security
johnfoobar writes "The latest issue of Bruce Schneier's Cryptogram has a section entitled 'Judging Microsoft' which aims to "provide a list of measurable recommendations, so that the community can judge Microsoft's sincerity."
Required reading if you use Microsoft products." Update: 02/15 18:15 GMT by M : A better link is Schneier's first essay this month, which is about Microsoft's "Trustworthy Computing" initiative.
Wrong. This article came out today, in the Cryptogram, which comes out Monthly on the 15th. As such, it was not reported last week. :)
I think one major thing that will be lost in all the flaming about how MS sucks and is so unsecure is this:
They are making an effort now. I firmly believe that this is a good thing. Of course, there will be the usual rebuttals:
what took them so long
why are they caring about security now, etc.
Hey who cares why or how, just consider this a good thing that they are more involved in security now. Btw, remember the last time MS went after something with a vengeance? I do.
*shudder*
Sent from your iPad.
a friend of mine once said, "trust is a funny thing. you never really know if you can trust someone, till you find out you can't."
microsoft, right now, is in that stage. people have just started discovering that they can't trust microsoft. wheather they can or not is not the issue, but the perception of trust is ruined. it will take a long period of dilligence and commitment to prove themselves worthy of trust again. on the other hand, i kind of wish many other companies would make an honest attempt to regain our trust
I believe sex is highly over rated... unless it involves me
The story points back to a story previously on slashdot
mp3's are only for those with bad memories
Nobody wants to have a secure product in which you have to manually enable all the great features because of which you bought it in the first place! Secondly, no-one has time to keep up with all the security alerts. That's why an automatic patch system is absolutely necessary.
Microsoft is being realistic. The author of this article is not.
The owls are not what they seem
This was the first I'd heard of it, though I've gone to microsoft.com and asked to be put on Microsoft's mailing list for security alerts. About three hours later, the email finally arrived from Microsoft, four days late:
What Microsoft didn't mention was that, before I got its security alert, someone had posted to bugtraq this assessment of their patch:
From the article :
"Originally, e-mail was text only, and e-mail viruses were impossible. Microsoft changed that by having its mail clients automatically execute commands embedded in e-mail. This paved the way for e-mail viruses, like Melissa and LoveBug, that automatically spread to people in the victims' address books. Microsoft must reverse the security damage by removing this functionality from its e-mail clients and many other of its products. "
Amen. Give me pine anyday and get rid of the crappy HTML formatted e-mails with pics and crud, If I want to see that send me a link to a web page and I'll look at it if I feel like it. Don't send me huge bloated e-mails that look like shite when I read em on pine.
he's asking Microsoft to undo most of their desktop / system intergration. Isn't all that intergration what the general public likes about Windows(tm)? I don't see this happening, they will just patch around or disable by default all / most of the problem areas.
I remember when we said the same thing about their commitment to the web. "But IE 2 sux!, they'll never be serious about it!" When MS decides something is Important, watch out.
Best Slashdot Co
The trick is, as the author points out ... how honest are they being ? Is this a dog & pony show ? or do they REALLY mean to change the way they work.
.. and almost all my programming experience was on a mainframe.] It was considered a basic concept of design to keep your data abstract from your code ..
.. it wasn't as simple as clicking 'view source' back then either *grin*
.. M$ is still got everyone [cept apple .. but i dont have one] beat in the 'average american' user market.
.. and cant program her VCR .. but if she can figure out how to use AOLIM for instance, then its probally safe to say its easy.
.. and that would be great .. if it wasn't so easy to break. every time it breaks .. the 3rd tier tech support guru's at microsoft tell her to re-install the software. Not exactly instilling confidence that they know what the hell they are talking about.
..will become a much better product.
Almost all the concepts presented were ones I learned in college [I graduated a few years before windows 95 came out
of course
As much as I love *NIX for a server environmet, I have to say
I always use the "My Mom" theory when determining if something is easy to use. My mom is almost 80 years old
Windows passes the My Mom test
If M$ can get actually accomplish even these seven steps, they honestly
The real telling point would be , if they had to evolve far enough to MAKE these changes, would they grow up as a company ?
--Ne auderis delere orbem rigidum meum, non erravi pernicose!
See this story in the San Jose Mercury. Even now, Microsoft is still treating security as a public relations problem. Their response to the discovery of security holes in their products is still, in too many cases, to deny it.
is that MS is a corporation. in the business for making money. and anything that doesn't make money is a loss. for the longest time security was something behind the scenes and never a 'feature' that would generate any money. that hasn't changed. what has changed is that with more and more bad press MS has been getting for insecure software, 'security' has started to cost them money. people use MS software but rarely trust it. that's the only reason why they're interested in 'security'. for people to buy into .NET in all it's different interpretations people need to be able to trust it with their personal info (passport comes to mind.) without this trust, .NET would == .NOT. notice the careful use of the word 'trustworthy computing' by mister gates -- not 'secure software' or 'bulletproof agains all eveldoers' but 'trustworthy computing'. what he is doing is lining up a PR campaign to promote .NET. nothing more nothing less. it has nothing to do with a secure operating system. it has to do with a 'trustworthy computing' ala .NET.
The article in Cryptogram may be new, but the section in question was published elsewhere and was discussed in an earlier slashdot article.
Yes, Counterpane just came out, but this article previously appeared in SecurityFocus.
Everything in the article is sounds advice for security minded software and not just for Microsoft. Seperation of "data" and "code". Seperation of "package" and "protocol". Extra software is bad. Etc.etc.etc.etc.
.Net then they have the embrace the possibility they'll have to delay releasing it. How many are willing to believe MS will do this?
The overwhelming point is that this stuff is often contrary to what MS has in mind for its future software development. If they are really serious about putting security 1st in
When it comes to business vs design decisions, MS has always gone for biz.
not really childish ..
.. would YOU want your bank running a windows server to keep track of your $$ ? how about one hooked up to the internet so they can communicate with their other branches ?
.. just a cold shock of reality here .. but you should be very worried, not only does microsoft WANT this to happen, they have been agressivly trying to GET it to happen for the last 2-3 years.
they are asking them to make good on the promises they have been telling the general public (and Wall street btw)
I mean
well
imagine how quickly ONE security flaw in a bank server could render you broke.
--Ne auderis delere orbem rigidum meum, non erravi pernicose!
Hoo boy, this is a good article, but these guys are spending waaay too much time in a vacuum.
While that's nice and all, it's hard for an operating system to do operating system things from within a sandbox, and with the single exception of a guy getting a Verisign key with the name Microsoft on it (nominally a Verisign problem, not a Microsoft Problem) I haven't seen a problem lately with microsoft signed code.
The NonM$ loving folks will LOVE that soundbite, unfortunately, it's got all the likelihood of happening as having everybody shift from IIS to Apache. In any production environment, security is balanced havily with cost of implementation. NO company with any amount of entrenched custom code is going to pitch it because a security guy say they oughta. The fact that you cannot overwrite a system DLL in XP seems to be ignored. (There's a Key library, a backup directory of DLL's and the DLL in the system folder, if any of those are mucked with, the OS reacts trying to restore a safe version of the DLL, if a safe version isn't available, it prompts for a CD.)
Granular auditing exists now! The problem with enhanced auditing is the storage requirements for that auditing. I get 'the application log is full' messages NOW, what happens when every bit written generates five bits of log? Are YOU going to have a Terabyte server to store 200 mb of data and 800 mb of granular logs?
Microsoft's been in bed for YEARS with the W3C. The protocols are generated there, and Microsoft is often the first to market to implement them. Asking them to hold off a year before using a new protocol is business suicide and not something they'll be willing to do.
"Draco dormiens nunquam titillandus."
If your application gets labeled a "public nuisance," it doesn't matter how much the users like those features. Not if they want to interoperate with others.
This may seem like a harsh judgement, but the cost of Outlook and IIS bugs is rapidly getting to the point where a lot of admins are ready to take drastic measures to protect their own networks. That's why many sites are stripping executable attachments - and the crap like that "begin" bug discussed a few weeks ago are pushing some sites to outright Outlook bans because it's proving too costly to try to work around Microsoft's ongoing indifference to security.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Just to back you up, here's the old article
Security Community Reacts to Microsoft Announcement
by Hemos with 471 comments on Friday January 25, @11:25AM
The Counterpane article is the same as the earlier Security Focus article.
Software liability would be a disaster for free software, right? Okay, everyone wants Microsoft to have to pay for Nimda/CodeRed/Melissa/ILOVEYOU, but I don't suspect that the authors of Sourceforge (for example) would want to be liable for someone losing his code due to a buffer overflow. Schneier is right on many things, but he is 100% wrong on this one.
sulli
RTFJ.
One would think that wanted to put solid security into a product would not be an act of "marketing spin" or " profit ", but as an act of "pride". It make me wonder if M$ has lost that important development value... Maybe that is what keeps opensource alive...the ideal of creating something truly useful and something of a high quality...
just some thoughts..
--rpr
Microsoft is going to have to say things like: "We're going to put the entire .NET initiative on hold, probably for years, while we work the security problems out."
First of all.... Microsoft said they were going to prioritize security. That doesn't necessarily mean put all new features on hold until they are 100% secure. You can make security a priority without doing the OpenBSD nothing but security route.
Analysts like Gartner have recommended that enterprises switch away from Microsoft IIS and delay installing Windows XP, both because of security concerns.
I would like to point out that the precipitating reason they changed their recommendation was due to MS's new licensing policy. Security problems are just more fuel to the fire.
MS's security policies annoys the hell out of me but lets at least hold our points to realistic ones.
-pos
The truth is more important than the facts.
-Frank Lloyd Wright
You'll get:
Of course, Microsoft won't make it too hard to have third-party software (as long as it doesn't compete with Office). You'll just have to pay a small fee for a MS-certified crypto signature. (Oops, free software can't pay the fee? Gee.)
If a thing is not diminished by being shared, it is not rightly owned if it is only owned & not shared. S. Augustine
Knowing Microsoft, the approach they will take to "get serious" about security will mirror their previous approaches when they decide they need some new technology. It will likely play out as follows:
1) Purchase a technology leader in security. (Maybe RSA. Hey, maybe Schneier's outfit!)
2) Cannibalize their product and incorporate it into Windows.
3) Screw it up royally.
N4st0r, trixx0r h0bb1tz0rz! Th3y st0l3 0ur pr3c10uzz!
Security doesn't necessarily play along with getting an edge over competitors, which is (and will always be) a primary goal of any company.
You just outlined the primary reason that Open Source is the superior method of software design. A programmer crafting software because it scratches his personal itch will ensure that it is stable, secure, and reliable. A company will put lots of flashy glitz on it and get security/reliability up to "good enough" and ship.
-- When a fool hears of the Tao, he will laugh out loud.
REDMOND, WA - Today in a press conference Microsoft Corp. unveiled the
latest version of its Windows operating system, Windows(R)
XPSecure(TM) "It is the easiest to use and most secure version of
Windows ever to be released," touted the former chairman Bill Gates.
At the press conference the company performed a live installation of
XPSecure(TM) to demonstrate the simplicity of installation. "Our
customers have let us know that security is a foremost concern," said
Gates. "We have listened to their concerns, and we have designed our
software to fully and securely reinstall their favorite operating
system." Windows(R) XPSecure(TM) also features a Secure Live
Update(TM) option that will automatically connect customers' computers
to the internet to download late-breaking security updates. "We
realize there is much confusion out there about which security
features are truly secure. We have taken care of that with our
customers in mind," Gates continued. Windows(R) XPSecure(TM) is
scheduled to retail at $249.99 and is expected to begin to ship to
vendors in North America as early as next week. "We highly recommend
that customers of any previous version of Microsoft(R) Windows(R)
install this version to obtain an unprecedented level of user
experience in performance and reliability."
To-do List: Receive telemarketing call during a tornado warning. Check.
Look, as much as I hate Microsoft, it's not easy to write secure code, and it's impossible to write bug-free code. Because they're not currently generating revenue with bugfixes, I have a hard time believing they're intentionally writing crappy code just to reap the bugfix revenues. Yes, they always claim every new version of Windows is more stable and secure than the last, but almost nobody ever believes them anymore..
Their business model requires them to get people like us to upgrade our existing products to the latest versions every couple of years. Since you're not really getting a more stable product when you upgrade, and since features aren't the upgrade-enforcers they used to be, MS is trying to find a way to force you to upgrade. Witness their newest licensing/protection racket: Upgrade to the current version, or when the next version comes out, you'll pay full price to upgrade to it.
Until they change their business model to allow them to generate revenue for producing secure, stable code, they will never succeed in generating secure, stable, well-architected products.
Semi-off-topic?
An equally interesting article in Mr. Schneier's newsletter this month concerns Oracle's "Unbreakable" Database.
It seems Oracle put forth a good faith (albeit flawed) effort to secure Oracle9i. They enlisted the services of TCSEC, ITSEC, Common Criteria, Russian Criteria, and FIPS
140-1 to test for security holes. None of them detected a simple buffer overflow problem.
These security companies are a sham (or at least should be ashamed).
Remember... ZG9uJ3QgZm9yZ2V0IHRvIGRyaW5rIHlvdXIgb3ZhbHRpbmU=
MS is in a very hard position.
They've already gotten a reputation for putting security and stability last. New features, fluff always come first. Virtually everyone knows that MS lives by marketing, marketing, marketing.
Now MS realizes that Security is becoming "the issue." "It's the security stupid."
Now consider the difficulites.
MS has an enormous codebase to now fix - after the fact. Adding in security is WAY hard after the fact. Things break, testing must be redone etc. It's a whole lot easier to put in anything if it was part of the origional design. Super costly and painful afterward.
MS has "integrated" all of its' products. So, now they have to not only test the separate products, but also in every combination. Ouch!
From Firewalls and Internet Security (the God book of security IMHO)
- All programs are bugy
- Large programs are even buggier than their size would indicate.
- If you do not run a program, it does not matter whether or not it is buggy.
- Exposed machines should run as few programs as possible; the ones that are run should be as small as possible.
Now MS has what most would consider code bloat, and not only that integration. That's going to be an ugly task (securing the code)
MS has always fudged the truth before. Marketing before substance. So people will be very skeptical about MS's claims about anything.
MS's stance about security was always lax. Combine this with the prior point, and we have skeptical^2.
MS can't really use this as a marketing tool - or at least not until they can prove they've done something significant. This will be hampered by points 1 + 2, and continuing security lapses, when trying to secure that code and missing things.
MS can't really make money off security - again, at least not until it has serious results to show. Thus this will become a massive cost center without any revenue. Ouch^2. That will have the bean-counters breathing down the throats of the development/QA people to keep costs down. You're not producing new products, and thus revenue - salary will suffer etc.
Lastly, it will be a unglamorous job, and project. It will be hard work. You'll be unappreciated. You'll be expected to be a miricle worker, and double quick too. When you miss something, you'll get lots of heat, and few kudo's (Provided this _really_ _is_ somthing MS is _really_ serious about - if not the heat won't be there, but that's the point.)
Thus, to summarize.
- MS has a MASSIVE task to fix - both in size and complexity.
- MS has integrated all these things together. I would bet that the mutual distrust model between different modules/products hasn't been used, adding to the difficulty/complexity.
- MS has a reputation for producing fluffy software with lots of features, but not much security - it's always an afterthought. Ship early fix bugs later.
- MS has never been known for its' honesty and plain talk, thus making the credibiltiy of its' proclaimation that much more doubtful.
- This strategy won't be done quick, or cheap. The task will be difficult both technically and politically.
- MS won't be able to milk this decision for extra revenue anytime soon.
- The very fact that this effort exists, tends to point out a problem in the first place.
My conclusions are these.
MS may really intend to do this. I don't really believe it, but I'll give them the benefit of the doubt. But even if they are committed, how long will they remain committed. They won't be able to show results for some time. They will certainly have failures. These will undermine the confidence of both internal staff, and the public they're "selling" it to. It will cost a massive amount. It won't generate revenue.
It's going to be really easy to just splash it out there, and crow about it. Later, when the trench warfare sets in, it's going to be tempting to forget about it. It's out of the limelight, and we can just let it go quietly into the night.
We'll see - I don't doubt that MS _could_ do it. I just don't think they will for many reasons. And there will be _so many reasons_ no to.
Cheers!
How can you laugh at that? Obviously a feature needs to be secure all by itself and also be secure in the way it interacts with other features. Having a feature not be installed at all simply makes it even more secure. In fact, a feature that isn't installed is by default 100% secure. It can't be used, accesed, smurfed, or kidnapped for nefarious purposes. Thus, it's completely secure. Microsoft's practice of installing everything under the sun is probably it's biggest insecurity. Yes, you can choose not to install some stuff, but how many Joe Users install their own operating system?
--- Think of it as evolution in action ---
My main gripe is that they really don't seem to be trying to offer even moderately secure systems. Here's one recient nasty example;
This level of security is implicit in Unix-style systems and has been for decades. I can't even imagine how they missed this. What other things did they miss that are infinately more obscure?
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
"Security works best when it's designed into the system from the beginning, so a lot of what they've already done is going to have to be rewritten."
This is false. XP, based on NT, has security built in. The vulnerabilities discovered so far basically seem to be in two camps:
1) Buffer overflows left in the code -- rewriting won't help these, it will likely just introduce more. They just need to be found and fixed. Microsoft is in fact going over all its code line-by-line, but I can't imagine that glassy-eyed developers spending a month doing that is actually going to find all the overflows.
2) Bad design, in particular allowing foreign code to execute. I.e. the various Outlook email viruses. These need to be removed, which is a basic change in how Microsoft thinks (security over nifty features) but again you don't need to rewrite Outlook to stop if from executing scripts by default.
Methinks Schneier might be fantasizing a bit about Microsoft *having* to do this, of saying, as he puts it, "We're going to put the entire .NET initiative on hold, probably for years, while we work the security problems out." It seems like he would like to see Microsoft fall behind in the market because they have to throw all their current code away. Plus he hates SOAP (since it sneaks past firewalls inside HTTP), which is one of the technologies .NET is based on.
Personally I think this is basically more marketing hype from Microsoft. Because they are still not going to penalize developers who write insecure code (something that was bandied about but not adopted) -- it will still be, "Oops, we did it again". So with no real connection between good code and stock options, developers at Microsoft won't change.
- adam
and they do dominate the market.I'm with ya, the only thing stopping M$ from owning the world is their products have some severe problems. If they actually get up and do some credible coding, put out a good product what then will we have to BIATCH about ?
I really dislike their business practices but if they make a good product...someday they might...
errr....umm...*whooosh* *whoosh* Is this thing on ?
Propally mentioned before but this site is still up. Go to www.trustworthycomputing.com and you get redirected to a google search results listing the thousands of articles on Microsft's history of security breaches.
.net set to secure by default but it will be an uphill battle for them. Today at the same time as secure by default came out there was another story about another vulnerability in Outlook Express
Mean while, Microsoft has started a public marketing campagn and even plans to have
Today's vices may be tomorrow's virtues.
If Microsoft truly means what they say, and that they really are going to try to develop products and services that are "available, reliable, and secure", then this is a Good Thing. But, in order for them to achieve "Trustworthy Computing" (something that various other people already do, IMHO), it seems to me that Microsoft needs to do two things:
/.er, and possibly the average techie in general. However, I don't believe that this changes what MS needs to do to be trustworthy. On the other hand, if MS is only interested in looking trustworthy (rather than being trustworthy), then that's a different story.
*) develop trustworthy products and services
*) become a trustworthy company
And that will be no easy task. I agree that security in their products is something that they need to improve, but I think becoming trustworthy will require much more than that. If I were to describe all of the things that I think Microsoft needs to do to accomplish these things, I'd be here all day. So, I'll describe only a few examples not related to security.
1) Improve the quality of their products. In my current job, I have the singular pleasure of developing applications in MS Access 2000. Unfortunately, the documentation provided with the software is poorly indexed, incomplete and (in some cases) inaccurate. For example, in one place in the documentation, it claims that the maximum number of levels of nested forms allowed is 3. Elsewhere it claims the limit is 10. Both are wrong. It's difficult to trust software when its own documentation is incorrect. This doesn't mean that their products have to be perfect. But right now, it often feels like they're not even trying.
2) Abandon the new licensing strategy, which essentially dictates when companies need to upgrade their software. Having to go through a massive upgrade because of licensing is no different than having to go through a massive upgrade because of a bug or security vulnerability. The end result is the same, and I do not consider such software to be "available" or "reliable".
3) Adopt more ethical business practices. A number of the comments posted here speculate on what Microsoft true motives are. Given MS's history of Machiavellian business practices, it's not surprising that people don't believe Microsoft, even if they are telling the truth. And I'm one of those people. I tend to believe the adage that you can't build a straight house with crooked boards. So, if Microsoft really wants to promote trustworthy computing, then they must become a trustworthy company first.
Some folk have noted that the General Public's view of MS is much different than the average
Anyway, if MS is serious about this new directive, then good for them (and it's about time!). But I'll believe it when I see it (and maybe not even then).
</soapbox>
-- D
FIPS 140-1 is Federal Information Processing Standard 140-1. It's a document describing how the U.S. Government requires itself to do things. Read it here You can be certified compliant, but the process is done by independent labs, not NIST (home of FIPS).
TCSEC is also not a company. TCSEC, or Trusted Computer System Evaluation Criteria, is a book. "The Orange Book", to be specific. It can be found here as well.
The orignal poster's point is well taken, though. Whichever companies provided the certification might consider examining their process.
I haven't read these books/standards, so feel free to ignore me.
But, before you complain about how these companies should examine their processes, consider that they might be doing exactly what is required by the standards.
Schneier was mostly complaining about buffer overflows in 9i. Before you go complaining about the security review process, check if these standards actually say "code should have no buffer overflows." If they do say that, check how they say it. No use no "known-insecure" functions? Bounds checking on all inputs? Only on user inputs? (Is there such a thing as a trusted input?)
I suspect you can pass these 5 standards completely, and still be insecure.
This is my sig. There are many like it but this one is... Oops. Frank, I've got your sig again! Where's mine?
~shiny
WILL HACK FOR $$$
Can anyone explain to an old hardware engineer why "it's impossible to write bug-free code", but we design bug-free hardware all the time. And don't tell me "complexity". Is an OS more complex than a car, which includes several embedded controllers and thousands of mechanical parts? But quite often, the manufacturer's get the cars right the first time -- or they get to pay for fixing every single one. It's pretty unusual to get two recall notices on the same car, and I don't think any car since the 1950's has had design defects counted in more than one digit. Most software packages ship with known defects in the 100's, or even 10,000's.
Can anyone explain to an old hardware engineer why "it's impossible to write bug-free code", but we design bug-free hardware all the time.
I wouldn't be so sure.
A) Take a look at the errata list for any microprocessor sold in the last 20 years. It's quite an eye-opener. However, most/all the problems are worked around by the compiler writers and kernel developers, so you never hear about them.
B) With cars, they only issue recall notices for show-stopping, car-catches-on-fire design bugs. There's lots of minor bugs with cars all over the place. Things like the front suspension design on my '92 Mazda. I've had the mounting plates on top of the struts replaced 3 times now. You can stop by your dealership to look at all the notices that have been issued for your car model over the years.
What's the least secure part of a bank vault?
The big, heavy, impressive door to the vault.
Adding stuff won't help if the side windows are open or broken.
How odd. *smile* Given all her talk about VT-xxx terminals, pine/elm, and scads of users on each box, I would never have guessed that my friend's site was running MsDos.
-- MarkusQ
There's a sort of implicit warranty whenever you sell something: namely, you're warranting that it's useful for a particular purpose (said purpose being one that you, the seller, reasonably believe the buyer intends). If I sell you a car and I neglect to tell you that it'll blow up spectacularly if you happen to turn the engine over before fastening your seatbelt, well, that car's not fit to drive--hence, I (the seller) am in a whole stewpot full of trouble.
When you purchase software, there's an automatic warranty involved. Namely, that the software doesn't suck. That it's not going to be an open invitation to haX0rs. That using it isn't going to expose you to enormous risk, unless the seller has first advised you of specific enormous risk and you choose to buy it anyway.
When you license software... well, that's not a sale, is it? And hence, the legal protections that you get when you buy things don't apply to you. I can count on one hand and have fingers leftover all the times I've seen shoddy software be held accountable in court.
So this push to software-liability law is more of a push to make software a sold good, not a licensed one. The theory being, if I plunk down $200 for Windows XP, it shouldn't have a UPnP back-door in it. Software-liability laws would permit affected users to sue manufacturers to recover lost damages.
However, common law says that if you pay a nickel for something and it breaks, you can't make twenty million bucks off a lawsuit over it. Twenty bucks, maybe, twenty million, no way. There is an implicit limitation on the assumption of risk, and this implicit limitation is related to the price paid.
If I pay Red Hat $50 for Red Hat Linux and there's a horrible bug that makes my Linux box an inviting target for 1337 haX0rz, then Red Hat's liability is a factor of the $50 I paid them.
If I pay you $0 for a piece of GPLed software you wrote, and there's a horrible bug, your liability is a factor of the $0 I paid you.
Err... wait. I didn't pay you. I got something for nothing--I literally received a good at no price whatsoever above the price of media. The courts would not look favorably upon me suing you for $20 million because you gave me something, for free, out of the goodness of your heart, and made it clear to me that it was a work in progress and might not work as I expect it to.