Who Is Liable For Software With Security Holes?
securitas writes "Interesting article over at eWEEK that asks who is and should be legally responsible for insecure software. Some say it's the manufacturer. Currently software is exempt from product liability as we've come to know it in the physical world. Others say the software licenses should make users responsible if they don't install patches and updates. Infosecurity czar Richard Clarke said in his speech at RSA that Nimda cost US companies an estimated $2 billion. Imagine if Microsoft was legally liable and a $2 billion suit was filed. Now extend that to the other jurisdictions outside the US. What does this mean to open source software, which is being used to a greater extent in corporate environments? Food for thought."
"Imagine if Microsoft was legally liable and a $2 billion suit was filed."
Yes, now imagine if Linus Torvalds or the FreeBSD Foundation were liable for that same $2 Billion. They would be SOL. Microsoft would just be annoyed.
Computer Science is no more about computers than astronomy is about telescopes. --E. W. Dijkstra
Just like a car or a bike, if the equipment is faulty, I think the company that made it should be liable. However, if you got that car or bike for free and knew before hand that hey, this thing may not work because I'm giving this to you out of the goodness of my heart, then I don't think that independent developer should be liable.
;) Having the big boys like Microsoft liable while we get off easy. There's no way in hell those dirty politicians would see that that would make the most sense for the consumer. But hey, that's democracy for you.
I suppose that's only a dream for us OSS kids
Just my US$0.02
Hargun
Think nothing is impossible? Try slamming a revolving door.
The users should be responsible if they run insecure software. That said, good manufacturers should provide guarantees against this. This would allow OSS developers to write code without risk of lawsuits, while making good software worth something more in the users' eyes than it already is. (more users would go with linux if they got sued for using insecure windows :)
Yes, it is the software manufacturer's fault if they make buggy software and don't ever put a hold on new features to fix bugs. The customer is responsible for installing bugfixes, when released.
Still, they aren't legally responsible for the bugs. If you read most licenses, they say "this software is provided as is." Everybody makes mistakes and even though software creators should make more effort to stamp out bugs, no code of a certain level's complexity is perfect.
The important thing here that needs to happen is that businesses and consumers say "features are nice, but fix the bugs first." At the moment though, they say "features first! bugs aren't displayed on the box." They speak with their wallets by buying buggy software. I don't mean to be one of those typical anti-MS people (even though I dislike their software), but the fact is, they produced extremely buggy software and most people still bought it. That says something.
The question should not be who is responsible for insecure code but rather what can be done to discourage people from vandalism and how to track down and punish those who choose to break the law.
It's the contract for the use of software - this is where something like this should be stated. :) The user must accept the license before using the software - however, when a computer is provided pre-installed with software, it makes you wonder if users really do have a choice.
Why should software be any different than any other product on the market? But I do think software makers should be able to protect themselves somehow.
If someone is mowing the lawn and a stick flies up and takes out an eye the lawn mower company isn't liable if there is a warning somewhere saying "must wear eye protection while operating". Maybe a "must back up all data" in the software agreement would cover the software companies somewhat.. but then again, who reads the agreements in the first place?
for what we create. that may give our profession a little more formality of a "true" engineering profession, and force developers to fully think out designs instead of just saying "it'll be addressed in the next version".
Any piece of software should not be expected to be inherently secure.
You can't sue the builder of a house if the owner doesn't buy locks and gets robbed and sodomized.
The idea is preposterous.
Their points were terrifying: Get hacked, become a jumping off point for hackers to hack others, and watch your nice, corporate deep pockets attract security malpractice lawsuits from whomever was a victim of the hacker.
The other terrifying idea that this raised was that in 5 years or so, everyone would have hacker insurance, and the insurance companies would be dictating your security measures--much like how they give you better rates if you have working smoke detectors in your home today!
What does this mean to open source software...
buh bye sendmail!
-Bill
What are the consequences ? Hard to predict.
Current software prices are in part based on the fact that the software producers don't expect to be held liable for their products' defects. Hence MS can price their products at $X, basically because they don't have to factor in "insurance" costs (notionally - not that any major software company would be able to obtain this sort of insurance). So if MS is now held liable, price of products must go up by $Y, being the cost of paying the damages awarded in litigation.
When price of software spirals even higher, many businesses may decide not to go with closed-source software after all - i.e. they decide to "self-insure" by using software for which no one has liability if there is a problem (i.e. open source).
So, if software producers are held liable for such costs (based on the sale and purchase contract), then that's another competitive advantage that open source software gets.
Funny that Nimda was mentioned; I seem to remember that @Home.net and AT&T were pulling the plugs on their customers because they were saturating the bandwidth due to Nimda. This seems to be directed towards the users' negligence/lack of knowledge about what they're doing, and so one can argue "why blame them? They did exactly what MS said they could do: plug and play."
Now I also remember when the commercial version of SSH released v3.0, there was a HUGE security hole (passwords of length 2 or less would always work...), and SSH developers took the heat; rightfully so. They 'fessed up, and they fixed it. As far as I know, there were no incidents because of it, because the problem was fixed before it was used widespread. But if it did create an issue (like Nimda, Code Red 1/2, etc.) before a fix was made (proactive vs. reactive), they should be held liable, not the users. If a fix exists, and a user says "oh, I don't have *that* problem," well, I think we all know who should get the blame. Just my $0.02 worth though...
I know - the rebuttal is typically "have you looked at a shrinkwrap license, do you realize that you can't sue them either" and so forth, but that "nobody to sue" perception carries a lot of weight in manager-land.
One of the most important questions that I hope will be resolved soon is exactly that: whether or not a shrinkwrap license is legally binding, either in the client's inability to own the product or the manufacturer's exemption from liability, or any of the other restrictions.
Either way, it'll be important. Either you can't sue anybody, so everybody's on a level playing field where quality, one hopes, wins out. Or, other way, you can sue the fuck out of everybody - if those exemption clauses suddenly aren't applicable, then all the major distros are going to be on the hook for the quality of their product just as quickly as MS will - no small thing, either way the stakes for secure and reliable software suddenly get very much higher than they are. (Assuming, of course, that these actual costs are real costs, not just fictional ones - saying it costs half a gazillion dollars in sysadmin salaries to do what they'd be doing anyway, patching and updating systems and so on, if Nimda had never been written is a bit disingenuous.)
Mike Hoye
-- Dan
The users don't know they are running insecure software. Are they still responsible?
What if the manufactures don't know that their software is insecure. Are they still liable?
I am Slashdot. Are you Slashdot as well?
Of course no company can exempt themselves from personal liability. For example, if Windows caused me to die (who knows), then my family could sue M$ on my behalf and would likely win. If Windows caused my computer to start on fire and burned down my house, I'm SOL and a house.
Your problems are always someone else's fault.
I'll take the mod hits to point out that the parent nailed it.
-- @rjamestaylor on Ello
How can users know about holes, where a company charges for tech support calls? Then if there is a hole, the user must pay for the upgrade.
Fight Spammers!
Liability is an individual thing. Liability is based on making statements that are not true, or the deliberate cause of harm.
The supposed $2B in "damages" are a liability on those who wrote and launched the worms, directly.
By connecting to the net, just like stepping outside your door, you are assuming risk.
That said, Microsoft should be liable if they represent their product as "safe" and it isn't. I believe their representation of XP as the "Most Secure Windows Ever" does open the company to prosecution for misleading advertising, but who has the resources to prosecute it?
There is a great deal of difficulty with trying to assign liability to those who are in the wrong place at the wrong time. Someone who gets wet because they weren't wearing a long coat when a truck splashed them doesn't expect to sue the truck driver, do they?
The systems owners who were "damaged" by the worms are indeed guilty of not securing their systems. Who will prosecute them? And for what?
Liability is based on two things: Intent and negligence. False advertising and misrepresentation are the former, the success of virii is the latter.
Personally, I think a few false-advertising claims against Microsoft would be great, and from a theoretical standpoint they certainly are misrepresenting their products when they call them "secure" or "safe". Who's got a million or two for the legal fees when we lose?
Bob-
The Ludwig von Mises Institute. The reasoning individuals economics
"What does this mean to open source software, which is being used to a greater extent in corporate environments? Food for thought."
Who exactly would you sue?
When you use open source you have the opportunity to inspect yourself. If something is wrong with it, you should have checked.
With closed source you don't have that option.
Example: you buy a TV at a pawn shop (open source). You plug it in, and it doesn't work. Or maybe you were dumb and didn't plug it in at all. You choose to take it home anyway and try to fix it.
Example two: you buy a TV all sealed up in a box and aren't allowed to check it (closed source) and you get home and it doesn't work. Then the person who sold you the TV is responsible.
Veramocor
I would have to say that under normal circumstances, the manufacturer would not be liable. If the hole was intentionally put in, that is a different story, but it's not like any company is going to willingly put a security hole in its software.
Bad PR due to security holes again and again are enough of an effect (liability) for companies to wise up, one should hope (how many times have you heard from respected experts and, at times, Microsoft itself, to have IIS disabled on Win2k?).
If you contract a company to design specific software to suit your specific needs, and that software does not perform adequately (security holes, or what have you) then I believe that it is acceptable to blame the software manuf.
Face it, security holes exist. No one likes them, everyone wants to blame someone else for them, but you just have to accept that they do exist.
Weigh your options and choose the option that has proven itself. Be it number of security problems, speed in which they were fixed, or severity (proven and potential) of these vulnerabilities.
Oftentimes this points in the direction away from Microsoft, but that's in the eye of the beholder.
-kwishot
As a matter of law, in Australia, goods including software have to be "reasonably fit for the purpose" they have been purchased for, of "merchantable quality", and must fit the "description" they are sold under. If a good fails to comply with any or all of the above conditions, the disgruntled purchaser can sue for damages or a suitable replacement. In Queensland the relevant legislation is the 1896 Sales of Goods Act, of which all Australian and New Zealand jurisdictions have analogues.
Many Commonwealth jurisdictions have similar regulatory regimes.
It is arguable that software which doesn't work very well fails all of the above requirements. A former law school acquaintance of mine has even sued a car distributor, for a fleet of Lada Samaras, claiming that they didn't fit the description of a "motor vehicle" (ie a moving machine !) because they spent all their time in the shop !
What needs to be remembered is that all software producers can be liable under such a regime, Linux or Winduhs.
It's too much liability on small companies...
Think about how many companies form as little one or two man shops that have great ideas.
Sure they have bugs and security holes and hopefully they're fixed before any damage is done, but to sue a small shop a million dollars because you didn't test something you installed on production servers is a joke.
Instead, you could pay another company to test your security all the way around including all software installed on a server.
Also, if there were something that says the software maker is liable, open source should be exempt as everyone has the opportunity to review exactly what the code does or doesn't do.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
Color me pink if this sort of frivolity is exactly the sort of thing that makes such prolix and intimidating EULAs necessary. Imagine if Slashdot were liable if someone clicked a goatse.cx link and had a heart attack (lord knows I nearly did--until I learned to love it).
The legal system is in place to uphold justice. Unless you can prove that Microsoft did it on purpose (or were grossly negligent--which even Slashdotters should be able to realize they were certainly not), this will remain a GNU/Wet Dream.
visit the hwky website for a lyrical genius infusion.
Well, if license agreements did protect companies we would probably end up with the equivalent of malpractice insurance for software projects. Effectively increasing development costs by millions or billions. So it would stifle small projects. As fun as it would be to sue Microsoft, the costs and precedents would rebound and damage opensource and GPL.
I'm a professional software developer. I work for a very large computer company (not ms). We all try pretty hard to get rid of bugs in programs, hell as programmers we do care that our code is as bug free as possible, it's a pride thing - as well as being good for business. :) However, it is possible to lower the number of problems if you are willing to invest a lot more money into testing, which in turn ends up costing the users a lot more money (yes I'm sure there will be replies saying open source can solve this problem; more eyes find bugs quicker etc etc etc but a lot of people are still not going to consider open source solutions).
Unfortunately there's no way to produce software which is bug free, just not possible today. Well perhaps with the exception of hello world
I don't think software producers should be responsible unless it's shown they are grossly negligent and even then they are not necessarily responsible. Otherwise amer^H^H^H^H people are probably just going to start suing people stupid leading to massive rises in software prices. OTOH when I use windows it pisses me off when it crashes. I upgraded from 95 to XP a few months ago. MS says XP is rock stable, hardly ever crashes, bullshit. The lies in advertising piss me off more than the crashes themselves - false advertising that is something I'd like to see them punished for.
He who defends everything, defends nothing. -- Fredrick The Great
First, in the real world, you buy a physical good. Be that a bike (as the previous poster said), a car, baby care stuff, or a house. You buy that certain standards are met. In the case of the house, all safety standards are met to the people living in the house. With aspect of the baby care products, infant death lawsuits are quite expensive. They "hunt" down possible problems, as fixing is cheaper than the publicity and suits possibly filed.
However, this is the software world, so we must change our views to what makes sense "HERE".
First, a reasonable assumption is of a "Good Faith" rule. Simply put: Say Oracle puts hole in all products login/password = admin/user . Evidently, Oracle had bad faith (in this example) as to put this hole in there. Server/database damage was done to systems. They should pay court decided costs.
Second, how do you target Open Source Projects? They do not operate in bad faith as they open their code so all can see. Those on free updating systems can upload snippets/revisions so the community can decide what to choose. Bad faith lies in the hands of the compiler of the source (eg USER) if he/she doesn't check it.
Third: Since software companies SELL code, Open Source checking (as explained in the second point) is not viable. Perhaps a group of professionals (that sign non-software-job agreements) could check on disputes of bad faith. A simple "'cause I don't wanna" is automatic dismissal/win.
Stores on the internet, that use real store rules, seem not to live. Practices must be changed to adapt and live. The same with responsibility rules when compared to the internet.
If you want liability, you should expect to pay more money. A lot of the users don't need that kind of liability, only few users need that. Those need reliable software, as like NASA, should expect to pay more money, and those not could enjoy cheaper software. So, anyway, what's so wrong with the current practice?
Who's to say that those security holes aren't supposed to be there? No license covers every possible function of a software product, and no user manual every possible use. So that's a feature, not a bug. ;)
This is a standard legal theory. Manufacturers get third-party liability claims all the time, and carry insurance to deal with them. Except in the Y2K area, though, this doesn't seem to have been litigated yet.
who is and should be legally responsible for insecure software?
A. The Author/Publisher
B. The User
C. CowboyNeil
'Same speed C but faster'
Think about it... the commercial software company pays liability whereas no payment from OSS software... if you're a big company you want to know that if your stuff blows up you'll get money in a settlement.
So they'll buy the commercial stuff.
Now, this might just sound like one of those zany, out from left field ideas, but "what if" we decided to hold the actual criminals who are breaking in through security holes liable? I know, I know, I must sound like a kook, but hey, you never know what might work!
"Your superior intellect is no match for our puny weapons!"
Correct answer is: Cowboy Neal!
If party A licenses software from Microsoft, and agrees not to hold Microsoft liable for any bugs in their code, then MS may be safe from suit from party A. However, if party A's servers start attacking party B's servers, and party B never had a contract with Microsoft, there's nothing legally stopping them from trying to sue Microsoft. That, I think, is why issues like this are important.
Be the Ultimate Ninja! Play Billy Vs. SNAKEMAN today!
development isn't easy. It's kinda like building a space-shuttle - nothing is guaranteed. Sure you can check it over 1000 times, but there is always gonna be something wrong... somewhere.
I think the key is to have consumers demand more "security oriented" software. After all, it's not about which product is better, it's about which product sells. So go buy OpenBSD dammit!
--pingu
Perhaps the money involved in purchasing licensed copies of non-free software should be considered a sort of contract. When I pay for an item (any item) at a store, I expect the item not to be shoddy, or at the very least I expect that there will be compensation should shoddiness be present. This compensation usually comes in the form of a refund, although manufacturers of consumer products often are held liable for product defects and any damages that might result from them. The same principle could easily be extended to software. If I pay for a piece of software, I expect it to work. If you certify to me via the implied contract of sale that your product works and it does not (e.g. if I purchase a piece of software which, through some defect, corrupts my data or causes loss), you are liable for the damages.
Free software is a separate case, IMO. If, for example, I download a Linux ISO, then there has been no sale. Accordingly, no contract has been entered into either by myself or the creator of the software. I may have obtained the product legally, but since no contract of sale is present, I am SOL if anything bad happens.
I pledge allegiance to the flag...
of the Corporate States of America...
Does anyone get the feeling sometimes, that MS might be employing people to try and stir up linux communities?
Just I've noticed lots of very weird trolling type posts that even a bored, twisted person would not bother writing.
That gets into a gray area where you really have to define faulty. For instance, when it comes to system faults vendors should be required to offer a guaranteed uptime (they can set the value at whatever they want, so you could sell your software with a guarantee of no more than 20 critical faults a minute, but that might hurt your sales somewhat... As it is, organizations make very few commitments to their systems, allowing Microsoft, as an example, to simply push each new OS as "way more stable than that last piece of software which we sold you under the pretense that it was super duper stable..."). Is that bicycle faulty if the rider drives irresponsibly and gets hit in traffic? Is that bicycle faulty if it gets stolen or is otherwise maliciously used?
Security robustness is a marketing function (it's a feature, if you will, just like a Volvo withstands impacts better than most other cars), and insofar as vendors don't outright lie about the security of their systems, they should not be held responsible: The responsible parties are the hackers/DOS attackers/etc, and no one should ever fool themselves into anything otherwise. For all of the talk comparing software to the "real" world, the reality is that the window maker isn't responsible if someone throws a brick through it, and the lock company isn't legally responsible if someone drives a tow truck through the door: As long as it withstood at least the marketed capabilities there is no vendor fault.
It's a cute concept, but how do you regulate/enforce it? We going to have an FDA of computing where a federal/state/local institution makes sure our software is fit for human use? Everything we decide has liability also comes with a governing body in charge of determining fair use, manufacturer liability, and accepted liability of the user. Auto industry has the department of transportation and NTSB, aircraft has the FAA, food has the FDA, firearms and liquor have the ATF, businesses have the FTC and state or local better business bureaus etc etc
Maybe software will end up with a self governing body like movie's MPAA or music's PMRC
Once again, IANAL, but at this stage we should rather discuss how things ought to be than how they currently are according to the law. When talking about security, a good analogy would be the doors (including locks, steel grilles, alarm switches etc.) of your house. Any door can be compromised but the used method makes all the difference when it comes to liability. If the least intrusive way to compromise your door is to push it in with a wrecking ball, bulldozer or 5 sticks of dynamite, I would assume that the door works as intended and in the case of a security breach the manufacturer should not be held liable for the damage, direct or indirect. If, however, all the doors manufactured by a vendor can be opened without a trace simply by inserting a stick in the keyhole and yanking the door handle three times in quick succession, the product is clearly defective. The question thus is, which level of security one should reasonably expect to obtain through the use of a security product X. IMHO the current line of MS products does not meet this criterion.
Anyway, there won't be true online security without a radical paradigm change in OS design. I would tend to go for VM instancing and genetic antibodies similar to biological immune systems.
Comic-not
Existence usually comes as a surprise (Idem)
In the case of Microsoft, you can demonstrate a pattern of negligence in the way they test and release their product. The company also publicly denies that there are problems until it is too late for users to do much of anything to protect themselves and their networks. The last thing MS wants is administrators migrating their operations off MS products in favor of more controllable risk (like Open Source or a different and better tested proprietary one). I say controllable risk, because no software is bug-free and it is the job of the administrator to manage the technical arena and minimize risks to their networks.
With the Redmond mis and disinformation machine, you can never be sure of what the truth is in terms of real support from the vendor. Afterall, this latest round with UPnP pretty much proved that the company puts profits over security. I mean, only Microsoft would try to tell the FBI that a security disaster waiting to happen wasn't one. It IS how they maintain their 'edge'.
Death by a 1000 cuts.
In space, no one can hear you moo.
Don't give me this "If.." crap.....if I feed a bird, and it shits on your windshield, and you get distracted and change lanes, and a truck load of fish food shifts, and the driver throws out his back fighting the steering wheel, and his doctor fails to fill the prescription, and the pharmacy has to make an extra phone call, but the number is busy, and the girl has to work late, so her babysitter has to stay longer, and she gets a parking ticket.....
If I pay for something that causes me grief in a set of circumstances beyond the contract, I have a right to recourse. If it breaks, I can take it back and get a refund, or if it fails, I can seek damages in court.
None of this extended fractal he-said, she-said madras crazy quilt responsibility legal dodge crap.
If MS ever takes responsibility for its garbage software in a manner that is in line with its fees, we will all be better off...that's the only 'if' that matters.
If I buy a knife and cut myself, it's my problem. If I buy a knife and it won't cut, it's the manufacturer's problem...not mine.
If assholes had wings we wouldn't need cars.
How about this:
At the discovery of a serious bug/vulnerability, the company would be forced to show documentation of the development process and prove that they have taken reasonable care about avoiding programming mistakes. If it shows that the company hasn't taken care of quality control, and no patches have been released at a reasonable time after discovering the problem, the company will be liable for the bug.
On the other hand, if there is evidence that the bug was an unfortunate accident or the customer hasn't taken care of installing patches or updates, the company will not be liable for the bug.
I know, sounds a bit naive, but this could work...
Does anyone get the feeling sometimes, that MS might be employing people to try and stir up linux communities?
No, MS and other corporate types like to use astroturf: Paid shills who boost a product, not put another down. At least, that's what they're known to do. Simple extension of advertising, after all.
Just I've noticed lots of very weird trolling type posts that even a bored, twisted person would not bother writing.
Then you don't know how bored and twisted some people can get. Why do you think Slashdot has such a great moderation system? Why do you think we have a way to identify friends and foes now? They're not just good ideas, they're damn near essential in an open forum as large as this one.
Look at Usenet. Huge forum, completely open. What do all good newsreaders have? Killfiles. A way to make certain people disappear. A constant level of annoying BS is completely anticipated by design. Think about that for a while. Nobody I know of has ever astroturfed Usenet. Not enough average lusers make use of it for corps to spend ad money painting billboards on it, fly-by-night spammers notwithstanding. The BS those well-developed killfiles filter is the BS lonely, bored, disturbed private individuals create.
This is as close to Usenet as a webpage can be. No censorship. No deletion. Free access. Therefore, it must emulate the killfile system as well as it possibly can or it will surely collapse under the BS. The BS created by private morons for their own purposes.
MS does not need to spend cash to get people to rile the Penguinistas. Moronic trolls do it for free.
How can you use my intestines as a gift? -Actual Hong Kong subtitle.
Most people seem to be missing two important distinctions here. You pay for commercial software, but not for free software.
:-), the latter is practicing medicine without a license.
This totally changes the nature of the beast. As a specific, non-tech example, I can give a friend a ride. I can even graciously accept gas money, or a free lunch for my troubles. I could even be a good Samaritan and offer a lift to total strangers.
But the instant I actively charge people for this, even if it's a token amount, I become a "for hire" limousine service and am required to obey a large number of laws. Some are "on point," others seem to exist solely to eliminate competition.
There are other, more subtle differences. I can refuse to give a friend a lift without explanation. Once I become "for hire" I can't (legally) refuse to accept a passenger without a good reason. E.g., someone showing a weapon can be refused, but someone who stinks because they haven't bathed in weeks can't be refused.
An even more extreme example is the difference between my friend asking me if I've ever experienced certain medical symptoms and a stranger paying me for advice. The former is a casual conversation between friends (or not so casual, if it involves a possible STD
In the software realm, I would expect to see a similar difference in the treatment of amateur efforts (where people develop software for the love of the craft) and commercial efforts. If someone is grossly negligent, it won't matter whether they're compensated or not. But for routine oversights, I would expect to see far more severe penalties for commercial vendors than OSS providers.
The second difference is that when you get software from Microsoft, you can't change it. Any errors *have* to be due to Microsoft's (in)action. In contrast, free software is released in source form and patches are routinely assigned. It's not morally acceptable to hold people accountable for the (mis)actions of others, so it's much harder to justify penalties against parties that provide source code.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Once upon a time, I bought a safe for my guns. I even locked the door in the safe. Still, somebody broke in and stole my guns. So, now the manufacturer is liable for the harm done? I mean, the safe was not safe after all! Hey, get real. I bet MS or anybody else doesn't make security holes on purpose, just as the company that made my safe did not intend it to be breakable - oh, sorry, that safe was NOT made by Oracle.
Yes, now imagine if Linus Torvalds or the FreeBSD Foundation were liable for that same $2 Billion. They would be SOL. Microsoft would just be annoyed.
People often tend to forget a very important factor when talking about Microsoft. Microsoft is a *monopoly*, it's official now.
With that monopoly power they have killed off a lot of the competition by creating proprietary standards.
And here is the important fact: People/companies no longer have any *choice* but to use Microsoft's products if they want to share information with someone else. And what companies don't share information today ? None !
So please, don't compare the Microsoft user-license/responsibilities/whatever, that you have no choice but to accept or get out of business, to the open-source ones that people can very easily walk away from if they dislike it.
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
1) House: you can use engineering practices to decide whether the house is strong enough to support the expected load, etc. (Hopefully this is incorporated into the building codes, so you don't need real engineers if the house follows a conventional plan). Engineering brings people with various initial opinions to the same conclusion, at least in cases where the engineering has been worked out.
2) Software: the referenced articles state that software correctness is one of the properties of software that is outside the realm of any objective engineering-like estimate, and mathematical proof of this.
So house falls down, someone should have known better. Computer program crashes is a qualitatively different situation, no one other than a scam consultant would claim that the program is correct in the first place. (As Connell says, no "serious researcher" believes that software estimates with engineering objectivity are possible).
As for open source, "As is" is very much implied before you even start using it. It's impossible for anyone to be at fault in either case, from a legal standpoint. Therefore, this story is completely bogus.
I like your choice of offenses, gender neutral sexual assault. Oh, no, wait, that implies that a man must be the offender. My bad. Sexist Pig!
And this begs the question of whether or not it's possible to make bug free software in the first place. Given the complexity of software, 100% bug free software might not be a realistic goal and this seems to make it unfair to punish software companies for every bug. Making software companies liable could severely hinder software development due to the high risk involved.
It's very hard to assess liability when software fails. I haven't the solution and I imagine it'll be a while before anything concrete is determined.
It's all about me, I did it all. Blame me. Go ahead.
Thanks,
Al Gore
> The question should not be who is responsible for insecure code but rather what can be done to discourage people from vandalism and how to track down and punish those who choose to break the law.
I agree, in principle. A similar concept applies to copy protection; we should concentrate on punishing theft rather than on limiting the fair-use capabilities of our electronics.
But in this case, I've been wondering whether society's best interest lies in a different strategy, more pragmatic if less idealistic.
I'm normally adamantly against blaming the victim for crimes, but consider this. What if we legalized hacking? Within a few weeks, incompetent sysadmins/secadmins would be out on the street. Within a few months, software that was not patched promptly would be replaced by software that was. Within a few years, software that was not essentially secure would be off the market.
Punishing the criminal is certainly just, but it doesn't do a heck of a lot of good to spank someone after the damage has been done. Society is going to be more dependent on computers in the future, and more at risk to insecure software. We need to take radical action to fix the problem before it grows from inconvenient to devastating.
Admittedly this would cause a great deal of short-term disruption, but at least the problem would get fixed.
It's possible to build secure software; developers and vendors just have to care enough.
Sheesh, evil *and* a jerk. -- Jade
If one ships open source, one can tell the customer to look at the source and don't use the program unless it's correct for their purpose. Can't do that with closed source. Maybe that should put more liability on closed-source vendors.
This will be a tough business in which to survive if someone is liable for every fault.
If a patch exists, it's the customer's problem, but if one doesn't, then it's the vendor who's at fault. However, this should only be in the case of software paid for and closed (source). There's other forces at work with free/open software that make things work a lot differently.
Currently I have no ideas of who's to blame for what in free/open cases.
If your car gets stolen, the lock on your door/window (the security features) was obviously not perfect. But when your car gets stolen, do you sue Ford/Lamborghini/etc.? No...they implemented security as best they could (in a price/security ratio). I think this is an analogy for security.
However, if your auto-manufacturer has a sub-standard lock, you still couldn't sue them...you would just have to not buy that brand.
I have to say that these continual security alerts are nothing but a major headache.
If my job were to simply admin a couple of systems - and that's all I did all day - then I wouldn't have a problem.. I would just check by every morning at the Windows Update site, or on Red Hat's up2date site and patch my systems.
But being as I am the only techie in our group who is concerned about system security, for our 15+ servers it becomes a problem. And also seeing that I have other techie jobs to do throughout the day (like reinstalling machines, installing software, end user support)..
It just makes the job a nightmare. And then you get held responsible if those systems get hacked from a vulnerability.. how can that be your fault?
Companies need to take responsibility, without a doubt.
"Hey! Unless this is a nude love-in, get the hell off my property!!"
Selling software is great. Compared to someone selling a real physical product like spark plugs, you legally retain much more extensive control over how your product can be used even after you've sold it. This is because of the enhanced rights you get as a holder of intellectual property as opposed to real property. But even though you can dictate to people the conditions under which they can use your software, if anything goes wrong, the product liability risk you expose yourself to as a seller of software is zero!
Why does anyone even try to sell anything else?
The software industry heavily lobbied for legislation (and got it, of course) that basically makes its products legally without warranty.
Which legislation are you talking about? The only law I know of that would accomplish this for them is UCITA, and that's only been adopted by 2 states.
It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
It's shameful, the way we try to pin the crimes of computers on people. A man buys a computer, the computer hacks into the Federal Reserve and he goes to jail. Another man writes an operating system, a computer using that operating system smurfs AT&T but he goes to jail. The computers remain free to strike again... when will society hold computers accountable for their actions? When will we stop persecuting man for the crimes of his possessions? Perhaps some day... in the Twilight Zone. (insert cheesy dramatic music followed by annoying roll-credits music)
Please, United Trolls, count me in !!!
Or I'll do your Moms until one of them give birth to the AntéKatz !!!
Smile, don't click...
Just curious--what's your sig about? "Central planning"? Gun control? 9/11? I don't get the connection.
Here's an interesting read : Linux SUCKS! Slowaris too, but more so Linux!
Propz to all dead homiezz, hobbits, and hot grits.
I'm sorry I caused all those security problems.
I won't do it again.
There is an article on news.yahoo.com about this. I'm pretty sure that it mentions in the EULA that Microsoft (or whoever) is not responsible if your house explodes, smoke comes out of your computer, you catch AIDS from your computer, etc... due to 'faulty' software.
But of course, if a bugfix is available but not installed by the customer, liability for that particular unaddressed problem should be voided.
That way people get what they paid for, who wish can sell software, who wish can give the software for free, ... and freedom remains.
hany
Are these 2 billions worth of bread and first aid kits for the third world country that you yankee bastards bomb with a doubtless feeling of industrialization or are these 2 billions only worth meetings, consultancy and... well : bullshit ?
Smile, don't click...
...so if some DUI dork kills my [mother-in-law,lawyer,CowboyNeal] in a car accident, I go after Seagram and Toyota, right? That's ridiculous! Well, in California maybe not...
Use The Source, Luke!
Here is some food for thought. Assume for a moment that software companies can be held monetarily responsible for bugs in their software. If we hold these companies liable all that will happen is they will raise their prices to offset the cost of litigation. Imagine a piece of software (i.e. windoze) that frequently has gaping security flaws uncovered. Each one of those holes could cost M$ billions. That adds up to a $1000+ license for Windows 2005. All that manages to do is shift the costs to the consumer. You're damned if you do, and damned if you don't.
Scott
Microsoft does have people actively working to discredit Linux. I went to a presentation by a Microsoft representative at a Microsoft user's group meeting that was discussing Linux.
It basically amounted to "Linux isn't as popular as you might think so you better stick with Microsoft." (They didn't really discuss a comparison of quality of the products).
As for the weird trolling type posts, don't be too quick to ignore the possibility of a bored, twisted person but I would be extremely surprised if Microsoft doesn't have at least one employee assigned to Slashdot monitoring and responding full time.
Coding Blog
and are no less dangerous than car defects. Think about software to treat cancer patients, or keeping track of child molesters. Please don't be naive.
First of all, IANAL and this is not legal advice.
What I want to know is when the country will make contractual law a part of the high school curriculum? Every dumb shit in America believes every stupid document put in front of them is law.
It does not matter what they write in their license, contract, etc. They cannot violate the law with their document. They cannot absolve themselves of the law by writing it in a document and say you must follow it.
This is similar to those signs that say not responsible for blah blah blah. Bullshit. If they are responsible, then they are responsible. Period. They just hope your dumb ass will not follow through with a lawsuit.
Wake up, smell the coffee and shut up unless you know something about contract law.
If you don't publish the source, you're liable. Hiding the inside of a program is perfectly OK - assuming that you take full responsibility for the manner it works.
If you publish the source, you can be exempted. Exposing the inner workings, anyone can verify the suitability of the software for a given purpose.
MS plays safe by not being responsible (sueable) for their bugs. If they were requested to either FIX them holes before release or publish the source, they'd concentrate on security before feature count, which would be double good.
Only problem is, this way of cutting things would hardly feed the lawyers :)
I'm in a Unix state of mind.
Whilst the thought of seeing Microsoft taken to the cleaners for product liability would fill me with a certain amount of malicious glee, I do not believe that software companies should be liable for the security of their products.
As others have pointed out, if someone breaks into your car, then you cannot sue the car manufacturer (at least it is difficult to do so successfully!) for the theft of your vehicle. Similarly if someone steals your hi-fi from your house, you do not sue the manufacturer of your locks and windows, or even the hi-fi maker.
I do believe that software should be reliable and perhaps there is a case for liability if the operation of the software causes a major disaster without malicious outside interference. The problem with that, however, is we're all too aware of what will be the result; software prices will skyrocket to cover the immense legal costs that will result from defending and settling these claims.
The only people who would benefit from this will not be the software developers, regardless as to whether it's Microsoft or open source developers; it would be the legal profession aiming to take 10-50% of your damages award when you did settle.
Donte Alistair Anderson Roberts - hi son!
Karma: Chameleon
Who is liable if a lock on my front door does not work? The company who made the lock? Or me for not being able to afford a good lawyer?
I would really like to know what some lawyers have to say.
hmm... for fun I enjoy launching DDoS attacks against 127.87.42.5
I firmly believe that the creator of the code is directly/entirely responsible for any and all liabilities brought on by exploits/security holes/vulnerabilities in their product including but not limited to hacking, bugs, viruses and worms.
It bothers me that there is this mentality that software designers are responsible for including security in their products. If I buy a piece of software, I am paying for a piece of code that is designed to perform a specific task, not necessarily for a piece of code that will protect me from illegal activities.
If I buy a car, I'm paying for transportation. It would seem silly to sue the manufacturer because somebody stole my car and I found out the locks on it were easy to pick.
I use Outlook as my mail program at work. I paid for it, and I expect it to be able to send and receive mail. If somebody illegally exploits that program to do malicious things, I don't blame Microsoft, I blame the person who wrote the virus.
On the other hand, I also own a virus scan program. This is a security measure I pay for. If my computer is attacked by a virus, I expect my virus scan program to detect it and remove it. After all, that's what I'm paying for.
Yet the mentality is, if somebody illegally affects my mail program, Microsoft is at fault. While the virus scanner, which I also pay for and keep updated, which failed to do its task, remains blameless.
It's nuts.
The Internet is generally stupid
... this only really applies to commercial software.
And by "Commercial Software", I mean software you pay for, with hard earned cash.
That means that Open Sauce doesn't count. You can't seriously expect to be able to sue or whatever anyone that writes a piece of software for free (die opensource). They wrote it - you use it for free - it breaks - tough shit.
However, when you spend oodles of cash with the likes of Microsoft, Oracle, or whoever - sure, if their software is faulty in any way (bugs, holes etc.), then they have an obligation to fix it or to compensate you for the inconvenience. Obviously, none of the bigwigs are going to voluntarily compensate you, so that's when you take them to the cleaners. But the option is still there - how successful you are is another story.
Another argument though, is that how severe can the ruling be - can you really base it on how popular the company is? I mean, you have two software companies, company A only sold 1000 copies of its software and company B sold 1,000,000 copies. They both have a similar security hole. I don't think it's really fair to give these different rulings or figures because, at the end of the day, it's a single piece of software - the userbase is not in their control.
"Never let the truth get in the way of a good story..."
In addition, there should perhaps be restrictions on what can be sold: for the sale to be legal, consumer software should perhaps have to conform to some basic safety standards, analogous to UL standards for electrical devices. (Since this is a restriction on sales, it would obviously not apply to free software.)
Large commercial customers are presumed to be competent, and they should be responsible for this themselves; they don't need regulations or legislation to protect them. For example, if a company exposes 10000 people to identity theft through an insecure computer system, the company should be legally liable for that. The company will then insure against that risk (possibly directly through the software vendor). The insurer will assess the risk and compute the cost of the insurance. The company then can take the cost of the insurance into account when selecting software. I.e., it comes down to the question of: is Apache plus insurance more or less expensive than IIS plus insurance?
When I buy something I expect it to be functional, secure, nice and shiny. Hell, I spent money on the damn thing. Of course you/they should be responsible for the things you/they sell.
Open source or closed, if I spend money on it then they would have to give me my money back if it doesn't perform as it should.
.haeger
Football on the web? Hattrick is good fun.
Cancer is not fun. Help here. Join Team Sweden (249) and show that you care.
You are not entitled to your opinion. You are entitled to your informed opinion. -- Harlan Ellison
I suggest the proper way would be to force the marketing people to fix bugs (they said the software was perfect and crap) while the programmers should be sent to some exotic islands and punished to stay in luxury hotels and have lots of chicks and booze around...
Or maybe I'm just frustrated...
__________
Don't belong. Never join. Think for yourself. Peace!
Here are some of my thoughts on why we have buggy and insecure software.
* Human Nature
People in general don't like to admit that they are wrong. Companies small and large are not much different. Even when they distribute the patch, there is rarely accurate or complete information about the problem or the severity of the problem being addressed. We think apologizing is a sign of weakness.
* Corporate Image
By admitting fault, a company loses credibility. A company is always willing to live with a few unhappy customers to protect its overall image. It's one of the reasons why software defects, security or otherwise, get hushed up and buried. You all know that the euphemism for this policy when it is applied to security is called "security through obscurity". You also know how well that works. Admitting fault is the last thing a company will do. Even when they do admit it publicly, they will always play down the severity of the problem.
* Monopoly
When a company is a monopoly, there is almost no incentive to admit to a problem and fix it. If you know that you can't get fired and you will get paid the same if you work one hour a day or eight hours a day, which would you choose? Lack of incentive is the very reason why communism is bad for progress. The only reason why Microsoft is pretending to care about security recently is because they are having trouble penetrating (from behind) the enterprise market with their tarnished image.
* Money
When I say money, I don't mean the cost to create or distribute bug fixes. Putting a patch on a website for users to download isn't such an expensive proposition. It's a lot different than a car manufacturer doing a recall. When I say money, I mean greed. Companies are using bug fixes as a ploy to get users to upgrade. Marketing departments have figured out that consumers are willing to pay for bug fixes. An example of this is Windows 98 and ME. Essentially they are selling you a big pile of bug fixes as a full product and charging you for it. Sneaky isn't it? MS is not the only guilty party of this devious practice. Many companies such as Vignette, BEA Systems have done this sort of thing. It's becoming very common in many places and we all have been brainwashed to accept it as a norm.
Since Free Software/Open Source has only one of the four problems to contend with, I think it has a somewhat better chance of producing superior software than a commercial environment.
I don't see what the problem is.
;)
If you write it, you do your best to make it secure and keep it that way. If you write insecurities into it, that's your problem.
If you install it, it's up to you to make sure it stays up to date with patches.
I've got no sympathy for people with cracked boxes when there's a patch that should've been applied (ie in 99.9% of linux and 99.99% windoze cases).
I don't see what casting it in law is going to achieve; far rather use common sense that people are responsible for their own doings, with a few precedent cases to back it up. (That'd be a first
~Tim
--
Rushing on down to the circle of the turn
not it!
This is the stupidest thing I've ever read.
What if s/w companies were held liable:
1. there would be a *lot* less software out there
-> restricted choice for the consumer
2. s/w would be a hell of a lot more expensive
-> we would have to pay for increased dev costs
+ vendors insurance etc
3. nobody would use open source, you probably
would even be legally required not to install
open source s/w on any machine connected to
a network
who would win? lawyers that's who
the rest of us - anybody interested in
computing, programming, open source etc -
would all lose big time.
a woman was just jailed (in the UK) for giving a free ride to the son of a friend - he didn't wear a seatbelt so he got killed in the crash (she had drunk the night before). The argument was (1) she should have forced him to wear a seatbelt and (2) she should have known that she had alcohol in her blood even though the police refuse to let people buy "self-test" instruments.
_______________________________
"I'm not Conceited...I'm just a realist..."
In a normal heterogeneous environment (as 99% of n/ws are), you're going to be dealing with software and hardware from many different vendors.
It is possible (if not probable) that the interaction of these components will create security holes for an attacker to exploit. Which vendor do you blame? They may all be working as designed. Do you blame your low-paid network guys? Do you spend hundreds of thousands to hire external consultants? Can you blame (and sue) them if your network is breached?
What about default configurations of software? What if the default configuration is insecure, but the documentation describes how to secure it?
I have my own thoughts on these issues, I'd like to see what the general consensus is here.
Btw, if you're looking for a secure OS, try XTS 300 STOP.
The EPL makes interesting reading.
WINDOWS MAKES IT EASY TO UPDATE YOUR SYSTEM:
-fed warning: "Microsoft corp provides free updates to the operating system and software. You are encouraged to do so. However, upgrading your operating system may render inoperable programs that work flawlessly now. Microsoft corp. will not be liable if your computer or data files are damaged as a result of you using a microsoft-approved update."
"Most people seem to be missing two important distinctions here. You pay for commercial software, but not for free software."
Not necessarily, what about distributions where there exists a pay version and a free version. What you are paying for with the paid distribution is not the distribution per se but the extra features such as phone/web tech support, nice packaging and a manual/whatever. The OS and accompanying software are the same for both paying and non-paying users.
"In the software realm, I would expect to see a similar difference in the treatment of amateur efforts (where people develop software for the love of the craft) and commercial efforts. If someone is grossly negligent, it won't matter whether they're compensated or not. But for routine oversights, I would expect to see far more severe penalties for commercial vendors than OSS providers."
My point is that, number one, the line between commercial vendors and amateur efforts, especially in linux, can become very blurred and number two, that the people who draft the legislation deciding liability may not take into account what you would expect and make a clear and fair distinction and even if they did I could see certain cases where the whole issue could become very messy and regrettably damaging to linux.
I hope that this is not the case and I hope that what you "would expect (,) to see a similar difference in the treatment of amateur efforts" does happen in a fair, clear and concise manner.
Now my question is if, the instant I actively charge people for this, even if it's a token amount, I become a "paid" for OS and am required to obey a large number of laws. Does the software become liable or am I just liable for tech support/whatever extra which I offer the users, or more to the point, will any law passed with regards to software and liability accept this distinction?
_________________________________________________
From what I've read most of the damage estimates were pulled out of somebody's ass, anyways. So my question is, if this became law would the damage estimates get lowered considerably?
Damnit, Jim, I'm an anarchist, not a F@#$!^& doctor!
In the article, the author suggests that software companies will force customers to accept patches or risk voiding their warranty.
This is not possible in certain environments without breaking the law (FDA-inspected GMP or GLP pharmaceutical production units come to mind). In these cases, the system has to be recertified which can only be done after rigorous testing. Then you must install the patch on all machines. How do they propose to approach this ?
MICROSOFT!!!!
Sorry? Fully 70% of security problems are bugs in the software? Well what are the other 30%, then?!?!?
Oh yes, I forgot: features!
Cost US business just over $10 billion.
but they would also say that my use of Linux/FreeBSD last year cost MS over $250,000. (That is only a few servers)
Get a free ipod.
I mean, if you buy bulletproof glass for your car, and somebody shoots you through it, you might have a case: one of its purposes is to stop bullets. But if you buy an ordinary car, and somebody shoots you through the window, you hardly have grounds to sue them for poor product quality.
Being able to stand up against novel forms of human attack is not basic product quality. Worms, trojans, and viruses are not mere environmental hazards, they are the results of intensive effort to find and exploit any system weaknesses.
Disappointed customers and annoyed partners are punishment enough. Market forces will correct the problem; people will eventually learn not to buy stuff that doesn't work. They will also learn to do their part, since security doesn't come in a shrink-wrapped box.
In a way, these petty vandals are doing us all a favor by forcing us to harden our systems. If nobody exploited the security holes, you couldn't convince people to spend extra money or effort on security. Then, when somebody made a truly serious attack, as an act of war, we would be utterly defenseless. I believe humans evolved an instinct for mischief for just this reason, and so we shouldn't be too hard on the script kiddies.
If people are going to hold manufacturers liable for their buggy/insecure software, then why not hardware manufactures as well?
I've seen whole RAID arrays rendered useless because of a problematic controller (no backups too, heh), is Adaptec liable for the loss in data/money/time in the same way that Microsoft/Sun/etc is liable because Joe Admin's machines go down when he didn't apply patches?
If you give out source (which cannot be executed) there's no way you could be liable for what happens once it gets compiled and executed. After all, it could be the faulty compiler which introduced the bug.
If you want to be able to pin the liability on the author/creator, find a firm willing to offer pre-compiled binaries. You'll probably have to pay them. Wow, suddenly there's a reason to buy the boxed set from Red Hat.
If a certain firm chooses to keep its source closed, and sell only pre-compiled binaries, they get to keep full liability for themselves. Think about software embedded in automobiles. If there's a product defect there, the whole car gets recalled.
And Microsoft can still negotiate the liability away in a contract, it just becomes the OEM's liable for M$ buggy code.
A new kind of meat designed to appeal to vegetarians.
One of the biggest reasons that pointy haired types use when refusing to consider Free software is "Whom do we sue if it goes wrong?"
Well, it appears that the answer is the same for Free software as it is for Microsoft.
You ain't got a hope in hell of successfully suing anybody, so just use the best technical solution.
The months are just too short. I can count the number of days on one hand.
I believe that the software companies should be liable *up to the point that they release a patch that fixes the problems.* Then the owner becomes responsible. This does 3 things.
First, it makes the software company more diligent about getting all bugs out of software, and worry more about security concerns (which are, shockingly, rarely "bugs" in the software)
Second, it makes the software company work harder at producing a patch that fixes the problem.
Third (and most importantly in my book) it forces system admins to work faster at patching software.
"If product fails to perform in a secure manner, buyer of product will be entitled to a refund in the amount of two times the purchase price."
Free software covered! :-)
The prevailing of commercial software is set by the market, and reflects the balance of features, updates, price and quality that users want. That's why your word processor crashes sometimes and your defibrillator doesn't. Attempting to set a new and better balance by turning hordes of plaintiffs' lawyers loose on the software industry is going to improve the situation of users about as well as turning lawyers loose on the tobacco industry has helped smokers.
Oh, and if you think that open source software is going to be unaffected by this, either because it has no bugs or because it's so cuddly it will be exempted from liability -- good luck. Bye-bye, Red Hat!
What I'm listening to now on Pandora...
An OS software entity discovers or gets a report of a bug/possible exploit for their OS. That OS software entity makes a patch and publishes it. The script kiddies that monitor security web sites see the new patch and write or download an exploit for the bug. They deploy it on as many boxes as possible, and so begins a viral growth of an exploit.
My point being if companies hire competent administrators that keep up with patches and users with high-speed connections don't ignore the pop-ups (at least in windows) that tell them to download a critical security patch, there wouldn't be the problem as big as it is now.
There is no such thing as a completely secure piece of software. But if you keep ahead of the script kiddies by applying patches as they are offered, you run a very good chance (98%) of never being compromised.
I administer a handful of Windows servers. I keep up with the patches. In fact the patch for "Code Red" was available 3 months before "Code Red" hit. My servers have never been compromised via an OS related security bug. (They were 3 times for other reasons: an AppleShare software package, an un-firewalled anonymous ftp left open, and an application server.)
98% of all compromises are because of outdated and unpatched software, and lazy admins. A company should be responsible if they refuse to patch or admit to an exploit, not because Johnny B. Lazy didn't patch it.
Keeping a piece of software's source closed should result in harsh liability. Since users cannot examine the source to confirm bugs or even functionality, they are completely at the mercy of the vendor. Since the vendor has welded the hood shut, problems with the engine are THEIR FAULT.
Open source software provides a method with which users can confirm functionality (checking the source to see it really does what it's meant to), report faults to the vendor and even make fixes themselves, if required. These factors should result in a vastly reduced liability, since this kind of software gives users the tools to take responsibility of their systems. Even if the user doesn't have the skills or inclination to use the source, they can hire someone who can.
While this may sound like pandering to the open source crowd and Microsoft-bashing, it just seems to make good sense... keeping the source to yourself means that you have to take responsibility.
..and I'm not talking about free software. If the programs were actually developed with the scrutiny required to develop secure software, it'd take a lot longer to actually produce anything, hence increasing the costs. (And it still wouldn't guarantee there'd be no bugs.) There's always the license: I would refuse to give or sell software to someone who'll sue my ass off in case of problems. If that's not OK for the client, he can go off and get the software from another source.
I'm not sure how this maps to free software though. Basically the way to secure software is peer review, and not just the releases but also the changes. I imagine the kernel diffs are being looked at by others than just Linus 'n co, but how about other important software? Or even less important: it only takes one hole in the right place to attack. A remotely exploitable bug in mutt, pine, sendmail, procmail, slrn, apache or ssh would be quite bad - are they all being peer reviewed systematically, every change by at least two persons? I don't think so.
For the security problems in the past and in the future.. Live with it. I see the only way to fix these is to have a more secure environment, that is, the kernel should be able to limit the capabilities of the programs in higher precision. The other approach would be to use languages that have better built-in checks, but there's lots of old code around and there might be other reasons why for example Java or Python isn't suitable for a project. Also not all security bugs are stack/heap-overflows, but many if not most are.
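As an added illustration of the stack/heap-overflow class the post above says accounts for most security bugs (this is example code written for this page, not anything from the poster or from the projects named), here is the classic unchecked copy into a fixed stack buffer next to a version that checks the bound and refuses input that does not fit. The buffer size NAME_MAX, the function names and the sample inputs are all constructed for the example; the point is that the unchecked version is only ever "safe" by accident of input length, while the checked one makes the failure explicit, which is exactly the kind of check a language with built-in bounds checking would perform for you.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* size of the fixed stack buffer in both versions (assumed) */

/* Vulnerable pattern: strcpy never looks at the destination size, so any input
 * of NAME_MAX bytes or more (counting the terminator) runs off the end of
 * 'name' and overwrites whatever the compiler placed after it on the stack.
 * Kept only for comparison with the checked version below. */
static void copy_name_unchecked(char *name, const char *input)
{
    strcpy(name, input);
}

/* Checked form: look for the terminator within the destination size first and
 * reject input that does not fit, rather than silently truncating (which can
 * turn one bug into a different one further down the line).
 * Returns 0 on success, -1 if the input is too long or not terminated. */
static int copy_name_checked(char *name, size_t name_size, const char *input)
{
    const char *end = memchr(input, '\0', name_size);
    if (end == NULL)
        return -1;                       /* no terminator within name_size bytes */
    memcpy(name, input, (size_t)(end - input) + 1);
    return 0;
}

/* Exercises the checked copy against a fresh NAME_MAX buffer and reports
 * whether the input was accepted (1) or rejected (0). */
int checked_accepts(const char *input)
{
    char name[NAME_MAX];
    return copy_name_checked(name, sizeof name, input) == 0;
}

int main(void)
{
    char name[NAME_MAX];
    const char *ok  = "alice";                                  /* constructed input */
    const char *bad = "a-name-much-longer-than-sixteen-bytes";  /* constructed input */

    copy_name_unchecked(name, ok);       /* fits, so this happens to be safe */
    printf("unchecked copy of short input: %s\n", name);

    printf("checked copy of \"%s\": %s\n", ok,
           copy_name_checked(name, sizeof name, ok) == 0 ? "accepted" : "rejected");
    printf("checked copy of \"%s\": %s\n", bad,
           copy_name_checked(name, sizeof name, bad) == 0 ? "accepted" : "rejected");
    /* copy_name_unchecked(name, bad) would overflow 'name'; deliberately not run */
    return 0;
}
```

The checked version uses memchr bounded by the destination size instead of strlen, so it also copes with input that is not terminated at all within the window it is allowed to look at; a 15-byte name plus its terminator fills the buffer exactly and is accepted, a 16-byte name is rejected.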
If you bring a car in for the same repair a number of times, the state can eventually declare the car a "lemon" and you, the consumer have recourse.
I think software manufacturers should be held responsible for known security bugs that constantly do not get fixed from upgrade to upgrade. It is negligence on their part. Even reckless. Like lemon laws, the manufacturer should be given the chance to fix the software.
Suppose that someone is selling a voodoo book that teaches how to make a love potion. The author made a mistake and introduced a wrong ingredient that will make a person paralytic for 24 hours instead of falling in love when drunk. The publisher immediately releases errata for several wrong formulas, but the reader didn't know and thus used the buggy formula and damage was done. Should the publisher be held responsible?
Does this mean that we can sue Apache? This article says that Apache and PHP have flaws. Come on guys, let's sue.
Considering the nature of software, bugs are a fact of life. No code is going to be 100% bug free unless it's a simple "Hello World" program. It's how the vendor treats the bugs that counts.
If the vendor is informed and fixes the bug in a reasonable amount of time then they shouldn't be liable. (Reasonable being a flexible span of time. If a bug is particularly vexing but they keep their users informed of the progress, then they should get extra time. But if they just say "yeah, yeah, we'll work on it" and then nothing happens for a month, they don't get extra time.) Of course, if the vendor is informed about the bug and does nothing about it, they should be made liable.
Finally, if they release a patch but the user doesn't install it and has their security compromised (e.g. what happened with CodeRed), the user is the one at fault. In this case, it would be like an automobile manufacturer issuing a recall, a consumer ignoring the recall, and then getting into an accident because of the very defect that prompted the recall. Software companies shouldn't be liable for the stupidity/ignorance of their users.
...most open source projects have CYA verbage in the licenses saying something like "THIS IS UNSUPPORTED, AS IS, USE AT YOUR OWN RISK, BLAH BLAH BLAH"...
Automatically applying patches is NOT a solution! There are countless stories where the applying of patches caused formerly working software to crash.(*)
One major advantage of OSS vs commercial software is the availability of the source code. Another major benefit, but less well recognized, is the visibility of REPORTED DEFECTS. Prior to obtaining an OSS application, say on sourceforge, I can peruse the bug list and get a complete list of reported bugs. What are the chances I can see the complete list of reported defects in, say, Microsoft Office?
Okay, why not just have a law passed that requires commercial software developers to make all reported bugs publically visible? Ain't gonna happen; political contributions and lobbying efforts would squash that in a heartbeat.
BUT, there's another approach. Don't use LEGAL requirements -- make it a MARKET requirement.
In other words, consider these two scenarios when making a recommendation for two different software packages:
In short, software will always have bugs -- just as OSS makes the code available, we can use market forces to trumpet the same visibility of the known (and future) bugs.
(*) Footnote: Feature vs Bug... many years ago I worked for 2+ years in testing a COBOL compiler that was being upgraded to support the latest standard. The version that was already out in the field was rife with bugs. Several customers were worried that we were going to fix some bugs they depended on! Though non-standard code, they had developed workarounds and used them extensively -- fixing the bugs in the compiler would break their programs!
It should not be possible for Microsoft (or any company, but Microsoft is the best example) to boast about how robust and secure their products are in their marketing, and then make the purchaser agree to a EULA that removes their liability, if their claims turn out to be untrue.
This is especially true of their enterprise products, like, say, Outlook/Exchange. It should not be a full-time job patching and reconfiguring the damn stuff to keep the misfit script kiddies with Outlook Worm Kits from bringing down an entire organization's e-mail system. Microsoft should damn well have been able to be held liable for something like ILOVEYOU, that knocked some very large companies' mailservers off the Net for days.
Imagine if, after all the car commercials boasting airbags, crumple zones, etc, those safety features turned out not to work -- and then, while paging through it from your hospital bed, you found a EULA in the back of the Owner's Manual disclaiming Ford/GM/whoever from liability, if they didn't?
The biggest bullshit, though, is the notion that people will eventually get pissed off about software not living up to the hype and take their business elsewhere. If that theory held water, Microsoft would already be a memory amongst sysadmins these days. Companies are practically locked into using Microsoft products. And what people use at work, they will buy and use at home because by and large, they are sheep who fear change. Which is exactly the kind of environment in which companies like Microsoft can shovel sub-par shit out the door, not be liable for its flaws, and still thrive.
If software users carry liability insurance, as is the case for cars, then at least, they could go to the insurance company and say, "I want to buy a web server. What does insurance cost for various web servers?". Then one could get a safer web server, just like one can get a safer car. Instead of buying software based on the manufacturer's FUD, one buys it based on the insurer's libability.
What does this mean to open source software, which is being used to a greater extent in corporate environments?
Pretty simple, nobody would have that kind of cash to defend an open source suit and the body that produced the software would fold.
If a program you buy destroys something you own, then you do have recourse. Depending on the level of negligence, it might not even matter as to the language of the EULA.
On the other hand, if someone breaks into your computer (house), the software company (lock maker) isn't negligent because some one made a lock pick (found a buffer overflow to exploit).
It is unreasonable to try to hold a lock manufacturer responsible for every day in the future. Now if the lock manufacturer made certain claims, and backed them up with a guarantee, then you might have recourse. If you bought a deadbolt for your front door, and I knock down the door, are you going to sue the lock manufacturer?
So until a software manufacturer makes the claim that they guarantee you are secure, and don't do something that makes your system less secure than it was without it, then you can start hammering on the software companies.
And just running BIOS isn't more secure than running Windows. And Linux/*BSD have their fair share of vulnerabilities, before we go down that road.
I don't think that Nimda is a good example of the sort of thing that microsoft could be held liable for. Errors that cause data loss, yes. Errors that cause the machine to lock up and cost you time, yes. This is akin to holding car manufacturers liable for things that go wrong with the car (exploding fuel lines and such), and is perfectly justifiable since the manufacturer is directly at fault.
The fault for Nimda, however lies squarely on the shoulders of the virus author. Claiming that an operating system, no matter how insecure, is at fault, is like claiming that non-bulletproof t-shirts are responsible for murder by gunshot. Murderers are responsible for murder. Virus authors are responsible for viruses. Software writers are responsible for software problems-- but not for criminal acts by other people.
I don't think we have to worry about the government passing legislation like this, there are enough Microsoft, Sun, Adobe, etc lobbyists and campaign donations to prevent this from happening.
What? Why the hell would MS lobby AGAINST such a law? MS would be the only company that would be able to afford the lawyers & liability insurance premiums. Open Source would be the second casualty after the shareware folks.
The day such a law passed, MS would truly be a monopoly. If such a bill ever comes to the floor, I'm buying as much MSFT stock as I can.
First. You do not BUY software. You buy the license to use - like a service. If you hire a company to provide support or to manufacture something for you they're responsible.
There is a related story that happened a couple of years ago (don't remember exactly). Tim Hortons is having a Roll Up the Rim to Win promotion every year. When you buy a coffee - you can roll up the rim of the cup to see if you won a prize (all I ever got was donuts and more coffee - go figure!). Well.. It came out that some of the people who worked at the company that was manufacturing those cups were cheating by unwrapping those rims and stealing prizes. I know that that company lost the contract - I do not remember if they were sued for damages as well. I think they did - they failed to provide a reasonable service they were contracted out for.
OSS is a bit different. It's public domain. Everyone owns it - therefore if you choose to use it, and if it breaks you yourself are responsible for damages.
That's what I think - I don't know how accurate this is, but I do realize that it's not such a great thing. If a company has to choose between OSS and a proprietary solution then they will choose the proprietary one. Simply because IF something goes wrong - they have a chance of getting some compensation.
It's a simple choice - do you buy a reliable car, or one less reliable with insurance?
Wow. I always wonder about figures like that. I wonder how much hallway conversations, the superbowl and Christmas cost companies. Maybe it would be more cost-effective to eliminate those.
Do we hold the homeowner at fault because he doesn't bar all his windows and put a triple row of deadbolts on his door? There are always going to be new exploits coming out, be they security or DOS.... Lets hold the criminals responsible for their actions....even though personal responsibility has become anathema in American society.
...but in some cases the bugs are actually glaringly obvious shortcomings in the basic product design.
There was a huge outcry in the technical community when Outlook was released with the capability to execute scripted content with no interaction by default. There were comments all over the internet about the huge can of worms this could open. Sure enough, Melissa, and later ILUVYOU caused billions of dollars worth of damage. Because some product manager at Microsoft thought it would be cool for users and businesses to be able to send each other interactive email if they really wanted to, but (rightly) figured they wouldn't be savvy enough to turn this feature on for themselves in order to display it correctly.
The question then is, if the program was designed to be able to execute code attached to emails, should Microsoft have been reasonably aware that particularly anti-social code could be executed that could potentially cause a lot of havoc? If they were so aware, should they be liable for releasing such a faulty product to such an (unnaturally) large user-base?
Real life is real life, and the realm of technology is no exception. For some reason, some people got the idea that magically, the world of technology can be free from the influences of bad people and just ordinary entropy. It has long since been figured out that there will be bugs, no matter what.
While some code is safer than others, and some companies are disturbingly sloppy in their coding procedures, ALL code is vulnerable. Making someone liable because they have bugs will punish all, and is contrary to the most fundamental fact of life: you're on your own, watch your own ass, life sucks, wear a helmet.
If software is like speech, then how can I be held liable for writing buggy software? Barring those cases that would be analogous to yelling "fire" in a crowded theatre, yadda yadda yadda.
What about if I print the Nimda source code on a T-shirt? Does that make me liable for the damages done due to someone copying and using that code? What about stuff like the DeCSS source code? Isn't the whole point of DeCSS to break security? Could I be held liable for damages caused by lost DVD sales? When I print it on a T-shirt?
If software companies can put licenses on their products that remove their blame, can't I just do that to a virus I write?
"EULA for You're Skrewed software (virus):
If you install this program, you can't blame us if it melts your harddrive. It's only supposed to pr0n spam the whole world and steal your passwords.
NOT LEGAL IN CANADA, Copyright 200x"
Nobody reads those damn things anyway. I bet 10,000 AOL users would install it the first day it was out.
If, however, a lawsuit raises the question of product liability, the court will decide where to place responsibility, EULA notwithstanding.
They should simply be fined per infraction like the phone industry. Set some standards for the software industry to meet on responsiveness to bugs and holes. When they miss the mark, levy a fine. Simple as that. Fines should be in line with the COST$$$ of the software.
Seen from my mind:
If you pay for a product, you should expect the author to be liable for flaws.
If you get it for free, or the author doesn't make revenue from it (ie. charity developers), then the author should not be liable.
Seems logic to me, anyways...
No one. You hook your computer up to the internet, you take your chances.
I'm not a lawyer (sometimes I wish I was so I could understand the real world), but isn't liability based on someone's neglect in fixing a problem or situation? I heard someone call it the 'dirty banana peel' concept. You're in a grocery store and slip on a banana peel that recently fell on the floor; you'd have trouble suing the store because they didn't have time to know about it and clean it up. But if the peel had been out for a while (hence, the dirty banana peel), and they did have a chance to clean it but were negligent, you could have a good case.
Anyway, the same would (or should) apply to software. If you could show that the company knew about the bug but sat on their hands, I imagine that's a pretty good case for a lawsuit.
MS can make software better, but in the end it is up to the USER to learn how to use it appropriately.
Sysadmins need to spend more time locking down systems and muzzling outlook and visual basic viruses.
Don't do the classic knee-jerk "we gotta sue" reaction: instead just spend time educating what you have. Lawsuits are not effective.
As for open source, "As is" is very much implied before you even start using it.
More specifically, "AS IS" only applies to commerce, and giving away a CD or download rights for free likely does not constitute commerce. As for RedHat CDs or other open source software which is sold, if there is no label which reads "AS IS", you probably have a case.
I don't consider myself a twisted person, but sometimes I write horrible flamebait. Just for fun. It's a weird, impish desire that comes to me on boring days. For some reason, it gives me an odd joy to get Apple lovers mad. I know it's wrong, but I do it.
So no, I don't think dumb posts are a symptom of some conspiracy. There's plenty of ordinary stupid folk out there, and plenty of people who get a little joy out of stirring the pot.
Let's not stir that bag of worms...
I seem to remember that some high-level courts have decided that the transaction is actually what it appears to be: you went into the store, you saw goods on the shelf, you took goods to the cash register, money changed hands, and therefore you bought the goods you paid for. You did not buy a license. You did not walk out with something that remains the property of the manufacturer.
If it looks like a sale of goods, that's what it is, regardless of the manufacturer's efforts to claim that what happened was only the purchase of a license.
Of course, IANAL.
Maybe we should treat these incidents like car accidents. If your tire blows out and you hit another car, who is responsible? Well, if the tire was defective, it's the tire manufacturer, correct? On the other hand, if the tire wasn't defective, but you didn't properly inflate it, it's your fault. On the other (third) hand, if the tire was properly manufactured, you properly inflated the tire, and it was a road hazard which caused the blowout and subsequent accident, I believe the result varies by state, but in a no-fault state, no one is responsible (each person pays for his/her own damages).
So yes, that means that you're responsible for the damage that you cause. Better think about getting liability insurance.
Software companies should be legally responsible for any non-public code they release as software even if the damage is caused because of missing patches. Thus, encouraging companies to pay extreme attention to the security/reliability of their software, which they should do anyways. This would also discourage some of them from using the "Oh well, we'll patch it, when someone finds it" philosophy.
Publicly released software is maintained by the public and released by the public, meaning any kind of legal responsibility should be avoided. Thus encouraging the Open Source movement, the education of the general public and the free circulation of academic information, which was the primary goal of the Internet after its birth from the ARPANET project. The possibility of having security flaws/bugs should always be considered by the users of such software as a disadvantage towards using private code.
( Since they can sue for any damage resulting from such flaws )
This is an idealistic view of the problem, however IMHO I think more and more people are going to consider a derivative of this in the next few years.
IANAL, but here is my understanding of this issue:
;) Also open source software downloaded off Freshmeat would be immune (Red Hat might be liable, but the BIND developer probably would not).
When you buy a piece of software, at that time, it is subject to merchantability standards, like a car, a toaster-oven, etc. However, software as you buy it is pretty useless -- it is a shiny disk that you cannot legally install (copying it in whole or part onto your hard drive) without the express permission of the copyright holder. So, the user and manufacturer enter into an agreement (EULA) in which the user of the software agrees not to sue the manufacturer, and abide by other restrictions.
In other words, if the software trashes my system before I agree to the EULA, I can probably sue, but not after
Now, imagine if a tobacco manufacturer required all customers every time to sign a liability waiver stating that the customer knows that this product causes cancer, then would agree for a certain fee to deliver a certain quantity of tobacco products to the customer on a certain schedule...
What's more, for about ten years, there have been secure (bulletproof glass) software and insecure (ordinary) software products on the market. Less so recently, because the market has consistently preferred the ordinary products, either because
Bulletproof products used to be the norm. How often do you think Open VMS got broken into? But businesses and consumers didn't want that. They wanted what they could get now and cheap.
And now it's all "Waah! Waah! Waah! It's insecure! I wanna SUE! Developers BAD, me GOOD! Me want butt wiped, for free!" Of course, they never consider how many good, careful companies they put out of business because they thought buying insecure crap was Good Business Sense.
The general public cannot afford the costs of secure bug free software, and generally software houses don't charge the sort of prices you might associate with secure bug free software and so software houses can't afford to provide bug free and secure software.
That's the end of the story.
If someone has enough money they could possibly negotiate better terms.
The market should be able to handle a problem like this. If consumers (e.g. big businesses that depend on secure software) started demanding licenses that did not include the "we are not liable for anything" clause in software, the big manufacturers would have to start listening. This would keep a law out of the books that would potentially hurt free software development. Moreover, it would open the door for new business ventures in (1) insurance for software manufacturers and (2) free software support companies to sell the fact that they are liable.
Now, the big issue is... when are companies and individuals that buy software going to start demanding this stuff? Who knows? If companies like Walmart and McDonald's, who have the power to make demands on big software manufacturers, would see this as important then the industry would probably follow along.
You know, I have zero problem with saying people should be responsible for software they write, at least in the abstract. The idea that they should not is kind of silly, if you think about it honestly.
But at this point in time, it would be disastrous to start allowing liability. Why? Because liability is determined by the court system, and with no offense intended, the court system is incompetent at this time to make those sort of decisions.
I have no faith in the ability of the court system to distinguish between an obscure flaw that allows a man-in-the-middle attack on a so-called "secure" connection, and a glaringly obvious security problem like "By default, everyone in the world has full access to your desktop." (reference: Symantec's PCAnywhere for a *very* long time.) In fact, I don't trust me to make those decisions.
At this point in time, and at our current technology level, as we've all heard and said many times, one wrong character in the wrong location, out of billions, can cause a difficult-to-detect error that, when exploited, can give an attacker root access. It's difficult to come up with any sort of definition of proportional responsibility.
If a bridge collapses because all of the tons upon tons of concrete used was an inferior grade, that's one thing. But if the bridge collapses because one screw was made of aluminum instead of steel, is that worth suing over? My real point can be seen in how this metaphor is not applicable; a bridge would never collapse over something so trivial unless it had other fundamental problems! Software is fundamentally more fragile. (So far, all attempts to negate this have essentially failed, and I'm not willing to count on some miraculous development in the future. Though I suppose if such a thing occurred, and it was legally mandated to use formal methods, that would make people like me who could understand them suddenly no longer competing with hacks who think they're leet 'cause they can sorta use Perl... >:-) )
Even a professional like me might be hard pressed, after the fact, to determine which sort of problem is before the court, to determine liability. Do you want to leave it in the hands of lawyers?
Go look under "Computer Law" and read some of the papers there. He talks a lot about UCITA and the whole liability question. Actually, if you get a chance, go listen to him speak. Cem is a very entertaining and informative speaker.
There IS a market but there is only ONE force. Security and safety isn't its concern.
Pushing more features is what sells software and brings in the bucks. Feature lists the size of an encyclopaedia are a software vendor's wet dream.
As for the bugs, security holes and the very desirability or usefulness of those features, the rule in law is "Caveat Emptor."
Up until people start getting killed, you can forget about legislation to address the problem. If the flaws are systemic and there is nothing that can be done by the consumer. Collapsible steering columns were not required until legislators got tired of losing voters to impalement at low speeds.
Even WHEN people are being killed, as with cigarettes, (or cheap hand guns, though it's not the purchaser who gets killed then,) the rule of law is still "Caveat Emptor."
The average co-optable "attack" PC running windows is running in somebody's den or in a small office. Big firms have guidelines on installing software on their PCs and usually have virus detection systems that are updated from a central server.
Home systems are privately owned and are never patched knowingly. Likewise, virus detection is usually seen as a one-time purchase and installed from a CD-ROM that was obsolete before it came off the truck.
The steering column parallel is a better one for the situation since the average system owner is about as capable of fixing the problem as the average car buyer was of replacing his steering column shaft.
I'd like to hammer script kiddies who tie up my connection by hitting it with a DOS attack and teach them some civility. It's a form of violent behavior that must NOT be tolerated any more than shooting bullets into the air. They land somewhere and in urban areas that means somebody bleeds.
A lot of people have said that, if software vendors were to be held liable for security holes, open software would be up the creek. I'm not so sure about that... it seems like a reasonable form of liability would be the exact same liability my dry cleaner has, if they ruin my favorite shirt... as it says on the sign, liability limited to 10x the price I paid for the product. Free (as in beer) software, then, is still worth exactly what you pay for it; and the developer does not have to worry about legal repercussions.
What he also did, which struck me as more interesting than the dollar value, was draw a parallel with the early days of aviation.
And how the FAA stepped in as the authority to make things safe. Reluctantly perhaps at first - but much needed as the industry had made itself a mess.
Which is more than just a parallel - and might well be the much needed shot in front of the bow and Lima-Lima call this industry needs.
You can be averse to govt. regulation - and if you see the pain and stifling the FAA imposes on the Aerospace industry - you will be even more so. But they will, and are supposed (or at least expected by the people) to step in if things are not fixed and society as a whole is harmed. And that last part is hard to deny.
Perhaps the first sign of a stick. A stick which is much harder to dodge than, say, the DMCA or SCSS.
This seems straight forward and simple, but lets get into it a little deeper...
- unknown design flaw resulting from extended use, while the failing part or system has been accepted as safe under these circumstances by the auto and many other industries for some time. Fault is perhaps split, but it depends. Another analogy is with drugs: a drug can be tested and overtested and used safely for 10 years, only to find after 20 years that it causes problems that could not have been detected. These cases fall under the 'shit happens' category.
Hmmm, seems that any case would be one of these three... with any 'combination' being simply a breakdown of individual parts, services or components, which should be examined individually anyway. I for one think that MS and many other companies are often responsible. Reason is that due to their resources, and due to the KNOWN but unaddressed problems of the past, a certain pattern is observed that should be acted upon. However, if we all know that feces is dangerous and harmful to consume, yet the world knows from past performance and studies that the cereal I sell has feces in it, then is it really my fault only when people that refuse to accept reality (and responsibility for their choices and actions) buy my cereal and get sick? They did not have to buy it, and while I did not advertise the health risks of feces, it was listed that I do have feces (and everyone knows by now anyway).
The person who willfully, deliberately and knowingly chooses to run software that is known (and proven repeatedly in public) to have a bad track record of security problems is guilty of negligence in the highest degree. It's the end-user's fault for exhibiting such reckless behavior instead of proactively seeking out the software that's been proven to be most secure in the first place.
Your car's engine (or the fuel system at the very least) doubtless has a controller unit that runs on embedded software. Let's say it goes berserk due to a bug in the software, causing you to run off the road and severely injure yourself (or to kill someone else). Who do you sue -- the car mfgr or the author of the software?
~REZ~ #43301. Who'd fake being me anyway?
Just like a car: Windows - Unsafe at Any Speed
Can someone explain why discussions like this don't immediately and as a primary feature of the discussion mention the US Government's paranoia about including strong crypto in a product as a primary reason for products not being more secure?
The historical inability to simply bundle strong security into a product without excessively complicating either the installation process or the set of markets into which you can distribute seems to me a primary culprit in the unavailability of secure products, at least in the US and probably worldwide.
Kent M Pitman
Philosopher, Technologist, Writer
I don't think some of you understand what happens if people are made liable for their software. If say there's a law passed that you're liable for security holes in your software, are you REALLY going to go ahead and develop it? I think not. If I find a root exploit in the Linux kernel, let's say, and some company gets turbo fucked because of it, can they sue Linus for billions of dollars in damages? Would that be fair? Should I be able to sue the Apache group if an exploit is found which leads to me losing megabucks? The clause in software licenses saying "this software is provided AS IS with no guarantee it won't turn around and fuck you" is there for a reason, specifically so the software vendor, whoever they may be, can't be held responsible for what happens with their software.
The comparisons to the automotive or aviation industries are inherently flawed because both markets deal SPECIFICALLY with the preservation of the life of the operators. A car is responsible for not killing you and that car's manufacturer tacitly agrees that their car won't kill you for anything under their direct control. Same with airplanes and buildings. Business software on the other hand does not directly affect whether or not someone is going to die (generally) due to some part of its use. Software controlling medical or aviation equipment has to pass stringent testing to ensure it isn't going to go batshit on a trivial error. Software released in these industries does not have "we're not responsible for batshitery which occurs due to our software" clauses. It is the liability and responsibility of the USERS of software for the results of security holes or just inherent flaws in the implementation, even if they aren't directly responsible (they didn't write it) for its creation. They did make a conscious choice to use said software, thus the onus is on them. If Nimda caused you millions of dollars in damages it is your own damn fault because you used software that you were not overly confident in in terms of security. If you were overly confident you learned your lesson that shit happens and life ain't fair. No one protects businesses from dumbfuck business plans; they ought not protect them from information technology jackassery either.
I'm a loner Dottie, a Rebel.
If you presented your door to the homeowner in such a manner that gave him a "reasonable expectation" that your doors were secure and would resist being broken down, then you are negligent and may incur liability as a doormaker.
This opinion, like a pair of "Depends" might be full of crap.
Whoever implements the exploit should be liable, just the way whoever uses Napster for violating copyright should be liable, or whoever shoots someone with a gun should be liable.
...the Ford Pinto problem. Ford did some kind of cost-benefit evaluation on fixing the bug in the Pinto and decided not to fix it. The juries saw how unfair the evaluation was to the customers, and awarded big damages repeatedly. Shipping software with known bugs should be a much bigger liability than shipping software with unknown bugs.
You should never do a "study" on a problem that you suspect you have.... it might just get turned around and used as a weapon against you.
Do we care what the software is?
What about software that controls the dose of radiation for cancer treatment? If you get 10,000 times the intended dose, someone can die. Do we treat that the same as a PDA phone number application that can't find people whose last names begin with 'q' because the "quit" command was munged? (bad example, but you get the idea...)
After all, you can always replace the PDA, and you can't foresee death as a result. Bad control of radiation can quite easily result in injury or death. With the case of the radiation machine, do we CARE how obscure the bug was, or how hard the maker/programmer tried and tested? Or do we just stick him with the liability because it's better than telling the dead person: "tough luck?"
I Am Not A Lawyer But I Have A Friend Who Is...
Of course, he wouldn't officially comment on this, but it did pique his curiosity, so he emailed a couple of his lawyer friends, one an IP lawyer and one who apparently is NOT an IP lawyer (not sure what his speciality is) though he apparently DOES have more litigation experience.
First, the IP guy:
His Reply:
I would think pretty slim. The standard disclaimers on the OSS say that the developers are not liable for anything, etc.
The exception would be if the developer intentionally programmed a back door and then lured people to use the software so that he could go in the back and steal/corrupt the data.
IMHO.
My Friend's Question:
Wanted to get your thoughts on something. Not for a client. A friend raised the issue and was just curious and it piqued my curiosity. I'm sure you're familiar with open source software. According to my friend, there is a movement to make someone responsible for problems in open source software that lead to security breaches and/or data loss. He was just wondering what my thoughts were on the possibility of OSS developers, who don't receive any compensation for the software and put out the typical disclaimers, being sued by someone who uses the software and is damaged as a result.
Next, the Litigation Guy:
His Reply:
Without seeing any of the documentation that changes hands (if any), it's hard to say. Can you have an implied warranty for a product that you are making available for free? I don't know the answer, but my hunch is probably so if the other side can prove reasonable reliance, etc. Best advice might be to beef up the disclaimer and create some sort of waiver that has to be filled out before the program can be used.
My Friend's Response:
Why? I don't know. Practice, I guess. A way to test your software. Make a name for yourself. I do know it's very common among the cyber-geek community. And while the issue of compensation might not affect a negligence analysis, I would think that it would play a role in the effectiveness of the warranty disclaimers under the UCC. I really don't know either. I know it's not strictly speaking an assumption of risk case, but isn't some sort of concept of "Don't trust me. Use this at your own risk." possible? {IP Guy} thought the typical OSS disclaimers would probably protect the software developer, but while I know he knows IP, I wasn't sure how extensive his litigation background is.
Litigation Guy's Response:
I've never heard of it before, but it sounds like there could be some liability. The analysis wouldn't be so much whether the developer received a benefit as whether the person who used the program suffered some harm. I'm not really sure, to tell you the truth. Why would someone do that if they aren't making any money?
My Friend's Email:
Wanted to get your thoughts on something. Not for a client. A friend raised the issue and was just curious and it piqued my curiosity. Don't know if you're familiar with open source software. Open source software is developed by freelance programmers who make the software freely available, along with the source code, so if someone grabs it, they have the opportunity to examine the code (or hire someone who can) for flaws and fix them if necessary. According to my friend, there is a movement to make someone responsible for problems in open source software that lead to security breaches and/or data loss. He was just wondering what my thoughts were on the possibility of OSS developers, who don't receive any compensation for the software and put out the typical disclaimers, being sued by someone who uses the software and is damaged as a result.
I use Outlook as my mail program at work. I paid for it, and I expect it to be able to send and receive mail. If somebody illegally exploits that program to do malicious things, I don't blame Microsoft, I blame the person who wrote the virus.
Thieves often use commercially made lockpicks to pick a lock. People who make and sell lockpicking tools have been in the past, and are presently, and will continue in the future to get prosecuted civilly for negligence in facilitating burglary if they don't have some kind of discriminatory rules in place for determining who they will sell such tools to. Pretty much anymore, you need to demonstrate that you are in some sort of locksmithing, property management, law enforcement, etc kinds of businesses before you can purchase a set of professional lockpick tools from these vendors.
The way that MS designed Outlook, they practically gave away the "lockpicks" to it for free to everybody.
My point is that, number one, the line between commercial vendors and amateur efforts, especially in linux, can become very blurred and, number two, that the people who draft the legislation deciding liability may not take into account what you would expect and make a clear and fair distinction, and even if they did I could see certain cases where the whole issue could become very messy and regrettably damaging to linux.
When legislators start making laws about software liability, you can bet your bottom dollar that big $oftware companies will pay out lots of money to lobbyists and political campaigns so those laws will have loopholes that allow them to avoid liability.
And it gets worse. They will have the legislators write those laws so people who provide open source software cannot avoid liability. They will do this to discourage people from providing free software, and hence less competition for the big $oftware products.
I think it would be ridiculous to hold a software company liable for insecure software. It's your responsibility to ensure that the software you use is secure, period. Just as it's your responsibility to update and maintain it.
Given Microsoft's track record, it also seems silly for one to think that using their software (even patched and updated) will provide a high level of security. These are choices you can make when deciding what to run on your servers or desktops.
Here we see another strength of open source software: you don't need to trust a company to produce secure software. You can see for yourself what the software is doing.
Also, some security holes are caused simply by using software for purposes contrary to its original design. It is unreasonable to expect a company to attempt to foresee every possible malicious use of their software or be responsible for as much.
If software companies are made liable for insecure software, this will work against consumers. It will become more difficult and expensive to sell software, and fewer companies will be able to do it. This means fewer products on the market and fewer options, as well as fewer jobs for the rest of us (here's the rub).
------
2 + 2 = 5 (for sufficiently large values of 2)
It seems like a high level of security liability would likely cripple the software industry - it's like making car manufacturers responsible for every wreck.
What about just making developers responsible for well-known, easily avoided issues? This would create a basic standard without causing a developer to come under attack when someone extremely clever devises a novel attack. Of course, the developers should be fully liable for disclosing security bugs (like MS's Congressional lobby is gonna let that one through...)
Did I read this right? Microsoft claims to be working on a way to automatically send patches to all the XP users? That would certainly seem like another security hole! I can see the headline now: Microsoft to fix security holes with new security hole
"The large print giveth, and the small print taketh away" -- "Step Right Up", Tom Waits
This goes right to the heart of a big chunk of FUD regarding Open Source software. I've seen it stated over and over, that you don't have anyone to hold responsible for problems with the product. I always thought, "I'll believe that one when someone gets a judgement from MS from damages caused by one of their products".
Second, remember the Mars Climate Orbiter? NASA lost that one thanks to a confusion between metric and imperial units. "Mission control computers had incorrectly gauged the velocity of the craft throughout the entire four-month trip from Earth to Mars." Oops.
By the way, as a pilot, I have to tell you that I certainly would not count on an autopilot being bug-free either. (Probably one reason my flight instructor made me learn five different ways to disable it should it start misbehaving.)
"Biped! Good cranial development. Evidently considerable human ancestry."
At least legally, nobody. And it should stay that way. The market will force proprietary software companies to fix their bugs faster or else the market will choose Open Source software instead. I'm hoping for the latter.
"Gee, Judge, I just downloaded this code from the internet and installed it on my computer."
Also, though IANAL, I believe that if the code is free there is no sales contract since there was no exchange of value.
Your problem is with the deep pockets law. First I want to show you how to abuse the law. The taxi business has a high liability risk. A cab company might decide to make all of its drivers "independent contractors." The independent contractors would be responsible for their insurance. The independent contractors would be underinsured, etc..
In this scenario, the taxi cab companies were trying to avoid risk by pushing the risk onto a smaller business that would simply go bankrupt when an accident occurred.
You can imagine a company giving away the troublesome parts of the program for free (to avoid the liability exposure) while selling the stable pieces for a premium. Should MS have to pay for a bug in a free patch, or a free utility they distribute with XP?
In the taxi case, the courts found the taxi cab company partially liable for the accident. Since they have deep pockets, they ended up paying the full claim.
This deep pocket legislation is quite popular since it prevents companies with deep pockets from spinning off risk into small entities.
Deep pocket litigation has some really bad side effects. Really, in every accident that occurs, you can say the county or city that built the road was partly to blame. This means that counties and cities become the deep pocket in thousands of lawsuits.
In the software world, we would start seeing the same gamesmanship going around if we started flinging billion dollar suits left and right. We would see big companies spawning little companies whose primary purpose is to control risk exposure. Meanwhile, fearing deep pocket litigation, the big companies would stop funding smaller research projects or stop giving code to GPL efforts in fear of becoming a deep pocket in a suit they really cannot control.
The litigation would not be pretty. The only certainty is that the lawyers would make out like bandits.
"Currently software is exempt from product liability . . ."
We've all seen the anti-warranty agreements that state that even if the software formats your hard drive, the company that produced that software isn't liable.
However, what if a company puts out insecure software and that insecure software floods my internet server causing it to crash? I didn't agree to that anti-warranty so I do have the right to sue to recover damages.
The only question is do I sue the person running the insecure software or the company who produced it or both?
The race isn't always to the swift... but that's the way to bet!
http://www.heise.de/english/newsticker/data/anw-26.02.02-007/
Encryption in Company Networks Foiled
The encrypting of e-mails in company networks is foiled if it is done in a Microsoft Exchange/Outlook 9x/200x environment...
Should companies be liable for security holes? I really don't think so. Every time you install software you get the EULA that says how 'by using this software, you agree not to blame us if the program formats your hard drive' thing. We all know the risks we take by using a computer to make our jobs easier. As an amateur programmer, I sure wouldn't (and couldn't financially) be able to be liable for some obscure security failure, whether I charged for the software or not. However, I do think that companies should be swift to follow up on security problems that are currently known, and deliver fixes in a convenient and easy manner. Perhaps there should be a universal security upgrade protocol, by which a company can upgrade installed software. That way, any software distributed with support for that protocol would carry a 'Seal of Approval'. Consumers would learn quickly to not buy software without this certification.
Obviously, that upgrade protocol itself would have to be securely implemented, and I don't know how you'd regulate something like that. But at least programmers wouldn't have to always wonder if they might be liable if their software did some Bad Thing. If programmers (or program companies) were held strictly liable for security issues (including possibly class-action suits for damages), you'd see a lot less diversity in software, since only a few companies would be able to take that risk. Is that something we want?
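The poster's caveat that an upgrade protocol "itself would have to be securely implemented" is the whole problem in one sentence: a client that applies whatever the update server hands it has turned the patch channel into the biggest hole on the box. The sketch below is an added example, not anything proposed by the poster or shipped by any vendor. It shows the minimum a client must do before installing a patch: verify a signature over a manifest of file digests, then verify each downloaded file against its signed digest, and install nothing if either check fails. Everything in it is constructed for the example (the vendor key, the patch bytes, the manifest layout); a real protocol would sign the manifest with a public-key scheme so that clients hold no secret, and HMAC-SHA256 with a shared key stands in here only so the code runs on the Python standard library.

```python
"""Signed-update verification sketch (added example; constructed data).

Assumption: the vendor publishes a manifest {"body": {...}, "sig": ...} where
"body" lists each patch file's SHA-256 digest and "sig" authenticates the
canonical JSON of "body".  HMAC-SHA256 with a shared VENDOR_KEY stands in for
a public-key signature so the example needs only the standard library.
"""
import hashlib
import hmac
import json

# Constructed sample values; nothing here is a real key or a real patch.
VENDOR_KEY = b"constructed-vendor-key-not-for-real-use"
PATCH_BYTES = b"--- a/server.c\n+++ b/server.c\n@@ add missing bounds check @@\n"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def canonical_json(body):
    # Sorted keys and fixed separators so signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files, key, version="2002.02.26-1"):
    """Vendor side: list the digest of every patch file and sign the listing.
    `files` maps file name -> bytes."""
    body = {"version": version,
            "files": {name: sha256_hex(data) for name, data in files.items()}}
    sig = hmac.new(key, canonical_json(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_and_select(manifest, downloaded, key):
    """Client side: return the files that may be installed, or raise ValueError.

    Order matters: the signature is checked before any digest in the manifest
    is trusted, so an attacker on the download path cannot substitute both a
    file and its digest."""
    expected = hmac.new(key, canonical_json(manifest["body"]), hashlib.sha256).hexdigest()
    # Constant-time comparison; the failure path must not leak how much matched.
    if not hmac.compare_digest(expected, manifest.get("sig", "")):
        raise ValueError("manifest signature invalid: refusing update")
    approved = {}
    for name, digest in manifest["body"]["files"].items():
        data = downloaded.get(name)
        if data is None:
            raise ValueError("manifest lists %s but it was not downloaded" % name)
        if not hmac.compare_digest(sha256_hex(data), digest):
            raise ValueError("digest mismatch for %s: refusing update" % name)
        approved[name] = data
    # Files the vendor did not sign are silently ignored: only signed files are returned.
    return approved


def update_rejected(manifest, downloaded, key):
    """True if the client refuses the update, False if it would install it."""
    try:
        verify_and_select(manifest, downloaded, key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    manifest = build_manifest({"server.patch": PATCH_BYTES}, VENDOR_KEY)
    print("genuine patch rejected:",
          update_rejected(manifest, {"server.patch": PATCH_BYTES}, VENDOR_KEY))
    print("tampered patch rejected:",
          update_rejected(manifest, {"server.patch": PATCH_BYTES + b"extra"}, VENDOR_KEY))
    forged = {"body": manifest["body"], "sig": "00" * 32}
    print("forged manifest rejected:",
          update_rejected(forged, {"server.patch": PATCH_BYTES}, VENDOR_KEY))
```

The design point is the "fail closed" shape: the only path that returns files is the one where every check passed, so a transport-level failure, a truncated download, or a swapped file all end in the same place, nothing installed. Swapping HMAC for a public-key signature changes one function on each side and removes the need for the client to hold a secret at all.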
What could possibly hurt the security of the American people more than giving our own government the ability to hide its
open source software states in the license that it does not guarantee fitness for any purpose...
Many MANY MANY bugs in released software are not necessarily completely due to faulty design in one particular program. Often many programs in tandem are liable. Misconfiguration on the part of the user can also be a problem. If I misconfigure ssh and sudo and someone 'rm -Rf's my machine, who's liable? A law like this argued by the right lawyer could easily find the ssh people, the sudo people or even the rm people liable for letting this happen.
Also, how about the fraud possibilities? People injure themselves all the time to collect premiums. How many people do you know that would wipe their box to collect on 'lost IP' or another similar claim? Freely redistributed software would get killed because free software developers knowingly distribute software with bugs, expecting the wide audience to help debug. If suddenly there were no way to protect themselves from liability for a stupid person running beta software who hurts something, the process would get choked out of existence. People sue for everything these days, let's not give them another reason...
Brian
"Imagine if Microsoft was legally liable and a $2 billion suit was filed." Microsoft's annual "administration" or legal budget is over $2 billion, they would settle and save some time.
I run FreeBSD, but my wife and kids run Windows 98/ME. When a security flaw/hole is discovered on FreeBSD and reported to the core development team (or the person responsible for the port), I usually get an email within 24 to 48 hours stating what the hole is, what it affects, along with a patch.
I can choose to install the patch and be safe, or ignore it if it doesn't apply to me (IE: I don't have that port installed and probably never will install it).
Microsoft also notifies users of security holes (either via their web site or via the auto-update program). However, most of these security holes were reported weeks or months ago to Microsoft, and they chose to ignore it, because it wasn't a widespread problem (not enough people are affected YET!). Only when the hole has been used to hit thousands of systems does Microsoft quickly release something to patch the system. Hell, I know of a couple of security holes reported last year that they still haven't fixed.
Unless the hole gets wide media attention, Microsoft just doesn't care. I guess they think they're too busy to fix the problem, until it becomes a major problem. Not so with most Linux/Unix OS's. We usually get information pretty quickly (usually from the manufacturer), and we usually get a fix at the same time.
The day Microsoft creates a product that doesn't suck, it will be known as the Microsoft Vacuum Cleaner!
Because the passengers and crew were disarmed, and instructed to "just go along" with the hijackers by central planners who all assumed that all hijackers want something in return for NOT killing the passengers (look at the FAA regulations), the hijackers were successful even when outnumbered 5 to 1 at worst.
The continued projection of so-called "American" military force was the repeatedly stated reason for the first attack on the WTC, which failed, and the second attack, which succeeded.
The resultant call for yet more control of people's lives, and restrictions on their liberty, are merely a sad reminder that those who seek control of others will always seek control, at every opportunity. Especially if they caused it. Reichstag Fire? Kristallnacht? Those are words every American should know and understand.
Bob-
The Ludwig von Mises Institute. The reasoning individuals economics
Well, that song really drags me down, and I'm wondering why any of you are around to read this. The switchboard lit up with crapflooders wanting accusing me of Metallica favoritism. So to shut them up, here's Megadeth's Problems, off of Hidden Treasures.
when you fund a military campaign against communism, and USE a country to do it, and leave it a smouldering wreck when you're done, and ignore any pleas for help to restore the country to what it was before you raped it, you are setting yourself up for hatred and revenge
http://www.accc.gov.au/consumer/consumer.htm