Who Is Liable For Software With Security Holes?
securitas writes "Interesting article over at eWEEK that asks who is and should be legally responsible for insecure software. Some say it's the manufacturer. Currently software is exempt from product liability as we've come to know it in the physical world. Others say the software licenses should make users responsible if they don't install patches and updates. Infosecurity czar Richard Clarke said in his speech at RSA that Nimda cost US companies an estimated $2 billion. Imagine if Microsoft were legally liable and a $2 billion suit were filed. Now extend that to the other jurisdictions outside the US. What does this mean for open source software, which is being used to a greater extent in corporate environments? Food for thought."
Their points were terrifying: Get hacked, become a jumping off point for hackers to hack others, and watch your nice, corporate deep pockets attract security malpractice lawsuits from whomever was a victim of the hacker.
The other terrifying idea that this raised was that in 5 years or so, everyone would have hacker insurance, and the insurance companies would be dictating your security measures--much like how they give you better rates if you have working smoke detectors in your home today!
I think the law should be modified so that people who discover holes in software and notify the company without doing damage should not be punished. On the other hand, people who deface websites do real damage. One of the problems though is that the companies say "if it ain't broke, don't fix it" and then extend it to "if it isn't hacked, don't secure it." I think it is a major problem that often companies are informed of holes in software but they don't fix it until the hole is out in public, and then say "oh! I didn't know about that!"
This is one good reason for open source software. If there is a bug, people will fix it. There isn't a financial incentive to ignore the bug until it causes real problems.
Well, if license agreements did protect companies we would probably end up with the equivalent of malpractice insurance for software projects, effectively increasing development costs by millions or billions. So it would stifle small projects. As fun as it would be to sue Microsoft, the costs and precedents would rebound and damage open source and the GPL.
If party A licenses software from Microsoft, and agrees not to hold Microsoft liable for any bugs in their code, then MS may be safe from suit from party A. However, if party A's servers start attacking party B's servers, and party B never had a contract with Microsoft, there's nothing legally stopping them from trying to sue Microsoft. That, I think, is why issues like this are important.
In the case of Microsoft, you can demonstrate a pattern of negligence in the way they test and release their product. The company also publicly denies that there are problems until it is too late for users to do much of anything to protect themselves and their networks. The last thing MS wants is administrators migrating their operations off MS products in favor of more controllable risk (like Open Source or a different and better tested proprietary one). I say controllable risk, because no software is bug-free and it is the job of the administrator to manage the technical arena and minimize risks to their networks.
With the Redmond mis- and disinformation machine, you can never be sure of what the truth is in terms of real support from the vendor. After all, this latest round with UPnP pretty much proved that the company puts profits over security. I mean, only Microsoft would try to tell the FBI that a security disaster waiting to happen wasn't one. It IS how they maintain their 'edge'.
> The question should not be who is responsible for insecure code but rather what can be done to discourage people from vandalism and how to track down and punish those who choose to break the law.
I agree, in principle. A similar concept applies to copy protection; we should concentrate on punishing theft rather than on limiting the fair-use capabilities of our electronics.
But in this case, I've been wondering whether society's best interest lies in a different strategy, more pragmatic if less idealistic.
I'm normally adamantly against blaming the victim for crimes, but consider this. What if we legalized hacking? Within a few weeks, incompetent sysadmins/secadmins would be out on the street. Within a few months, software that was not patched promptly would be replaced by software that was. Within a few years, software that was not essentially secure would be off the market.
Punishing the criminal is certainly just, but it doesn't do a heck of a lot of good to spank someone after the damage has been done. Society is going to be more dependent on computers in the future, and more at risk from insecure software. We need to take radical action to fix the problem before it grows from inconvenient to devastating.
Admittedly this would cause a great deal of short-term disruption, but at least the problem would get fixed.
It's possible to build secure software; developers and vendors just have to care enough.
If one ships open source, one can tell the customer to look at the source and don't use the program unless it's correct for their purpose. Can't do that with closed source. Maybe that should put more liability on closed-source vendors.
This will be a tough business in which to survive if someone is liable for every fault.
If you don't publish the source, you're liable. Hiding the inside of a program is perfectly OK - assuming that you take full responsibility for the manner it works.
If you publish the source, you can be exempted. Exposing the inner workings, anyone can verify the suitability of the software for a given purpose.
MS plays safe by not being responsible (sueable) for their bugs. If they were required to either FIX those holes before release or publish the source, they'd concentrate on security before feature count, which would be doubly good.
Only problem is, this way of cutting things would hardly feed the lawyers :)
Does it seem to anyone else that the whole software industry is starting to look like a house of cards?
All these products are being marketed as easy to use, easy to take care of, easy to everything. It's not. It's hard, very hard sometimes. I run into the strangest interdependencies, completely unexpected behavior, just plain weird shit all the time.
It's dumb stuff mostly. How many of you knew that Photoshop 6.0 will randomly cut off network access on a Windows box? (6.0.1 fixes it) When presented with this problem, Photoshop was not my first thought; I'm looking at the switch, changing cables etc. Took me an hour to realize that this only happened when Photoshop was running. Would the user have been able to figure this out herself? Not very quickly.
People are starting to clue into this; I've had two people ask me if they should buy Windows XP. Both of them asked if it would mess up any of their programs first, before they asked if XP had any new features they would find useful. It seems to me that the marketing messages are failing; the upgrade treadmill is starting to look more and more like a sham. Seriously, what is the compelling value that will make me upgrade my company from Office 2k to XP? Somebody tell me cause I have no idea at all. I don't want to whoosh around the desert on my desk, I want to not restore Outlook .pst files 3 times a week.
I think soon the software industry is going to have to really consider making a more stable product; the flashy whiz-bang product doesn't have the draw it used to. Security is really only a part of this but given the Summer of the Worms (tm) we just went through it is the most visible part right now. People are terrified of their email, those little home firewalls are flying off the shelves, we're almost to the point of widespread clue. I just hope we make it.
Here are some of my thoughts on why we have buggy and insecure software.
* Human Nature
People in general don't like to admit that they are wrong. Companies small and large are not much different. Even when they distribute the patch, there is rarely accurate or complete information about the problem or the severity of the problem being addressed. We think apologizing is a sign of weakness.
* Corporate Image
By admitting fault, a company loses credibility. A company is always willing to live with a few unhappy customers to protect its overall image. It's one of the reasons why software defects, security or otherwise, get hushed up and buried. You all know that the euphemism for this policy when it is applied to security is "security through obscurity". You also know how well that works. Admitting fault is the last thing a company will do. Even when they do admit it publicly, they will always play down the severity of the problem.
* Monopoly
When a company is a monopoly, there is almost no incentive to admit to a problem and fix it. If you know that you can't get fired and you will get paid the same if you work one hour a day or eight hours a day, which would you choose? Lack of incentive is the very reason why communism is bad for progress. The only reason why Microsoft is pretending to care about security recently is because they are having trouble penetrating (from behind) the enterprise market with their tarnished image.
* Money
When I say money, I don't mean the cost to create or distribute bug fixes. Putting a patch on a website for users to download isn't such an expensive proposition. It's a lot different than a car manufacturer doing a recall. When I say money, I mean greed. Companies are using bug fixes as a ploy to get users to upgrade. Marketing departments have figured out that consumers are willing to pay for bug fixes. An example of this is Windows 98 and ME. Essentially they are selling you a big pile of bug fixes as a full product and charging you for it. Sneaky, isn't it? MS is not the only guilty party in this devious practice. Many companies such as Vignette and BEA Systems have done this sort of thing. It's becoming very common in many places and we all have been brainwashed to accept it as the norm.
Since Free Software/Open Source has only one of the four problems to contend with, I think it has a somewhat better chance of producing superior software than a commercial environment.
In a normal heterogeneous environment (as 99% of networks are), you're going to be dealing with software and hardware from many different vendors.
It is possible (if not probable) that the interaction of these components will create security holes for an attacker to exploit. Which vendor do you blame? They may all be working as designed. Do you blame your low-paid network guys? Do you spend hundreds of thousands to hire external consultants? Can you blame (and sue) them if your network is breached?
What about default configurations of software? What if the default configuration is insecure, but the documentation describes how to secure it?
I have my own thoughts on these issues, I'd like to see what the general consensus is here.
Btw, if you're looking for a secure OS, try XTS 300 STOP.
The EPL makes interesting reading.
* five years later somebody discovers a single bug and writes an exploit
Software will always have bugs. But no producer is punished for making insecure programs. Only bad PR. I think it's suboptimal that bad PR is the ONLY incentive to write secure apps.
Company A wants to sell products for e-tailers? Then they better issue some kind of warranty (not that it's 100% bug free, but at least a level indicating how hard it is to break, or how much time will pass before they issue a patch).
What I want to know is when the country will make contract law a part of the high school curriculum? Every dumb shit in America believes every stupid document put in front of them is law, unless they have actual knowledge of the laws in question.
This is similar to those signs that say not responsible for blah blah blah. Bullshit. If they are responsible, then they are responsible. Period.
The more subtle one you tend to find in software licencing is "we disclaim anything the law will allow us to disclaim". Using the, usually correct assumption, that most people won't actually know what can and can't be disclaimed in this way...
The prevailing state of commercial software is set by the market, and reflects the balance of features, updates, price and quality that users want. That's why your word processor crashes sometimes and your defibrillator doesn't. Attempting to set a new and better balance by turning hordes of plaintiffs' lawyers loose on the software industry is going to improve the situation of users about as well as turning lawyers loose on the tobacco industry has helped smokers.
Oh, and if you think that open source software is going to be unaffected by this, either because it has no bugs or because it's so cuddly it will be exempted from liability -- good luck. Bye-bye, Red Hat!
If a program you buy destroys something you own, then you do have recourse. Depending on the level of negligence, it might not even matter as to the language of the EULA.
On the other hand, if someone breaks into your computer (house), the software company (lock maker) isn't negligent because some one made a lock pick (found a buffer overflow to exploit).
It is unreasonable to try to hold a lock manufacturer responsible for every day in the future. Now if the lock manufacturer made certain claims, and backed them up with a guarantee, then you might have recourse. If you bought a deadbolt for your front door, and I knock down the door, are you going to sue the lock manufacturer?
So until a software manufacturer makes the claim that they guarantee you are secure, and don't do something that makes your system less secure than it was without it, you can't start hammering on the software companies.
And just running BIOS isn't more secure than running Windows. And Linux/*BSD have their fair share of vulnerabilities, before we go down that road.
First. You do not BUY software. You buy the license to use - like a service. If you hire a company to provide support or to manufacture something for you they're responsible.
There is a related story that happened a couple of years ago (don't remember exactly). Tim Hortons has a Roll Up the Rim to Win promotion every year. When you buy a coffee, you can roll up the rim of the cup to see if you won a prize (all I ever got was donuts and more coffee - go figure!). Well... It came out that some of the people who worked at the company that was manufacturing those cups were cheating by unwrapping those rims and stealing prizes. I know that that company lost the contract - I do not remember if they were sued for damages as well. I think they were - they failed to provide the reasonable service they were contracted for.
OSS is a bit different. It's public domain. Everyone owns it - therefore if you choose to use it, and if it breaks you yourself are responsible for damages.
That's what I think - I don't know how accurate this is, but I do realize that it's not such a great thing. If a company has to choose between an OSS and a proprietary solution then they will choose the proprietary one. Simply because IF something goes wrong - they have a chance of getting some compensation.
It's a simple choice - do you buy a reliable car, or one less reliable with insurance?
"I'm not a lawyer but..." it seems to me that the question is not just one of money, but a question of involving oneself in commerce. Businesses often swap goods instead of services; this might get them past some tax issues but I'm not sure that if money is exchanging hands elsewhere, it exempts them from certain responsibilities of "due care" nor responsibilities under contract law.
Contract law does not discuss "money" trading hands, it deals in terms of each party offering "consideration", which is "acts of legal detriment". It sure looks to me like the use of a GPL'd product means the acceptance of a legal detriment. That is, it offers the benefits of the contract at the cost of accepting a specific legal detriment (the voluntary promise not to seek compensation for certain uses). That seems to me to make a binding contract--certainly the GPL people expect it to be enforceable on their side. As a consequence, I would say that the users of GPL'd software could easily be argued to have obtained a product not merely a gift.
The inherent difference of being a gift is that it comes without "legal detriment", that is, without any legal responsibility to compensate for the benefit given in any way. This is exactly the "free software" vs "free beer" distinction; because free software is not free beer, it seems to me it's still open to liability concerns under the contract.
Moreover, if I remember right, contract law is dealt with differently depending on whether one is a business or an individual. I seem to recall reading that businesses are held to a higher standard than individuals in terms of what they should understand when they enter into a contract even if the contract is not related to their particular business. That is, you may make toilet seats, but if you give away free software under a GPL license, you are expected to have a "business" level of understanding of the implications of writing a contract, not that of a simple individual. And that may, for all I know, open you to more liability. I'm not up on liability law at all, so am going on the basis of guesses on that point. But the bottom line is that it seems to me prudent not to conclude that one is automatically free and clear of responsibility just because money is not changing hands, and especially if money is changing hands elsewhere but just not in the case where the software exchange is occurring.
But that's just me. And, as I said, I'm not a lawyer. Perhaps one will use the opportunity of my remarks here as an excuse to comment in more detail on these matters, or to set me straight if I've made some material gaffe based only on my casual listening to study tapes for law school final exams as entertainment listening while driving around in my car...
Kent M Pitman
Philosopher, Technologist, Writer
I Am Not A Lawyer But I Have A Friend Who Is...
Of course, he wouldn't officially comment on this, but it did pique his curiosity, so he emailed a couple of his lawyer friends, one an IP lawyer and one who apparently is NOT an IP lawyer (not sure what his speciality is) though he apparently DOES have more litigation experience.
First, the IP guy:
His Reply:
I would think pretty slim. The standard disclaimers on the OSS say that the developers are not liable for anything, etc.
The exception would be if the developer intentionally programmed a back door and then lured people to use the software so that he could go in the back and steal/corrupt the data.
IMHO.
My Friend's Question:
Wanted to get your thoughts on something. Not for a client. A friend raised the issue and was just curious and it piqued my curiosity. I'm sure you're familiar with open source software. According to my friend, there is a movement to make someone responsible for problems in open source software that lead to security breaches and/or data loss. He was just wondering what my thoughts were on the possibility of OSS developers, who don't receive any compensation for the software and put out the typical disclaimers, being sued by someone who uses the software and is damaged as a result.
Next, the Litigation Guy:
His Reply:
Without seeing any of the documentation that changes hands (if any), it's hard to say. Can you have an implied warranty for a product that you are making available for free? I don't know the answer, but my hunch is probably so if the other side can prove reasonable reliance, etc. Best advice might be to beef up the disclaimer and create some sort of waiver that has to be filled out before the program can be used.
My Friend's Response:
Why? I don't know. Practice, I guess. A way to test your software. Make a name for yourself. I do know it's very common among the cyber-geek community. And while the issue of compensation might not affect a negligence analysis, I would think that it would play a role in the effectiveness of the warranty disclaimers under the UCC. I really don't know either. I know it's not strictly speaking an assumption of risk case, but isn't some sort of concept of "Don't trust me. Use this at your own risk." possible? {IP Guy} thought the typical OSS disclaimers would probably protect the software developer, but while I know he knows IP, I wasn't sure how extensive his litigation background is.
Litigation Guy's Response:
I've never heard of it before, but it sounds like there could be some liability. The analysis wouldn't so much whether the developer received a benefit as whether the person who used the program suffered some harm. I'm not really sure to tell you the truth. Why would someone do that if they aren't making any money?
My Friend's Email:
Wanted to get your thoughts on something. Not for a client. A friend raised the issue and was just curious and it piqued my curiosity. Don't know if you're familiar with open source software. Open source software is developed by freelance programmers who make the software freely available, along with the source code, so if someone grabs it, they have the opportunity to examine the code (or hire someone who can) for flaws and fix them if necessary. According to my friend, there is a movement to make someone responsible for problems in open source software that lead to security breaches and/or data loss. He was just wondering what my thoughts were on the possibility of OSS developers, who don't receive any compensation for the software and put out the typical disclaimers, being sued by someone who uses the software and is damaged as a result.