Who Is Liable For Software With Security Holes?
securitas writes "Interesting article over at eWEEK that asks who is and should be legally responsible for insecure software. Some say it's the manufacturer. Currently software is exempt from product liability as we've come to know it in the physical world. Others say the software licenses should make users responsible if they don't install patches and updates. Infosecurity czar Richard Clarke said in his speech at RSA that Nimda cost US companies an estimated $2 billion. Imagine if Microsoft was legally liable and a $2 billion suit was filed. Now extend that to the other jurisdictions outside the US. What does this mean to open source software, which is being used to a greater extent in corporate environments? Food for thought."
I think the law should be modified so that people who discover holes in software and notify the company without doing damage should not be punished. On the other hand, people who deface websites do real damage. One of the problems though is that the companies say "if it ain't broke, don't fix it" and then extend it to "if it isn't hacked, don't secure it." I think it is a major problem that often companies are informed of holes in software but they don't fix it until the hole is out in public, and then say "oh! I didn't know about that!"
This is one good reason for open source software. If there is a bug, people will fix it. There isn't a financial incentive to ignore the bug until it causes real problems.
If party A licenses software from Microsoft, and agrees not to hold Microsoft liable for any bugs in their code, then MS may be safe from suit from party A. However, if party A's servers start attacking party B's servers, and party B never had a contract with Microsoft, there's nothing legally stopping them from trying to sue Microsoft. That, I think, is why issues like this are important.
> The question should not be who is responsible for insecure code but rather what can be done to discourage people from vandalism and how to track down and punish those who choose to break the law.
I agree, in principle. A similar concept applies to copy protection; we should concentrate on punishing theft rather than on limiting the fair-use capabilities of our electronics.
But in this case, I've been wondering whether society's best interest lies in a different strategy, more pragmatic if less idealistic.
I'm normally adamantly against blaming the victim for crimes, but consider this. What if we legalized hacking? Within a few weeks, incompetent sysadmins/secadmins would be out on the street. Within a few months, software that was not patched promptly would be replaced by software that was. Within a few years, software that was not essentially secure would be off the market.
Punishing the criminal is certainly just, but it doesn't do a heck of a lot of good to spank someone after the damage has been done. Society is going to be more dependent on computers in the future, and more at risk to insecure software. We need to take radical action to fix the problem before it grows from inconvenient to devastating.
Admittedly this would cause a great deal of short-term disruption, but at least the problem would get fixed.
It's possible to build secure software; developers and vendors just have to care enough.
Does it seem to anyone else that the whole software industry is starting to look like a house of cards?
All these products are being marketed as easy to use, easy to take care of, easy to everything. It's not. It's hard, very hard sometimes. I run into the strangest interdependencies, completely unexpected behavior, just plain weird shit all the time.
It's dumb stuff mostly. How many of you knew that Photoshop 6.0 will randomly cut off network access on a Windows box? (6.0.1 fixes it.) When presented with this problem, Photoshop was not my first thought; I'm looking at the switch, changing cables, etc. Took me an hour to realize that this only happened when Photoshop was running. Would the user have been able to figure this out herself? Not very quickly.
People are starting to clue into this; I've had two people ask me if they should buy Windows XP. Both of them asked if it would mess up any of their programs first, before they asked if XP had any new features they would find useful. It seems to me that the marketing messages are failing; the upgrade treadmill is starting to look more and more like a sham. Seriously, what is the compelling value that will make me upgrade my company from Office 2k to XP? Somebody tell me, cause I have no idea at all. I don't want to woosh around the desert on my desk, I want to not restore Outlook .pst files 3 times a week.
I think soon the software industry is going to have to really consider making a more stable product; the flashy whiz-bang product doesn't have the draw it used to. Security is really only a part of this, but given the Summer of the Worms (tm) we just went through, it is the most visible part right now. People are terrified of their email, those little home firewalls are flying off the shelves, we're almost to the point of widespread clue. I just hope we make it.
What I want to know is when the country will make contractual law a part of the high school curriculum? Every dumb shit in America believes every stupid document put in front of them is law.
Unless they have actual knowledge of the laws in question.
This is similar to those signs that say not responsible for blah blah blah. Bullshit. If they are responsible, then they are responsible. Period.
The more subtle one you tend to find in software licensing is "we disclaim anything the law will allow us to disclaim", using the usually correct assumption that most people won't actually know what can and can't be disclaimed in this way...
The prevailing of commercial software is set by the market, and reflects the balance of features, updates, price and quality that users want. That's why your word processor crashes sometimes and your defibrillator doesn't. Attempting to set a new and better balance by turning hordes of plaintiffs' lawyers loose on the software industry is going to improve the situation of users about as well as turning lawyers loose on the tobacco industry has helped smokers.
Oh, and if you think that open source software is going to be unaffected by this, either because it has no bugs or because it's so cuddly it will be exempted from liability -- good luck. Bye-bye, Red Hat!