Slashdot Mirror
Who Is Liable For Software With Security Holes?
securitas writes "Interesting article over at eWEEK that asks who is and should be legally responsible for insecure software. Some say it's the manufacturer. Currently software is exempt from product liability as we've come to know it in the physical world. Others say the software licenses should make users responsible if they don't install patches and updates. Infosecurity czar Richard Clarke said in his speech at RSA that Nimda cost US companies an estimated $2 billion. Imagine if Microsoft was legally liable and a $2 billion suit was filed. Now extend that to the other jurisdictions outside the US. What does this mean to open source software, which is being used to a greater extent in corporate environments? Food for thought."
Just like a car or a bike, if the equipment is faulty, I think the company that made it should be liable. However, if you got that car or bike for free and knew before hand that hey, this thing may not work because I'm giving this to you out of the goodness of my heart, then I don't think that independent developer should be liable.
;) Having the big boys like Microsoft liable while we get off easy. There's no way in hell those dirty politicians would see that that would make the most sense for the consumer. But hey, that's democracy for you.
I suppose that's only a dream for us OSS kids
Just my US$0.02
Hargun
Think nothing is impossible? Try slamming a revolving door.
Yes, it is the software manufacturer's fault if they make buggy software and don't ever put a hold on new features to fix bugs. The customer is responsible for installing bugfixes, when released.
Still, they aren't legally responsible for the bugs. If you read most licenses, they say "this software is provided as is." Everybody makes mistakes and even though software creators should make more effort to stamp out bugs, no code of a certain level's complexity is perfect.
The important thing here that needs to happen is that businesses and consumers say "features are nice, but fix the bugs first." At the moment though, they say "features first! bugs aren't displayed on the box." They speak with their wallets by buying buggy software. I don't mean to be one of those typical anti-MS people (even though I dislike their software), but the fact is, they produced extremely buggy software and most people still bought it. That says something.
its the contract for the use of software - this is where something like this should be stated. :) the user must accept the license before using the software - however, when a computer is provided pre-installed with software, it makes you wonder if users really do have a choice.
Why should software be any different than any other product on the market? But I do think software makers should be able to protect themselves somehow.
If someone is mowing the lawn and a stick flies up and takes out an eye the lawn mower company isn't liable if there is a warning somewhere saying "must wear eye protection while operating". Maybe a "must back up all data" in the software agreement would cover the software companies somewhat.. but then again, who reads the agreements in the first place?
for what we create. that may give our profession a little more formality of a "true" engineering profession, and force developers to fully think out designs instead of just saying "it'll be addressed in the next version".
What does this mean to open source software...
buh bye sendmail!
-Bill
SlashSig Karma: Excellent (mostly affected by moderatio
Funny that Nimda was mentioned; I seem to remember that @Home.net and AT&T were pulling the plugs on their customers because they were saturating the bandwidth due to Nimda. This seems to be directed towards the users' negligence/lack of knowledge about what they're doing, and so one can argue "why blame them? They did exactly what MS said they could do: plug and play."
Now I also remember when the commercial version of SSH released v3.0, there was a HUGE security hole (passwords of length 2 or less would always work...), and SSH developers took the heat; rightfully so. They 'fessed up, and they fixed it. As far as I know, there were no incidents because of it, because the problem was fixed before it was used widespread. But if it did create an issue (like Nimda, Code Red 1/2, etc.) before a fix was made (proactive vs. reactive), they should be held liable, not the users. If a fix exists, and a user says "oh, I don't have *that* problem," well, I think we all know who should get the blame. Just my $0.02 worth though...
-- Dan
I'll take the mod hits to point out that the parent nailed it.
-- @rjamestaylor on Ello
How can users know about holes, where a company charges for tech support calls? Then if there is a hole, the user must pay for the upgrade.
Fight Spammers!
So who broke the law when your computer crashes every five minutes causing you to lose large amounts of productive time (time=money). Besides you're never going to be able to effectively catch all the crackers. The responsibilty lies with the software company to defeat them by making their software secure. Notice I said responsibility, not liability, unless a distributor explicitly states that their system is COMPLETELY secure there is still a possibility for holes. The moment we make companies liable for security holes you can expect half of them to go out of buisness right off the bat. The potential suits are simply way too costly
I stole this Sig
I think the law should be modified so that people who discover holes in software and notify the company without doing damage should not be punished. On the other hand, people who deface websites do real damage. One of the problems though is that the companies say "if it ain't broke, don't fix it" and then extend it to "if it isn't hacked, don't secure it." I think it is a major problem that often companies are informed of holes in software but they don't fix it until the hole is out in public, and then say "oh! I didn't know about that!"
This is one good reason for open source software. If there is a bug, people will fix it. There isn't a financial incentive to ignore the bug until it causes real problems.
Liability is an individual thing. Liability is based on making statements that are not true, or the deliberate cause of harm.
The supposed $2B in "damages" are a liability on those who wrote and launched the worms, directly.
By connecting to the net, just like stepping outside your door, you are assuming risk.
That said, Microsoft should be liable if they represent their product as "safe" and it isn't. I believe their representation of XP as the "Most Secure Windows Ever" does open the company to prosecution for misleading advertizing, but who has the resources to prosecute it?
There is a great deal of difficulty with trying to assign liability to those who are in the wrong place at the wrong time. Someone who gets wet because they weren't wearing a long coat when a truck splashed them doesn't expect to sue the truck driver, do they?
The systems owners who were "damaged" by the worms are indeed guilty of not securing their systems. Who will prosecute them? And for what?
Liability is based on two things: Intent and negligence. False advertizing and misrepresentation are the former, the success of virii is the latter.
Personally, I think a few false-advertizing claims against Microsoft would be great, and from a theoretical standpoint they certainly are misrepresenting their products when they call them "secure" or "safe". Who's got a million or two for the legal fees when we lose?
Bob-
The Ludwig von Mises Institute. The reasoning individuals economics
I would have to say that under normal circumstances, the manufacturer would not be liable. If the hole was intentionally put in, that is a different story, but it's not like any company is going to willingly put a security hole in its software.
Bad PR due to security holes again and again are enough of an effect (liability) for companies to wise up, one should hope (how many times have you heard from respected experts and, at times, Microsoft itself, to have IIS disabled on Win2k?).
If you contract a company to design specific software to suit your specific needs, and that software does not perform adequately (security holes, or what have you) then I believe that it is acceptable to blame the software manuf.
Face it, security holes exist. No one likes them, everyone wants to blame someone else for them, but you just have to accept that they do exist.
Weigh your options and choose the option that has proven itself. Be it number of security problems, speed in which they were fixed, or severity (proven and potential)of these vulnerabilities.
Oftentimes this points in the direction away from Microsoft, but that's in the eye of the beholder.
-kwishot
As a matter of law,in Australia, goods including software have to be "reasonably fit for the purpose" they have been purchased for, of "merchantable quality", and must fit the "description" they are sold under. If a good fails to comply with any or all of the above conditions, the disgruntled purchaser can sue for damages or a suitable replacement.In Queensland the relevant legislation is the 1896 Sales of Goods Act, which all Australian and New Zealand jurisdictions, has analogues of.
Many Commonwealth jurisdictions have similar regulatory regimes.
It is arguable that software which doesn't work very well fails all of the above requirements. A former law school acquaintenance of mine has even sued a car distributor, for a fleet of Lada Samaras, claiming that they didn't fit the description of a "motor vehicle" (ie a moving machine !) because they spent all their time in the shop !
What needs to be remembered is that all software producers can be liable under such a regime, Linux or Winduhs.
It's too much liability on small companies...
Think about how many companies form as little one or two man shops that have great ideas.
Sure they have bugs and security holes and hopefully they're fixed before any damage is done, but to sue a small shop a million dollars because you didn't test something you installed on production servers is a joke.
Instead, you could pay another company to test your security all the way around including all software installed on a server.
Also, if there were something that says the software maker is liable, open source should be exempt as everyone has the oppourtunity to review exactly what the code does or doesn't do.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
Well, if license agreements did protect companies we would probably end up with the equivlanent of malpractice insurance for software projects. Effectively increasing development costs by millions or billions. So it would stifle small projects. As fun as it would be to sure Microsoft, the costs and precidents would rebound and damage opensource and GPL.
I'm a professional software developer. I work for a very large computer company (not ms). We all try pretty hard to get rid of bugs in programs, hell as programmers we do care that our code is as bug free as possible, it's a pride thing - as well as being good for business. :) However it is possible to lower the amount of problems you are willing to invest a lot more money into testing which in turn ends up costing the users a lot more money (yes I'm sure there will be replies saying open source can solve this problem; more eyes find bugs quicker etc etc etc but a lot of people are still not going to consider open source solutions).
Unfortunately there's no way to produce software which is bug free, just not possible today. Well perhaps with the exception of hello world
I don't think software producers should be responsible unless it's shown they are grossly neglegent and even then they are not neccessarily responsible. Otherwise amer^H^H^H^H people are probably just going to start suing people stupid leading to massive rises in software prices. OTOH when I use windows it pisses me off when it crashes, it I upgraded from 95 to Xp a few months ago. MS says XP is rock stable, hardly ever crashes, bullshit. The lies in advertising piss me off more than the crashes themselves - false advertising that is something I'd like to see them punished for.
He who defends everything, defends nothing. -- Fredrick The Great
This is a standard legal theory. Manufacturers get third-party liability claims all the time, and carry insurance to deal with them. Except in the Y2K area, though, this doesn't seem to have been litigated yet.
who is and should be legally responsible for insecure software?
A. The Author/Publisher
B. The User
C. CowboyNeil
'Same speed C but faster'
Now, this might just sound like one of those zany, out from left field ideas, but "what if" we decided to hold the actual criminals who are breaking in through security holes liable? I know, I know, I must sound like a kook, but hey, you never know what might work!
"Your superior intellect is no match for our puny weapons!"
If party A licenses software from Microsoft, and agrees not to hold Microsoft liable for any bugs in their code, than MS may be safe from suit from party A. However, if party A's sevevers start attacking party B's servers, and party B never had a contract with Microsoft, there's nothing legally stopping them from trying to sue Microsoft. In that, I think, is why issues like this are important.
Be the Ultimate Ninja! Play Billy Vs. SNAKEMAN today!
Perhaps the money involved in purchasing licensed copies of non-free software should be considered a sort of contract. When I pay for an item (any item) at a store, I expect the item not to be shoddy, or at the very least I expect that there will be compensation should shoddiness be present. This compensation usually comes in the form of a refund, although manufacturers of consumer products often are held liable for product defects and any damages that might result from them. The same principle could easily be extended to software. If I pay for a piece of software, I expect it to work. If you certify to me via the implied contract of sale that your product works and it does not (e.g. if I purchase a piece of software which, through some defect, corrupts my data or causes loss), you are liable for the damages.
Free software is a separate case, IMO. If, for example, I download a Linux ISO, then there has been no sale. Accordingly, no contract has been entered into either by myself or the creator of the software. I may have obtained the product legally, but since no contract of sale is present, I am SOL if anything bad happens.
I pledge allegiance to the flag...
of the Corporate States of America...
That gets into a gray area where you really have to define faulty. For instance, when it comes to system faults vendors should be required to offer a guaranteed uptime (they can set the value at whatever they want, so you could sell your software with a guarantee of no more than 20 critical faults a minute, but that might hurt your sales somewhat... As it is, organizations make very few commitments to their systems, allowing Microsoft, as an example, to simply push each new OS as "way more stable that that last piece of software which we sold you under the pretense that it was super duper stable..."). Is that bicycle fault if the rider drives irresponsibly and gets hit in traffic? Is that bicycle faulty if it gets stolen or is otherwise maliciously used?
Security robustness is a marketing function (it's a feature, if you will, just like a Volvo withstands impacts better than most other cars), and insofar as vendors don't outright lie about the security of their systems, they should not be held responsible: The responsible parties are the hackers/DOS attackers/etc, and no one should ever fool themselves into anything otherwise. For all of the talk comparing software to the "real" world, the reality is that the window maker isn't responsible if someone throws a brick through it, and the lock company isn't legally responsible if someone drives a tow truck through the door: As long as it withstood at least the marketed capabilities there is no vendor fault.
In the case of Microsoft, you can demonstrate a pattern of negligence in the way they test and release their product. The company also publically denies that there are problems until it is too late for users to do much of anything to protect themselves and their networks. The last thing MS wants is administrators migrating their operations off MS products in favor of more controllable risk(like Open Source or a different and better tested proprietary one). I say controllable risk, because no software is bug-free and it is the job of the administrator to manage the technical arena and minimize risks to their networks.
With the Redmond mis and disinformation machine, you can never be sure of what the truth is in terms of real support from the vendor. Afterall, this latest round with UPnP pretty much proved that the company puts profits over security. I mean, only Microsoft would try to tell the FBI that a security disaster waiting to happen wasn't one. It IS how they maintain their 'edge'.
Death by a 1000 cuts.
In space, no one can hear you moo.
Most people seem to be missing two important distinctions here. You pay for commercial software, but not for free software.
:-), the latter is practicing medicine without a license.
This totally changes the nature of the beast. As a specific, non-tech example, I can give a friend a ride. I can even graciously accept gas money, or a free lunch for my troubles. I could even be a good Samaritan and offer a lift to total strangers.
But the instant I actively charge people for this, even if it's a token amount, I become a "for hire" limosine service and am required to obey a large number of laws. Some are "on point," others seem to exist solely to eliminate competition.
There are other, more subtle differences. I can refuse to give a friend a lift without explanation. Once I become "for hire" I can't (legally) refuse to accept a passenger without a good reason. E.g., someone showing a weapon can be refused, but someone who stinks because they haven't bathed in weeks can't be refused.
An even more extreme example is the difference between my friend asking me if I've ever experienced certain medical symptoms and a stranger paying me for advice. The former is a casual conversation between friends (or not so casual, if it involves a possible STD
In the software realm, I would expect to see a similiar difference in the treatment of amateur efforts (where people develop software for the love of the craft) and commercial efforts. If someone is grossly negligent, it won't matter whether they're compensated or not. But for routine oversights, I would expect to see far more severe penalties for commercial vendors than OSS providers.
The second difference is that when you get software from Microsoft, you can't change it. Any errors *have* to be due to Microsoft's (in)action. In contrast, free software is released in source form and patches are routinely assigned. It's not morally acceptable to hold people accountable for the (mis)actions of others, so it's much harder to justify penalties against parties that provide source code.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Yes, now imagine if Linux Torvalds or the FreeBSD Foundation were liable for that same $2 Billion. They would be SOL. Microsoft would just be annoyed.
People often tend to forget a very important factor when talking about Microsoft. Microsoft is a *monopoly*, it's official now.
With that monopoly power they have killed off a lot of the competition by creating proprietary standards.
And here is the important fact: People/companies no longer have any *choice* but to use Microsoft's products if they want to share information with someone else. And what companies don't share information today ? None !
So please, don't compare the Microsoft user-license/responsabilities/whatever, that you have no choice but to accept or get out of business, to the open-source ones that people can very easily walk away from if they dislike it.
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
As for open source, "As is" is very much implied before you even start using it. It's impossible for anyone to be at fault in either case, from a legal standpoint. Therefore, this story is completely bogus.
And this begs the question of whether or not it's possible to make bug free software in the first place. Given the complexity of software, 100% bug free software might not be a realistic goal and this seems to make it unfair to punish software companies for every bug. Making software companies liable could severely hinder software development due to the high risk involved.
It's very hard to assess liability when software fails. I haven't the solution and I imagine it'll be a while before anything concrete is determined.
It's all about me, I did it all. Blame me. Go ahead.
Thanks,
Al Gore
> The question should not be who is responsible for insecure code but rather what can be done to discourage people from vandalism and how to track down and punish those who choose to break the law.
I agree, in principle. A similar concept applies to copy protection; we should concentrate on punishing theft rather than on limiting the fair-use capabilities of our electronics.
But in this case, I've been wondering whether society's best interest lies in a different strategy, more pragmatic if less idealistic.
I'm normally adamantly against blaming the victim for crimes, but consider this. What if we legalized hacking? Within a few weeks, incompetent sysadmins/secadmins would be out on the street. Within a few months, software that was not patched promptly would be replaced by software that was. Within a few years, software that was not essentially secure would be off the market.
Publishing the criminal is certainly just, but it doesn't do a heck of a lot of good to spank someone after the damage has been done. Society is going to be more dependent on computers in the future, and more at risk to insecure softare. We need to take radical action to fix the problem before it grows from inconvenient to devastating.
Admittedly this would cause a great deal of short-term disruption, but at least the problem would get fixed.
It's possible to build secure software; developers and vendors just have to care enough.
Sheesh, evil *and* a jerk. -- Jade
Selling software is great. Compared to someone selling a real physical product like spark plugs, you legally retain much more extensive control over how your product can be used even after you've sold it. This is because of the enhanced rights you get as a holder of intellectual property as opposed to real property. But even though you can dictate to people the conditions under which they can use your software, if anything goes wrong, the product liability risk you expose yourself to as a seller of software is zero!
Why does anyone even try to sell anything else?
Did we have a similar incident that caused such a damage on Linux or FreeBSD platforms? I know that also Open Source software is listed on the security announcements, but I don't remember that any of this issues caused so much trouble.
Yes, now you can argue that Microsoft products are more widespread than Open Source but then you should also consider that usually Open Source comes more or less secure out of the box while Microsoft products are insecure if you take them out of the box. And of course Microsoft is trying to put the responsibility for security issues on the shoulders of the user, but if a system is insecure by default then its not the fault of the user.
Compare it with cars. If I buy a car without brakes and the salespeople told me "thats the most safe car in the world" and I have an accident... who is responsible? If I use a known as safe car and I don't fasten my seat belts, go with more speed than allowed and I get hurt in an accident then its my own fault.
The only problem is that usually a car has to pass a lot of security tests before firms are allowed to sell it and you are allowed to use it in the daily traffic. With software nobody checks if you are able to use it and if its fulfilling minimum security requirements. So we all meet on the "information highway" and some of us suffer because others have insecure "cars".
The software industry heavly-lobbied for legislation (and got it, of course) that basically makes its products legally without warranty.
Which legislation are you talking about? The only law I know of that would accomplish this for them is UCITA, and that's only been adopted by 2 states.
It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
Its shameful, the way we try to pin the crimes of computers on people. A man buys a computer, the computer hacks into the Federal Reserve and and he goes to jail. Another man writes an operating system, a computer using that operating system smurfs AT&T but he goes to jail. The computers remain free to strike again... when will society hold computers accountable for their actions? When will we stop persecuting man for the crimes of his possessions? Perhaps some day... in the Twilight Zone. (insert cheesy dramatic music followed by annoying roll-credits music)
UCITA for one, DMCA, maybe SSSCA. Read the DMCA, it applies to more than music. Case in point: Dimitry, held in prison for giving a seminar at DEFCON and coding done in Russia for a US company!!! The laws maybe annoying and dumb, but they are laws that are being enforced right now.
What about ridiculous software patents? Those are being "legally" enforced left and right; whole companies are based on IP-squatting.
Wake up and smell the fucking coffee.
The biggest trick the devil pulled was letting lawyers become politicians so they can write the laws.
If you don't publish the source, you're liable. Hiding the inside of a program is perfectly OK - assuming that you take full responsibility for the manner it works.
If you publish the source, you can be extempted. Exposing the inner workings, anyone can verify the suitability of the software for a given purpose.
MS plays safe by not being responsible (sueable) for their bugs. If they where requested to either FIX them holes before release or publish the source, they'd concentrate on security before feature count, which would be double good.
Only problem is, this way of cutting things would hardly feed the lawyers :)
I'm in a Unix state of mind.
Whilst the thought of seeing Microsoft taken to the cleaners for product liability would fill me with a certain amount of malicious glee, I do not believe that software companies should be liable for the security of their products.
As others have pointed out, if someone breaks into your car, then you cannot sue the car manufacturer (at least it is difficult to do so successfully!) for the theft of your vehicle. Similarly if someone steals your hi-fi from your house, you do not sue the manufacturer of your locks and windows, or even the hi-fi maker.
I do believe that software should be reliable and perhaps there is a case for liability if the operation of the software causes a major disaster without malicious outside interference. The problem with that, however, is we're all to aware of what will be the result; software prices will skyrocket to cover the immense legal costs that will result defending and settling these claims.
The only people who would benefit from this will not be the software developers, regardless as to whether it's Micorsoft of open source developers; it would be the legal profession aiming to take 10-50% of your damages award when you did settle.
Donte Alistair Anderson Roberts - hi son!
Karma: Chameleon
Who is liable if a lock on my front door does not work? The company who made the lock? Or me for not being able to afford a good lawyer?
I would really like to know what some lawyers have to say.
hmm... for fun I enjoy launching DDoS attacks against 127.87.42.5
It bothers me that there is this mentality that software designers are responsible for including security in there products. If I buy a peice of software, I am paying for a peice of code that is designed to perform a specific task, not neccescarly for a peice of code that will protect me from illegal activities.
If I buy a car, I'm paying for transportation. It would seem silly to sue the manufacturer because somebody stole my car and I found out the locks on it were easy to pick.
I use Outlook as my mail program at work. I paid for it, and I expect it to be able to send and receive mail. If somebody illegally exploits that program to do malicious things, I don't blame Microsoft, I blame the person who wrote the virus.
On the other hand, I also own a virus scan program. This is a security measure I pay for. If my computer is attacked by a virus, I expect my virus scan program to detect it and remove it. After all, thats what I'm paying for.
Yet the mentality is, if somebody illegally affects my mail program, Microsoft is at fault. While the virus scanner, which I also pay for and keep updated, which failed to do it's task, remains blameless.
It's nuts.
The Internet is generally stupid
I think a lot of us are talking specifically about MS here. MS has supported all of their products (or at least a good number of them) well past 5 years. In fact, it was only November of 2001 that they decided that they were not going to "officially" support Windows 95 anymore. Secondly, like you said, it should be the responsibility of the users/administrators to keep up with patches. This had been the reason why Nimda and Code Red were able to propagate so much. Microsoft had published a bug fix 3 month prior to Code Red. But only a small fraction of the administrator actually implemented it. So who's fault is that? Why should MS be liable for the laziness/inability of the admin to fix a problem that they were notified about. These admins were as much responsible for the spread as the creators of the worm.
_______________________________
"I'm not Conceited...I'm just a realist..."
In addition, there should perhaps be restrictions on what can be sold: for the sale to be legal, consumer software should perhaps have to conform to some basic safety standards, analogous to UL standards for electrical devices. (Since this is a restriction on sales, it would obviously not apply to free software.)
Large commercial customers are presumed to be competent, and they should be responsible for this themselves; they don't need regulations or legislation to protect them. For example, if a company exposes 10000 people to identity theft through an unsecure computer system, the company should be legally liable for that. The company will then insure against that risk (possible directly through the software vendor). The insurer will assess the risk and compute the cost of the insurance. The company then can take the cost of the insurance into account when selecting software. I.e., it comes down to the question of: is Apache plus insurance more or less expensive than IIS plus insurance?
Do you really think this is a good idea? If this were actually implemented, the Open Source industry would just dry up in the corporate environment.
/non-open source solution.
Look at it this way. A company is not willing to put product that has no guarantees of operation on a mission critical application (mission critical can mean Office Suite...if a CEO can't read his email, that is mission critical). You must admit that EVERY piece of software produce will have a problem, whether it is an inherent problem, or just a dumb enduser that thinks the Garbage Can is just another folder. Now when a company comes across a problem, they are not going to spend time reading pages and pages of document for a solution. They would want to be able to talk to someone and make sure that the problem gets resolved.
Now look at it this way. If there is a major security flaw in an application that the publisher knows about and does not resolve, he is liable for any damages that have incurred. The company using this product has at least one way of trying to recoup its losses. Now, (according to you) if they were to use Open Source product, they now cannot sue the company for damages incurred. Knowing this, when the CIO, CTO, C-etc are doing budgeting for software purchases, are they willing to gamble on something that does not come with a warranty? Or will they pony up the extra cash to get something that may or may not have a problem, but will be liable and available to resolve the problem. This will lead the people up top to choose the MS / or big company
Want another way to look at it? You're going out to buy a computer. One store is offering a 30 day unconditional return policy/3 service. Another store is offering 7 day return and 6 month service. Which one would you buy? Would you be willing to pay a little extra for the comfort that you will not be liable for a problem with your computer?
One thing that we all must remember is this. Open Source is not the panacea for software problems. I have seen a lot of good Open Source programs and I have seen a lot of bad open source programs. What is important is how comfortable your customer is with the solution that you are providing. Can you guarantee to him that you will be able to support it? Are you accountable for the problems that might occur?
_______________________________
"I'm not Conceited...I'm just a realist..."
Here are some of my thoughts on why we have buggy and insecure softwares.
* Human Nature
People in general don't like to admit that they are wrong. Companies small and large are not much different. Even when they distribute the patch, there is rarely accurate or complete information about the problem or the severity of the problem being addressed. We think apologizing is a sign of weakness.
* Corporate Image
By admitting fault, company loses credibility. Company is always willing to live with few unhappy customers to protect it's overall image. It's one of the reason why software defects, security or otherwise, get hushed up and buried. You all know that the euphemism for this policy when it is applied to security is called "security through obscurity". You also know how well that works. Admitting fault is the last thing company will do. Even when they do admit it publicaly, they will always play down the severity of the problem.
* Monopoly
When a company is a monopoly, there is almost no incentive to admit to a problem and fix it. If you know that you can't get fired and you will get paid the same if you work one hour a day or eight hours a day, which would you choose? Lack of incentive is the very reason why communism is bad for progess. Only reason why Microsoft is pretending to care about security recently is because they are having trouble penetrating (from behind) the enterprise market with their tarnished image.
* Money
When I say money, I don't mean cost to create or distribute bug fixes. Putting a patch on a website for user to download isn't such an expensive proposition. It's lot different than car manufacturer doing a recall. When I mean money, I mean greed. Companies are using bugs fixes as a ploy to get users to upgrade. Marketing departments have figured out that consumers are willing to pay for bug fixes. Example of this is Windows 98 and ME. Essentially they are selling you a big pile of bug fixes as a full product and charging you for it. Sneaky isn't it? MS is not the only guilty party of this devious practice. Many companies such as Vignette, bea systems have done this sort of thing. It's becoming very common in many places and we all have been brainwashed to accept it as a norm.
Since Free Software/Open Source has only one of the four problems to deal contend with, I think it has a somewhat better chance of producing superior software than from commercial environment.
I don't see what the problem is.
;)
If you write it, you do your best to make it secure and keep it that way. If you write insecurities into it, that's your problem.
If you install it, it's up to you to make sure it stays uptodate with patches.
I've got no sympathy for people with cracked boxes when there's a patch that should've been applied (ie in 99.9% of linux and 99.99% windoze cases).
I don't see what casting it in law is going to achieve; far rather use common sense that people are responsible for their own doings, with a few precedent cases to back it up. (That'd be a first
~Tim
--
Rushing on down to the circle of the turn
_______________________________
"I'm not Conceited...I'm just a realist..."
In a normal hetrogenous environment (as 99% of n/ws are), you're going to be dealing with software and hardware from many different vendors.
It is possible (if not probably) that the interaction of these components will create security holes for an attacker to exploit. Which vendor do you blame? They may all be working as designed. Do you blame your low-paid network guys? Do you spend hundreds of thousands to hire external consultants? Can you blame (and sue) them if your network is breached?
What about default configurations of software? What if the default configuration is insecure, but the documentation describes how to secure it?
I have my own thoughts on these issues, I'd like to see what the general consensus is here.
Btw, if you're looking for a secure OS, try XTS 300 STOP.
The EPL makes interesting reading.
From what I've read most of the damage estimates were pulled out of somebody's ass, anyways. So my question is, if this became law would the damage estimates get lowered considerably?
Damnit, Jim, I'm an anarchist, not a F@#$!^& doctor!
Sorry? Fully 70% of security problems are bugs in the software? Well what are the other 30%, then?!?!?
Oh yes, I forgot: features!
I mean, if you buy bulletproof glass for your car, and somebody shoots you through it, you might have a case: one of its purposes is to stop bullets. But if you buy an ordinary car, and somebody shoots you through the window, you hardly have grounds to sue them for poor product quality.
Being able to stand up against novel forms of human attack is not basic product quality. Worms, trojans, and viruses are not mere environmental hazards, they are the results of intensive effort to find and exploit any system weaknesses.
Disappointed customers and annoyed partners are punishment enough. Market forces will correct the problem; people will eventually learn not to buy stuff that doesn't work. They will also learn to do their part, since security doesn't come in a shrink-wrapped box.
In a way, these petty vandals are doing us all a favor by forcing us to harden our systems. If nobody exploited the security holes, you couldn't convince people to spend extra money or effort on security. Then, when somebody made a truly serious attack, as an act of war, we would be utterly defenseless. I believe humans evolved an instinct for mischief for just this reason, and so we shouldn't be too hard on the script kiddies.
I believe that the software companies should be liable *up to the point that they release a patch that fixes the problems.* Then the owner becomes responsible. This does 3 things.
First, it makes the software company more dilligent about getting all bugs out of software, and worry more about security concerns (which are, shockingly, rarely "bugs" in the software)
Second, it makes the software company work harder at producing a patch that fixes the problem.
Third (and most importantly in my book) it forces system admins to work faster at patching software.
"If product fails to perform in a secure manner, buyer of product will be entitled to a refund in the amount of two times the purchase price."
Free software covered! :-)
What I want to know is when the country will make contractual law a part of the high school curriculum? Every dumb shit in America believes every stupid document put in front of them is law.
Unless they have actual knowlage of the laws in question.
This is similar to those signs that say not responsible for blah blah blah. Bullshit. If they are responsible, then they are responsible. Period.
The more subtle one you tend to find in software licencing is "we disclaim anything the law will allow us to disclaim". Using the, usually correct assumption, that most people won't actually know what can and can't be disclaimed in this way...
The prevailing of commercial software is set by the market, and reflects the balance of features, updates, price and quality that users want. That's why your word processor crashes sometimes and your defibrillator doesn't. Attempting to set a new and better balance by turning hordes of plaintiffs' lawyers loose on the software industry is going to improve the situation of users about as well as turning lawyers loose on the tobacco industry has helped smokers.
Oh, and if you think that open source software is going to be unaffected by this, either because it has no bugs or because it's so cuddly it will be exempted from liability -- good luck. Bye-bye, Red Hat!
What I'm listening to now on Pandora...
Keeping a piece of software's source closed should result in harsh liability. Since users cannot examine the source to confirm bugs or even functionality, they are completely at the mercy of the vendor. Since the vendor has welded the hood shut, problems with the engine are THEIR FAULT.
Open source software provides a method with which users can confirm functionality (checking the source to see it really does what it's meant to), report faults to the vendor and even make fixes themselves, if required. These factors should result in a vastly reduced liability, since this kind of software gives users the tools to take responsibility of their systems. Even if the user doesn't have the skills or inclination to use the source, they can hire someone who can.
While this may sound like pandering to the open source crowd and Microsoft-bashing, it just seems to make good sense... keeping the source to yourself means that you have to take responsibility.
Suppose that someone is selling a voodoo book that teaches how to make a love potion. The author made a mistake and introduced a wrong ingredient that will make a person paralytic for 24 hours instead of falling in love when drunk. The publisher immediately releases errata for several wrong formulas, but the reader didn't know and thus used the buggy formula and damage was done. Should the publisher be held responsible?
¦ ©® ±
Does this mean that we can sue Apache? This article says that Apache and PHP have flaws. Come on guys, let's sue.
Considering the nature of software, bugs are a fact of life. No code is going to be 100% bug free unless it's a simple "Hello World" program. It's how the vendor treats the bugs that counts.
If the vendor is informed and fixes the bug in a reasonable amount of time then they shouldn't be liable. (Reasonable being a flexible span of time. If a bug is particularly vexing but they keep their users informed of the progress, then they should get extra time. But if they just say "yeah, yeah, we'll work on it" and then nothing happens for a month, they don't get extra time.) Of course, if the vendor is informed about the bug and does nothing about it, they should be made liable.
Finally, if they release a patch but the user doesn't install it and has their security compromised (e.g. what happened with CodeRed), the user is the one at fault. In this case, it would be like an automobile manufacturer issuing a recall, a consumer ignoring the recall, and then getting into an accident because of the very defect that prompted the recall. Software companies shouldn't be liable for the stupidity/ignorance of their users.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
Comment removed based on user account deletion
Comment removed based on user account deletion
Comment removed based on user account deletion
...most open source projects have CYA verbage in the licenses saying something like "THIS IS UNSUPPORTED, AS IS, USE AT YOUR OWN RISK, BLAH BLAH BLAH"...
It's 10 PM. Do you know if you're un-American?
Automatically applying patches is NOT a solution! There are countless stories where the applying of patches caused formerly working software to crash.(*)
One major advantage of OSS vs Commercial software is the availability of the source code. Another major benefit, but less well recognized, is the visibility of REPORTED DEFECTS. Prior to obtaining an OSS application, say on sourceforge, I can peruse the bug list and get a complete list of reported bugs. What's the chances I can see the complete list of reported defects in, say, Microsoft Office?
Okay, why not just have a law passed that requires commercial software developers to make all reported bugs publically visible? Ain't gonna happen; political contributions and lobbying efforts would squash that in a heartbeat.
BUT, there's another approach. Don't use LEGAL requirements -- make it a MARKET requirement.
In other words, consider these two scenarios when making a recommendation for two different software packages:
In short, software will always have bugs -- just as OSS makes the code available, we can use market forces to trumpet the same visibility of the known (and future) bugs.
(*) Footnote: Feature vs Bug... many years ago I worked for 2+ years in testing a COBOL compiler that was being upgraded to support the latest standard. The version that was already out in the field was rife with bugs. Several customers were worried that we were going to fix some bugs they depended on! Though non-standard code, they had developed workarounds and used them extensively -- fixing the bugs in the compiler would break their programs!
It should not be possible for Microsoft (or any company, but Microsoft is the best example) to boast about how robust and secure their products are in their marketing, and then make the purchaser agree to a EULA that removes their liability, if their claims turn out to be untrue.
This is especially true of their enterprise products, like, say, Outlook/Exchange. It should not be a full-time job patching and reconfiguring the damn stuff to keep the misfit script kiddies with Outlook Worm Kits from bringing down an entire organization's e-mail system. Microsoft should damn well have been able to be held liable for something like ILOVEYOU, that knocked some very large companies' mailservers off the Net for days.
Imagine if, after all the car commercials boasting airbags, crumple zones, etc, those safety features turned out not work-- and then, while paging through it from your hospital bed, you found a EULA in the back of the Owner's Manual disclaiming Ford/GM/whoever from liability, if they didn't?
The biggest bullshit, though, is the notion that people will eventually get pissed off about software not living up to the hype and take their business elsewhere. If that theory held water, Microsoft would already be a memory amongst sysadmins these days. Companies are practically locked into using Microsoft products. And what people use at work, they will buy and use at home because by and large, they are sheep who fear change. Which is exactly the kind of environment in which companies like Microsoft can shovel sub-par shit out the door, not be liable for its flaws, and still thrive.
~Philly
Do you have any non MS software on that computer? How about your video drivers, sound card drivers etc.
MS is extremely stable for some people, extremely unstable for others. And a large part of that variance is due to 3rd party software, DLLS and drivers.
MS cannot be held accountable for every possible configuration or installation base out there.
To do so would be the equivilent of holding a brink manufacturer liable when a building constructed using their bricks falls down. You have to show that it is a defect in the brick, and not someone making an unbalanced building.
The legal difference between Microsoft and Free Software Organizations is simple - "quid pro quo". There is, legally speaking, much more liabilty if someone has paid you for something, than if they simply took it (even with permission). If there is no quid pro quo, it would be VERY difficult to convince a judge that a developer, or organization is liable for damages.
-- Rich
Free your mind and your Ass will follow -- George Clinton
I don't think that Nimda is a good example of the sort of thing that microsoft could be held liable for. Errors that cause data loss, yes. Errors that cause the machine to lock up and cost you time, yes. This is akin to holding car manufacturers liable for things that go wrong with the car (exploding fuel lines and such), and is perfectly justifiable since the manufacturer is directly at fault.
The fault for Nimda, however lies squarely on the shoulders of the virus author. Claiming that an operating system, no matter how insecure, is at fault, is like claiming that non-bulletproof t-shirts are responsible for murder by gunshot. Murderers are responsible for murder. Virus authors are responsible for viruses. Software writers are responsible for software problems-- but not for criminal acts by other people.
First. You do not BUY software. You buy the license to use - like a service. If you hire a company to provide support or to manufacture something for you they're responsible.
There is a related story that happened a couple of years ago (don't remember exactly). Tim Hortons is haveing a Roll Up the Rim to Win promotion every year. When you buy a coffee - you can roll up the rim of the cup to see if you won a prize (all I ever got was donuts and more coffee - go figure!). Well.. It came out that some of the people who worked at the company that was manufacturing those cups were cheating by unwrapping those rims and stealing prizes. I know that that company lost the contract - I do not remember if they were sued for damages as well. I think they did - they failed to provide a resonable service they were contracted out for.
OSS is a bit different. It's public domain. Everyone owns it - therefore if you choose to use it, and if it breaks you yourself are responsible for damages.
That's what I think - I don't know how accurate this is, but I do realize that it's not such a great thing. If a company has to choose between OSS and proprietary solution then they will choose the proprietary one. Simply because IF something goes wrong - they have a chance of getting some recompensation.
It's a simple choice - do you buy a reliable car, or one less reliable with insurance?
If you leave your door unlocked and a thief steals your Tivo, is that any less of a crime than if your door was locked? Don't blame the locksmith, blane the thief!
The real question is what standards will we use to prosecute people who break the law, and will they be at all equal?
Consider these two stories, from The Reg and The Rochester, NY Newspaper. In both cases, web sites were broken into by guys in their twenties who said that the security on those sites is woefully inadequate, and claimed that they were practically "invited" in? The Library even mentioned that they were in the middle of revamping their security, so they knew they had problems.
Anyway, The guy who had access to Rush Limbaugh's social security number and made himself a NY Times employee in their database gets off scot-free, while the guy who did not access any sensitive information at a county library and "merely" changed their web page is facing up to seven years in prison.
Granted, the guy who broke into the Times was Adrian Lamo, who is apparently considered a "white-hat" hacker and has a track record of playing nice with the corporations he hacks into. (He may even read /., for all I know). But why is he going to get off the hook for his vandalism, while the other guy is facing a long sentence? Didn't they essentially do the same thing? Maybe I need more coffee this morning, but something doesn't sound right...
Real life is real life, and the realm of technology is no exception. For some reason, some people got the idea that magically, the world of technology can be free from the influences of bad people and just ordinary entropy. It has long since been figured out that there will be bugs, no matter what.
While some code is safer than others, and some companies are disturbingly sloppy in their coding procedures, ALL code is vulnerable. Making someone liable because they have bugs will punish all, and is contrary to the most fundamental fact of life: you're on your own, watch your own ass, life sucks, wear a helmet.
For your security, this post has been encrypted with ROT-13, twice.
It seems to me that people are missing a point - the Nimda worm affected not only Windows users, but the network as a whole. I can see how courts might hold Microsoft harmless in the case where a purchaser of their software might want to recover damages, but what about a situation where a third party running, say BSD is damaged by Microsoft software. What legal theory would prevent the third party from suing?
I'm not a lawyer (sometimes I wish I was so I could understand the real world), but isn't liability based on someone's neglect in fixing a problem or situation? I heard someone call it the 'dirty banana peel' concept. You're in a grocery store and slip on a banana peel that recently fell on the floor, you'd have trouble sueing the store because they didn't have time to know about it and clean it up. But if the peel had been out for a while (hence, the dirty banana peel), and they did have a chance to clean it but were negligent, you could have a good case.
Anyway, the same would (or should) apply to software. If you could show that the company knew about the bug but sat on their hands, I imagine that's a pretty good case for a lawsuit.
_______
2B1ASK1
I seem to remember that some high-level courts have decided that the transaction is actually what it appears to be: you went into the store, you saw goods on the shelf, you took goods to the cash register, money changed hands, and therefore you bought the goods you paid for. You did not buy a license. You did not walk out with something that remains the property of the manufacturer.
If it looks like a sale of goods, that's what it is, regardless of the manufacturer's efforts to claim that what happened was only the purchase of a license.
Of course, IANAL.
TyZone
IANAL, but here is my understanding of this issue:
;) Also open source software downloaded off Freshmeat would be immune (Red Hat might be liable, but the BIND developer probably would not).
When you buy a piece of software, at that time, it is subject to merchantability standards, like a car, a toaster-oven, etc. However, software as you buy it is pretty useless-- it is a shiney disk that you cannot legally install (copying it in whole or part onto your hard drive) without the express permission of the copyright holder. So, the user and manufacturer enter into an agreement (EULA) in which the user of the software agrees not to sue the manufacturer, and abide by other restrictions.
In other words, if the software trashes my system before I agree to the EULA, I can probably sue, but not after
Now, imagine if a tobacco manufacturer required all customers every time to sign a liability waver stating that the customer knows that this product causes cancer, then would agree for a certain fee to deliver a certain quantity of tocacco products to the customer on a certain schedule...
LedgerSMB: Open source Accounting/ERP
You're absolutely right. They should pay more for insurance against hacking/viruses if they are using a less secure OS.
That certainly doesn't make you *guilty* any more than it makes a homeowner who doesn't bar his windows in a rough neighborhood guilty. The guy who does the breaking and entering is still at fault, not the builder, the homeowner, or the manufacturer who made the windows.
Vintage computer games and RPG books available. Email me if you're interested.
You know, I have zero problem with saying people should be responsible for software they write, at least in the abstract. The idea that they should not is kind of silly, if you think about it honestly.
But at this point in time, it would be disasterous to start allowing liability. Why? Because liability is determined by the court system, and with no offense intended, the court system is incompetent at this time to make those sort of decisions.
I have no faith in the ability of the court system to distinguish between an obscure flaw that allows a man-in-the-middle attack on a so-called "secure" connection, and a glaringly obvious security problem like "By default, everyone in the world has full access to your desktop." (reference: Symantec's PCAnywhere for a *very* long time.) In fact, I don't trust me to make those decisions.
At this point in time, and at our current technology level, as we've all heard and said many times, one wrong character in the wrong location, out of billions, can cause a difficult-to-detect error that, when exploited, can give an attacker root access. It's difficult to come up with any sort of definition of proportional responsibility.
If a bridge collapses because all of the tons upon tons of concrete used was an inferior grade, that's one thing. But if the bridge collapses because one screw was made of aluminum instead of steel, is that worth suing over? My real point can be seen in how this metaphor is not applicable; A bridge would never collapse over something so trivial unless it had other fundamental problems! Software is fundamentally more fragile. (So far, all attempts to negate this have essentially failed, and I'm not willing to count on some miraculuous development in the future. Though I suppose if such a thing occurred, and it was legally mandated to use formal methods, that would make people like me who could understand them suddenly no longer competing with hacks who think they're leet 'cause they can sorta use Perl... >:-) )
Even a professional like me might be hard pressed, after the fact, to determine which sort of problem is before the court, to determine liability. Do you want to leave it in the hands of lawyers?
There IS a market but there is only ONE force. Security and safety isn't its concern.
Pushing more features is what sells software and brings in the bucks. Feature lists the size of an encyclopeadia is a software vendor's wet dream.
As for the bugs, security holes and the very desirability or usefulness of those features, the rule in law is "Caveat Emptor."
Up until people start getting killed, you can forget about legislation to address the problem. If the flaws are systemic and there is nothing that can be done by the consumer. Collapsible steering columns were not required until legislators got tired of losing voters to impalement at low speeds.
Even WHEN people are being killed, as with cigatettes, (or cheap hand guns though its not the purchaser who gets killed then,) the rule of law is still "Caveat Emptor."
The average co-optable "attack" PC running windows is running in somebody's den or in a small office. Big firms have guidelines on installing software on their PCs and usually have virus detection systems that are updated from a central server.
Home systems are privately owned and are never patched knowingly. Likewise, virus detection is usually seen as a one-time purchase and installed from a CD-ROM that was obsolete before it came off the truck.
The steering column parallel is a better one for the situation since the average system owner is about as capable of fixing the problem as the average car buyer was of replacing his steering column shaft.
I'd like to hammer script kiddies who tie up my connection by hitting it with a DOS attack and teach them some civility. Its a form of violent behavios that must NOT be tolerated anymore than shooting bullets into the air. They land somewhwere and in urban areas that means somebody bleeds.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
A lot of people have said that, if software vendors were to be held liable for security holes, open software would be up the creek. I'm not so sure about that... it seems like a reasonable form of liability would be the exact same liability my dry cleaner has, if they ruin my favorite shirt... as it says on the sign, liability limitted to 10x the price I paid for the product. Free (as in beer) software, then, is still worth exactly what you pay for it; and the developer does not have to worry about legal repercussions.
I've had this sig for three days.
Your car's engine (or the fuel system at the very least) doubtless has a controller unit that runs on embedded software. Let's say it goes berserk due to a bug in the software, causing you to run off the road and severely injure yourself (or to kill someone else). Who do you sue -- the car mfgr or the author of the software?
~REZ~ #43301. Who'd fake being me anyway?
Just like a car: Windows - Unsafe at Any Speed
I don't think some of you understand what happens if people are made liable for their software. If say there's a law passed that you're liable for security holes in your software, are you going you REALLY go ahead and develop it? I think not. If I find a root exploit in the Linux kernel lets say and some company gets turbo fucked because of it can they sue Linus for billions of dollars in damages? Would that be fair? Should I be able to sue the Apache group if a nexploit is found which leads to me losing megabucks? The clause in software licesnes saying "this software is provided AS IS with no garentee it won't turn around and fuck you" is there for a reason, specifically so the software vendor whoever they may be can't be held responsible for what happens with their software.
The comparisons to the automotive or aviation industries is inherently flawed because both markets deal SPECIFICALLY with the preservation of the life of the operators. A car is responsible for not killing you and that car's manufacturer tacitly agrees that their car won't kill you for anything under their direct control. Same with airplanes and buildings. Business software on the otherhand does not directly effect whether or not someone is going to die (generally) due to some part of its use. Software controlling medical or aviation equipment has to pass stringent testing to ensure it isn't going to go batshit on a trivial error. Software released in these industries do not have "we're not responsible for batshitery which occurs due to our software" clauses. It is the liability and responsibility of the USERS of software for the results of security holes or just inherent flaws in the implimentation even if they aren't directly responsible (they didn't write it) for its creation. They did make a conscious choise to use said software thus the onus is on them. If Nimda caused you millions of dollars in damages it is your own damn fault because you used software that you were not overly confident in in terms of security. If you were overly confident you learned your lesson that shit happens and life ain't fair. No one protects businesses from dumbfuck business plans, they ought not protect them from information technology jackassery either.
I'm a loner Dottie, a Rebel.
Pretty much everywhere in the U.S. a bar or a party host is subject to liability if a person has too much to drink there and then goes driving. That's why most bars make it a point to cut people off when they're obviously drunk, and offer to call them a cab.
Do we care what the software is?
What about software that controls the dose of radiation for cancer treatment? If you get 10,000 times the intended dose, someone can die. Do we treat that the same as a PDA phone number application that can't find people whose last names begin with 'q' because the "quit" command was munged? (bad example, but you get the idea...)
After all, you can always replace the PDA, and you can't forsee death as a result. Bad control of radiation can quite easily result in injury or death. With the case of the radiation machine, do we CARE how obscure the bug was, or how hard the maker/programmer tried and tested? Or do we just stick him with the liability because it's better than telling the dead person: "tough luck?"
I Am Not A Lawyer But I Have A Friend Who Is...
Of course, he wouldn't officially comment on this, but it did pique his curiosity, so he emailed a couple of his lawyer friends, one an IP lawyer and one who apparently is NOT an IP lawyer (not sure what his speciality is) though he apparently DOES have more litigation experience.
First, the IP guy:
His Reply:
I would think pretty slim. The standard disclaimers on the OSS say that the developers are not liable for anything, etc.
The exception would be if the developer intentionally programmed a back door and then lured people to use the software so that he could go in the back and steal/corrupt the data.
IMHO.
My Friend's Question:
Wanted to get your thoughts on something. Not for a client. A friend raised the issue and was just curious and it piqued my curiosity. I'm sure you're familiar with open source software. According to my friend, there is a movement to make someone responsible for problems in open source software that lead to security breaches and/or data loss. He was just wondering what my thoughts were on the possibility of OSS developers, who don't receive any compensation for the software and put out the typical disclaimers, being sued by someone who uses the software and is damaged as a result.
Next, the Litigation Guy:
His Reply:
Without seeing any of the documentation that changes hands (if any), it's hard to say. Can you have an implied warranty for a product that you are making available for free? I don't know the answer, but my hunch is probably so if the other side can prove reasonable reliance, etc. Best advice might be to beef up the disclaimer and create some sort of waiver that has to be filled out before the program can be used.
My Friend's Response:
Why? I don't know. Practice, I guess. A way to test your software. Make a name for yourself. I do know it's very common among the cyber-geek community. And while the issue of compensation might not affect a negligence analysis, I would think that it would play a role in the effectiveness of the warranty disclaimers under the UCC. I really don't know either. I know it's not strictly speaking an assumption of risk case, but isn't some sort of concept of "Don't trust me. Use this at your own risk." possible? {IP Guy} thought the typical OSS disclaimers would probably protect the software developer, but while I know he knows IP, I wasn't sure how extensive his litigation background is.
Litigation Guy's Response:
I've never heard of it before, but it sounds like there could be some liability. The analysis wouldn't so much whether the developer received a benefit as whether the person who used the program suffered some harm. I'm not really sure to tell you the truth. Why would someone do that if they aren't making any money?
My Friend's Email:
Wanted to get your thoughts on something. Not for a client. A friend raised the issue and was just curious and it piqued my curiosity. Dont know if you're familiar with open source software. Open source software is developed by freelance programmers who make the software freely available, along with the source code, so if someone grabs it, they have the opportunity to examine the code (or hire someone who can) for flaws and fix them if necessary. According to my friend, there is a movement to make someone responsible for problems in open source software that lead to security breaches and/or data loss. He was just wondering what my thoughts were on the possibility of OSS developers, who don't receive any compensation for the software and put out the typical disclaimers, being sued by someone who uses the software and is damaged as a result.
This goes right to the heart of a big chunk of FUD regarding Open Source software. I've seen it stated over and over, that you don't have anyone to hold responsible for problems with the product. I always thought, "I'll believe that one when someone gets a judgement from MS from damages caused by one of their products".
Second, remember the Mars Climate Orbiter? NASA lost that one thanks to a confusion between metric and imperial units. "Mission control computers had incorrectly gauged the velocity of the craft throughout the entire four-month trip from Earth to Mars." Oops.
By the way, as a pilot, I have to tell you that I certainly would not count on an autopilot being bug-free either. (Probably one reason my flight instructor made me learn five different ways to disable it should it start misbehaving.)
"Biped! Good cranial development. Evidently considerable human ancestry."
At least legally, nobody. And it should stay that way. The market will force proprietary software companies to fix their bugs faster or else the market will choose Open Source software instead. I'm hoping for the latter.
Now let's see... when was the last time the Linux or BSD *kernel* was exploited by self-replicating malicious code? Oh yeah, NEVER. And when was the last significant incident of self-replicating malicious code on any Unix system? That's right, The Morris worm of 1988 when Reagan was still in the White House. The Ramen worm was a minor annoyance in comparison. Personally, I'd worry more about the ISC who writes BIND than the Linux or BSD kernels.
I haven't found anything in the DMCA that would enforce a click-through EULA. The SSSCA hasn't been passed. And, like I said, UCITA has only been adopted by 2 states. It's possible that more will adopt it, but it hasn't happened yet, and there has been some significant resistance to it since it violates some basic tenets of contract law.
It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
Your problem is with the deep pockets law. First I want to show you how to abuse the law. The taxi business has a high liability risk. A cab company might decide to make all of its drivers "independent contractors." The independent contractors would be responsible for their insurance. The independent contractors would be underinsured, etc..
In this scenerio, the taxi cab companies were trying to avoid risk by pushing the risk onto a smaller business that would simply go bankrupt when an accident occurred.
You can imagine a company giving away the troublesome parts of the program for free (to avoid the liability exposure) while selling the stable pieces for a premium. Should MS have to pay for a bug in a free patch, or a free utility they distribute with XP?
In the taxi case, the courts would found the taxi cab company partially liable for the accident. Since they have deep pockets, they ended up paying the full claim.
This deep pocket legislation is quite popular since it prevents companies with deep pockets from spinning off risk into small entities.
Deep pocket litigation has some really bad side effects. Really, in every accident that occurs, you can say the county or city that built the road was partly to blame. This means that counties and cities become the deep pocket in thousands of lawsuits.
In the software world, we would start seeing the same gamesmanship going around if we started flinging billion dollar suits left and right. We would see big companies spawning little companies whose primary purpose is to control risk exposure. Meanwhile, fearing deep pocket litigation, the big companies would stop funding smaller research projects or stop giving code to GPL efforts in fear of become a deep pocket in a suit they really cannot control.
The litigation would not be pretty. The only certainty is that the lawyers would make out like bandits.
Legislation doesn't need to be passed anyhow, the courts have set precendents. In California and Washington state, click-wrap licenses are enforcable (see III.6, III.7).
Thread.destroy();
The biggest trick the devil pulled was letting lawyers become politicians so they can write the laws.
Should companies' be liable for security holes? I really don't think so. Everytime you install software you get the EULA that says how 'by using this software, you agree not to blame us if the program formats your hard drive' thing. We all know the risks we take by using a computer to make our jobs easier. As an amateur programmer, I sure wouldn't (and couldn't financially) be able to be liable for some obscure security failure, whether I charged for the software or not. However, I do think that companies should be swift to follow up on security problems that are currently known, and deliver fixes in a convienient and easy manner. Perhaps there should be a universal security upgrade protocol, by which a company can upgrade installed software. That way, any software distributed with support for that protocol would carry a 'Seal of Approval'. Consumers would learn quickly to not buy software without this certification.
Obviously, that upgrade protocol itself would hav to be securely implemented, and I don't know how you'd regulate something like that. But at least programmers wouldn't have to always wonder if they might be liable if their software did some Bad Thing. If programmers (or program companies) were held strictly liable for security issues (including possibly class-action suits for damages), you'd see a lot less diversity in software, since only a few companies would be able to take that risk. Is that something we want?
What could possibly hurt the security of the American people more than giving our own government the ability to hide its
I don't have a problem with clickthrough agreements such as Hotmail's. It is licenses of the type at issue in III.7 that I'm taking issue with. One of the reasons for the decision is given as "(3) the purchaser had the opportunity to reject the license by returning the software for a refund." This obviously does not always hold true, and in fact usually doesn't, as Windows Refund Day showed us. Microsoft claims that you must get your refund from the OEM. The OEM claims that they can't give refunds because Microsoft won't give them a refund. So in effect, the customer IS NOT able to return the software for a refund.
It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
Because the passengers and crew were disarmed, and instructed to "just go along" with the hyjackers by central planners who all assumed that all hyjackers want something in return for NOT killing the passengers (look at the FAA regulations), the hyjackers were successful even when outnumbered 5 to 1 at worst.
The continued projection of so-called "American" military force was the repeatedly stated reason for the first attack on the WTC, which failed, and the second attack, which succeeded.
The resultant call for yet more control of peoples lives, and restrictions on their liberty, are merely a sad reminder that those who seek control of others will always seek control, at every opportunity. Especially if they caused it. Reichstaag Fire? Kristalnacht? Those are words every American should know and understand.
Bob-
The Ludwig von Mises Institute. The reasoning individuals economics
Is MS responsible for all the problems in the 2.4.x kernel too? How about Ciscos SNMP problems. How about the slew of buffer overflow problems recently found in PHP that can crash Apache? Imagine if all THOSE people who have no money to begin with were liable for a $2 billion dollar lawsuit! MS would survive, no one else would.
Contrary to popular belief, coding is not all free blow-jobs and beer. Those things cost MONEY!
If the government decided that the group responsible for the product (who is responsible is, of course, another issue entirely) must pay damages caused by security flaws, these licenses aren't worth the bandwidth they're downloaded on. I think that was one of the implications of the arcicle.
In order to understand the true implications of your statement in relation to liability in the United States, we need to look at just what is behind the strict liability doctrine behind product liability law. No, I'm not a lawyer, I've just been studying this stuff recently. (Take with appropriate amounts of salt. Not applicable to law outside the USA.)
The reason that manufacturers of goods are held to strict liability with their products is that they are receiving money for their product. In turn for receiving money, the seller assumes certain warrants about the product: freedom from harm of the buyer that uses the product reasonably, that the product is made to a reasonable standard, and that the product will indeed work for the purpose for which it is sold.
What makes things tough for software is that almost all of the warrants are disclaimed in EULAs, a practice that consumer advocates find untenable. Because ALL software vendors do it, there may well be anti-trust action in the future to do away with the disclaimer of warranty...assuming Congress doesn't get there first by making the implied warranties I've described enforcable by statute regardless of contract.
What separates "software products" covered by the GPL from ones covered by a commercial transaction is that there is no monetary consideration for the product.
Let's also not forget that "commercial transaction" can include shareware, because there IS an exchange of monetary consideration for the product, but not at the time the person gets the product to try out. The sale happens when the person sends in his $5 or $15 or whatever.
Now, where does Red Hat, Debian, and other "sellers" of Linux come in? They don't sell the software, they sell the packaging of otherwise freely available software, GNU/Linux and a collection of GNU utilities, along with other utilities, and all of what they provide are freely available elsewhere. (This may not be true of Red Hat specific software, although the availability of the ISO images without payment to Red Hat would strongly argue against that view.)
My thesis is that any change in product liability law would indeed apply only to commercial software, because product liability law today requires the commercial transaction as defined by the Universal Commercial Code (UCC).
(See a licensed attorney to learn how the law applies to your specific situation.)
http://www.accc.gov.au/consumer/consumer.htm