Slashdot Mirror


Who Is Liable For Software With Security Holes?

securitas writes "Interesting article over at eWEEK that asks who is and should be legally responsible for insecure software. Some say it's the manufacturer. Currently software is exempt from product liability as we've come to know it in the physical world. Others say the software licenses should make users responsible if they don't install patches and updates. Infosecurity czar Richard Clarke said in his speech at RSA that Nimda cost US companies an estimated $2 billion. Imagine if Microsoft was legally liable and a $2 billion suit was filed. Now extend that to the other jurisdictions outside the US. What does this mean to open source software, which is being used to a greater extent in corporate environments? Food for thought."


  1. nobody is legally at fault by I+Want+GNU! · · Score: 4, Insightful

    Yes, it is the software manufacturer's fault if they make buggy software and don't ever put a hold on new features to fix bugs. The customer is responsible for installing bugfixes, when released.

    Still, they aren't legally responsible for the bugs. If you read most licenses, they say "this software is provided as is." Everybody makes mistakes and even though software creators should make more effort to stamp out bugs, no code of a certain level's complexity is perfect.

    The important thing here that needs to happen is that businesses and consumers say "features are nice, but fix the bugs first." At the moment though, they say "features first! bugs aren't displayed on the box." They speak with their wallets by buying buggy software. I don't mean to be one of those typical anti-MS people (even though I dislike their software), but the fact is, they produced extremely buggy software and most people still bought it. That says something.

  2. Depends who you talk to. by pjbass · · Score: 3, Insightful

    Funny that Nimda was mentioned; I seem to remember that @Home.net and AT&T were pulling the plugs on their customers because they were saturating the bandwidth due to Nimda. This seems to be directed towards the users' negligence/lack of knowledge about what they're doing, and so one can argue "why blame them? They did exactly what MS said they could do: plug and play."

    Now I also remember when the commercial version of SSH released v3.0, there was a HUGE security hole (passwords of length 2 or less would always work...), and SSH developers took the heat; rightfully so. They 'fessed up, and they fixed it. As far as I know, there were no incidents because of it, because the problem was fixed before it was widely used. But if it did create an issue (like Nimda, Code Red 1/2, etc.) before a fix was made (proactive vs. reactive), they should be held liable, not the users. If a fix exists, and a user says "oh, I don't have *that* problem," well, I think we all know who should get the blame. Just my $0.02 worth though...

    1. Re:Depends who you talk to. by 0xA · · Score: 5, Interesting
      "why blame them? They did exactly what MS said they could do: plug and play."

      Does it seem to anyone else that the whole software industry is starting to look like a house of cards?

      All these products are being marketed as easy to use, easy to take care of, easy to everything. It's not. It's hard, very hard sometimes. I run into the strangest interdependencies, completely unexpected behavior, just plain weird shit all the time.

      It's dumb stuff mostly. How many of you knew that Photoshop 6.0 will randomly cut off network access on a Windows box? (6.0.1 fixes it) When presented with this problem, Photoshop was not my first thought, I'm looking at the switch, changing cables etc. Took me an hour to realize that this only happened when Photoshop was running. Would the user have been able to figure this out herself? Not very quickly.

      People are starting to clue into this, I've had two people ask me if they should buy Windows XP. Both of them asked if it would mess up any of their programs first, before they asked if XP had any new features they would find useful. It seems to me that the marketing messages are failing, the upgrade treadmill is starting to look more and more like a sham. Seriously, what is the compelling value that will make me upgrade my company from Office 2k to XP? Somebody tell me cause I have no idea at all. I don't want to whoosh around the desert on my desk, I want to not restore Outlook .pst files 3 times a week.

      I think soon the software industry is going to have to really consider making a more stable product, the flashy whizz-bang product doesn't have the draw it used to. Security is really only a part of this but given the Summer of the Worms (tm) we just went through it is the most visible part right now. People are terrified of their email, those little home firewalls are flying off the shelves, we're almost to the point of widespread clue. I just hope we make it.

  3. Gupta reads Slashdot by mESSDan · · Score: 4, Funny
    Classic quote at the very end of the article:
    "I hate to even speculate on this stuff," Gupta said. "I'm not a lawyer."
    (IANAL). Funny. Hell, we could have gotten an expert opinion worthy of that article just by one of our regular Slashdot users.
    --
    Dan
  4. Re:Just like a car.. by I+Want+GNU! · · Score: 5, Insightful

    That's a little different. Software bugs cost money to fix. Car bugs kill people. The tobacco industry gets sued because they kill their own customers, but I don't think software companies do the same. Plus, if the software manufacturer is liable, and writes nearly perfect code, and then five years later somebody discovers a single bug and writes an exploit, who is liable? I say nobody is, the licenses always say that the software provider is not responsible.

  5. Re:Wrong issue by I+Want+GNU! · · Score: 3, Interesting

    I think the law should be modified so that people who discover holes in software and notify the company without doing damage should not be punished. On the other hand, people who deface websites do real damage. One of the problems though is that the companies say "if it ain't broke, don't fix it" and then extend it to "if it isn't hacked, don't secure it." I think it is a major problem that often companies are informed of holes in software but they don't fix it until the hole is out in public, and then say "oh! I didn't know about that!"

    This is one good reason for open source software. If there is a bug, people will fix it. There isn't a financial incentive to ignore the bug until it causes real problems.

  6. Prosecute people for being in the wrong place? by Bob_Robertson · · Score: 5, Insightful

    Liability is an individual thing. Liability is based on making statements that are not true, or the deliberate cause of harm.

    The supposed $2B in "damages" are a liability on those who wrote and launched the worms, directly.

    By connecting to the net, just like stepping outside your door, you are assuming risk.

    That said, Microsoft should be liable if they represent their product as "safe" and it isn't. I believe their representation of XP as the "Most Secure Windows Ever" does open the company to prosecution for misleading advertising, but who has the resources to prosecute it?

    There is a great deal of difficulty with trying to assign liability to those who are in the wrong place at the wrong time. Someone who gets wet because they weren't wearing a long coat when a truck splashed them doesn't expect to sue the truck driver, do they?

    The systems owners who were "damaged" by the worms are indeed guilty of not securing their systems. Who will prosecute them? And for what?

    Liability is based on two things: Intent and negligence. False advertising and misrepresentation are the former, the success of virii is the latter.

    Personally, I think a few false-advertising claims against Microsoft would be great, and from a theoretical standpoint they certainly are misrepresenting their products when they call them "secure" or "safe". Who's got a million or two for the legal fees when we lose?

    Bob-

    --
    The Ludwig von Mises Institute. The reasoning individuals economics
  7. Defective software by Anonymous Coward · · Score: 5, Informative

    As a matter of law, in Australia, goods including software have to be "reasonably fit for the purpose" they have been purchased for, of "merchantable quality", and must fit the "description" they are sold under. If a good fails to comply with any or all of the above conditions, the disgruntled purchaser can sue for damages or a suitable replacement. In Queensland the relevant legislation is the 1896 Sales of Goods Act, of which all Australian and New Zealand jurisdictions have analogues.

    Many Commonwealth jurisdictions have similar regulatory regimes.

    It is arguable that software which doesn't work very well fails all of the above requirements. A former law school acquaintance of mine has even sued a car distributor, for a fleet of Lada Samaras, claiming that they didn't fit the description of a "motor vehicle" (ie a moving machine !) because they spent all their time in the shop !

    What needs to be remembered is that all software producers can be liable under such a regime, Linux or Winduhs.

  8. here's my view by nzhavok · · Score: 4, Insightful

    I'm a professional software developer. I work for a very large computer company (not ms). We all try pretty hard to get rid of bugs in programs, hell as programmers we do care that our code is as bug free as possible, it's a pride thing - as well as being good for business.
    Unfortunately there's no way to produce software which is bug free, just not possible today. Well perhaps with the exception of hello world :) However it is possible to lower the amount of problems if you are willing to invest a lot more money into testing, which in turn ends up costing the users a lot more money (yes I'm sure there will be replies saying open source can solve this problem; more eyes find bugs quicker etc etc etc but a lot of people are still not going to consider open source solutions).

    I don't think software producers should be responsible unless it's shown they are grossly negligent and even then they are not necessarily responsible. Otherwise amer^H^H^H^H people are probably just going to start suing people stupid leading to massive rises in software prices. OTOH when I use windows it pisses me off when it crashes. I upgraded from 95 to XP a few months ago. MS says XP is rock stable, hardly ever crashes, bullshit. The lies in advertising piss me off more than the crashes themselves - false advertising that is something I'd like to see them punished for.

    --

    He who defends everything, defends nothing. -- Frederick the Great
    1. Re:here's my view by Ayende+Rahien · · Score: 3, Insightful

      > WRONG! The Code that acts as the autopilot for aircraft is bug-free.. it has to.. The Code that controls the flight path of a nuclear weapon is bug-fre... it has to. The Software that launches the space shuttle is bug-free.... it has to.. ANY software that runs the life support equipment in any hospital is bug free... it has to...

      Actually, you are wrong in your examples, and may be correct in your assessment.
      Let's take the space shuttle example, shall we? Bug-freedom is achieved by:
      A> Highly rigid quality assurance. Unfeasible for any non-life-critical situation, due to extremely high cost.
      B> Two independent, different, systems, that check each other constantly. Those systems have both different software and hardware (and possibly a different design philosophy), so a bug in the same place is highly unlikely.

      Face it, bug-free software is possible, but once you get beyond notepad level, you are going to have to face the problem that the money needed to fix all the problems is greater (often *much* greater) than you will get, not to mention the *time* it takes to get such checks made.

      --
      Two witches watched two watches.
      Which witch watched which watch?
  9. The choices are obvious... by Fizzlewhiff · · Score: 5, Funny

    who is and should be legally responsible for insecure software?

    A. The Author/Publisher
    B. The User
    C. CowboyNeil

    --

    'Same speed C but faster'
  10. A note about software licenses... by Gerad · · Score: 5, Interesting

    If party A licenses software from Microsoft, and agrees not to hold Microsoft liable for any bugs in their code, then MS may be safe from suit from party A. However, if party A's servers start attacking party B's servers, and party B never had a contract with Microsoft, there's nothing legally stopping them from trying to sue Microsoft. That, I think, is why issues like this are important.

    --
    Be the Ultimate Ninja! Play Billy Vs. SNAKEMAN today!
    1. Re:A note about software licenses... by gargle · · Score: 3, Interesting

      If I sell doors and a burglar breaks down the door and robs someone's home, who is legally liable? The door manufacturer? Or the criminal?

  11. Re:Two sides to every coin by I+Want+GNU! · · Score: 5, Insightful
    If the government decided that the group responsible for the product (who is responsible is, of course, another issue entirely) must pay damages caused by security flaws, these licenses aren't worth the bandwidth they're downloaded on. I think that was one of the implications of the article.
    I don't think we have to worry about the government passing legislation like this, there are enough Microsoft, Sun, Adobe, etc lobbyists and campaign donations to prevent this from happening. Money buys government, and something like this would cripple the software industry, which politicians are scared of doing. Microsoft gave $4.3 million and bought lotsa politicians, just imagine what all these companies together would do if the possibility of getting sued thousands of times came up.
  12. free vs. commercial by coyote-san · · Score: 5, Insightful

    Most people seem to be missing two important distinctions here. You pay for commercial software, but not for free software.

    This totally changes the nature of the beast. As a specific, non-tech example, I can give a friend a ride. I can even graciously accept gas money, or a free lunch for my troubles. I could even be a good Samaritan and offer a lift to total strangers.

    But the instant I actively charge people for this, even if it's a token amount, I become a "for hire" limousine service and am required to obey a large number of laws. Some are "on point," others seem to exist solely to eliminate competition.

    There are other, more subtle differences. I can refuse to give a friend a lift without explanation. Once I become "for hire" I can't (legally) refuse to accept a passenger without a good reason. E.g., someone showing a weapon can be refused, but someone who stinks because they haven't bathed in weeks can't be refused.

    An even more extreme example is the difference between my friend asking me if I've ever experienced certain medical symptoms and a stranger paying me for advice. The former is a casual conversation between friends (or not so casual, if it involves a possible STD :-), the latter is practicing medicine without a license.

    In the software realm, I would expect to see a similar difference in the treatment of amateur efforts (where people develop software for the love of the craft) and commercial efforts. If someone is grossly negligent, it won't matter whether they're compensated or not. But for routine oversights, I would expect to see far more severe penalties for commercial vendors than OSS providers.

    The second difference is that when you get software from Microsoft, you can't change it. Any errors *have* to be due to Microsoft's (in)action. In contrast, free software is released in source form and patches are routinely assigned. It's not morally acceptable to hold people accountable for the (mis)actions of others, so it's much harder to justify penalties against parties that provide source code.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
    1. Re:free vs. commercial by zangdesign · · Score: 3, Insightful

      And how do you handle the user who cannot make those modifications to Open Source code. Bringing out the example of my dear old mother, who wouldn't know gcc if it showed up at the door with a sign saying "gcc", would she have a valid lawsuit if a software bug allowed hackers to run rampant through her storage management software? By placing the onus on the end-user, you transfer responsibility to people who are not capable of maintaining their own software and who cannot afford to hire out for repair.

      Now, one has to consider - does mere notification to the developer constitute due diligence? What happens if the developer doesn't acknowledge that there is a problem (Microsoft)? What happens if a product has such a complex management that fixes are routinely overlooked (Linux)? What happens if a project is abandoned (half of Sourceforge)? What happens if the sole developer dies (no example given)?

      What may be necessary is a form of limited tort liability, similar to what law enforcement in my home state has. There is a limit on the damages that can be collected from any lawsuit against law enforcement, regardless of actual damage caused.

      Which of course leads to the situation where someone sustains a billion dollars of economic hardship, but is limited to only a million in lawsuit damages. It isn't justice, and the money won't come near recovery for the damages, so ... what?

      This is one ugly situation.

      --
      To celebrate the occasion of my 1000th post, I will post no more forever on Slashdot. Goodbye.
  13. Re:Just like a car.. by blonde+rser · · Score: 3, Insightful

    If I build a tree house on my property that is unsafe and someone trespasses and uses this tree house (which I haven't even said he could use) and gets hurt then I am potentially liable both criminally and civilly. It's called an attractive nuisance.

    I didn't charge anybody anything... I didn't even give permission for it to happen. So if this is a crime surely if I knowingly give somebody a car that is faulty (even if I don't charge him) shouldn't I also be guilty?

    Just because I don't profit off of a transaction doesn't give me a right to put somebody at risk, financially or physically, unless perhaps I am completely forthright and even then often not; and simply saying "Well, at your own risk," is not completely forthright, not even close.

    The problem with your argument is you offer two different arguments and claim that one applies to paid software and the other to free. Yet your arguments have no dependency on this variable so it is unclear why the arguments vary so. What it appears you are saying is if you are giving away software then you are a nice person. And nice people shouldn't be held to the same laws as mean people. Well a system based on niceness is in a different ball park than a justice system.

    The other way your argument makes sense is if the seller is only liable up to the price he charged and is not liable for damages. Otherwise you're buying the right not to be put in a dangerous situation without your knowledge... which you can't buy.

  14. Blame the victim? by Black+Parrot · · Score: 3, Interesting
    > The question should not be who is responsible for insecure code but rather what can be done to discourage people from vandalism and how to track down and punish those who choose to break the law.

    I agree, in principle. A similar concept applies to copy protection; we should concentrate on punishing theft rather than on limiting the fair-use capabilities of our electronics.

    But in this case, I've been wondering whether society's best interest lies in a different strategy, more pragmatic if less idealistic.

    I'm normally adamantly against blaming the victim for crimes, but consider this. What if we legalized hacking? Within a few weeks, incompetent sysadmins/secadmins would be out on the street. Within a few months, software that was not patched promptly would be replaced by software that was. Within a few years, software that was not essentially secure would be off the market.

    Punishing the criminal is certainly just, but it doesn't do a heck of a lot of good to spank someone after the damage has been done. Society is going to be more dependent on computers in the future, and more at risk to insecure software. We need to take radical action to fix the problem before it grows from inconvenient to devastating.

    Admittedly this would cause a great deal of short-term disruption, but at least the problem would get fixed.

    It's possible to build secure software; developers and vendors just have to care enough.

    --
    Sheesh, evil *and* a jerk. -- Jade
  15. The software industry is a great business by MillionthMonkey · · Score: 4, Insightful

    Selling software is great. Compared to someone selling a real physical product like spark plugs, you legally retain much more extensive control over how your product can be used even after you've sold it. This is because of the enhanced rights you get as a holder of intellectual property as opposed to real property. But even though you can dictate to people the conditions under which they can use your software, if anything goes wrong, the product liability risk you expose yourself to as a seller of software is zero!

    Why does anyone even try to sell anything else?

    1. Re:The software industry is a great business by MillionthMonkey · · Score: 3, Informative

      > Yeah, selling software is great... from the perspective of someone who knows nothing about the business. First you have to employ programmers, who are known to be independent-minded and "difficult."

      Difficult programmers? (That's a problem?) Please. I am a programmer, so I take offense at both your generalizations. :)
      You haven't refuted my point that selling software is better than selling airplanes. If an airplane comes apart in flight, and the flaw was even theoretically foreseeable, you expose yourself to incredible liability. I wouldn't want to be in the airplane business, or any "real" industry. It looks like a good way to get an ulcer. People in the software world like to fancy themselves as being in a real manufacturing business as opposed to a service-based one, until the topic of legal liability comes up. Then we suddenly view our position much more clearly.

      > Now... should software companies be liable for damages from bugs? I think it depends on the intended use of the product and the seriousness of the bug. Medical, military, and government software should at least be well-tested and well-written. But a bug that wipes out a user's save files for Bobo the Monkey III should not even be legally actionable.

      Well that's reasonable, but those are two extremes. Nuclear, aerospace, medical, and military software is generally integrated into and viewed as a part of a larger physical system. If a microcontroller in an airplane has a software problem and feeds wrong information to an actuator on the plane causing a crash, you expose yourself to liability as a seller of a faulty airplane, not a faulty software program. Software that isn't sold as part of a larger machine with real physical parts doesn't have this problem. The shrinkwrap around a software box (and the EULA wrapper around the disk) is like an armor against lawsuits.

      Microsoft products have various back doors like the buffer overflow that Code Red exploited, but they also have front doors and that's just incredible and inexcusable! Outlook has an intentional feature where it automatically executes VBA code contained in an attachment when you open it. This allows worms to flood the Internet on a regular basis, without even having to do hackish back-door stuff like overflowing a buffer. But it's not really a bug, it's a feature that wasn't well thought out. Someone wasn't using their head. All of Office suffers from feature creep and they don't think things through as they shovel thousands of questionable features into their software. (Maybe I lead a sheltered life, but I have yet to hear of anyone sending a legitimate VBA script via an Outlook attachment. Have you?) Incredibly, for all the monetary damage those worms have caused, Microsoft has suffered only a little humiliation. It has exposed itself to no product liability at all. If Microsoft sold airplanes, or medical equipment, or solid rocket boosters, they'd be out of business by now. Their workmanship is just too mediocre for anything except software.

  16. Rod Serling Would Say... by guttentag · · Score: 5, Funny

    It's shameful, the way we try to pin the crimes of computers on people. A man buys a computer, the computer hacks into the Federal Reserve and he goes to jail. Another man writes an operating system, a computer using that operating system smurfs AT&T but he goes to jail. The computers remain free to strike again... when will society hold computers accountable for their actions? When will we stop persecuting man for the crimes of his possessions? Perhaps some day... in the Twilight Zone. (insert cheesy dramatic music followed by annoying roll-credits music)

  17. come on, it's not that hard by markj02 · · Score: 3, Insightful
    When an organization makes a promise about their software, I think they should be held legally responsible for it, whether it's Apache or Microsoft. The real problem is that companies like Microsoft create the impression in their marketing efforts that their software is secure, but disclaim it all in their licensing contracts. This is primarily an issue of fair competition in the consumer marketplace. For consumer products, commercial software vendors should be held to their marketing promises, with a liability of at least the purchase price of the software if they don't live up to it.

    In addition, there should perhaps be restrictions on what can be sold: for the sale to be legal, consumer software should perhaps have to conform to some basic safety standards, analogous to UL standards for electrical devices. (Since this is a restriction on sales, it would obviously not apply to free software.)

    Large commercial customers are presumed to be competent, and they should be responsible for this themselves; they don't need regulations or legislation to protect them. For example, if a company exposes 10000 people to identity theft through an insecure computer system, the company should be legally liable for that. The company will then insure against that risk (possibly directly through the software vendor). The insurer will assess the risk and compute the cost of the insurance. The company then can take the cost of the insurance into account when selecting software. I.e., it comes down to the question of: is Apache plus insurance more or less expensive than IIS plus insurance?

  18. Re:Just like a car.. by Zocalo · · Score: 3, Insightful
    OK, to extend the analogy...

    My car's design has a flaw and the manufacturer issues a public recall for a free repair, I have this mentioned when I next go for a service, but choose not to have the work done because it's too inconvenient. The part fails and I am involved in an incident that causes harm to a third party - I think I should have my ass sued clean off, don't you?

    My software has a bug, the vendor issues a freely downloadable patch, and even emails me about it, which I choose to ignore and don't install it. My server is compromised and used to DoS a third party - I think I should have my ass sued clean off, don't you?

    In the incidence of software this is clearly related to the debate about disclosure of vulnerabilities. You have to acknowledge that software is going to have flaws, that it takes a period of time from discovery of a flaw to produce, test and release the fix, and that during this time liability is the grey area this topic is discussing, but once the fix is out and announced, responsibility *has* to be transferred onto the people using the software rather than those that produced it.

    I don't think you can blame a vendor for having a bug in their code, because it's not a perfect world and it happens (albeit more with some vendors than with others) and doing so sets a precedent that would affect other industries as well. You can however apportion a great deal of blame after the flaw becomes public knowledge, and reapportion that blame once the fix is available or if the fix is sufficiently tardy in arrival to cause problems. Which explains a great deal about some people's attitudes towards the issue of full disclosure, doesn't it?

    --
    UNIX? They're not even circumcised! Savages!
  19. These are not security products. by Nindalf · · Score: 5, Insightful

    I mean, if you buy bulletproof glass for your car, and somebody shoots you through it, you might have a case: one of its purposes is to stop bullets. But if you buy an ordinary car, and somebody shoots you through the window, you hardly have grounds to sue them for poor product quality.

    Being able to stand up against novel forms of human attack is not basic product quality. Worms, trojans, and viruses are not mere environmental hazards, they are the results of intensive effort to find and exploit any system weaknesses.

    Disappointed customers and annoyed partners are punishment enough. Market forces will correct the problem; people will eventually learn not to buy stuff that doesn't work. They will also learn to do their part, since security doesn't come in a shrink-wrapped box.

    In a way, these petty vandals are doing us all a favor by forcing us to harden our systems. If nobody exploited the security holes, you couldn't convince people to spend extra money or effort on security. Then, when somebody made a truly serious attack, as an act of war, we would be utterly defenseless. I believe humans evolved an instinct for mischief for just this reason, and so we shouldn't be too hard on the script kiddies.

  20. Re:Changes in the education system by mpe · · Score: 3, Interesting

    What I want to know is when the country will make contractual law a part of the high school curriculum? Every dumb shit in America believes every stupid document put in front of them is law.

    Unless they have actual knowledge of the laws in question.

    This is similar to those signs that say not responsible for blah blah blah. Bullshit. If they are responsible, then they are responsible. Period.

    The more subtle one you tend to find in software licensing is "we disclaim anything the law will allow us to disclaim". Using the usually correct assumption that most people won't actually know what can and can't be disclaimed in this way...

  21. Careful what you wish for... by Otter · · Score: 3, Interesting
    This strikes me as a textbook case of "Watch out what you wish for because you might get it."

    The prevailing of commercial software is set by the market, and reflects the balance of features, updates, price and quality that users want. That's why your word processor crashes sometimes and your defibrillator doesn't. Attempting to set a new and better balance by turning hordes of plaintiffs' lawyers loose on the software industry is going to improve the situation of users about as well as turning lawyers loose on the tobacco industry has helped smokers.

    Oh, and if you think that open source software is going to be unaffected by this, either because it has no bugs or because it's so cuddly it will be exempted from liability -- good luck. Bye-bye, Red Hat!

  22. Depends on the situation by Jason+Levine · · Score: 3, Insightful

    Considering the nature of software, bugs are a fact of life. No code is going to be 100% bug free unless it's a simple "Hello World" program. It's how the vendor treats the bugs that counts.

    If the vendor is informed and fixes the bug in a reasonable amount of time then they shouldn't be liable. (Reasonable being a flexible span of time. If a bug is particularly vexing but they keep their users informed of the progress, then they should get extra time. But if they just say "yeah, yeah, we'll work on it" and then nothing happens for a month, they don't get extra time.) Of course, if the vendor is informed about the bug and does nothing about it, they should be made liable.

    Finally, if they release a patch but the user doesn't install it and has their security compromised (e.g. what happened with CodeRed), the user is the one at fault. In this case, it would be like an automobile manufacturer issuing a recall, a consumer ignoring the recall, and then getting into an accident because of the very defect that prompted the recall. Software companies shouldn't be liable for the stupidity/ignorance of their users.

    --
    My sci-fi novel, Ghost Thief, is now available from Amazon.com.

  23. Comment removed by account_deleted · · Score: 3, Insightful

    Comment removed based on user account deletion

  24. Truth in Advertising by martyb · · Score: 3, Informative

    Automatically applying patches is NOT a solution! There are countless stories where the applying of patches caused formerly working software to crash. (*)

    One major advantage of OSS vs Commercial software is the availability of the source code. Another major benefit, but less well recognized, is the visibility of REPORTED DEFECTS. Prior to obtaining an OSS application, say on sourceforge, I can peruse the bug list and get a complete list of reported bugs. What are the chances I can see the complete list of reported defects in, say, Microsoft Office?

    Okay, why not just have a law passed that requires commercial software developers to make all reported bugs publicly visible? Ain't gonna happen; political contributions and lobbying efforts would squash that in a heartbeat.

    BUT, there's another approach. Don't use LEGAL requirements -- make it a MARKET requirement.

    In other words, consider these two scenarios when making a recommendation for two different software packages:

    • This commercial package has these features and an undisclosed list of reported bugs. When bugs are discovered, we have to wait for the vendor to create a fix.
    • This OSS package has these features, too, but here's a complete list of all reported bugs. Further, whenever any new bugs are discovered, I can find out about it immediately, and we can fix the code ourselves.

    In short, software will always have bugs -- just as OSS makes the code available, we can use market forces to trumpet the same visibility of the known (and future) bugs.

    (*) Footnote: Feature vs Bug... many years ago I worked for 2+ years in testing a COBOL compiler that was being upgraded to support the latest standard. The version that was already out in the field was rife with bugs. Several customers were worried that we were going to fix some bugs they depended on! Though non-standard code, they had developed workarounds and used them extensively -- fixing the bugs in the compiler would break their programs!

  25. No question about it... by phillymjs · · Score: 3, Insightful

    It should not be possible for Microsoft (or any company, but Microsoft is the best example) to boast about how robust and secure their products are in their marketing, and then make the purchaser agree to a EULA that removes their liability, if their claims turn out to be untrue.

    This is especially true of their enterprise products, like, say, Outlook/Exchange. It should not be a full-time job patching and reconfiguring the damn stuff to keep the misfit script kiddies with Outlook Worm Kits from bringing down an entire organization's e-mail system. Microsoft should damn well have been able to be held liable for something like ILOVEYOU, that knocked some very large companies' mailservers off the Net for days.

    Imagine if, after all the car commercials boasting airbags, crumple zones, etc, those safety features turned out not to work -- and then, while paging through it from your hospital bed, you found a EULA in the back of the Owner's Manual disclaiming Ford/GM/whoever from liability, if they didn't?

    The biggest bullshit, though, is the notion that people will eventually get pissed off about software not living up to the hype and take their business elsewhere. If that theory held water, Microsoft would already be a memory amongst sysadmins these days. Companies are practically locked into using Microsoft products. And what people use at work, they will buy and use at home because by and large, they are sheep who fear change. Which is exactly the kind of environment in which companies like Microsoft can shovel sub-par shit out the door, not be liable for its flaws, and still thrive.

    ~Philly

  26. Perfection and moderation by Jerf · · Score: 4, Insightful

    You know, I have zero problem with saying people should be responsible for software they write, at least in the abstract. The idea that they should not is kind of silly, if you think about it honestly.

    But at this point in time, it would be disastrous to start allowing liability. Why? Because liability is determined by the court system, and with no offense intended, the court system is incompetent at this time to make those sorts of decisions.

    I have no faith in the ability of the court system to distinguish between an obscure flaw that allows a man-in-the-middle attack on a so-called "secure" connection, and a glaringly obvious security problem like "By default, everyone in the world has full access to your desktop." (reference: Symantec's PCAnywhere for a *very* long time.) In fact, I don't trust me to make those decisions.

    At this point in time, and at our current technology level, as we've all heard and said many times, one wrong character in the wrong location, out of billions, can cause a difficult-to-detect error that, when exploited, can give an attacker root access. It's difficult to come up with any sort of definition of proportional responsibility.

    If a bridge collapses because all of the tons upon tons of concrete used was an inferior grade, that's one thing. But if the bridge collapses because one screw was made of aluminum instead of steel, is that worth suing over? My real point can be seen in how this metaphor is not applicable: a bridge would never collapse over something so trivial unless it had other fundamental problems! Software is fundamentally more fragile. (So far, all attempts to negate this have essentially failed, and I'm not willing to count on some miraculous development in the future. Though I suppose if such a thing occurred, and it was legally mandated to use formal methods, that would make people like me who could understand them suddenly no longer competing with hacks who think they're leet 'cause they can sorta use Perl... >:-) )

    Even a professional like me might be hard pressed, after the fact, to determine which sort of problem is before the court, to determine liability. Do you want to leave it in the hands of lawyers?