Cure For Bad Software? Legal Liability
satch89450 writes: "SecurityFocus had a column that I missed when it was first published a few days ago, titled 'Responsible Disclosure' Draft Could Have Legal Muscle, but I discovered it when researching an answer to a comment on the CYBERIA mailing list. In this article, Mark Rasch discusses how the Draft would set the rules for reporting security vulnerabilities, and in particular define the boundaries of liability assumed by bug-disclosers. By adopting a "Best Practices" RFC, the IETF could help the reporters of security-related bugs do their job, and put the onus of fixing the bugs on the vendors who make the mistakes, where it belongs. (The RFC draft described in the article, 'Responsible Vulnerability Disclosure Process,' is here at the ISI repository.) This is, of course, in direct opposition to the process that Microsoft's Scott Culp, Manager of the Microsoft Security Response Center, would like to see. As Microsoft is more part of the problem than part of the solution, I believe that the path to a formal process would better serve the entire community - and that community includes Microsoft's customers. I'm taking this seriously because the mainstream press is talking about the issue, and what it's going to take to fix it. Here is an example from BusinessWeek that scares me silly. I'm glad I'm looking to change careers from software development to something safe, like law."
If we have software liabilities then we also open "Open Source" software to liabilities....
It would be crazy to say that "Open Source" has no liability while "Closed Source" does...
-- Note: These Comments are Generated by ME! Not You! ME!
Should such a situation come to pass, the fallout would include:
1) Higher development costs
2) Far fewer small companies in consulting
3) Shrinking job market for new grad coders
4) Larger legal costs on both sides on the fence
On the brighter side, it would also include:
1) Lessening of age discrimination - experience outweighs youth
2) Alteration of programming education to focus on security
3) Higher standard of programming excellence
4) Self-policing. Companies who fail to adhere will run themselves right out of business in short order.
Finally, legal liability for Open Source projects is not a bad idea at all.
If I'm using a tool, component, or class library from a 3rd party, what happens if the vulnerability is in their code? As a contractor would I have to spend $10,000 in legal fees just to prove it's Borland or MS or Sun's fault? Besides, how can you guarantee 100% that anything is safe? With the lawsuit-happy society we have today the smallest mistake could put even a medium-sized company right out of business. And if you think this will help open source, it won't. Would you use "free" software that has no liability while commercial software does? Would you get a "free" operation from a doctor with no liability or pay for one from someone who does?
As it's first etc, this will probably get written off as a troll, but its insight is keen. We've seen it ALL before. Microsoft has more than enough money to fend off any possible lawsuits (believe me, a little security liability case is peanuts compared to a multistate anti-trust case--I don't care that they technically lost that one, it's a testament to their legal fortitude that we haven't actually seen any results from that loss).
However, smaller companies and Open Source companies will be easily trampled by larger companies if this sort of crap were in place. Small companies don't have huge legal budgets. They can't afford to pay a settlement to make someone go away. They can't afford to litigate for a long time. So they'll be deathly afraid to develop anything risky.
Why don't we stop hating Microsoft for a second and realize that if Linux were the dominant platform then we would have scores of security holes being exploited in that system instead of Windows. It has to do with marketshare and the people who write the exploits, not the people who write the software.
visit the hwky website for a lyrical genius infusion.
Any liability law should offer an exemption for software that is distributed along with buildable, commented source code.
The reason is simple. The end-users of open source software are in a position to verify the integrity and correctness of the software. Even if such an end-user is not a programmer, they could, if they were concerned, pay someone else to inspect the code. They have been provided with the ability to protect themselves, because the source code accurately describes the actual operation of the product.
The end-users of proprietary software are in no such position. They are absolutely dependent on the software vendor to verify the integrity and correctness of the software. They are powerless to protect themselves, and without the source code, they are only left with a representation of the operation of the product. This is far less information than the source code, which specifies the actual operation of the software.
Therefore, only proprietary software vendors should be held liable for bugs in their software.
If I give you a car, am I liable for the fact that it has no brakes? What if I sell you a car?
What if I give you a tool? Am I liable that it breaks and breaks whatever you were trying to fix with it, too? What if I sell you one? What if I sell you one and say that it's rated for the work you're trying to do, but it still breaks?
See the differences?
Now for software:
What if I give you a binary? Am I liable that it doesn't work? Am I liable that it has flaws?
What if I sell it to you? Am I liable then?
Now for something completely different: Source Code. What if I give you source code? It's available for your inspection... Can we say that source code documents itself? If you are worried about what the code does, you can read it, compile it, debug it, step-trace it. Source code is NOT a program, it's closer to an algorithm than to a program. Can I be sued for giving you instructions on how to tell your computer to do something?
If source code is just instructions, directions for a computer, then source code starts to look like something different, and precedent must come not from binary software but from things like legal advice.
And you know how that goes... IANAL, so I can say anything, you take my word if you want to. So, if IANAP (not a programmer), can I give you whatever source code I want, and I won't be liable?
And who defines what a programmer is? The ACM?
free the mallocs!
IMNSHO, this would be a really good thing. One of the current problems with software (and a lot of other things) is that costs are shifted away from where they belong in order to make a product cheaper.
It is cheaper to write software that works most of the time, but has a few bugs, than it is to have a proper design, implementation and testing process that prevents buggy software from being shipped too soon. In general the industry has the feeling that it is cheap and easy to release a patch for a bug later, so the cost of not catching it early is small.
This is the exact opposite of hardware engineering, where companies go to extreme measures to try and debug the design before committing to Si, since it is very expensive to do this.
Increasing the cost of bugs to the software developer will decrease the quantity of code and increase the quality of code, something that is sorely needed.
</rant>
The Economics of Website Security
If you make the software company liable, the businesses and citizens should also be liable for damages they cause due to not patching. I don't believe we need legislation to stop this. We need awareness, most of the major worms/viruses were at their worst when a patch was available to fix it.
Surely there's a reasonable expectation of liability when something goes wrong, but to point monetary blame back to the developer when it breaks seems to be anti-progress. This would definitely be the case when open source or small business development is the problem.
If I shell out $$$ for a program, I expect it to work without fail. If it does fail, I expect support and a bugfix, but I'm not going to go as far as say that they owe me money for my loss because I was down for a week waiting for the fix.
This could have a wonderful effect on upgrades. No more mixing fixes and feature adds -- too dangerous (aka Service Packs).
:-)
Can you imagine MicroSoft's position? New license agreements with WinXP require users to upgrade every two years. MS will be held legally liable for the stability of those upgrades. They better damn well get it right.
Remember that U.S. Navy ship that switched to NT and was dead in the harbor? Imagine the Navy sending a bill to Bill.
Learning HOW to think is more important than learning WHAT to think.
Because of this, it can be SOLD. If I sell you a keyboard for $20, you now have the expectation of merchantability. It is expected to work, and both reasonable business sense and many local and federal laws require that if it does not, I either provide something that works, or give you your money back, within a reasonable period of time. (14 days in California)
If we re-institute the concept of merchantability in software, all that would happen is that you could get your money back - thus little to no effect on OSS software.
Red Hat may be impacted, but since they are already selling services rather than products (you can download all their stuff for free) even they would be minimally affected.
So, as an advocate of open source and "free" software, I welcome the issues of product liability and the enforcement of merchantability. It would improve the industry, force it to get better, and would finally provide its customers what they've been promised all along - a better, easier life!
What should happen? A date set for a software "merchantability horizon". All products released before that date would be exempt, any products released/sold after that date would have to fit the definition of merchantability, products sold before that point can continue on their merry way.
Can you imagine how many people would upgrade their Windows if they knew that MS would be liable thereafter if it screwed up?
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Non-Donor []
A check in the Campaign Donor box guarantees the
holder insulation from legislation which may find
the card holder liable for any damages; further, the
card holder may be eligible for assistance from the
Department of Justice in legal matters.
A feeling of having made the same mistake before: Deja Foobar
I believe a good model for liability in the software field is to move to the service and practitioner of the field model.
A customer asks a practitioner of the software field to solve a particular problem. The practitioner then writes and/or reuses and/or adapts existing software to solve the customer's problem. Then the provider is liable for having provided a wrong solution according to current practices of the field.
For example, delivering closed source software with a poor security track record as part of a contract specifying security as critical would rank as an obvious cause of liability, since the provider chose it amongst various solutions; he/she will have to justify that choice before a court.
I believe the regular mechanism to cover potential liability damage in other fields, insurance companies, will play its cleaning-up role by not agreeing to cover software solution providers with poor practices.
It will probably also make the free software code base the center of most of these service providers, since it is easy to customize, most of the code base has well known status, and there are no hairy licensing issues when you use it.
As for shrink wrap software, it should install on the designated system, but after that you probably have no recourse at all if this doesn't work that well.
I attended a lawyer conference on software licenses and liabilities, and there are vague texts and no case law, and most lawyers were quite sure that the standard warranty disclaimer was with high probability invalid (under French law). They talked about services and "open source", and some recognized that using that as scientific knowledge and having practitioners use it to deliver solutions was like architects building bridges vs people creating mathematical models of gravity: the scientist is not responsible if an architect uses his/her model (reviewed and published in good faith) to design a bridge and it falls down; it is obviously the architect's responsibility to choose a model that works, to the level of the accepted practice of the field of course. If the architect has a solid track record, if the phenomenon is beyond current knowledge, then it is up to insurance companies.
Since a piece of software shares a lot with a theorem applying to symbolic information I find this model of liability very pertinent to the software field.
Disclaimer: I am not a Lawyer
Does this mean we can get a class action against uncle George for making crappy Star Wars (TM) strategy games?
I think I'm going to get some money back for Force Commander!
In my opinion, this is just going to be abused like every other law out there. It's just human nature. How long is it before Ed the plumber can't read his e-mail because Outlook crashed and he files a lawsuit?
No matter how good a job programmers do, software will always be buggy. It is impossible to test every single possible combination of inputs that a piece of software will have to handle. There will always be something unforeseen.
How about a thought exercise?
Should Joe get the $1.5 million he asks for because Microsoft released a buggy piece of software, or is it Joe's fault for not downloading the patch?
In my opinion, it was Joe's responsibility to update, and he did not do so. No money for him.
I'm the tasty treat nobody can resist!
IM Me! AOL IM:Tasty Beef Jerky
In theory, this should help the little guy and open source because they could be more responsible for their customer.
But in fact, it will have the opposite effect. It means that software will have to be "certified" before it could be released.
Little developers (guys in their basement) could never afford this. Big guys (Microsoft) could. Again, this favors big, established companies over upstarts.
But more seriously, let's look at the worst issue with having liability for insecure software:
If I have a Firestone tire (as mentioned in one of the links), I expect that it will be safe to put on my car and drive up to the speed rating on the side. But if I used the tire as a swing in my backyard and I fell off and broke my arm, should Firestone be liable? After all, a lot of people use tires for swings, and they didn't do anything to make them safer for this purpose.
Silly? Maybe. But now apply this to something like a computer operating system. What is its intended purpose? Basically its purpose is infinite. It will allow a piece of hardware to begin to have infinite possibilities. So now I have to make sure my software is safe in any possible circumstance that I can't even foresee!
Mind you, I'm not excusing bad software, but I don't see how this proposal will do anything, because a new license will come out that people will simply have to accept, something like:
"I accept that if I use this software it is completely insecure and will allow bad people to do bad things to me and my computer. I completely waive all rights to bring legal action against the makers of this software, even if they knew there is or was a problem."
This is a "good in theory, bad in practice" solution.
You were mistaken. Which is odd, since memory shouldn't be a problem for you
I got suspicious when I saw a banner ad for Microsoft .NET on /. imagine my surprise when I saw ad.doubleclick.net as the source. Cool! /. sold out!
There are so many frivolous lawsuits these days (someone spills hot coffee and sues McDonalds, the threat of suing airlines for 9-11), that we don't need to open another floodgate for crooked attorneys to profit from software flaws. Fix the legal system, and then allow this.
Microsoft has a duty to take responsibility for their software. As does Sun, as does IBM, as do many 'open source' projects.
;)).
I think an idea of, "My system crashed - pay me $10k." won't fly. Microsoft can handle it. Sun and IBM can handle it. Many other commercial vendors can't, and most open source projects most assuredly can't.
What would be nice is legislation to force producers of software to alert users to bugs when they find out that they're there. Perhaps mandatory websites/etc. displaying known bugs (most OSS projects do this already).
This is dangerous ground, the idea that Microsoft could get sued into oblivion for flawed software is nice depending on your degree of zealotry - but you have to remember, open source software isn't exactly bug free. They've got the cash and legal shock troops to weather this sort of thing, we don't.
What is certain is that software vendors should have some sort of liability - again, disclosing known bugs would, I think, be enough. Users could see what's going on, and opt to wait for a patch, ditch an application, or not use an application.
Now if you want to give away software you'll really have to pay for it. Sooner or later a responsibility document was going to happen but the areas where it's going to hit hardest are not in mainstream press but in free software, where programmers won't have enough money to release anything in the first place.
For example, if I buy a car tire from Firestone, but instead use it on some home-built dune buggy that I use to drive over lava fields in Hawaii and the tire blows (flipping me into the lava), should Firestone pay? I wasn't using the tire according to the specs that they call for the tire.
Imposing liability on software will only force software manufacturers to list hardware/software configurations on which they are willing to accept liability. If you use the software outside of that configuration, then you're on your own. My guess is that this would disqualify just about everybody, as they'll only be able to certify a limited amount of equipment (as it will entail actually owning that equipment to test).
I mean, would you accept liability on a product that can be used on a multi-use computer that may have god-knows-what software/hardware config?
So this will lead to something like:
Which then just gives software companies even more reason to offer less support, as they'll then only need to offer support on their specific hardware, or risk the liability of condoning the use of their software on unsafe/untested environments.
Think about it.
I've said it once and I'll say it again. CowboyNeal should be held responsible for these vulnerabilities. *grin* Anyway, here's a very similar slashdot discussion and the related article at eWeek which I don't believe is referenced in this new incarnation.
'Same speed C but faster'
you won't like it.
It will lead to VERY VERY strict licensing terms for software, and software development tool - sort of like Civil Engineering
Let's say I was Microsoft (or ANY other software vendor)
You buy a new motherboard - my answer is, "I do not approve of my software being installed on that hardware" - You will very quickly see things like "Approved Configuration Lists" - X Brand Motherboard, with Y brand Video Card, Z keyboard - ONLY. The "ONLY" other software I approve on the box at the same time is AAAA. Make any changes and you're on your own.
Heck, buy a car, change the suspension parts yourself to NON factory parts. Flip over due to your front wheel falling off - good luck suing the car mfg, you'll have to prove it was not YOUR changes
-- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
Microsoft might be able and interested to remove security bugs from their software, no downside for them there. But what if Microsoft would engage in some obvious "good software practices" to make their software less bad? Like what if they made their software simpler? More modular? Like if their OS could run whatever window system, window manager, file browser you wanted, a la UNIX. Or whatever web browser. Imagine.
What kind of idiotic system design is it that has all these user-mode applications inextricably woven into the fabric of the OS? What unfathomable nonsense. What person who ever studied software engineering buys this silly story?
How about if MS would use unobfuscated data formats, so that it would be easy to work with document data (let's grep through my .doc files!)
or multimedia data (let's convert between .wma and .mp3!).
How about if they had a simple and stable API for writing software, so that it would be easy to port software between the MS OS and other OS's. Fat chance.
These are some of the things that make MS bad. Will they ever address them? Magic 8-ball says, "Outlook not so good."
Ok, so I'm currently working on an auction system that is in use by at least one company. They ask for a change in the software so the commission percentages that are charged to their consignors are handled in a slightly different way. I make the change and under certain conditions, it's now possible for the consignor to be charged half of what they should be. I can see there should possibly be some liability here, especially if I were "selling" the product.
btw, none of the things I'm listing here ever happened, I'm just supposing...
Now, they ask for a change that resizes the storage size for the Notes for each customer. I make the change, but my code does not also make the change to their database schema. I provide a separate script that does that. The customer installs the upgrade, but does not upgrade the db. Who is liable? Can I be held liable for not making my upgrade *easy* enough if the client forgets to run the db upgrade script and loses data?
Let's go even further. I use MySQL for the db, python-mysql for the db module, python for the language and Qt for the interface. ReportLab is being used for pdf generation, lpr for printing, X-windows for launching the program, KDE for the desktop manager, and Acrobat Reader to parse the pdf files into ps for printing. Without these things, the program will not run.
Now, due to a bug in MySQL, the company finds that it is losing n*$50 where n is the number of items in the auction for every auction. Perhaps the 50 entry fee is not getting stored correctly and suppose that's a database problem. Who's liable? Me, for leveraging off an existing system without it being totally stable? The db? Maybe in this case it's clear the db maker would be held responsible.
Now let's lose some data because MySQL was not *configured* correctly. Who's fault now? Customer, me, or MySQL?
Lastly, let's lose some data due to a bug in the database that was caused by an ambiguity in the API of glibc that allows a function to be called in a way that was not intended and works as expected most of the time, but is clearly not a bug when it doesn't work the expected way. Who now? MySQL? The library they used? Me for using MySQL? The customer for being stupid enough to hire me when I'm not even competent enough to ensure the tools I use have absolutely no bugs in them? ARGH!
I'll tell you one thing... I'll never associate my name with a general library if this kind of thing goes through. Blame would very often be passed back down the chain as far as possible trying to find a scapegoat other than yourself.
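The "customer forgets to run the db upgrade script" case in the comment above has a standard engineering answer: the application records a schema version in the database and refuses to start when the version is not the one it was built for, so a missed migration produces a clear error instead of lost data. The following is an added example, not code from the auction system the commenter describes; the table layout, the version numbers, the notes-column limits and the in-memory sqlite3 database are all constructed for the demonstration.

```python
"""Added example (not the commenter's auction code): a schema-version guard
that refuses to run against a database the upgrade script has not been
applied to. Uses sqlite3 in memory so it runs offline."""
import sqlite3

APP_SCHEMA_VERSION = 2  # constructed: the version this build of the application expects

# Migrations keyed by the version they upgrade *to*. Constructed for the example:
# v1 creates the customer table with a short notes column; v2 widens it.
MIGRATIONS = {
    1: [
        "CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT, notes VARCHAR(80))",
    ],
    2: [
        # SQLite does not enforce VARCHAR lengths, so the "resize" is modelled by
        # rebuilding the table; save_notes() below enforces the limit in the application.
        "ALTER TABLE customer RENAME TO customer_old",
        "CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT, notes VARCHAR(2000))",
        "INSERT INTO customer SELECT id, name, notes FROM customer_old",
        "DROP TABLE customer_old",
    ],
}
NOTES_LIMIT = {1: 80, 2: 2000}  # constructed: what each schema version can store


class SchemaMismatch(RuntimeError):
    """Raised when the database is older or newer than this build understands."""


def schema_version(conn):
    """Return the version recorded in the database, 0 if it was never initialised."""
    conn.execute("CREATE TABLE IF NOT EXISTS schema_version (version INTEGER NOT NULL)")
    row = conn.execute("SELECT MAX(version) FROM schema_version").fetchone()
    return row[0] or 0


def migrate(conn, target):
    """The separate upgrade script from the comment: apply each missing migration
    in order, one transaction per step, and record the new version with it."""
    current = schema_version(conn)
    for version in range(current + 1, target + 1):
        with conn:  # commit on success, roll back the step if any statement fails
            for stmt in MIGRATIONS[version]:
                conn.execute(stmt)
            conn.execute("INSERT INTO schema_version VALUES (?)", (version,))
    return schema_version(conn)


def check_schema(conn, expected=APP_SCHEMA_VERSION):
    """Start-up guard: raise instead of running against the wrong schema."""
    found = schema_version(conn)
    if found != expected:
        raise SchemaMismatch(
            f"database schema is version {found}, this build needs {expected}; "
            "run the upgrade script before starting the application")
    return found


def save_notes(conn, customer_id, notes):
    """Write notes, refusing (rather than silently truncating) input longer than
    the column the *current* schema can hold. Returns the stored length."""
    limit = NOTES_LIMIT[schema_version(conn)]
    if len(notes) > limit:
        raise ValueError(f"notes of {len(notes)} chars exceed column limit {limit}")
    conn.execute("INSERT INTO customer (id, name, notes) VALUES (?, 'x', ?)",
                 (customer_id, notes))
    return len(notes)


def demo():
    """Constructed scenario: the customer installs the v2 application but forgets
    the db script, then runs it. Returns (started before upgrade, old schema
    accepted long notes, started after upgrade, chars stored after upgrade)."""
    conn = sqlite3.connect(":memory:")
    migrate(conn, 1)                        # the database as originally deployed
    try:
        check_schema(conn)                  # new build must refuse to start
        started_early = True
    except SchemaMismatch:
        started_early = False
    try:
        save_notes(conn, 1, "n" * 500)      # old schema cannot hold this; must refuse
        old_schema_took_long_notes = True
    except ValueError:
        old_schema_took_long_notes = False
    migrate(conn, APP_SCHEMA_VERSION)       # operator runs the upgrade script
    started_late = check_schema(conn) == APP_SCHEMA_VERSION
    stored = save_notes(conn, 2, "n" * 500)
    return started_early, old_schema_took_long_notes, started_late, stored


if __name__ == "__main__":
    print(demo())  # (False, False, True, 500)
```

The guard does not make the upgrade script unnecessary; it makes forgetting it loud. Recording the version in the same transaction as each migration step also means a half-applied upgrade cannot leave the database claiming a version it does not have.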
A friend of mine is a civil engineer. When he signs the drawing for a building he is PERSONALLY liable as a professional engineer. He can have his license revoked and be fined if the thing falls down. Of course what they don't tell you is that the companies competing for the contract, which he is employed by, continually underbid one another, which ends up leaving him insufficient funds to complete the job properly and safely. Now imagine the same scenario where you are writing code for a heart monitor and the thing fails and someone dies. Guaranteed your company will put you up on a pedestal as the guilty coder if they can, if you are liable, when the managers underbid the contract in the first place. BAD IDEA!!!
Microsoft may get a massive fine that it can afford, but RedHat will get a smaller fine that forces it to declare bankruptcy and die. Yes, liability, the fastest way to kill opensource. Thank you.
While the write-up for the article singles out MSFT, I find it hard to believe that any corporation (e.g. Sun, IBM, Oracle, the whole NOISE gang, actually) would want to be legally and financially tied to software bugs. Framing this as a "let's screw Microsoft" deal misses the point.
Most businesses that contract software have an SLA (service-level agreement); if the software doesn't meet certain standards, the supplier must pay a penalty. For the most part, the more serious potential problems are handled privately, without the need for some sweeping government iron hand.
Java is the blue pill
Choose the red pill
As a programmer, I have often given a simple explanation of why I can't write reliable software. On most vendors' computers (Microsoft obviously, but also Sun, HP, IBM and most of the rest), the inner workings are totally hidden from me. I can't even in principle know what a lot of my code will do in all cases, because I must make calls to the underlying system and its libraries, and the code for these things is a proprietary secret.
What I usually use as a parallel is: Imagine that the people who built buildings or bridges were required to use commercial steel and concrete, but the specs for these materials were trade secrets. Imagine that construction firms had to use whatever material was delivered, and were not permitted to see its specs. There would be no way that anyone could calculate the effect of loads and stresses, and things would fall down under load.
This is how software is built.
On Open Source systems, it's somewhat different, because the source is available. But even there, you can only understand the system "in principle". You usually don't have the time it would take to thoroughly investigate all the components that you use. Open Source software does generally work better, true, but it's not because every programmer has examined every piece of the source. It's because a lot of them have examined a few pieces, and they can tell each other about problems (and fix them).
This probably has significant legal impact. Consider the construction parallel again. If I design a structure and specify materials of a certain quality, those materials are used, and the structure collapses, I am probably liable. But if the material vendors substitute material with different properties (usually for cost reasons), all I need to do is show in court that the material didn't meet my specs. I'm not liable, and the vendors end up facing some serious fraud charges.
With software, this sort of fraud happens routinely, with all sorts of system components that are delivered knowing that they don't do what the manuals say they do. Or the vendors don't even bother checking that things work right, because they know they can't be held liable. Then people hire programmers like me to write software using such shoddy systems, and expect us to write reliable software on top of it. Then it turns out that some parts of the system have "undocumented features", and the code doesn't work right.
Until we find a way to force reliability on the Microsofts and Suns and IBMs of the world, the way we have with companies that sell steel and concrete, there's no way whatsoever that programmers can ever write reliable software.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
should have fixed this fucking exploit months ago when they first discovered it. Of course it only affects IE, but the reality is that 80% of slashdot traffic is from IE.
I can't beleive they expect me to pay for access to this place!
See today's date...
I wonder who's at fault.
A feeling of having made the same mistake before: Deja Foobar
My favourite quote from the article:
"This spring, Microsoft will unveil technology that allows Windows users to receive automatic updates each time a bug fix is available."
Oh, yes, PLEASE patch production servers automatically. I can't wait. With M$' history of their patches breaking otherwise-working machines, I can't wait to see this.
Naturally, any half-assed sysadmin would disable this, but that kinda takes the whole point out, right?
Chalk up one more for M$' "Useless Bug^H^H^HFeatures".
All this will bring on is more expensive software and stifled innovation.
You want to be able to sue me for $100,000 if something is wrong? Fine, but if I'm going to take on that extra liability, I'm going to quadruple the price of my software.
Second of all, the RFC really has no force given the RFC language. The two key provisions, that companies SHOULD fix holes within 30 days, and that customers SHOULD apply patches in a timely manner, can both be ignored since "SHOULD" in RFC-speak is different from "MUST".
Thirdly, this RFC is a bit too targeted at Microsoft:
1) The Vendor SHOULD ensure that programmers, designers, and testers are knowledgeable about common flaws in the design and implementation of products.
2) Customers SHOULD configure their products and systems in ways that eliminate latent flaws or reduce the impact of latent flaws, including (1) removing default services that are not necessary for the operation of the affected systems, (2) limiting necessary services only to networks or systems that require access, (3) using the minimal amount of access and privileges necessary for proper functioning of the products...
This is too "ripped from today's Microsoft headlines". This stuff about removing default services is bogus. Something like UPNP in Windows (designed to make things easy for novice users) is useful only if it is turned on by default. Anyway, what does "not necessary for the operation of the affected systems" mean? You can run Linux without a GUI... so if an exploit is found in KDE or Gnome will someone jump up and say, "You enabled the GUI by default and it wasn't necessary and you violated the RFC"? The solution to flaws in UPNP is to not ship with them, not to disable everything in the box.
Fourth, what the heck is this supposed to mean:
7) The Customer SHOULD give preference to products whose Vendors follow responsible disclosure practices.
Can we please keep the social engineering out of the RFC -- this is an absurd requirement to put in there. Why not just say "Customers SHOULD give preference to open source software because we think it's k3wL"?
- adam
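Whatever one thinks of the argument above, the three customer-side practices quoted from the draft (drop default services the system does not need, expose each necessary service only to the networks that need it, run it with the least privilege that works) are concrete enough to check mechanically. The following is an added example, not code from the RFC draft or from the commenter: a small audit that runs those three checks over a host's listening-service inventory. The inventory lines, the "web server" role policy, the interface table and the service names are all constructed for the demonstration, and the inventory format is a simplified one invented here, not the output of any real tool.

```python
"""Added example: audit a host's listening services against a role policy that
encodes the draft's three configuration practices. All data is constructed."""
import ipaddress

# Constructed inventory, one line per listening socket:  proto bind_addr:port user process
INVENTORY = """\
tcp 0.0.0.0:22 root sshd
tcp 0.0.0.0:80 root httpd
tcp 10.0.1.5:3306 mysql mysqld
udp 0.0.0.0:1900 root upnpd
tcp 127.0.0.1:25 root sendmail
"""

# Constructed: the same host after the policy is applied (expected to pass clean).
HARDENED_INVENTORY = """\
tcp 10.0.1.5:22 root sshd
tcp 0.0.0.0:80 www-data httpd
tcp 10.0.1.5:3306 mysql mysqld
"""

# Constructed policy for a "web server" role: the services it exists to run, the
# networks each may be reachable from, and the least-privileged user each should
# run as. Anything not listed is a default service this role does not need.
POLICY = {
    "sshd":   {"networks": ["10.0.0.0/8"],   "user": "root"},      # needs root here
    "httpd":  {"networks": ["0.0.0.0/0"],    "user": "www-data"},  # public by design
    "mysqld": {"networks": ["10.0.1.0/24"],  "user": "mysql"},     # app subnet only
}

# Constructed: which network each of the host's interface addresses sits on.
HOST_INTERFACES = {"10.0.1.5": "10.0.1.0/24"}


def parse_inventory(text):
    """Parse the constructed inventory format into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, endpoint, user, proc = line.split()
        addr, port = endpoint.rsplit(":", 1)
        rows.append({"proto": proto, "addr": addr, "port": int(port),
                     "user": user, "proc": proc})
    return rows


def exposure_ok(addr, allowed_networks):
    """Practice (2): is every network this socket is reachable from allowed?
    0.0.0.0 binds every interface, so it is reachable from anywhere; loopback is
    reachable only locally and is always acceptable."""
    if ipaddress.ip_address(addr).is_loopback:
        return True
    reachable = ipaddress.ip_network("0.0.0.0/0") if addr == "0.0.0.0" \
        else ipaddress.ip_network(HOST_INTERFACES.get(addr, addr + "/32"))
    return any(reachable.subnet_of(ipaddress.ip_network(n)) for n in allowed_networks)


def audit(inventory_text, policy):
    """Return (kind, detail) findings; an empty list means the host matches policy."""
    findings = []
    for row in parse_inventory(inventory_text):
        where = f'{row["proc"]} on {row["proto"]}/{row["port"]}'
        rule = policy.get(row["proc"])
        if rule is None:                                    # practice (1)
            findings.append(("unnecessary-service", where))
            continue
        if not exposure_ok(row["addr"], rule["networks"]):  # practice (2)
            findings.append(("over-exposed", where))
        if row["user"] != rule["user"]:                     # practice (3)
            findings.append(("excess-privilege",
                             f'{where} runs as {row["user"]}, expected {rule["user"]}'))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(INVENTORY, POLICY):
        print(f"{kind:20} {detail}")
    print("hardened host findings:", audit(HARDENED_INVENTORY, POLICY))  # []
```

On the constructed inventory the audit reports sshd as over-exposed (bound to every interface although policy allows only the 10.0.0.0/8 side), httpd as running with excess privilege, and upnpd and sendmail as services the role does not need; the hardened inventory produces no findings. The point the example makes about the commenter's objection is that "necessary" has to be defined per role in a policy like `POLICY`, and the check is only as good as that definition.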
Then freeware could be released anonymously, like viruses are now.
I think a lot of software is released buggy as hell simply because investors and customers expect development houses to show results very quickly. Many contract jobs are six months or shorter, barely enough time to come up with a dog & pony slideshow of great software, let alone develop a secure product. Most developers depend on tools from other companies to cover the gaps in the process -- tools like IIS and apache.
The problem lies with the fallacy of internet time -- that software advances can keep up with hardware advances. The difficulty here is that Moore's law is based on years of research -- an advance in memory that doubles the speed next year will have begun five years or more ago with tons of R&D. Software doesn't really have that luxury -- it's all about the now.
One might say that this sort of demand is a requirement in business -- but in many ways, it's a self maintaining fad. Look at biotech -- a biotech company might do research for dozens of years before they can release a new drug or procedure. They have amazingly tedious checks and balances. Why? Because human lives are at stake. Because a single slip up will cost them millions in malpractice.
Holding software companies liable for security failures is a great idea in the respect that it will force dev houses to make better software. But in the process something will have to be done about the expectation that software is a need-it-now sort of deal.
As a side note: this sort of legislation would be a godsend for contract programmers. If company X has to wait years for a secure product to come out of Microsoft or hire somebody now to do the work cheap and sign off on the liability, they'll probably choose the latter. It'll also decrease the feature blitz of new products that is leading to the increased need for pay-for-play software licensing.
Hey freaks: now you're ju
There is a lot of "sky is falling" rhetoric going on about this that is just wrong-headed. Clearly, it would be a bad idea to make a company liable in perpetuity for a software product, with that liability beginning the moment a vulnerability is reported to them, or worse yet, discovered.
However, it is possible to write reasonable legislation around this. Consider: you can do any software task in hardware, albeit possibly less efficiently and frequently less easily and at higher cost. If you were to make a circuit which performed some function, and that circuit were to have an error which caused economic harm to someone, that person could sue you for damages. Thus, why should it not be legal to sue for damages a company which makes a product which *could* be reduced to a circuit, provided that the other circumstances were the same?
If a law were written to allow users to sue a software company for liability, under the conditions that the company had known of the vulnerability for some time (say, 30 days just to be arbitrary, or say 3 years - whatever), and knowing that, had neither produced a fix nor issued a recall to all registered customers, I don't see a problem.
You would certainly want a grace period for the company to fix the flaw or recall the product. You would probably want limitations on liability to the provable immediate losses, or the cost of the software, whichever is higher (possibly with some limited damages above that). You would likely want such a law to exempt programs distributed as or with complete and understandable source code, on the same basis that you couldn't sue someone who printed a design from which you built your own circuit. (That is, including source code would transfer liability from the producer to the user.)
This would allow companies which depend on commercial products that they cannot inspect to have legal protection, while not bankrupting companies who act responsibly by fixing problems within a short period after they are found.
-jeff
-- Two men say they're Jesus. One of them must be wrong. - Dire Straits
well, do i have the right to sue the manufacturer if someone smashes the window and drives off with my car?
similarly, i do NOT have legal rights against you if someone pulls off man in the middle or some other such hack while i'm using your software.
if i install your program and it erases all my files, then i have rights, but the author here is confusing code that is susceptible to attack w/ code that is somehow generally hazardous to use.
I think making software companies liable for their products so they would be forced to fix reported bugs would be a great idea. I remember a year or so ago I found a bug in a game by Activision, and I dutifully reported it to them. I didn't make it public at the time, since I wanted to give them a fair amount of time to issue a patch, but their complete refusal to do anything about it leaves me little choice. Maybe they don't think that fixing the bug in Ghostbusters that prevents you from entering one of the buildings on the map from a certain direction is worthy of their attention, but dammit I paid $30 for that game back in 1984, and it interferes with my enjoyment of the product! The customer support rep's excuse? "I'm sorry sir, I've never heard of a 'Commodore,' so I must assume we do not support it." Where does it end?
Mind you, I'm not excusing bad software, but I don't see how this proposal will do anything, because a new license will come out that people will simply have to accept something like:
"I accept that if I use this software it is completely insecure and will allow bad people to do bad things to me and my computer. I completely waive all rights to bring legal action against the makers of this software, even if they knew there is or was a problem."
Okay, whose EULA were you quoting there?
Nope, no sig
...to make their software as reliable and trustworthy as electric, water, and telephone service
Well, Windows is already more reliable than Ameritech or Indianapolis Power & Light Co. The water company still has 'em beat, though.
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
It seems to me that people that are harmed by buggy software that is run by other people should have legal recourse. For example if I'm running a secure Linux web site and Mr. Smith is running IIS and he gets hacked by some worm that then fires off a DOS against my site from his server. Should not I be able to sue Mr. Smith and Microsoft for the loss of my business?
Accountability seems to make sense, especially on the surface. It could have a major chilling effect if it is applied to an open source project with many contributors, however.
Turn around the situation and assume that an open source product is at fault. Who would be liable?
The race isn't always to the swift... but that's the way to bet!
This is silly. First off, the Firestone thing caused DEATH. So if a software malfunction/bug caused DEATH because of the malfunction/bug, whoever wrote it should absolutely get sued for writing bad software. Just like malpractice suits. It's DEATH because of poor quality.
Off of that tangent, I think this is a great idea. Maybe software will come out slower because people are being more thorough. Maybe software will have a higher quality because people spend the time rather than rush it. Maybe it creates a whole new insurance industry for programmer's insurance.
Do you want missile guidance systems to have software bugs in them? Do you want your financial institution to "lose your accounts" because of bugs in the software? This is serious stuff folks. It's time to get serious about it.
I personally don't think it'll hurt the little guys at all unless they're creating bad software. In which case, maybe it should hurt them.
Speaking for myself, I'm all for this. How many times have you wanted to do a better job but were given impossible deadlines, leading to shipping something you knew wasn't tested well enough, and hoping to fix the bugs later? Most programmers WANT to produce good software, but are not given time or tools.
I hope that something like this will cause managers and execs to provide proper tools and sufficient time to produce truly stable programs. I do believe that, like other forms of liability, though, unless intentional negligence is shown, liability must stop at corporations, not individual programmers.
Also, there must be still a way for free software to escape liability. If you're getting something for free, you can't expect the author to take liability.
I would think that in this situation, Microsoft should WELCOME liability law; it would be a great selling point for them in the face of Linux, if they could say "if you use free software, nobody is liable if it destroys your business, but Microsoft IS liable for any harm caused your business by our software." I imagine that many corp execs would give that argument a lot of weight.
However, at the same time I don't know if it would be 100% effective, because by now enough CTO's have realized that Linux (and other free solutions) is a more reliable platform for many applications, and it's still better for all involved to use something that works than to use something that causes you monetary loss and then try to recoup it in court.
If you want liability for software kiss the GPL goodbye and look forward to a stifling of developmental progress in software. Under a liability law the GPL would be unenforceable because it provides that the author is in no way responsible for the software you're using. One of the two isn't going to work out and I think the liability law would have a little more clout. That is assuming people even develop software anymore. I'm not going to put myself in a position to get sued because of a bug in my software. I'm not going to go through the hassle and effort to try to start my own business if any software we write is going to lead to our legal raping because we couldn't possibly squash all the bugs in our code.
The GPL and free software in general would be forced the way of the Dodo. If your license couldn't absolve you from responsibility for your code fucking up, a whole tenet of the GPL would be meaningless. Besides being impossible to develop, no one would continue to use it. If there is the possibility for a software glitch to cause monetary damage, are you going to pick a vendor you can sue or one you can't sue? Managers are going to go with the folks they can slap a lawsuit against in order to recoup damages. Why would you use an open source application in which a bug could cause you millions in damages that you couldn't recoup? The only reason managers go with open source software now is they can't sue vendors of proprietary software for bugs so they go with the lower TCO (whichever option that is).
It is also ridiculous to compare an operating system like Windows to some RTOS or firmware system that controls hazardous equipment. Windows and Linux aren't designed for use in hazardous environments. They also are not cleared to operate on certain pieces of equipment. If a system doesn't pass a safety inspection it isn't going to get sold. A heart monitor isn't going to run Linux and the control equipment for a nuclear reactor is not going to have Clippy morphing into a bicycle.
I'm a loner Dottie, a Rebel.
in most software licenses that states that the software is not guaranteed to be fit for a particular purpose.
Why should software be treated so differently from other commercial goods?
________ semper ubi sub ubi
Great, another revenue source for lawyers. Does any one else see a problem with this?
Imagine someone suing every time they got a blue screen. The ONLY way to make the software super duper lawyer proof would be to overly control the hardware. Thus stifling innovation and the creative process as a whole. Remember that the original IBM PC and the clone makers were more successful than Apple because the box was open and could be added to and hacked with relative ease. No person's box will have anything "easy" about hacking at it after the lawyers are finished.
For almost any problem where litigation has been the answer, the solution is often worse than the initial problem.
"Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
It seems the limits to liability seem to only go up. They mentioned Firestone being liable for their tires. The problem with this is that all tires fail to some degree. The only problem with Firestone tires was someone noticed they were failing more than other tires. Someone was surprised by this and concluded they should have done more to prevent failures. There are probably other tires manufactured with just as high of a failure rate that just didn't produce enough tires for good statistics to show those tires were bad. Does that mean those manufacturers should get off? An obvious answer to that is because Firestone makes more money selling more tires they carry more responsibility to protect the consumer.
The reason I bring all this up is that some posts worry OSS will be open to just as much liability as a company like Microsoft. If you used the argument above, a software manufacturers liability should be limited to their responsibility to repay society from which they benefit.
First of all, I can not see any of the Behemoths (MS, AOL, Oracle, SAP) supporting this kind of legislation without there being a "public beta clause." That would be like any automotive maker firing all their quality assurance engineers, believing they could create safe vehicles without them. This "public beta" area will probably be where all free and open source software lives from now on, probably including the software that was intended to be legislated against... sigh. Will we ever have smart people on the Hill? The world may never know.
When it comes to stealing music off the internet all the open source zealots make comparisons about sharing physical items with friends.
But when it's open source software that can be held liable for deficiencies it's somehow very different than physical products and it's up to the user to fix problems.
Gun shops liable for selling guns then they should make software liable as well...fair is fair
As much as I hate microsoft, this has got to be the dumbest idea to hit the market in a long while. And this is just the tip of the iceberg: if security holes make you liable, then couldn't crashes which eliminate unsaved data or somehow mess up a file also cause you to be held accountable?
::Mac freak rant:: Windows being the only exception to this rule ::end rant::
If you're dumb enough to believe that the product you buy is going to be free of bugs and exploits, then you deserve to have your computer hacked, fried and served on a half shell. Every piece of software has a weak spot; there is no such thing as bug free software. This is no excuse for lousy programming, but if the program is that lousy, word will spread quickly and no one will buy it.
T Money
World Domination with a plastic spoon since 1984
It will definitely hurt the companies that can't afford to hire a full time lawyer. The exact effects would, of course, depend on the details of the law. I suspect that one of the reasons for the degree of apprehension about this is that we have recently seen so many laws that were only to the benefit of whoever was the highest bidder.
(Well, that's not strictly true. MS has benefited from laws designed to aid Disney. But if you consider categories of bidders rather than individual bidders, then it appears to be true.)
I think we've pushed this "anyone can grow up to be president" thing too far.
IANAL, but IIRC, source code has been found by the courts to be speech. Software liability will create a prior restraint on the expression of that speech. I don't think that any liability laws will be upheld in the courts for people who release source code. They can claim that it's simply the exercise of their 1st amendment rights.
But this will impact the distributions, who release software in binary form. I don't believe that binary code is considered speech. So the Red Hat's, SuSE's, Mandrake's, Debian's of the world might be in trouble with their current distribution method. But probably not the authors.
All told, I still find the idea of software liability to be discomforting. Unless it can be done in such a way that it doesn't immediately disadvantage free/opensource software, either directly (by holding authors/distributors liable) or indirectly (by making free/opensource software a business liability since there's no one to sue), I think it's a really bad idea. See my journal entry for more details.
Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
As it is, software companies get off scot-free, with only their reputations at stake (and those w/ deep pockets can afford the advertising budget to counter the bad experiences and boost their reputation). But it would be nice to see some sort of financial incentive to produce better quality, reliable software instead of just a lousy implementation of the latest greatest big idea. Just like there are contracts that reward being completed on time and punish being late, we could have mandated licensing terms where a major bug (like the UPnP hole thing) VERIFIED by a disinterested 3rd party would result in a partial refund, to partially cover the expenses of patching. I would not go so far as making a company legally liable for some of those always overinflated 'costs' that show up in class action lawsuits. No one should have to code in fear that a missing comma is going to cost the company a million dollars. But a simple system of rewards and punishments to get over the 'flashy crud' that so many consumers fall for, and onto a more stable, robust, secure world.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
A large proportion of the security problems would just go away if the subroutine return address was stored in a separate memory area from the data area. This would make the buffer overflow / stack-smashing type of attack impossible. It's such a simple idea I am amazed that it has not been implemented long ago. There must therefore be something wrong in my thinking, what is it?
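The idea in the post above is the shadow stack, which has since been implemented (in software by compilers, and in hardware as Intel CET). The following is an added illustration, not code from the page or from any poster: it models a stack frame as a flat byte array, shows a bounds-free copy overwriting the saved return address, and then shows two defences: keeping return addresses in a separate area, and keeping a separate copy that is compared on return. The frame layout, sizes and the constants RET_LEGIT / RET_MALICIOUS are constructed for the model, not a real machine stack. The caveat a practitioner would add: this blocks control-flow hijack via the return address, but an overflow can still corrupt adjacent data or function pointers, so it is one layer, not a cure.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model (constructed for this example): a local buffer of BUF_SIZE bytes
 * followed by the saved return address, as on a classic downward-growing stack. */
#define BUF_SIZE 16
#define FRAME_SIZE (BUF_SIZE + sizeof(uint64_t))

enum { RET_LEGIT = 0x4000, RET_MALICIOUS = 0x4141 }; /* hypothetical addresses */

/* Classic layout: return address shares the frame with the data.
 * The copy has no bounds check against BUF_SIZE (the stack-smashing bug);
 * n is only clamped to the frame so the model itself stays in bounds. */
static uint64_t classic_call(const unsigned char *input, size_t n) {
    unsigned char frame[FRAME_SIZE];
    uint64_t ret = RET_LEGIT;
    if (n > FRAME_SIZE) n = FRAME_SIZE;
    memcpy(frame + BUF_SIZE, &ret, sizeof ret);  /* "call": push return address */
    memcpy(frame, input, n);                     /* vulnerable copy, no BUF_SIZE check */
    memcpy(&ret, frame + BUF_SIZE, sizeof ret);  /* "ret": pop return address */
    return ret;                                  /* where execution would go */
}

/* Split layout: return addresses live in a separate area, so the same bug
 * cannot reach them. */
static uint64_t split_call(const unsigned char *input, size_t n) {
    unsigned char data_frame[FRAME_SIZE];        /* same room as above */
    uint64_t ret_area[1] = { RET_LEGIT };        /* separate return-address area */
    if (n > FRAME_SIZE) n = FRAME_SIZE;
    memcpy(data_frame, input, n);                /* same vulnerable copy */
    return ret_area[0];                          /* untouched by the overflow */
}

/* Shadow-stack check: the return address still lives in the data frame, but a
 * copy is kept separately and compared on return. Returns 1 if the overwrite
 * was detected (the legitimate address is handed back in *out), else 0. */
static int shadow_checked_call(const unsigned char *input, size_t n, uint64_t *out) {
    unsigned char frame[FRAME_SIZE];
    uint64_t ret = RET_LEGIT;
    uint64_t shadow = ret;                       /* separate copy */
    if (n > FRAME_SIZE) n = FRAME_SIZE;
    memcpy(frame + BUF_SIZE, &ret, sizeof ret);
    memcpy(frame, input, n);
    memcpy(&ret, frame + BUF_SIZE, sizeof ret);
    if (ret != shadow) { *out = shadow; return 1; } /* real systems abort here */
    *out = ret;
    return 0;
}

/* Constructed payload: BUF_SIZE filler bytes followed by the attacker's
 * address in native byte order. Returns the payload length. */
static size_t make_payload(unsigned char *buf, size_t cap) {
    uint64_t evil = RET_MALICIOUS;
    if (cap < FRAME_SIZE) return 0;
    memset(buf, 'A', BUF_SIZE);
    memcpy(buf + BUF_SIZE, &evil, sizeof evil);
    return FRAME_SIZE;
}

int main(void) {
    unsigned char payload[FRAME_SIZE];
    size_t n = make_payload(payload, sizeof payload);
    uint64_t r;
    printf("classic  : returns to 0x%llx\n", (unsigned long long)classic_call(payload, n));
    printf("split    : returns to 0x%llx\n", (unsigned long long)split_call(payload, n));
    printf("shadow   : detected=%d, returns to 0x%llx\n",
           shadow_checked_call(payload, n, &r), (unsigned long long)r);
    return 0;
}
```

The classic layout returns to the attacker's address; the split layout and the shadow check both keep RET_LEGIT, the check additionally reporting that something was overwritten.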
Not that I'm complaining/trolling (I hate that company too:), but here we go again:
As Microsoft is more part of the problem than part of the solution,
If an instruction manual for building a set of bookshelves from IKEA fails to mention safety protocols for using a hammer (if said bookshelves requires using a hammer), is IKEA held liable? If a toddler climbs up on the thing and it falls over on them...
If a car manufacturer issues a ["sufficiently" publicized] recall on their tires, and ["sufficient" time has passed] later, a driver attempts to sue the manufacturer for faulty tires, who wins?
If someone who's violently allergic to peanuts buys a mom-and-pop-store cake that happens to have peanut oil in it, but doesn't have a label on it stating that it has peanut oil in it, and they neglect to ask about it, who's at fault? (legally and otherwise, I suppose).
Source-released projects are at least vaguely akin to the first, the second is an invitation to explore adequate response times, as well as, along with the third, a jump into responsible disclosure.
'Maybe software will come out slower because people are being more thorough'
That would be nice. The company I used to work for would ship unreadable CDs just to put out press releases that a 'product' shipped. They were so worried about Time to Market, they didn't really care if the end product was installable.
When the customer complained they would just act dumb, meanwhile they gained a few days.
GEAC^H^H^H^HThe company I worked for deserved to be sued.
I write an anti-spam filter and post it into the public domain (Open Sourced). Microsoft uses it in their next whiz-bang mail server.
Who sold it, you or Microsoft? The one selling it bears the liability. Same as when a component of a physical good is defective. The end user sues the seller, and maybe the original component manufacturer. The seller may also sue the manufacturer to recover their own legal costs.
But end users always sue the guy with the deepest pockets. In your example, I don't think many people would waste their time suing you.
Incredibly, the latest proposed UCITA modifications (to make it acceptable to more states) is the exact opposite of this.
Commercial software is exempt from all liability. Even if they acted in bad faith and consciously lied to you about the presence of critical bugs, you have no recourse.
Open source software is held to the highest legal standards.
The legislation doesn't state it this nakedly, but it moves commercial software out of the "product" category and into a new category, so none of the consumer protection or product liability laws apply. Esp. if you never release the "final" version of your software.
In contrast, other definitions apply to all software. But since there's no exchange of "items of value" with OSS, there's no contract and it gets hit with the full power of the law.
This is totally indefensible for the reasons mentioned elsewhere. Microsoft has the ability to test its software better, and denies me the ability to protect myself, yet it gets a free pass. Meanwhile the guy who spent his weekends trying out an idea and who posted it with warnings that the code is not yet well-tested could lose his house.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
I say this every time someone uses Firestone as a metaphor. The SUV's that came with Firestone tires on them generally had the tires inflated to around 15psi. This is on a tire that is supposed to be used at 35psi. Hrm.... should the tires have blown out after such little use? Probably not. Would the tires have blown out if they were fully inflated? I don't really know.
But to further your train of thought imagine this:
You buy a new Dell(Dude! You're getting screwe^H^H^H^H^H^H^H a dell). Dell decides to set windows to be very insecure. Your computer is cracked because your browser downloaded malicious code from a website. If Dell hadn't touched the security settings, you'd be fine. Now, who is liable for the damage?
If you want your software to be guaranteed to have feature 'x', then demand that your vendor sign on the dotted line a promise that the product meets your expectations. And be prepared to pay money to get what you want.
Otherwise, read the damn license. You know, the one that says "NO GUARANTEE OF FITNESS TO RUN NUCLEAR POWER PLANTS BLAH BLAH BLAH". If a vendor is explicitly telling you that they are NOT promising you anything, then you are just plain stupid to think that you have the right to demand more. If you don't like it, put your money back in your pocket.
Where you might take issue with are products that hide the fine print inside the shrink wrap. Of course you have no such problem when you can see the source.
--Lawrence Lessig for Congress!
I seem to recall, in big bold letters, a statement at the end of the standard EULA that says without question that installing the software makes the user assume any and all responsibility for loss due to the installation or use of the software being licensed. Even if the law generally requires people to give reasonable disclosure, I don't see how someone can't use the EULA and say,"Sorry bud. You read the agreement, and there's your notice."
Lawyers please reply.
Merchantability is not liability. As far as I can see, this already covers software, correct?
Most modern EULA's specifically disclaim merchantability to any purpose whatsoever. The poster you're replying to is simply saying that if your software doesn't do what the seller said it would, then they owe you your money back.
You downloaded it for free? Then they don't owe you anything. You paid $50,000 for multiple installations and several hundred user seat licenses? They owe you a refund.
One thing that is encouraging is that Software Engineering may become a real discipline and not just a buzzword. It is inevitable that Software Engineering will take the same course as other traditional engineering disciplines. Our reputations depend on it.
One thing that is discouraging is the possibility that hobbyists will be shut out depending on what sort of legislation occurs. This is something that hasn't happened in many other disciplines. Would wonders like TLC's "Junk Yard Wars" be possible if the Mechanical Engineering industry were regulated to death? What about model rockets? Home chemistry sets? Do-it-yourself electronics? Helping your neighbor build a tree-house for the kids?
I hope the people behind any new legislation understand that purely non-commercial efforts, where the would-be customers pay nothing and nothing is promised, should not be regulated.
Free Software is non-commercial and nothing is promised to the end-user, so it should be left as-is. However, those who choose to commercialize it, such as Red Hat or IBM, should be willing to accept some liability. After all, they are making money off of it.
In conclusion, software should be treated just like any other product. If money is being made off of it, then the customers are due what they paid for. If no money is involved, the lawyers and politicians should just keep their hands off.
Healthcare article at Kuro5hin
Obviously, since simple software is both more reliable and easier to prove, I'd limit myself to simple software. Good-bye GUI, hello command line. Also, since most software these days is built heavily dependent on someone else's libraries, I'd either have to have the source or roll my own: black boxes, no matter how well guaranteed by the vendor, won't fly because of the costs of litigation. So what we end up with are small, simple programs to which the source is widely available and easy to tinker with.
:)
Is it me or does that sound very familiar?
Didn't you realize that this is a conspiracy by the open source movement to put legal pressure on closed source companies? Only GPL'd software will be free of legal consequences, and as a result, the GNU software suite will flourish and take over the world. Look just below this story and you'll find the HURD announcement - it's already beginning.
Sorry, I just had to
Re: your Linux Comment
If MS shipped with every home edition of its product several varieties of FTP clients and Servers, an HTTP Server, and loads of other software which you can hook to the net, especially considering that each of these extra tools have been acquired from other individuals not directly under the control of the vendor...Would it be possible to do a recount on Security Holes????
Before WWII, there was a thriving business with dozens of light plane makers. You could buy good, cheap little planes. After WWII, there was some consolidation in the industry but you could still get a decent little plane for reasonable bucks.
Then the lawyers got involved. Liability lawsuits appeared everywhere. Since planes stick around for a while, a crash of a 20 year old model was still grounds to sue. Cessna quit making anything smaller than a corporate jet. Piper nearly went bankrupt. The entire GA industry entered a slump.
Finally, Congress acted and set strict liability limits on older light planes. (If it's been flying for 15 years, the maker probably isn't at fault.) Liability is still a problem though: a decent light plane that can carry a small family costs as much as a house now. This isn't a fancy plane: cloth seats and barely enough room to move your feet.
There are a few small makers out there (Cessna came back), but almost nothing cheap is left. You can build your own from a kit and slap an "Experimental" tag on it, but that leaves *you* fully liable for anything that happens. (Then again, as a pilot it was probably your fault anyway.) You could go for an ultralight, but that's for sightseeing, not for travel.
End result: a few companies sell a few, very expensive planes to rich people. Folks like me with a pilot's license but no trust fund rent aging C152s on weekends since we can't afford anything else. (Someday I'm going to build one, but I've got a 7-month old kid and a mortgage right now.)
Liability is almost certainly the wrong way to do this
Eric
"Seven Deadly Sins? I thought it was a to-do list!"
My gut instinct (like many people here I'm sure) was to say, 'GREAT .. now M$ has to fix their holes.'
.. after thinking about it (and finishing the article) Many smaller companies (shareware/freeware) are gonna get nailed on this first.
.. anyone wanna bet how quickly the new M$ department that checks for vulnerabilities in competitors' products would get formed? Why spend years in court .. when you can just bury them in paperwork *THAT THEY LEGALLY ARE RESPONSIBLE FOR*.
.. vote no.
Bad move on my part
The one man-opensource-grassroots guys are gonna get hammered.
Hell
I for one
--Ne auderis delere orbem rigidum meum, non erravi pernicose!
Recall that an American Destroyer was rendered dead in the water as a result of NT crashes and space shuttle missions rendered write-offs because of NT crashes. Not to pick on NT, but these are cases where lives did depend upon software. Death is just an example of liability.
Could not an Open Source developer include a disclaimer like "Yes, this stuff has more bugs than you'll find under a big rock and if you use it most probably hackers will invade your system and steal your first born"? (I am NOT trolling here) Would this protect against being sued?
So what happens to a newbie? So, this new 16 year-old guy who discovered programming in high school decides to learn it as well on his own. So he reads some tutorials, doesn't understand some warnings, codes, runs his program and has a bug. So he puts his code on the net (a bulletin board for example), and asks for help. Imagine that his program causes someone who wanted to help a mega filesystem crash and that all his data is corrupted. Is the newbie gonna get sued because he was learning? And that when he sought help, his program caused harm (even if he didn't know about it)?
If that's to happen, how are there ever gonna be new programmers? They will be extremely rare!
The authors assume that there is consensus regarding dealing with disclosure of vulnerabilities, at least in the industry, i.e. some limited information is published.
However, this assumption is false. Have you ever read about a security hole in z/OS? Or SAP? Do you think these products are completely error-free?
This whole damn problem stems from the monopoly that Microsoft has already. It's an attempt to remedy the wrong ailment. If multiple vendors produced "Windows", the insecure versions would NOT be purchased by those concerned with security. And the word for the average consumer would at least be "be careful about that cheap Windows from company X, you get what you pay for". As it stands now, hundreds of millions of people simply do not have the option of choosing Windows from another company because of Microsoft's monopoly.
"Hello, World", 17 errors, 31 warnings
There are two elements to this: loss of revenue resulting from software failure due to poor design, and failure due to illegal activities.
Software is a tool. When you pay for software you have an expectation that the software will do its job. If it fails to do its job and results in loss of revenue because of its poor design, then it seems clear that the company who designed the buggy software should share some of the liability.
On the other hand, when a security hole is found and exploited, the ensuing loss of revenue is the result of a criminal activity. Why should software companies be held liable for the actions of law breakers? (unless the software is implicitly designed as a security tool).
If I buy a new TV set and a week after I get home it doesn't work because of a defect in the manufacturing process, I expect the company who made the TV to make reparations. If it doesn't work because vandal kids broke into my apartment and smashed the screen with a baseball bat, I doubt it would be fair to file suit against Sony because they didn't make the screen with thick enough glass.
Of course, Microsoft shoots itself in the foot every time it mentions 'secure' in its marketing. By doing so, it implies that security is a feature of its software, and in turn it should bear legal liability for its own security holes.
Personally, I'd like companies to make software that works. Microsoft should focus on making an operating system that doesn't crash. In turn, other companies should focus on making software that protects the operating system from criminals.
If anything should be done in the courts, some legislation that would force software companies to release source code to third parties in the business of security for review would be a good start.
The Internet is generally stupid
Of course, any liability law would have to have a clause for beta testers, because you can't hold someone liable for failing while in the TESTING phase (If you could, test tracks all over the country would be bankrupt). The solution will naturally be that everything gets released as a beta. Everything. Office Xb, Mac OSb, Linux Kernel 2.5.4.7.1.1-prebeta-RC4-b ... um, ok, Linux kernels will remain unchanged.
"Your superior intellect is no match for our puny weapons!"
I firmly believe that good software is possible. A key ingredient is tying the income of the programmer to the quality of his software. I wrote an article about this on K5.
"Yet more legal recourse to screwing the little guy. Well done, anti-Microsoft dickheads."
You freaking moron, you're missing the point entirely. Liability regulation protects the little guy by protecting his credit card number and the access to his machine. Why are tiremakers (Firestone) legally liable to produce a safe product? Because cutting corners has the potential to injure the "little" guy you presume to defend.
Despite protestations that this would fall with undue burden on "the little guy," there remain plenty of engineers in high-stakes fields who work in small groups or as independent contractors. They manage their liability through a clever invention called insurance which, for a fee, indemnifies them from potential harm caused by their errors and omissions.
To get this insurance, the insurer must be certain that the insured engineer is qualified, and is operating to currently recognized standards of quality assurance, including rigorous testing and debugging. Sometimes things go wrong, and lawyers get to decide who screwed up and whose insurance company must pay. Such is the way of the world.
As software becomes increasingly integral to our daily lives, expect more, not less liability to enter your world. If a Boeing plane, for example, were to crash due to a software-generated avionics failure, the company could not go to the victims' families and say "Hey, it was a software bug. We're not responsible." Consequently, they have to have a rigorous method for deploying software including all sorts of oppressive things that 1337 h^x0rz detest, like code review, documentation, and testing. To my knowledge, there aren't a lot of pizza parties, all-nighters, or dogs in the office, either.
The only reasons liability hasn't been a more integral aspect of software engineering as we know it have been A) that the stakes have been so very low (nobody sues Microsoft because of the Blue Screen Of Death or LL Bean because they can't order that sweater in taupe), and B) consumers have shown an appalling willingness to sign licenses that require they sign away their rights. As consumers grow more sophisticated, this will change.
As for the assignation of liability on open source projects, a rigorous process of procurement for any software should include code review, either by the purchaser (or his agent) and the rest of the developer community (open source/free model) or via a trusted third party auditor working with escrowed secret code (closed/proprietary model). If an auditor signs off on the code, they get the liability for any failures due to bugs they don't catch. That's why they make the big bucks. In fact, that's why anyone does.
Sad, but those of us not in the Land Of The Free may have to consider this eventually, sort of an inverse case of the situation that used to exist with encryption and the US. Sigh.
I hereby inform you that I have NOT been required to provide any decryption keys.
WRT Open Source software, I see no a priori reason why OSS developers should be any less liable than commercial software companies, PROVIDED that certain reasonable guidelines apply:
- liability should never exceed the amount of money the developer/company *received* from the customer or class of customers unless gross negligence can be proved;
- in cases of gross negligence, the liability should coincide with the amount of *actual damages*; i.e., you don't get a million bucks because someone was able to read your web documents unless that act actually cost you $1 million in losses;
- developers should be reasonably shielded from liability in cases where the customer/user *actually* modified the software (not just *had* source available) -- if the modifications had a substantive effect on the security or safety of the product;
- parties can enter binding legal contracts to alter the balance of liability -- in instances where the customer *plans* to alter the software, whether they end up doing it or not. CLICKWRAP LICENSES DON'T COUNT.
These measures will only benefit the software industry; serious programmers will have the satisfaction of working in a climate where time to market takes a back seat to quality (because the law penalizes nonconformance to this norm); software processes in the aggregate will improve for the same reason; customers and users will have a better experience with software in general and will have more respect for practitioners who take the profession seriously. And people who lack confidence in their abilities to generate bug-free code can buy liability insurance, just like many other professionals currently do. In other words, software professionals can finally expect to *earn* the title!
Have you read the agreement to use ICQ software? Pretty much the same as this. I think that Open source is fine, because it is not as 'branded' as a company like Microsoft is, and therefore should be treated differently. And if Microsoft, or other companies decide to change to an open source platform to avoid the security laws, this would be very good for a lot of people.
Just my opinion, nothing more.
Maybe it creates a whole new insurance industry for programmer's insurance.
Yeah - that's just what we need. A bigger insurance industry. Can you imagine malpractice insurance for programming? This aspect alone should scare the be-jeezus out of coders. Just look at what the insurance industry has done to the cost of health care. I recently was in an emergency room getting stitches in my thumb. The doctor sewing me up spent half the time complaining about how he wouldn't get paid for the work for at least 3-4 months due to the insurance company dragging its feet. Let's hope this is not the future of the software industry!
"Michael, I did nothing. I did absolutely nothing - and it was everything that I thought it could be."
I can see only two possible outcomes if a software author becomes liable for the correct operation of their code.
1. No one will code except the huge guys with the resources to check their software line by line
2. Software will cost A LOT more to cover the cost of extra testing and liability insurance.
In any case, how difficult would it be to lay the blame at any one person's door? If something goes wrong with what I write but it turns out to be a bug in the Win32 API, who is liable, and would I in turn have to sue M$? Would they turn round and sue the PC vendor, or perhaps the authors of some program running on another machine somewhere on a LAN? Where would it end?
Businesses like to (and must) manage their risk. If software companies are in fact reasonably liable for bugs/security issues in their software, IT managers and their bosses will have to weigh the ease with which they can tell their lawyers to sue someone against trusting their network administrators and support personnel with verifying open source software is secure. If the current sheep-like decision making holds -- *bleat* Buy Microsoft! *bleat* -- this could result in much less corporate adoption of open source software.
I believe this is pretty much the way it works with everything except software, and recently some courts have starting invalidating clickwrap licenses on the basis of arguments like these (which IIRC was one of the motivations for the UCITA). In other words, in the literal basketball example you would currently legally be liable (AFAICT, IANAL, etc). Why should Free Software be any different?
First off, this is an Internet Draft. Anyone can write one: with a simple boilerplate saying that ISOC owns the copyright on it (so they can publish it for 6 months) and some formatting, I can publish an Internet Draft that says anything (I have published a few too...). THERE IS NO SUCH THING AS AN RFC Draft.
Second, this is going non-standards track, and as such has no weight, either protocol-wise or legally.
Oh well... It must have been fun to write, ZDnet in London had a link to it a week ago, where they tried to pawn Mr. Culp off as the author... Oh well.
Thank you... Come again
Most businesses that contract software have an SLA (service-level agreement); if the software doesn't meet certain standards, the supplier must pay a penalty. For the most part, the more serious potential problems are handled privately, without the need for some sweeping government iron hand.
And how does that help some small business when they buy a copy of Windows* and it hoses, costing them hours of work? How does that help them if Outlook Express cheerfully formats someone's hard drive because some kid in Brazil sent a virus-infected e-mail that exploited yet another Windows/HTML/Javascript/VBscript/etc. flaw? Most businesses buy and use commercial software for which there is no SLA available. Ever try to get Microsoft to agree to an SLA?
I am a software engineer and have been for over 20 years. I am still astounded by the "everyone except us" attitude. Why should we hold Boeing liable if one of their jets has an engineering flaw that kills people? The engineering in a commercial jet is far more complex than the engineering in 99.99% of the commercial software that's been written. The same can be said of automobiles, skyscrapers, submarines, satellites, and nuclear reactors. But we don't exempt the companies that produce those items from legal liability.
And don't tell me that "software flaws don't kill people." Software flaws in aircraft and medical equipment have already killed people. When a software flaw takes the phones down and people can't call 911, it can kill people.
I think any developer who releases source code should be shielded from product liability. The only ones that ought to be liable are the ones that keep the source code private.
If you release source, you have fully disclosed the capabilities of, as well as the flaws in, your product, and any liability laws ought to recognize that and reduce or eliminate your liability burden. If you decline to release source, you should assume liability for the undisclosed capabilities and flaws in your product. It would then be your choice whether keeping your code proprietary is worth assuming the liability burden.
Admittedly, I haven't thought about this a lot, but it has a certain logical appeal to it. There might be some ways around it. Maybe Microsoft releases source code to Windows 95 claiming it is for Windows 2000, hoping no one would notice. Maybe small firms or individuals that want to keep code proprietary are unfairly burdened. Or maybe lack of liability and/or source unfairly burdens the customer, regardless of the size of the vendor. I dunno... what do you think?
Edith Keeler Must Die
How much of a stretch is it to see M$ declare that they don't agree with the RFC, that it's an irresponsible process, so they're not going to play? I'd be surprised if they did anything else.
Sorry, but I see this as a weak claim. Sadly, law often seems to work counter to how rational people would expect, so we'll see.
Gimmie a break. THAT will kill free software, *not* imposing liability!
All this talk about legislating software bugs and comparing software to airplanes. Just look at how pathetic you all are!! For God's sake, the damn government legislates enough as it is (poorly, I might add - those WTC murderer pilots just got visas), and now you want to add more to the pile. The oh-so-convenient talk about "open source wouldn't apply to this" is outright stupid and ignorant.
Why should open source be excluded from something like this? Because anyone can see the source you say. BZZZZZT! Wrong answer...again. A bug is a bug, no matter how you look at the source code. Now let's see here who would be liable for the numerous, unreported in this forum, bugs in Linux......hmm...Linus Torvalds! Why? Because he makes the decisions. Someone has to lay their ass on the line and we all know the "open source community" won't do it.
The comparison between airplanes and software is bogus too, and all those who posted that know it. I can't recall any instance where software was responsible for the death of a human being. That one is one of the most ridiculous things I've ever heard in my life.
Most folks on this forum would like to see Microsoft die in any way possible, including government intervention. As a matter of fact, that's the only way it could happen. And you know what? That's a BAD thing. Just wait until the government says YOU can't do something because someone else doesn't like it, then they come down on you will full force.
Just imagine if Linux was as dominant as Microsoft products are, we'd see an article a day about Linux and the coders being hounded to death about everything imaginable. You know that to be true.
You cannot legislate everything, unless you're living in a dictatorship or a communist regime. Think before you speak, it'll keep you from looking like an ass.
Nobody would do software development except companies that can afford massive liability insurance. Experts don't even agree on whether it is theoretically possible to guarantee that code is bug-free. Software liability is an attempt to milk money out of the inevitable. Bugs happen. Kids fall off tricycles. Coffee is hot. The last thing I want to see is for the litigation industry to grow in yet another direction at everyone else's expense.
It's like this... If there is no money to extract you can't get a lawyer to proceed with a liability lawsuit anyway.
That would pretty much make this an issue for corporations or rich people who sell their software (open or closed source)
In the case of corporations the individual developers are producing "works-for-hire" which are sold and distributed by the corporation. I think it would be a far stretch to imagine the developers of the software could be sued directly.
Firestone's engineers didn't get sued, Firestone did.
As a twenty-year veteran of commercial software development I think some pressure on some of these shoddy corporations to produce reasonably bug-free code might actually help improve the lives of developers.
Developers are often forced to push unfinished software out the door under duress so sleazy companies can begin slopping at the trough of ill-gained profit.
I'm all for product liability laws being applied to software distributed by commercial for-profit entities unless the customer has waived those rights in advance.
But you're right, I guess people don't actually ever get sued for people falling down and hurting themselves on slippery sidewalks in front of businesses ("accident", you cry) or getting burned by a cup of McDonalds coffee ("accident" you merrily chirp again).
Oh, wait; they do! For millions even!
Let's say MS buys some code from a small competing company. MS runs the code and it crashes one of their servers and causes some minor damage. MS then, using these new laws about accountability, sends its massive legal department after the small competing company. The small company, having no finances to put up against MS, will cease to exist.
Sure the new laws of accountability sound nice but it takes money to enforce them.
Outdoor digital photography, mostly in New Engl
Just where exactly is all this free beer everyone talks about? I have looked and looked and all the beer I find costs money!!! So, does "free as in beer" mean "free as in it costs money but is available in the grocery store" (liquor can't be sold in stores in this state)? Or is it "free in that if you run fast enough you might not get caught and serve time"? Inquiring minds want to know what exactly is meant by "Free as in beer"?!?!?
NR
It's so simple: If you don't like crappy software, Just Say No. Don't buy it, don't use it.
Is "Just Say No" not an option (e.g. MS monopoly)? Then there's your problem; fix that. Until then, keep your lawyers off my computer.
There's some magic point along the cost/quality somewhere in between Microsoft and NASA, and people can find the right point for themselves, if they are free. The current situation may be funnelling people toward one extreme, but software liability (even in cases where the customer doesn't want to pay for it) will just funnel everyone toward the other. We don't need that.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
So, you could change it... but you'd need to make a new CPU, new controllers, rewrite virtual memory... it'd be a lot of work.
I don't know if it would be more or less effort to do that than it would be for sloppy programmers to stop writing code that's vulnerable to buffer overflows.
Those who fail to understand communication protocols, are doomed to repeat them over port 80.
Not Meta-modding due to apathy.
This is BS. If I make a program, then decide that I will allow you to use it, I shouldn't be responsible for it. No one is forcing you to use sh*tty products. If you aren't happy with the security of a product, don't use it.
Time for your daily dose of Open Source Heresy...
All commercial software should be warranted. [gasp!]
I am not advocating a law demanding such warranties; rather, I am advocating that software companies stop committing fraud by marketing products while simultaneously disclaiming merchantability.
If I buy a refrigerator and it does not keep my food cold I can return it and get my money back. If the manufacturer won't refund my money I can sue. If this same refrigerator explodes causing material damage to my home and my health, I can sue for major bucks. But not so with software. They all have this little warranty disclaimer saying if the product even *intentionally* kills my dog I am S.O.L.
Before you all get your panties in a bind, please note that I said "commercial" software. Noncommercial software is a completely different matter.
"But no one would want to contribute to Open Source if they could get sued." Bullshit. No one but the seller gets sued. YOU are not the one selling the software. Remember when Odwalla got sued for tainted apple juice? It was Odwalla, the seller of the apple juice, that got sued, and not the Odwalla employees, or the apple growers, or the fertilizer salesmen selling manure to the apple growers, or the cattlemen selling manure to the fertilizer salesmen selling fertilizer to the apple growers, etc.
Now before all the libertarians and free marketeers jump all over me, let me stress again that this is a *fraud* issue. A company that sells a product is asserting that the product is fit to be sold. This is known as merchantability. It's the cornerstone of the US Commercial Code, and much of Western Civilization's common law. Any disclaimers of merchantability need to be made explicit to the consumer before purchase. Hiding them in fine print on the bottom of the box, or God forbid inside the box itself, is fraudulent.
Every other product on the store shelves is assumed to be fit to sell, EXCEPT for software. This is stupid. This needs to be changed. All warranty disclaimers for commercial products should be null and void unless they are written in three foot high blinking neon lights.
A Government Is a Body of People, Usually Notably Ungoverned
I guess if these lawsuits become common, it won't totally destroy the software industry and put programmers out on the street and all that. It'll just make programmers envy doctors, school administrators, and all those other individuals who live every day in fear of getting sued. But hey, the U.S. court system is buried in malpractice cases, class-actions, divorces, (criminal proceedings), you name it. A little more couldn't possibly hurt.
Oh, another thing. If you think small software publishers have difficulty competing with Microsoft now, just wait for "software liability legislation" to pass. Ah, progress.
In Tort law, people are all held to some normative standard of "due care" in all of their interactions with other people regardless of the context. If a person's failure to exercise said normative level of due care causes harm to another, they are liable for damages, plain and simple. Even in war, where the purpose is to kill others, there exist normative standards, transgression of which turns warriors into war criminals.
The McDonalds coffee lady got her money because 12 jurors felt that McDonalds didn't meet the standard of due care with regard to the temperature at which reasonable people serve coffee. If you decided to show your contempt for normative standards of urban foot travel by running blindfolded up and down city streets until you collided with someone, sending them tumbling to the ground and injuring them, legally you'd be liable. No less a legal mind than Oliver Wendell Holmes wrote "If, for instance, a man is born hasty and awkward, is always having accidents and hurting himself or his neighbors ... his slips are no less troublesome to his neighbors than if they sprang from guilty neglect." So AS I SAID BEFORE, even incompetence is no excuse.
Because of standard warranty disclaimers in software, software developers are among the only people for whom no violation of normative standards of due care are enough to trigger liability.
I can understand how anonymous trolls might not feel bound by normative standards of society; most reasonable and thoughtful people in this forum, however, can probably concede that some liability, properly crafted to offer balanced protection to consumers and producers of software products, whether free or proprietary, is at least as morally justified and necessary as standards for hot caffeinated beverages.
Keep the government out of the technology business; it will only come back to haunt you. Do you really want some bureaucrats who are puppets for Gates, McNealy, and Ellison defining processes only they could afford to follow? I would rather see a standards organization with a logo that only vendors who build and maintain software to their definition can use. Advertise so the public knows software with this logo is built and maintained to an acceptable standard. Educate the public so they look for this logo when buying software. That will make the logo important so companies want to comply.
BTW, the Holmes quote is from Common Law. Thank God for Project Gutenberg.
The friend's lack of liability comes from his lack of negligence, not his lack of profit. He might be held liable if he knew it was defective, or if it had been on the news for months that the empty lot he'd taken it from was full of cars that explode, or if the reason he gave it to me was because he didn't like the overwhelming stench of gas fumes that mysteriously appeared every time he drove it...
This is where I'd usually say "you get the point," except it's clear you don't.
http://www.google.ca/search?q=space+computer+failure&hl=en
(search: space computer failure)
Gives at least this result: http://www.cnn.com/TECH/space/9806/01/mir.compute
Which, although it neither references Windows NT nor concerns a shuttle (it was on Mir), is an equally valid example of software failures jeopardizing human life in space.
Regarding the failure on the Space Shuttle, I similarly cannot find references for it. I remember it quite clearly (which does not make it an infallible statement by any stretch, though), but references for it I cannot find at this time.
Hope that helps.
You missed my pet SW quality issue: Modular Testing. Simply put, it's very difficult to test a module thoroughly when it's part of a large program. Getting the program to take a submodule through its entire range of functionality is difficult enough. It is generally impossible to try every combination of operating modes for all of the program's modules. The way around this is to test the modules stand-alone (in addition to full-program tests).
I am an electrical engineer working in the networking field. The group that I head just released for fabrication a large (~100 million transistors) ASIC (Application Specific Integrated Circuit). There is no way that a device of this size could have been adequately tested by simulating the whole chip. Standard practice in the chip industry is to break the code down into relatively small modules with simple, easily understood, and easily verified interfaces. This usually allows us to get 100% test coverage. It's not a perfect system and bugs do occasionally slip through. However, the relative quality of chips compared to most software products I work with is very high.
For a more extreme example, consider the Space Shuttle. AFAIK, it's the only launcher ever to have put humans into space without a single full-up system test. Would you want to be sitting in the cabin of the first shuttle if you didn't have the knowledge that every component had been tested as thoroughly as possible?
I'm not suggesting that all software be developed as is done in the space program or even chip development. Basically, it comes down to a tradeoff between reliability and development cost. However, it seems to me that a lot of the software problems we live with every day are a result of failure of SW development groups to address the problems and just plain laziness (as opposed to any meaningful tradeoff analysis).
SCSG
The whole idea is wrong at a fundamental level. The problem lies in inadequate software. The proposed solution here is to throw legal wetware at security holes. The real answer is to educate users so that they can make intelligent choices about software use. As for legal liability, I think it should be left up to the contract: if an educated customer is willing to waive the right to sue Linus, he should be allowed to.
Now if I distribute a web server, and I either
- know it contains a buffer overflow which can result in a remote root exploit, and don't fix it
- think that since I'm giving it away, I don't have to be bothered to check for common code errors that are well known sources of exploits
Then it can (and should) be argued that I have failed to show consumers of my software "due care", have been negligent, and am therefore liable for damages -- ASSUMING that damage results from the vulnerabilities! I need to let this thread die before I have a stroke!
I've been working in 3rd level support at a PC vendor for a while, and my experience tells me that the thing runs like this:
Customer is reporting a problem and complains a lot and of course wants money for the trouble he got. We even got customers that wanted to get paid for the work of flashing a BIOS.
Companies are not happy to give customers money. So they need to be forced. But the problem is that you need very strong evidence that it is really the fault of the company that you're in trouble. Unfortunately your product is not made by only one company; it's more like this:
- The hardware is from Compaq, Dell or whoever
- The operating system is, let's say, Windows 2000 from Microsoft
- The network is based on Novell
- And your office suite is from Lotus/IBM
Now you run into trouble. What's the cause?
- Could be a hardware problem. I know that there are bugs in every hardware and sometimes the BIOS does a workaround for those bugs. But if your hardware vendor gives you a workaround in the BIOS it's not because he's the guilty one; sometimes 3rd party PCI cards can cause trouble and that can be fixed by the BIOS. So the hardware vendor will state "that is a software problem".
- Could be a bug in the operating system. Can you prove it? Whatever you tell them, Microsoft can show you a lot of systems where it works fine in the same situation. So they will tell you that it's not the fault of Microsoft and you should go to the hardware vendor or to Novell or IBM to get a fixed version of the "3rd party software".
- Novell and IBM will do the same. Nobody will take the blame, especially not if there is the risk that you have to pay for the damage.
The usual home user won't be able to pay for a lawsuit to get his damage paid. Practical example: Here in Germany (where I live) you can easily get a new dial up network connection installed when you surf on some sites. The bad thing is that those numbers are charging you up to 900 Euro per connection. If such a shit happens, you could try and sue Microsoft because their product is not preventing such a hostile attack. But they will tell you that you acknowledged the installation and it's your fault. Are you in the condition to fight a lawsuit with Microsoft after your phone bill has eaten up your income? If you are a company user you have better cards. Especially big companies get their support because no vendor wants to lose a customer that buys 10000+ of his product every year. But you won't get paid for your damage, and so the support crew will try to find a solution that proves that they are not guilty and it's just a combination of "bad factors". So if you want to be paid for the damage you will have to fight a lawsuit, and at the end probably nobody wins because you are not able to prove that one of the vendors is guilty.
And really don't forget that most of the problems reported are only existing between keyboard and chair. And that many of those users are not even able to tell you what their problem is.
So I think that software liability would be great if you have the chance to prove whose fault it is when there is a problem. But especially with closed source, NDAs and secrets about bugs in every company you won't be able to do that.
In this case the agency should have tested whether NT was suitable for mission critical purpose or not. If NT was chosen because M$ convinced them that it is safe, then M$ should be liable, otherwise it's the agency's fault.
What? He/she never mentioned the issue of Firestone tires exploding and causing death. He said that Firestone makes their tires to go on cars and tests them for that purpose. Then he said that if you used one as a swing and then it broke and you fell and hurt yourself, it wouldn't be fair to sue Firestone because you were using the tire for a purpose that it was not intended for. Firestone doesn't take the safety of tire swings into account when creating their tires. (Please read what someone says before saying it's silly.)
Then he/she stated that with software this is impossible. You don't know what your customers are going to do with it, so there is no way to assure that in all situations and under all hardware your product is going to be perfect. Therefore, and I agree, this proposal is gay (meaning stupid, not homosexual).
Why are people who should know better pushing this?
It's not going to hurt Microsoft. They have the financial resources to survive this. However, it does mean the end of the software industry ... open source included - nobody will use open source because of the legal liability problem.
If legislation like this is adopted it will simply raise the barrier to entry into the software industry.
Expect to see Microsoft strongly supporting these measures soon.
Code has to be run before any bugs in the code can manifest themselves. The bugs only turn into damage when the code is deployed. In addition, the same code in another deployment might not cause any damage. Therefore, you cannot hold a programmer responsible for bugs. You can only hold him liable for damages done through bugs.
When software bugs cause damage, that implies the software was being run, probably doing something useful, perhaps operating on valuable data. The software breaks *because* it is part of a workflow, part of a system.
This is when you can hold liable the person that sold you the *system*. Some people, notably IBM, will do this.
HOWEVER, if you download and install applications willy-nilly, and play games, and don't reboot properly, and thus proceed to *construct your own system*, then *you* are liable.
What people do not realize, is that by dragging icons and windows across the screen, they are picking the fruits of over 40 years of work by other programmers, who made programming a computer as easy as dragging icons and windows across the screen.
Pushin' 'n dealin', shovin' 'n stealin'
I have no idea how this would be implemented. It seems to me what is needed is some sort of security rating system/standard. Let's say it runs from level 1 to level 5 where level 1 is "use at your own risk" and level 5 is "bullet proof". I don't know who would oversee this (Comptia?) but it would at least give the consumer some idea of what they were dealing with. That would leave room for uncertified software. (Again, use at your own risk.)
Recall that an American Destroyer was rendered dead in the water as a result of NT crashes and space shuttle missions rendered write-offs because of NT crashes. Not to pick on NT, but these are cases where lives did depend upon software. Death is just an example of liability
And if they used linux, and the same thing happened, the developers shouldn't be responsible......why?
First, it wasn't Linux, it was NT.
Second, NT was a purchased product, so money was exchanged for software architecture, engineering and development. The liability would be different if no monetary exchange was made.
Third, if it was Linux, then the agency would be capable of fixing the problem internally, on the fly. A software systems expert can fix any problem, save hardware, with enough experience or training, on an open system.
Fourth, as I said, that was not a post about NT, it just so happened that the most fruitful examples involved NT, so I used them. There are several excellent posts regarding why developer liability of free & open software is posited onto the user in that the user can fix it, has not entered into a commercial contract, and the user has not just the option but the incentive to fix problems, should they encounter them and will them away.