Liability and Computer Security
Pelerin writes "In the latest Crypto-Gram, Bruce Schneier has written an interesting essay with some thoughts about the current lack of business incentives for the deployment and production of more secure software. His main recommendation/prediction is this: "Step one: enforce liabilities. This is essential. Today [...] the marketplace rewards low quality. More precisely, it rewards early releases at the expense of almost all quality. If we expect CEOs to spend significant resources on security -- especially the security of their customers -- they must be liable for mishandling their customers' data. If we expect software vendors to reduce features, lengthen development cycles, and invest in secure software development processes, they must be liable for security vulnerabilities in their products." Schneier's five-step plan for thinking about security is also good.
Pelerin continues: "All well and good, but this raises some questions in the case of a company offering security solutions based on open source / free software.
- Where does the chain of liability end? Can somebody attempt to recover damages from Linus when a kernel security hole shows up?
- Can a case be made for lower insurance rates for free software solutions? (I mean, can it be made to the accountants and the lawyers, not the techies).
- When liability enters the picture, which mechanisms can allow free software to compete based on its merits, not on the likelihood of surviving a liability lawsuit?
That's interesting, but I still say that the user is solely liable for his data. I don't fully trust third-party encryption because anyone could have a master key or a back door, no one knows for sure what interests all go into things like this. The only safe way is to use your own homemade ciphers, assuming that you're not a total idiot.
Calm down, it's *only* ones and zeroes.
Fortunately, the GPL licenses state that this is distributed under no warranty of any kind, which might provide some legal relief. If this were legislated around it could be a MAJOR blow to the free software community - if you can be held liable for your code fucking someone's computer up, that's a BIG incentive for little freelance coders to give up - Microsoft can pay the legal fees and out-of-court settlements - I cannot.
Chris
The problem with liability is that your financial risk now becomes proportional to your success. While the model sounds good, one bad security error could potentially put the software provider out of business from the lawsuits, which would also leave hanging the people still using the software. The only time a company should be held liable is when the bug or security problem was intentionally left in (they would have had to take out a feature to fix it), and even then it's not a clear-cut issue. The only other time is when an incident happens at a time when the company has the fix but did not distribute it for some reason (i.e. marketing wanted to make the installer a different colour).
I stole this Sig
make software quality known and let the free market adjust for it. If you try to punish software makers for their bugs/security holes beyond this, you'll really put a damper on the industry. The free market is your friend.
I hate to be naive here (but I am)... why do we need MORE laws to control us? What about those magic fingers of the markets? ...you know -- the ones that are supposed to push products toward what people demand.
It's not clear to me that legislating software through increased liability is the best way to get security.
Thoughts?
The argument for manufacturer liability can be extended to be applied toward gun manufacturers. Just because a gun can be used to kill someone, doesn't mean the manufacturer should be held liable for the wrongful death. The lack of common sense present in the user should not be cause to pass the blame onto someone else.
By making software makers liable for security holes in their programs, you kill free and low-cost software. Nobody smaller than a large corporation would dare releasing networking software, out of fear that they'd be sued for millions in damages caused by a tiny bug.
"A company doesn't buy security for its warehouse -- strong locks, window bars, or an alarm system -- because it makes it feel safe. It buys that security because its insurance rates go down. The same thing will hold true for computer security. Once enough policies are being written, insurance companies will start charging different premiums for different levels of security. Even without legislated liability, the CEO will start noticing how his insurance rates change. And once the CEO starts buying security products based on his insurance premiums, the insurance industry will wield enormous power in the marketplace. They will determine which security products are ubiquitous, and which are ignored. And since the insurance companies pay for the actual liability, they have a great incentive to be rational about risk analysis and the effectiveness of security products. And software companies will take notice, and will increase security in order to make the insurance for their products affordable. "
Could you imagine if the corporation you own was charged more for liability insurance because you used the current version of IIS? It's so sad it's funny. If this wouldn't make Microsoft or Company X clean up their act I can't imagine what would, other than the ethics of it :)
Personally I work in healthcare so if my crap's not together I am going to jail. Too bad there's not HIPAA for everyone.
...you're just going to end up with a swarm of lawyers invading the software industry, looking for anyone to sue.
And the hardest hit will be the small and free software developers.
Honestly it looks like the _best_ way to make big companies serious about software quality is to get the press on your side. A few high-profile MS security holes and what do they do? Launch a major internal initiative and rewrite IIS from scratch. If they continue to have holes after this, you can bet the press will be right there to grill them for it.
Why do with lawyers what the free press and word of mouth can do better, faster, and cheaper?
I don't recommend that everyone should employ the strongest security tactics at their companies. There is no incentive....in the end nor should they. What does producing an ultra-secure environment do to the bottom line? What does it do for society? What does it do for your customers? Absolutely NOTHING !!!!!
Security is about due diligence, not being paranoid. If there are huge patches that need to be employed then do it. If there are basic steps that can be employed without reducing productivity or quality then do it.
Security is about due diligence, not being secure.
If you read a license, any license, it basically states that you use the enclosed software "at risk", meaning you can't sue if something, anything, goes wrong. Including data corruption, script kiddie 0wn@g3, etc. What he's proposing is getting rid of that. Fine, now Microsoft is liable for NT vulns, but you can't basically throw MS licensing rules out the window and leave BSD and GPL intact. So then the "As Is" portions of the Open licenses have to go, too.
Why not hold Network Admins responsible for problems on their networks? I am a network admin, and if some kid got in and stole a database from one of my employers, compromising customers, I would expect to take the full heat for it. In the back of my mind I'd be saying "F*** Microsoft and their buggy-ass code", but I would know it was my fault for allowing it to happen.
This is no solution. What's the estimated cost of Nimda so far? Code Red? SadminD? Melissa? I love you? all the other outlook worms?
The cost of lawsuits from just these AUTOMATED attacks would cripple even Microsoft. Not to mention the CDUniverses of the, er, Universe.
Software authors need these clauses for a reason; if they didn't have them there, they might as well go start a farming commune instead because it wouldn't be worth it to code anymore.
Free Software authors would then also have to specify under which conditions they would ALLOW their software to be run. Otherwise some schmuck could install some .01a version of code that some guy wrote on his weekend off as a proof of concept on their primary webserver, immediately get hacked, and sue Joe Programmer into the stone age.
Nice idea, just to tweak MS, but I don't like the way it would play out.
I like music
Alright, let's start making software producers liable. But how exactly are we going to enforce it? There is no such thing as perfect software once you get past certain limits in complexity. Who will say if the software producer has done a reasonable job or not when securing the product?
As countless examples in the US legal history tell us, this problem will most probably be solved by creating a set of (rather stupid) arbitrary rules that software makers must follow.
Consider this example: US government institutions may only use software that meets certain accessibility standards (e.g. you have to be able to increase the font size, display stuff in high-contrast mode etc.) The only company that has resources to make its software compliant with these rules at the moment is Microsoft, it is just too expensive for others.
Now what makes anyone think it would be any different with these security requirements? The rules will probably be something like "all financial transactions must use SSL" or "passwords must be encrypted with 128-bit keys" or something like that. But the reason behind most security holes today is not so much insecure protocols or insufficient key lengths but invalid assumptions between different components in complex software. And no law is ever going to take care of this problem.
When men used to be men
Unless there was some way to enforce this for software companies around the world, this won't work. No government will handicap their own country's software companies by making them delay product releases. The masses will buy whatever is out first, putting those security-conscious companies at a competitive disadvantage, since software companies outside the country could simply beat them to the markets.
--
Luck is just skill you didn't know you had.
I think this is bs. The user is responsible. No one is forcing them to use insecure software. If they choose to, then it is their problem.
Liability is the reason that the Broadcast 2000 project was removed from public access, which is a tragedy because I'm sure tons of people could benefit from their free software. From their web site:
Theirs isn't a security issue, but it's still very relevant as they are acting out of the fear of being held liable for what they were offering for free. That is really sad.
Security issues are deep-rooted, and most definitely can't be solved by nullifying the liability clause in licenses.
putfwd.com - 1GB Free file storage with a twist
Schneier is smart and knows a lot, but this is a stupid idea.
sulli
RTFJ.
just look at all of the security updates.
Algorithm:
foreach (@msft_bug) { pay $_ and wait };
foreach (@competitors_bug) { they_pay $_ or go belly_up };
negotiate any class_action_suit ( "just like tobacco companies did" => increase price if (you_can_cite_extra_liabilities));
expand kitty;
wait and see everyone vanish "like fleas";
If we expect software vendors to reduce features, lengthen development cycles, and invest in secure software development processes, they must be liable for security vulnerabilities in their products.
The simple fact is, customers do not want software that has reduced features and is more expensive. The customer wants cheap software that is slightly secure and feature-full. If a customer wants secure software, then there are alternatives (Linux, BSD, contract a programmer to create a secure program...)
If the government begins to practice software liability, then they are essentially telling the customer what she wants. The government does not know what the customer wants; the customer knows what the customer wants.
The problems caused by insecure and misapplied software can be partly attributed to failures by software vendors, but I don't think it's realistic to insist that Microsoft be held liable for its bugs. For one thing, this would make it legally impossible to disclaim warranty over software... which would expose many open-source developers and hobby programmers to lawsuits for code they've posted to the public.
For another thing, many of the security problems that exist (as the article points out) stem from improper configuration and use of a software product. If I buy something from CheckPoint, and accidentally leave myself wide open while installing it because I'm too cheap to hire a real firewall jockey to do it right, how is that CheckPoint's fault? And if we don't hold vendors responsible for these misconfigurations, the "sue the vendors" fix doesn't solve this part of the problem at all.
As an alternative, think about holding the person or company who deploys insecure products, or deploys secure products incorrectly, responsible for the damage caused. If some virus emerges that roots your webserver and uses it to DoS me, it's your fault that I'm losing traffic. This puts the incentive to fix insecure configurations in the hands of the people who are closest to the problem.
Additionally, holding users responsible will tend to breed better security products. If a company realizes that it can be sued when its machines are compromised by ILOVEYOU and harming others' property, it will have a strong incentive to be selective and careful when purchasing and installing security measures. The guys selling IIS will have to clean up their act, or face a complete lack of customer interest.
Liability and Computer Security: Nine Principles by Ross J Anderson can be found here (PDF).
The HTML version can be found here.
--Metrollica
I have some interesting (+1 interesting worthy!) ideas about the whole thing. First, instead of either blaming the company or the person, look at the circumstances. I realize that can't just shut down their entire network to patch everything, but it should be their risk if they choose not to. I also realize that shouldn't release obviously shitty software to make a profit, and then patch it into maturity. If has installed all their patches like a good , and they still get hacked and damaged somehow due to an obvious bug for which there is no patch, they should be entitled to some kind of compensation from . Not full compensation, but at least enough to give incentive to fix the gaping hole in their software.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
"Today [...] the marketplace rewards low quality. More precisely, it rewards early releases at the expense of almost all quality."
Was he thinking of Windows XP when he wrote this?
Anyhoo, I agree with him about the ineffective airline security measures after September 11. If someone wanted to get on a plane and run it into some building, soldiers in terminals and having guards check for tickets at the gate won't stop them. If they really felt like doing so, I don't think spending the $200-whatever for a ticket is going to deter them. I think it's just there for looks. (they confiscate nail clippers for crying out loud)
Why yes I am paranoid! Thanks for asking!
"The costs of ignoring security and getting hacked are small: the possibility of bad press and angry customers, maybe some network downtime, none of which is permanent. And there's some regulatory pressure, from audits or lawsuits, that add additional costs. The result: a smart organization does what everyone else does, and no more."
I don't understand. If the cost of having no security is so low then liability won't change anything. Why get security insurance if you can easily swallow the cost of getting hacked?
It seems like the real problem is that security doesn't matter that much to most companies. If it did they would work hard to protect their bottom line by finding secure software. Liability won't significantly change this.
An engineer can guarantee a bridge to fail at specific loads ... can the state of software engineering claim the same for a piece of software? Even design-by-contract software like Eiffel is no security blanket when used by the wrong hands or with incomplete specifications (cf. the rocket that blew up due to the engine being calibrated for a different flight mode).
... :-(
We are still in the dark ages as far as software liability goes
LL
What if a software company were to change its license such that it WOULD assume liability? Granted, it would probably need insurance of some kind, but how much more comfortable would a purchaser of this hypothetical company's software be if it had somebody to sue?
Let the free market speak - Once a company is confident enough in its product to offer a warranty, the rest will follow.
This proposal sounds to me like proposing Ford Motors be liable for Fords crashing... which is not the way that works, and everyone knows why. The operator makes a big difference.
Not that "common best practice" insurance for security liability wouldn't be a bad thing - it's so much easier to cost justify "running this will take our insurance premiums up $x" than it is to say "running this will increase our risk of Something Bad Happening some unknown percentage." But it's the operators that bear that cost, not the manufacturers.
If you wanna run that FlashyRedSportscar 1.0 software that makes it more likely you hit a wall at 140 MPH - your risk, your call. Providing FlashyRedSportscar Software, Inc. was diligent in its processes, they shouldn't have to hire lawyers when you meet the wall.
"Consider yourself a member of a virtual corporation with Mr. Torvalds as your Chief Executive Officer." - Linux Advocac
This insurance will get much cheaper if you use good systems and have the required competence to make them secure.
Some problems will have to be resolved by the legal community:
The last point is important, since you are only responsible for problems caused by your equipment, as long as they are not due to some criminal action by somebody else that you could not easily detect.
To stay with the car analogy: If somebody sabotages your brakes in a way you don't notice until they stop working, accidents that result may not be your responsibility.
An additional point: While a car manufacturer has certain responsibilities, not everything that can go wrong is their responsibility. Only things they claim or are required by law to claim have to be backed up by their product. If you hit a tree because you don't know how to drive or if you start sliding on ice, that is certainly not the manufacturer's fault.
In the case of software this gets a little more complicated, as there is no "unit" of software. My feeling is that Manufacturers will not face legal requirements for characteristics their software will need to have, because such characteristics might be impossible to specify (not saying people will not try). Instead I think that cheap "computer operation insurance" will only be available for products where either the Manufacturer takes legal responsibility for some characteristics of the product or where the insurance companies have a strong indication that the piece of software has these characteristics.
I also think that Computer Scientists and other people that produce code and systems will have to have a kind of "Malpractice Insurance" whenever they commercially create code for others.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted and ignored otherwise.
OpenBSD & Qmail are examples of insecure freeware. But isn't OpenBSD exhaustively audited with many sections rewritten to eliminate security bugs probably spotted before ever being exploited? Doesn't Dan Bernstein write rock solid secure code in packages like Qmail and DJBDNS? The answer to both of those questions is a definite yes. The problem isn't that these things are made insecure, which is not the case at all. The problem is that the end user, or the system administrator, too easily can make things insecure by even the simplest mistake in configuration.
I'd love to have secure programs as much as anyone, and OpenBSD and Qmail certainly show that some of that is available now. But when I choose what software I will install, I have to do more than just choose what is securely written; I have to balance development security against administrative security. Certainly hiring more skilled administrators can improve security. But if the software is harder to configure and manage, then it either takes more administrator time, skill, and attention, for a given level of result. To that end, one of the important factors I judge software by is how easily it can be configured.
Close to that is another factor measuring how easily a given package can be hacked to correct a bug, or change a feature, if needed. If the code is well written, well documented, and clearly organized, the time it takes to hack it, and the certainty of hacking it correctly, is improved.
For any given package, there will be some people more experienced with that one than others, and so this isn't always a clear cut decision. I made the choice to go with Linux and Postfix, instead of the other choices. But this decision suited my needs, balancing reasonably secure software and reasonably secure adaptability to my environment (including programming and administrative skills). It won't be the same choice for everyone. And there are cases I've recommended software I don't actually use because it better suited someone else's different circumstances (fortunately I was at least reasonably familiar with it from evaluation to know its specifics). For example, if you have no need to change anything, I'd say OpenBSD would be the best choice for a combo firewall and server (just don't let anyone touch it ... a console is a dangerous thing).
Now here's the rub. What if someone does install OpenBSD and/or Qmail, and after they configure them, some kid breaks in and takes the machine for a ride? Are we going to blame Theo and Dan? I wouldn't, because I've seen way too many administrator mistakes (and learned from the ones I've made) to be putting the blame on the software. My big worry is that if we start pointing the liability finger at the software vendor, they're going to end up taking the heat way way more than they should be.
The OpenBSD and Qmail development people, as far as I know, fess up to their bugs, especially the security bugs, and let people know when a hole is found. If we are going to have software liability, I think that a practice of consistently divulging known vulnerabilities should be considered a safe-harbor from the liability, even for bugs that got exploited before the developers were aware. It's the practice of covering up on the vulnerabilities that I despise. That's where the liability should be.
The legal test should be whether the software vendor has carried out a consistent practice of immediately divulging (if not to the whole public, then at least to all their customers) the existence of the vulnerability, even if they don't have a fix for it yet. I'd rather take a web site down for a day if it is discovered to be insecure, while waiting to get it fixed. Of course open source is a plus here, as I can dig in and hack up a fix or work around myself, even if it's just a quick and dirty one (like a grossly oversized malloc with some randomizing, for buffer overflows, to ride out a few days until a proper fix is available). And this means all customers, not just a few privileged big corporate customers.
now we need to go OSS in diesel cars
This raises an interesting way in which the closed source/open source battleground could be leveled somewhat, and could bring computer software up to the level of quality we expect from other engineered products. Would we cross bridges if they BSOD'ed while we were on them, killing us? I think not.
What the government needs to do is enact legislation that ties source code to a company's liability for the damage their software causes in case of failure. If a company releases its code with its products, then exempt them from liability; the customer has the code and could fix it if they wanted to. But, for companies that choose not to release their code, make them liable for their shoddy product. After all, what they're selling us is *supposed* to be complete and usable, and if they're not going to put their customers in a position where they can fix problems with a product themselves, then the closed source software company should pay.
This would even be a positive situation for the closed software companies in the long run, as the liability that they are selling along with their product is yet another feature their software can claim. This could one day end up being the competitive point between open source and closed source: open source = a gamble for your company, but a cheaper product, closed source = guaranteed to work by the producer at extra cost.
Either way, something has to be done.
Is it practical to guarantee that extremely large systems are error-free? For little programs all you need is a few test cases and you've basically covered every set of circumstances. I would imagine a modern operating system is a different story.
I think software companies should take reasonable steps to ensure that their software is secure, and they should design their software with security in mind from day one. However, I don't think companies should be held liable for flaws unless those flaws are the result of negligence.
irb(main):001:0>
As it stands, just about every software license and EULA out there says that the software is not certified to be fit for any purpose, that unexpected results may vary and that they are not responsible for damages resulting from the use of the software.
To me that's a huge load. As far as software is concerned, we're still selling snake oil and living in the old west. There's a lot of buyer beware which is why I support trial-warez.
On the other hand, open source software is almost always considered "a work in progress" that seemingly never completes. That's just a given. But when a commercial product is released, there's a sense of finality involved. This is version 1.0 and any newer version will cost you money.
To me, once you exchange money and acquire a product, there is a moral responsibility on the supplier's part to guarantee the work in some way. I hate to use physical world analogies and so I won't go into detail. But imagine if the same sort of agreement went into the purchase of cars?
There is a huge difference between a publicly contributed free work and one that is licensed (not sold) to a user for a given purpose. This game of "I want your money but not the liability" is a load of attorney crap. If you're a professional, be prepared to behave like a professional.
In any case, I think I'll go into business as a brain surgeon and make people sign agreements that say I'm not useful for any particular purpose, am not responsible for my actions, and any additional surgical procedures resulting from my accidentally leaving my tools inside the patient's body is an undocumented feature and not an error on my part.
This is what will happen to software if similar laws are applied to software.
...just jack up the price to include your liability insurance.
Common aspects of liability are not really significant. Every company pushes its product as soon as it's barely working; these products are being pushed untested (or barely tested). One of the greatest examples is Microsoft, which pushes products that surely contain security holes. One point of view is that these security holes benefit the company to spy easily on users' actions, the other one is lack of testing.
Trouble of liability is that everybody expects greater liability of GPL products than proprietary ones. Usually OOS is more secure and more tested, but to expect liability of product that's is insane. (at least as long as Microsoft's clause about 0.5$ is valid)
In all of my cases that involved security or patches, I get much better support from OOS projects than proprietary ones. For instance contacting Corel or Microsoft is quite painful; either they don't have a patch, don't know, or in the worst case they don't even know that a patch for the solution already exists.
If you take to consideration all of 5 points, what do you get?
1. Greater expectations of proprietary software (liability must be included, so I really don't know if Microsoft could push another project like IIS or IE; without the 0.5$ clause they'd be dead and buried in no time)
2. Attack on OOS, where people are giving software for free, but they are liable for that??? Don't know, but this is insane. OOS projects were always either well supported or they died, but in 99% of cases I felt I've got great support, either I got an answer or an explanation; in one case only I didn't get an answer and I didn't really bother, I just swapped to another one that supported my needs well.
So if you ask me liability was talked about too much. Talk rather about who should be liable and who should not be liable. This is a real question, not liability itself.
Signature Pro version 1.13.2-3 release 83.5 beta3try7 after-breakfast edition
Secure servers without back doors are for weenies. :)
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
A - Offering at no cost anything.
and
B - Paying for a product for a given purpose.
:) Distributing binaries, claiming that they do something, in exchange for money, is a totally different kettle of fish to Open Source.
I am sure you can expect very little legal comeback if someone gives you $product, and you lose a finger messing about trying to make it work. However if someone makes you pay leading you to believe their $product is suitable and safe, and you lose a finger due to a poorly designed product, Trading Standards & Consumer Protection laws can be used to sue the seller of $product for damages.
Free Software is given away, no money, no trade, therefore the performance expectation is zero - anything more is a bonus
Commercial software is sold, therefore assumed to be of a certain level of performance, usually "as advertised" - if a product fails to work as it should, or worse causes damage, the people making money should be liable, for sure.
Open Source Software surely must avoid such liability issues, since compilation is required before anything can be expected to work, e.g. "Here are some text files - I find they can produce a program which may carry out function X". Even with harsh software product liability laws, you could charge money for the source code, since it alone can do nothing without a careful process required by the user - the binaries produced are the user's responsibility
By not disclosing source code, companies take on the responsibility of making sure it works right. This should make them liable.
It's worth recalling that the proposed changes to UCITA (since only two states were dumb enough to immediately adopt the original model law) contains a truly incomprehensible couplet.
Commercial contract can waive all liability. I seem to recall that the "technical self-help" measures (which allows them to write software that actively damages your system if it thinks your license has lapsed) has been removed, but it still gives them broad rights to gag you when you try to report problems, to falsely claim others haven't reported problems, to falsely claim that the problem either doesn't really exist or has been fixed, etc. It can do all of this because you handed over hard cash and a bona fide contract exists. (I'm not so sure it's bona fide - a contract requires an *exchange* of items of value, and I don't see much value in this software.)
In contrast, free software isn't covered by a contract (since no money was exchanged) and UCITA explicitly requires that warranties apply.
This means that Microsoft (to pick a company at random), a company with billions of dollars in the bank and easily able to afford decent product testing, gets a free walk. Meanwhile Joe Sixpack, a professional programmer who released a simple "scratch my itch" program, can lose his house in legal fees defending himself even if he ultimately wins the court cases.
The commentators (UF law professors, working under the aegis of the ACM?) suggested that the voting delegates seemed indifferent to this indefensible state of affairs. Hopefully they'll either fix it, or the lawmakers in the various states will quickly realize that UCITA 2.0 is just as bad as the original.
But it's something that MUST be considered whenever we talk about the need for liability law to start applying in the software world. We can see the importance of having your own source code, but the people who would actually write the laws are still hearing from Microsoft et al, not us.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Lower Your Insurance Premiums: Use Linux. The article is here. I haven't seen any follow up news, but this is where product liability has the best potential to hurt MS: where the only way they can affect the true cost of their product is by releasing a product that works.
I spent a year in Iraq looking for WMD and all I found was this lousy sig.
And I know that was what the original article is trying to get across. You can treat the GPL'd/BSD'd stuff as some sort of non-profit entity and exempt them from the game. That would be great, but you can bet MS's PAC would bitch up a storm in DC about being singled out, even though they aren't, and try to get it applied to every piece of software there is.
People pay for GPL'd software every time they buy a distro of Linux; the burden in that case would probably fall on RedHat or SuSE or Mandrake, rather than the original authors, but the argument can be made. And if there's an argument to make, leave it to some shifty ambulance chaser to make it...
I like music
1. Then you wouldn't mind having a heart condition, and a pacemaker controlled "by Microsoft Corporation"
2. Where have you seen that? "Alice in wonderland"?
3. You gotta be working for M$ to say that.
4. No if it would be liability = damage * (price you paid / some factor)
5. That's the main intention
6. People just started to care
The person using the flawed application?
:) ) and there's one thing seriously pissing me off from Microsoft, not as a Linux zealot (I hate Linux in its current state to be honest) but as a customer who bought almost 6 digits of Microsoft software. They put so much on marketing, they put so much on presentation, they put so much in finding new ways of doing stuff, or clever ways to steal^H^H^H^H^H implement existing ideas, but GOD I *HATE* it when I see them claiming their OS is the most secure, GOD I HATE it when they say it's more reliable than any competitor OS, I hate it when there's a bug and I think it's me who is the problem and I find out it's an OS bug (but that I can live with). All this to say: If a vendor claims that his OS/software suite/product is more secure for marketing purposes, it SHOULD AUTOMATICALLY MAKE HIM RESPONSIBLE FOR *ANY* UNEXPECTED ARISING SECURITY ISSUES, ESPECIALLY THE MAJOR ONES.
the person creating the flawed application?
Follow me on this.
there are both sides for this, some people MIGHT want a less secure software (thus, a bit more rushed, thus less expensive) because of his specific application, why would his customers that don't request the features absorb the costs?
We could discuss this point and give out gray areas, and it could make an interesting debate, but it's 1am and I'll limit this to something plain and simple, and this is no Microsoft bashing karma whoring since I already topped the 50 limit.
Here goes: If you want the companies to be responsible for security flaws in their software, you have to first see if they do any misleading claims. Guess who comes to mind first? yes.. Microsoft. I don't run unix servers at work yet, I am exploring putting my email server on FreeBSD with postfix (which is kinda bitchy for a win2k guy that lost his unix/amiga side a long time ago
Look at how Nimda killed most servers and workstations running IIS, look at the freakin' time it took for this bastard to get off the net. Even MONTHS later I still had port 80 probing on my machine for god's sake; how many high-speed providers shut down incoming traffic on port 80? This was due to one serious SECURITY flaw and cost a lot of downtime and unexpected expenses.
Yes there are stupid admins that don't update their machines often. But let's be honest here, how many updates do you need for major flaws on IIS versus Apache for example? I run IIS as an intranet, so I can "forget to update", but if I ran it on the internet for example, how many updates a month would I have to do compared to Apache? A LOT more. I read both security lists out of curiosity, and the feeling I had about this was absolutely true. Too bad Apache doesn't have an IIS front-end and ease of use on win2k because I'm sure IIS would take an even bigger drop. I guess Microsoft will do something really good with IIS6 because they are probably feeling the heat right now.
Anyways, this is the reason why I will NEVER run my critical services such as DNS server or EMAIL on Microsoft software (I use the ISP's for now, considering moving locally). They rush their things out, and fix later, which is totally unacceptable, and forcing you to upgrade your browser instead of patching the bugs, and introducing new ones, etc... this is really becoming a serious issue. I wouldn't mind all this if they would at LEAST be honest about this, but no, they want to go the PR way and bullshit people about security compared to unix systems? Come on, I have yet to see a Nimda breaking loose on unix servers (this is only one example, let's not talk about Melissa or any others).
There aren't only negative sides to Microsoft software; Windows 2000 is the best OS I've ever used since my Amiga, it has its downsides, Amiga has its downsides too so nothing is perfect. Win2k server is great for a small business like mine and it's stable enough to do the job and I find IIS great for running my intranet. Well, IIS would probably be the only software I'd expose out to the internet (if it was a non-critical server), because it's simple, easy to manage, permissions set up pretty simply (for those of us who hate text files), but like a lot of people here, even if I find most Microsoft software simple and OK, I'd NEVER build a mission-critical solution on their product, I'd never run an "eBay" on IIS, I'd never be an ISP running my DNS services on win2k; some do, and some don't have many problems, but when they do have them, they can tell you what hell looks like.
So all this to say: If you want to sell stuff with no responsibilities attached to it because the people don't ask you for it or simply because of budget constraints, you can still be successful and fill a need, but if you LIE about it, in my book, you deserve to be punished, and severely. If you were turning blue and a doctor told you "it's nothing, just take two aspirins" and you died a few hours later, he'd get his career kissed goodbye; while business isn't necessarily life, you can mess up a LOT of lives if your business goes down because you miss a demo or your 20 programmers are down for 2 days because of a big virus attack and you need to rebuild all the servers and so on. I'm sure there's probably one example from a Slashdot reader who could say he missed a demo and financing because of a stupid issue like this (well this might be a bit stretched but you get the point); what about the lives of those employees? What about the total cost of all this downtime in the country?
Microsoft is quick to blame piracy for costing BILLIONS of $$$, but they are quick also to change the subject when we ask them how much THEY are costing the industry because of downtime or upgrades or patching. Again, I am not against Microsoft because I think they are still making great products, I am against their ATTITUDE towards the industry and all the false (or at least exaggerated) claims they are making; if I did 1/2 of this as a small business, I would kiss my career goodbye, so why would the US's icon be allowed to do this so blatantly?
--- Metamoderating abusive downgraders since my 300th post.
The problem is modifying applications to live within the limits of LOMAC-type security. Work is underway to make WU-FTPD work under LOMAC, but somebody needs to do Apache and a mail program.
If you work on any of those apps, read the LOMAC stuff and fix your apps to live within the LOMAC rules. This will do more for security than any amount of patching.
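The low-water-mark rule the post is talking about is easy to get wrong in a monolithic daemon, so here is a toy model of it, written for this page rather than taken from LOMAC or any of the projects named above. It uses only two integrity levels and invented object names (the socket, config, log and spool paths are assumptions for the illustration): a subject starts at HIGH, is demoted to the level of any lower-integrity object it reads, and is never allowed to write to an object above its own current level. The monolithic daemon reads the network and then cannot rewrite its own config; the privilege-separated version keeps the process that touches HIGH objects away from LOW input entirely.

```python
"""Toy model of the LOMAC low-water-mark integrity rule (added illustration,
not LOMAC's own code). Two levels only; object names are invented."""

HIGH, LOW = 2, 1


class IntegrityViolation(Exception):
    """Raised when a subject tries to write above its current level."""


class Obj:
    def __init__(self, name, level, data=""):
        self.name, self.level, self.data = name, level, data


class Subject:
    def __init__(self, name, level=HIGH):
        self.name, self.level = name, level
        self.events = []

    def read(self, obj):
        # Low-water-mark: reading lower-integrity data drags the subject down.
        if obj.level < self.level:
            self.events.append(f"{self.name}: demoted to {obj.level} by reading {obj.name}")
            self.level = obj.level
        return obj.data

    def write(self, obj, data):
        # No write-up: a demoted subject cannot touch higher-integrity objects.
        if obj.level > self.level:
            self.events.append(f"{self.name}: DENIED write to {obj.name}")
            raise IntegrityViolation(
                f"{self.name} (level {self.level}) -> {obj.name} (level {obj.level})")
        obj.data = data
        self.events.append(f"{self.name}: wrote {obj.name}")


def monolithic_daemon(socket, config, logfile):
    """One process handles the network and also rewrites its own config.
    The network read demotes it, so the later config write is denied."""
    d = Subject("daemon")
    request = d.read(socket)
    d.write(logfile, request)       # log is LOW: allowed after demotion
    d.write(config, "reloaded")     # config is HIGH: denied, raises
    return d.events


def split_daemon(socket, config, spool):
    """Privilege-separated design that lives within the rule: the
    network-facing worker only writes LOW objects; the trusted parent never
    reads anything LOW, so it keeps its level and may update config."""
    worker = Subject("worker")
    request = worker.read(socket)
    worker.write(spool, request)    # LOW -> LOW: allowed
    parent = Subject("parent")
    parent.write(config, "reloaded")  # HIGH -> HIGH: allowed
    return worker.events + parent.events


def demo():
    """Run both designs against the same (constructed) objects.
    Returns (monolithic_was_blocked, final_config_data, split_events)."""
    socket = Obj("tcp:25", LOW, "HELO attacker")      # constructed input
    config = Obj("/etc/mail.conf", HIGH)
    logfile = Obj("/var/log/mail.log", LOW)
    spool = Obj("/var/spool/incoming", LOW)
    try:
        monolithic_daemon(socket, config, logfile)
        blocked = False
    except IntegrityViolation:
        blocked = True
    events = split_daemon(socket, config, spool)
    return blocked, config.data, events


if __name__ == "__main__":
    for line in demo()[2]:
        print(line)
```

The point of the split is not that the worker is "more careful" but that it structurally cannot reach the HIGH objects once it has read network input; the real LOMAC policy has more levels and hooks the kernel's open/read/write paths, but the shape of the fix for Apache or a mail daemon is the same: separate the part that reads untrusted data from the part that needs to write trusted files.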
Consider the fact that if a vendor is forced to take liability for its Zapwicky Mark II. It uses some free software internally, this is known, nothing untoward is happening. The problem is the vendor is itself taking on liability for the free software. If I were making the decision on what to include in the distribution, that in itself would be reason to abandon the use of free software, and choose something proprietary so that if there were problems, liability can be "passed on".
Clearly, IANAL.
This would fuel the certification and standards industry and virtually stop all free software development, because nobody would use free software written by people without dozens of certificates who could not prove that they followed certain standards.
I say invest more in education and teach people about security.
I know that sometimes the only way to force businesses to improve quality of service is to hurt them where it hurts most, i.e. dig into their bank accounts, but the proposed solution would kill software development.
Not good.
Jacek Artymiak
freelance consultant and writer
master of many a page
This is no different than Ford making a car.
If Ford can be sued for making bad cars so can a software manufacturer be sued for making buggy software.
It's nothing strange or magical about that.
Just saying it like it are.
This would make software more expensive; you simply cannot have it for free. Period. So the only question is whether or not being able to hold the software producers liable is worth what it costs.
And the answer to that is entirely variable and conditional. If it costs (pulling a number out of my ass) $5000 extra for a machine that you only play games on, then it's not worth it; if it costs a million dollars for a machine that controls your water recycling on a year-long trip to Mars, it probably is.
And because it is sometimes worth it and sometimes not, it should be an option. Instead of making every programmer bonded and liability-insured, thereby increasing the cost of all software, let the user decide when it's important and when it's not, and deal with buying the insurance themselves.
And once it comes down to that, we all damned-well know that most users really don't care about security. So Bruce is trying to push this against the will of the people who will have to pay for it. I know he means well, but it's really just another attempt to enforce good ideas, which is usually a bad idea. Instead, he should stick to educating people about security, which he happens to be very, very good at. Instead of writing your congressman about outlawing liability disclaimers in license agreements, buy a copy of "Secrets and Lies" for a friend.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Lets be clear: software is not the same. Peoples lives do not depend on commodity software.
What's "commodity software" in this respect? The subject is network security. There are enough networked computer systems whose failure or lack of intrusion protection will affect people's lives.
Military, aerospace, nuclear energy, utilities, medical, insurance, law enforcement, financial industry. In each of those areas (and more) it is quite easy to point to not so farfetched scenarios in which people's lives, health, well-being, or just privacy (which is important to some of us) are dependent on security and reliability of computer systems.
In commercial world, companies routinely keep sensitive proprietary information, including those of other entities (under NDA's etc) on poorly protected networks, without appropriate backup schemes, or serious disaster recovery plans. Loss or leakage of such data can lead to companies going out of business, significant losses, people getting laid off, etc. This does affect lives.
I agree with you (and with Schneider) in that people do not normally think in these terms about computer and network security, while they do when bridges are concerned. It's high time this attitude is changed.
Software liability, in the same sense as liability for a "standard" engineering product (electrical appliances, cars, buildings, etc.) is, like you say, ludicrous. That's because companies can employ underwriting laboratories to do testing that would exceed the cost of an in-house testing matrix. Engineering is governed by the laws of physics, which generally can tell you a lot about how resistant a building is to heat, wind, rain, etc. In general, software is just plain not tested enough. This is the biggest problem to the formulation of software engineering as a respectable discipline on par with civil or mechanical engineering.
1. Businesses can crumble because of security assured to them by their software vendor that doesn't exist. People lose houses, jobs, and families because of this kind of thing. Security is dependent on more than just each component of a solution being appropriately secure - it needs the combination of each individual piece to be secure. This task is, in general, too difficult for the average tech lead at a small business, college, or school, who will have enough problems with basic functionality. To some extent, the burden needs to be shifted to software providers- I don't think this is a point of contention.
2. It is easy to purchase the software you need, with a guarantee of security and reliability, and at a reasonable price, only if you are involved with the government of a large country, and even then you don't always get it right.
3. IIS on its own may be secure enough for a company intranet, but if the intranet's firewall and proxy servers are compromised, then it has become not secure enough. Schneier wants insurance companies to take the brunt of deciding how effective security solutions are - not the US government.
4. Schneier's main goal in instituting software liability is the management of security risk by lowering insurance premiums for people with more secure software. People who want to develop software without liability protection can count on an according security check level - if a system was in place that made security important for everybody, and not just these guys, the world might be a better place.
5. There are enough larger players within the software world that I don't think this would happen - specifically, IBM wants to protect AIX, Apple wants to protect OS X, and Sun wants to protect Solaris. And if IBM and the NSA want to continue to promote Linux, they WILL make it secure
6. OpenBSD has had four years without a remote hole in the default install configuration - it has also had several local holes, and this is entirely discounting the problem of people who configure the software the wrong way. People are choosing to do this, and the market is sorting it out, but not to the extent that's necessary to prevent another Nimda, Code Red, or Iloveyou virus - the cost in lost productivity alone is earth-shattering. And people don't need to get hacked for terrible things to happen to them- in fact, if they never figure it out, all the better for the attacker. No, for the most part, people don't care- and they should. Most people don't want to get vaccinated, but we make them- because the cost to not get vaccinated for society as a whole is that much greater.
If I fire up my Ham radio transmitter I had better not be causing interference to other services on the ether. In fact I have to have a licence to operate this thing first. There are penalties for misbehaving.
So I wonder how it is that after all these months my PC is still getting hit with CodeRed/Nimda attacks. The operators of these "transmitters" have no liability for, or even knowledge of, what they do.
Like many in the security industry, he just can't argue. He's all but given up trying to convince people that security is important. It's funny, but he actually believes that the common man gives a shit about security. News flash: they don't. Due to this misunderstanding he pushes the blame onto the developers. Why should they be forced to develop secure software if no-one wants it? Therein lies the problem. If you want security to be taken seriously stop trying to use the force of government to make developers do something the market doesn't want. Convince the market that it is important. And no, that doesn't mean releasing scripts on bugtraq so kiddies go attacking the innocents so you can point your finger at developers and say "see see, bad software".
How we know is more important than what we know.
Exactly. Schneier complains that the market prefers quickly-released software to secure software. He may think this is foolish. But since when was it up to him to dictate what people should and should not be able to buy? Currently you have the choice between cheap software with no liability and very expensive software with sufficient checking. Some like NASA and the military may choose the expensive option, but the cheap option should be available too.
Most Slashdot readers may think it unfortunate that the market prefers Windows and MS Office to more capable alternatives, but few would argue for the more popular choice to be banned as a way of 'correcting' the market's decision.
-- Ed Avis ed@membled.com
At a time when trade barriers are (generally) being lowered between the EU and US, the fact that this directive is required is a sad reflection on privacy in the United States.
Of course, even here enforceability is an issue - some small LLC can always pop up, harvest data, and then go bankrupt a couple of months later.
A caveman dreams of being us, the incalculable power and riches. We dream of being Q, then what?
- Then:
- You can verify the functionality before using the software.
- You can fix anything that turns out to be broken.
- You can contribute to the community at will without fear of being sued.
- Anyone has a legally respected way to do this.
This could easily apply selectively, like when a corporation participates in the MS Shared Source program - then also MS earns the right to disclaim liability towards that customer. OTOH, if a company decides to hide the inner workings of a program, it's perfectly fine - they trust their code, and they guarantee that it works for its intended purpose.
I'm in a Unix state of mind.
Thank you, danheskett. I read reply after reply hoping to find one sane voice. I'm glad that I persisted and found your message. To your wisdom, I would add only the following: Of everyone crying out for government intervention I ask, what makes you think that more laws or government regulation will improve software quality? If we declare a "War on Computer Insecurity", it will be exactly as successful as the "War on Poverty" and the "War on Drugs", and a half dozen other government "Wars". If you think the "War on Terrorism" is successful, give it some time. If you want more secure software, stop buying and using less secure software. We have this love-hate relationship with government. On one hand, we scorn government as inept and we demand that it stay out of OUR lives. On the other hand, we want government to protect us, to solve our every problem. Incredibly, we convince ourselves that the same government that can't do anything right will surely protect us this time. Grow up. Our government does very little well, and regulating software quality is not one of them.
If Ford can be sued for making bad cars so can a software manufacturer be sued for making buggy software.
Did you read what I wrote at all?
Ford has strict guidelines that they must follow (e.g. gas tanks must have a thickness of at least x). If they break these guidelines then they can be sued, otherwise not. It is impossible to create any meaningful rules in the software industry.
When men used to be men
Liability as applied in the US is a bit crazy to begin with. Essentially what this is advocating is removing consumer choice. The big companies that buy buggy, insecure software are making a choice to do so. They don't want to pay for more security analysis for commercial software, and they don't want the extra thought burden (i.e. perceived difficulty) of choosing open source solutions that tend to be safer.
The notion that I can be sued because you decided to do something really stupid with my product is a bit ridiculous. Liability makes sense in the case of gross negligence, or when the providers should have known better but the consumer couldn't have, but unless you've been living under a rock, it's pretty clear that Microsoft (for example) has a horrid security record, yet people still buy their software, instead of using UNIX or Macintosh. That indicates clear acceptance by the market of poor security.
I'm continuously amazed that people are willing to buy software from a company that makes such obvious and egregious security mistakes. The fact that people continue to support a company that actually took a hoax (email viruses) played on Internet newbies for years, and turned it into reality just boggles the mind. (Antitrust can't explain this one away. There are other mail clients, and other web clients. I've seen administrators actually forbid Netscape on their machines, only to be hit later by stupid Microsoft security bugs.)
Anyway, big companies who are consumers of software have the power to demand security, by choosing secure solutions. We don't need more stupid laws on the books that make it so that nobody can produce software without putting themselves at risk of being forced to pay for idiots' misuse of their products.
I know this is a late post and almost no one will read it but I read a lot of the above posts and everyone got caught up in the licensing.
Liability will extend to everyone and everything. If company X has to insure their network then they not only will have to purchase and use software that has a good record of not being sued for liability but they will have to follow best practices that are recommended/enforced by insurance companies. They will have to hire NetAdmins that stand up to insurance scrutiny. etc...
This is no different than many other areas of risk management that companies already do. For example if Company X is a trucking company then for their insurance premiums to be low they have to make sure their trucks are in good shape and do not break down often, they have to hire good drivers, keep them drug and alcohol free, and give them safety training.
There will be a time when this is so, it happened everywhere else it is just that the field is still maturing. Eventually the job of a NetAdmin will be dictated by policies and procedures (you know those poorly written documents in the company manual).
Is Bruce in the same industry I am? Have the certainties of mathematics addled his brain? We're just software cowboys winging it!
Although it's called computer science, it's still not a science yet... although we call it "software engineering" I find it hard to compare myself to the level of knowledge in the practice of a good civil engineer.
We don't deal with predictable physical properties. We deal in delivering features in a timely fashion while managing complexity. The better developers do a better job at that, but no one can say we've advanced to a stage where we're ready to say "we only have bugs if we made a mistake"
As a comp sci major I learned some languages, data structures and about the process of software engineering, but I got no impression at any time that we've really figured this thing out. I have even run a QA department. We're hit and miss and anyone that tells you otherwise is selling you a bill of goods.
I have faith that we'll get there one day, when we design our systems with schematics and standard components rather than winging it. The discipline needs to grow up a bit more before we can say it's ready to cast into stone.
(A day late, a dollar short... I doubt anyone will read this. Oh well.)
I agree with Schneier that software liability is the only thing that can fix the sorry state of today's commercial software. I also agree with the Slashdotters who say that making authors of free software (either meaning) liable would kill off the practice. When I first pondered this dilemma before, I came up with an idea so fiendishly perfect that I'm sure tons of people have thought of it before: make the degree of liability proportional to the cost of the software!
The Microsofts and Oracles of the world who make expensive, broken software will have to change one or the other or be sucked dry by damages awarded in liability lawsuits. On the flip side of the coin, the freeware and Open Source/Free Software communities won't have to change anything, and the shareware folks would be protected by the fact that most people who use their stuff never pay for it, perhaps even encouraging more people to buy shareware so that they might have legal recourse if it ever fails in the future.
Range Voting: preference intensity matters
If part of unsecure software is due to hackers, script kiddies and the like,... then isn't this kinda like blaming a car company because someone broke into your car and stole your stereo...
It just sounds like legislation isn't the solution...
Unfortunately, no it isn't. I've said it once, and I'll say it before, if someone goes out of their way to blow up the bridge, are the construction workers liable?
No. Similarily, when discussing computer security we are dealing with people actively and maliciously trying to break it. This is why software makers/vendors can never be held 'liable'.
If the bridge collapses of its own accord then the makers are liable; likewise if a piece of software I make actively takes your sensitive data and spews it out all over the place then I am liable. However, the moment an attack/attacker is involved it is impossible to pin liability on the creators since you would be asking them to proof against all possible methods of break in, both past/present and unthought of.
It's the same with Firestone (his dramatic finishing example). If someone was running around sabotaging (sp?) all those tires would people be suing Firestone? I doubt it.
(I don't work for an insurance company, so I may be totally wrong...)
When an insurance company decides to cover risk, they have to decide if their liabilities will justify the revenue. Many of us with automobiles pay rates above and beyond what we claim to the insurance company, so they can offset the big claims. Simple enough.
If the insurance company is expecting a lot of claims (e.g. Nimda) from an incident, they have to relatively plan that out in advance (similar to an earthquake or large disaster). The actuaries do some fun statistics to see how they are doing and also if any experience (more claims filed than projected) has occurred. The problem for software is where's the precedent for the actuaries to say if they're doing okay? There isn't any. So for the insurance company, they will assume a bunch of initial risk, which means they will charge some high premiums.
Now since they don't like assuming too much risk (their shareholders won't make money), they will need to base their logic on something, usually large coffers. Microsoft can afford to be sued, and since they will be using a contract, the insurance companies really don't see that as too big of a risk. GPL, BSD, etc., don't have large coffers, so the insurance companies will see that as a risk (who do they sue if they incur a lot of experience over a massive remote root compromise?). They will charge huge premiums to the fellows that use such software, since the insurance company wants to cover themselves first.
After a while, things will settle, and the actuaries will be able to make decent guesses on how some open source software does, but that still doesn't erase the fact that the insurance companies will assume all the risk. This cloud of risk over such software limits its usage, since companies would rather use something that will drive their premiums down versus incurring a business risk.
Open source software may be used if 3rd party vendors use it and allow themselves to be liable. But how many vendors are around that want to do this?
Jon
The most frightening alternative to this idea of liability is UCITA. It is one thing to debate who takes the rap for a catastrophe; it is quite another to prohibit the debate at all. For the US, UCITA will spell the end of consumer rights when it comes to computer software. If you haven't been by the Affect site, do it now and sign up - then get back to the debate you're now helping to keep alive.
radsoft.net
Regardless of the source of the patch, it is essential to test it before putting it into production. With OSS / Free Software, you can usually create a functional duplicate of the production machine on some spare hardware and test and tweak the patch thoroughly before setting it loose in a production environment.
This can't be done legally with expensive and restrictive licenses, unless you pay for and maintain a full set of duplicate licenses. Even with a fat budget, there's still the delay of days or weeks while bosses or purchasing departments sign off on things.
I honestly believe that software liability would be a net win for the industry, admittedly with a little pain in the short term as people learned to live within the new system.
However, theirs was a somewhat special circumstance as they had a reasonable expectation of being sued by deep-pocketed organizations (MPAA, RIAA) whose motivations are well known and have little to do with actual software security or quality.