Slashdot Mirror

← Back to Stories (view on slashdot.org)

Liability and Computer Security

Posted by michael on from the money-makes-the-world-go-round dept.

Pelerin writes "In the latest Crypto-Gram, Bruce Schneier has written an interesting essay with some thoughts about the current lack of business incentives for the deployment and production of more secure software. His main recommendation/prediction is this: "Step one: enforce liabilities. This is essential. Today [...] the marketplace rewards low quality. More precisely, it rewards early releases at the expense of almost all quality. If we expect CEOs to spend significant resources on security -- especially the security of their customers -- they must be liable for mishandling their customers' data. If we expect software vendors to reduce features, lengthen development cycles, and invest in secure software development processes, they must be liable for security vulnerabilities in their products." Schneier's five-step plan for thinking about security is also good.

Pelerin continues: "All well and good, but this raises some questions in the case of a company offering security solutions based on open source / free software.

  • Where does the chain of liability end? Can somebody attempt to recover damages from Linus when a kernel security hole shows up?
  • Can a case be made for lower insurance rates for free software solutions? (I mean, can it be made to the accountants and the lawyers, not the techies).
  • When liability enters the picture, which mechanisms can allow free software to compete based on its merits, not on the likelihood of surviving a liability lawsuit?
"

2 of 159 comments (clear)

  1. Liability and free software by lux55 · · Score: 3, Informative

    Liability is the reason that the Broadcast 2000 project was removed from public access, which is a tragedy because I'm sure tons of people could benefit from their free software. From their web site:

    In recent months the line between warranty exemption and liability has become increasingly blurred as more companies have liquidated and more individuals have begun to seek compensation. We've already seen several organizations win lawsuits against GPL/warranty free software writers because of damage that software caused to the organization. Several involved the RIAA vs mp3/p2p software writers. Several involved the MPAA vs media player authors. You might say that warranty exemption has become quite meaningless in today's economy.

    Theirs isn't a security issue, but it's still very relevant as they are acting out of the fear of being held liable for what they were offering for free. That is really sad.

    Security issues are deep-rooted, and most definitely can't be solved by nullifying the liability clause in licenses.

    --
    putfwd.com - 1GB Free file storage with a twist
  2. Why make security software better? by fasteddie203 · · Score: 2, Informative

    ...just jack up the price to include your liability insurance.