Liability and Computer Security
Pelerin writes "In the latest Crypto-Gram, Bruce Schneier has written an interesting essay with some thoughts about the current lack of business incentives for the deployment and production of more secure software. His main recommendation/prediction is this: "Step one: enforce liabilities. This is essential. Today [...] the marketplace rewards low quality. More precisely, it rewards early releases at the expense of almost all quality. If we expect CEOs to spend significant resources on security -- especially the security of their customers -- they must be liable for mishandling their customers' data. If we expect software vendors to reduce features, lengthen development cycles, and invest in secure software development processes, they must be liable for security vulnerabilities in their products." Schneier's five-step plan for thinking about security is also good.
Pelerin continues: "All well and good, but this raises some questions in the case of a company offering security solutions based on open source / free software.
- Where does the chain of liability end? Can somebody attempt to recover damages from Linus when a kernel security hole shows up?
- Can a case be made for lower insurance rates for free software solutions? (I mean, can it be made to the accountants and the lawyers, not the techies).
- When liability enters the picture, which mechanisms can allow free software to compete based on its merits, not on the likelihood of surviving a liability lawsuit?
Fortunately, the GPL licenses state that this is distributed under no warranty of any kind, which might provide some legal relief. If this was legislated around it could be a MAJOR blow to the free software community - if you can be held liable for your code fucking someone's computer up, that's a BIG incentive for little freelance coders to give up - Microsoft can pay the legal fees and out-of-court settlements - I cannot.
Chris
The problem with liability is that your financial risk now becomes proportional to your success. While the model sounds good, one bad security error could potentially put the software provider out of business from the lawsuits, which would also leave hanging the people still using the software. The only time a company should be held liable is when the bug or security problem was intentionally left in (they would have had to take out a feature to fix it), and even then it's not a clear-cut issue. The only other time is when an incident happens at a time when the company has the fix but did not distribute it for some reason (i.e. marketing wanted to make the installer a different colour).
I stole this Sig
If you read a license, any license, it basically states that you use the enclosed software "at risk", meaning you can't sue if something, anything, goes wrong. Including data corruption, script kiddie 0wn@g3, etc. What he's proposing is getting rid of that. Fine, now Microsoft is liable for NT vulns, but you can't basically throw MS licensing rules out the window and leave BSD and GPL intact. So then the "As Is" portions of the Open licenses have to go too.
Why not hold Network Admins responsible for problems on their networks? I am a network admin, and if some kid got in and stole a database from one of my employers, compromising customers, I would expect to take the full heat for it. In the back of my mind I'd be saying "F*** Microsoft and their buggy-ass code", but I would know it was my fault for allowing it to happen.
This is no solution. What's the estimated cost of Nimda so far? Code Red? SadminD? Melissa? I love you? All the other Outlook worms?
The cost of lawsuits from just these AUTOMATED attacks would cripple even Microsoft. Not to mention the CDUniverses of the, er, Universe.
Software authors need these clauses for a reason; if they didn't have them there, they might as well go start a farming commune instead, because it wouldn't be worth it to code anymore.
Free Software authors would then also have to specify under which conditions they would ALLOW their software to be run. Otherwise some schmuck could install some .01a version of code that some guy wrote on his weekend off as a proof of concept on their primary webserver, immediately get hacked, and sue Joe Programmer into the stone age.
Nice idea, just to tweak MS, but I don't like the way it would play out.
I like music
My company does the same, but not every company has a security expert with a Ph.D. on staff (not me, I just wrote the code after the good Dr. designed the method). On the flip side, it's secure enough that I'd have no fear of releasing the source code to customers if they demanded it. Maybe clients should wise up and start demanding it. Any security scheme worth a damn is just as good even if an attacker knows *exactly* how it works...
"Convictions are more dangerous enemies of truth than lies."
This isn't about adding new laws to make writing software more difficult. It's about ending special protection and holding software companies to the same standards as everyone else. If I buy something from you, it better work--this is how it is for every other product under the sun, why is software special? As for free software, well the same standards would apply as for anything else that is free. You normally can't sue over something that is free, except in extreme cases where you can prove gross negligence or outright malice. That standard would work just fine here too.
This may give proprietary software a PR advantage over free software (it has to uphold higher standards), but them's the breaks. Besides, free software has always touted an equivalent PR advantage (the source has been reviewed by countless experts in the field), so it's just good old-fashioned competition.
In my view, those who are against software liability are no better than the RIAA/MPAA who try to prop up their inefficient ways of doing business through lobbying and legal bullying. They too like to blame their customers when anything goes wrong.
Vintage computer games and RPG books available. Email me if you're interested.
An engineer can guarantee a bridge to fail at specific loads ... can the state of software engineering claim the same for a piece of software? Even design-by-contract software like Eiffel is no security blanket when used by the wrong hands or with incomplete specifications (cf. the rocket that blew up due to the engine being calibrated for a different flight mode).
... :-(
We are still in the dark ages as far as software liability goes
LL
I can see where the liability guys are coming from. OSS folks release the source, and GPL folks release a whole bunch of other rights as well. With code in hand and a pile of rights to do with it as you please, as well as probably not having paid a dime for it, the customer is more of a partner- assuming a lot of responsibility. Proprietary people charge money for what is really, despite their protests, a product. I've got a CD, maybe a book or two, some shrink wrap lying on the floor, and I'm at the vendor's mercy. I find out about security holes by getting cracked, even if the vendor has known about the hole for six months.
The bottom line is that by retaining power, proprietary software companies also retain responsibility. If I am not allowed to look through and modify the source, the holes in my system are not my responsibility (except for buying bad software), but that of the vendor who won't allow me access. Power = responsibility. Money = money. People pushing for finding software companies liable aren't the "let's sue everybody" crowd, they are using the standards of the proprietary, corporate world against itself. Or, if you prefer, holding those companies to their own standards.
License agreements are funny. According to one, I can't use my copy of XP on any box except the one it came on (don't worry, I haven't even used it on that one). How legally binding is an "agreement" that I didn't get to see until after the sale was completed? For that matter, how legally binding is an "agreement" with a monopoly? The "magic fingers of the markets" that you are holding out hope for are wearing thumbcuffs, my friend. But if the customers have to pay through the nose and have all real power held back from them, then the only answer is financial liability for the vendor. They might actually bother to produce good software then. If that financial incentive isn't enough, then there are other, more drastic legal measures. MS is illegally maintaining a monopoly, you know.
I spent a year in Iraq looking for WMD and all I found was this lousy sig.
This is what will happen to software if similar laws are applied to software.
A - Offering at no cost anything.
and
B - Paying for a product for a given purpose.
:) Distributing binaries, claiming that they do something, in exchange for money, is a totally different kettle of fish to Open Source.
I am sure you can expect very little legal comeback if someone gives you $product, and you lose a finger messing about trying to make it work. However if someone makes you pay leading you to believe their $product is suitable and safe, and you lose a finger due to a poorly designed product, Trading Standards & Consumer Protection laws can be used to sue the seller of $product for damages.
Free Software is given away, no money, no trade, therefore the performance expectation is zero - anything more is a bonus
Commercial software is sold, therefore assumed to be of a certain level of performance, usually "as advertised" - if a product fails to work as it should, or worse causes damage, the people making money should be liable, for sure.
Open Source Software surely must avoid such liability issues, since compilation is required before anything can be expected to work, e.g. "Here are some text files - I find they can produce a program which may carry out function X". Even with harsh software product liability laws, you could charge money for the source code, since it alone can do nothing without a careful process required by the user - the binaries produced are the user's responsibility
By not disclosing source code, companies take on the responsibility of making sure it works right. This should make them liable.
Exactly. Schneier complains that the market prefers quickly-released software to secure software. He may think this is foolish. But since when was it up to him to dictate what people should and should not be able to buy? Currently you have the choice between cheap software with no liability and very expensive software with sufficient checking. Some, like NASA and the military, may choose the expensive option, but the cheap option should be available too.
Most Slashdot readers may think it unfortunate that the market prefers Windows and MS Office to more capable alternatives, but few would argue for the more popular choice to be banned as a way of 'correcting' the market's decision.
-- Ed Avis ed@membled.com