Slashdot Mirror


Liability and Computer Security

Pelerin writes "In the latest Crypto-Gram, Bruce Schneier has written an interesting essay with some thoughts about the current lack of business incentives for the deployment and production of more secure software. His main recommendation/prediction is this: "Step one: enforce liabilities. This is essential. Today [...] the marketplace rewards low quality. More precisely, it rewards early releases at the expense of almost all quality. If we expect CEOs to spend significant resources on security -- especially the security of their customers -- they must be liable for mishandling their customers' data. If we expect software vendors to reduce features, lengthen development cycles, and invest in secure software development processes, they must be liable for security vulnerabilities in their products." Schneier's five-step plan for thinking about security is also good.

Pelerin continues: "All well and good, but this raises some questions in the case of a company offering security solutions based on open source / free software.

  • Where does the chain of liability end? Can somebody attempt to recover damages from Linus when a kernel security hole shows up?
  • Can a case be made for lower insurance rates for free software solutions? (I mean, can it be made to the accountants and the lawyers, not the techies).
  • When liability enters the picture, which mechanisms can allow free software to compete based on its merits, not on the likelihood of surviving a liability lawsuit?"

16 of 159 comments

  1. microsoft anyone? by CmdrTaco+(editor) · · Score: 1, Interesting
    I know this will probably get modded into the ground, but what about Microsoft? Nimda and Code Red, which exclusively affected IIS on Win2K, did "millions of dollars" in damage. If software companies are found to be liable for their hole-laden software, I would think Microsoft should be on the top of the list.

    The argument for manufacturer liability can be extended to be applied toward gun manufacturers. Just because a gun can be used to kill someone, doesn't mean the manufacturer should be held liable for the wrongful death. The lack of common sense present in the user should not be cause to pass the blame onto someone else.

    1. Re:microsoft anyone? by rgmoore · · Score: 3, Interesting
      I know this will probably get modded into the ground, but what about Microsoft? Nimda and Code Red, which exclusively affected IIS on Win2K, did "millions of dollars" in damage. If software companies are found to be liable for their hole-laden software, I would think Microsoft should be on the top of the list.

      Bad example. The patch for this was available for a month before the exploits started rolling in.

      It seems to me that this is exactly the kind of test case that needs to be looked at when discussing legal liability for software. If the patch is available, how much of the responsibility is on the administrator to apply it and how much is on the software company not to have written the buggy code in the first place? You can certainly argue that the availability of the patch should exempt the manufacturer from liability, but just how long does the patch have to be available to count? Is it acceptable if the patch is only available one month before the exploiting code shows up? One week? One day? One hour? Or should software authors have an affirmative responsibility to send patches to users, the same way that car manufacturers have to contact their buyers in the event of a recall? Who is liable when the patch is available but unapplied is the really interesting issue, not who is liable when no patch is available.

      --

      There's no point in questioning authority if you aren't going to listen to the answers.

  2. Higher insurance because... by PhunkyOne · · Score: 2, Interesting
    Here is an interesting part of that article

    "A company doesn't buy security for its warehouse -- strong locks, window bars, or an alarm system -- because it makes it feel safe. It buys that security because its insurance rates go down. The same thing will hold true for computer security. Once enough policies are being written, insurance companies will start charging different premiums for different levels of security. Even without legislated liability, the CEO will start noticing how his insurance rates change. And once the CEO starts buying security products based on his insurance premiums, the insurance industry will wield enormous power in the marketplace. They will determine which security products are ubiquitous, and which are ignored. And since the insurance companies pay for the actual liability, they have a great incentive to be rational about risk analysis and the effectiveness of security products. And software companies will take notice, and will increase security in order to make the insurance for their products affordable. "

    Could you imagine if the corporation you own was charged more for liability insurance because you used the current version of IIS? It's so sad it's funny. If this wouldn't make Microsoft or Company X clean up their act, I can't imagine what would, other than the ethics of it :)

    Personally I work in healthcare so if my crap's not together I am going to jail. Too bad there's not HIPAA for everyone.

  3. I'd be careful about calling for liabilities by crt · · Score: 2, Interesting

    ...you're just going to end up with a swarm of lawyers invading the software industry, looking for anyone to sue.
    And the hardest hit will be the small and free software developers.

    Honestly it looks like the _best_ way to make big companies serious about software quality is to get the press on your side. A few high-profile MS security holes and what do they do? Launch a major internal initiative and rewrite IIS from scratch. If they continue to have holes after this, you can bet the press will be right there to grill them for it.

    Why do with lawyers what the free press and word of mouth can do better, faster, and cheaper?

    1. Re:I'd be careful about calling for liabilities by osu-neko · · Score: 2, Interesting
      Why do with lawyers what the free press and word of mouth can do better, faster, and cheaper?

      Hehehe! That's the most hopelessly optimistically naive thing I've seen anyone say all year! Congrats!

      Historical note: It wasn't the book Unsafe at Any Speed that resulted in improvements in car safety. The publication of that book just got Ford to spend huge amounts of money attempting to smear the author. It wasn't until the lawyers and politicians took notice and stepped in that the situation actually improved any.

      Yes, politicians and lawyers suck, but the alternative is worse. Faith in the Bible requires faith in "facts" no one was around to see. Faith in Libertarianism requires faith in "facts" the older among us were around to see, and know are false. An altogether higher order of faith... :)

      --
      "Convictions are more dangerous enemies of truth than lies."
  4. Re:Free software by Stonehand · · Score: 3, Interesting

    It would be amusing if a HUGE sticker were required to be slapped on the outside of software boxes containing such licenses, stating that "Food for thought: The publisher of this product would like you to know that he feels entitled to FUCK OVER YOUR COMPUTER AND ALL ITS CONTENTS and he won't owe you a dime."

    In big alarming black-on-yellow letters.

    Pity it'd never happen, but...

    --
    Only the dead have seen the end of war.
  5. Won't work unless it's globally enforceable by thepacketmaster · · Score: 2, Interesting

    Unless there was some way to enforce this for software companies around the world, this won't work. No government will handicap their own country's software companies by making them delay product releases. The masses will buy whatever is out first, putting those security-conscious companies at a competitive disadvantage, since software companies outside the country could simply beat them to the markets.

    --
    Luck is just skill you didn't know you had.

  6. Re:Free software by Anonymous Coward · · Score: 1, Interesting

    'Some States do not permit exclusion of liability, even for free software. You are not licensed to use this software in those States.'

  7. Hold users accountable, not vendors by Anonymous Coward · · Score: 1, Interesting

    The problems caused by insecure and misapplied software can be partly attributed to failures by software vendors, but I don't think it's realistic to insist that Microsoft be held liable for its bugs. For one thing, this would make it legally impossible to disclaim warranty over software... which would expose many open-source developers and hobby programmers to lawsuits for code they've posted to the public.

    For another thing, many of the security problems that exist (as the article points out) stem from improper configuration and use of a software product. If I buy something from CheckPoint, and accidentally leave myself wide open while installing it because I'm too cheap to hire a real firewall jockey to do it right, how is that CheckPoint's fault? And if we don't hold vendors responsible for these misconfigurations, the "sue the vendors" fix doesn't solve this part of the problem at all.

    As an alternative, think about holding the person or company who deploys insecure products, or deploys secure products incorrectly, responsible for the damage caused. If some virus emerges that roots your webserver and uses it to DoS me, it's your fault that I'm losing traffic. This puts the incentive to fix insecure configurations in the hands of the people who are closest to the problem.

    Additionally, holding users responsible will tend to breed better security products. If a company realizes that it can be sued when its machines are compromised by ILOVEYOU and harming others' property, it will have a strong incentive to be selective and careful when purchasing and installing security measures. The guys selling IIS will have to clean up their act, or face a complete lack of customer interest.

  8. What about the reverse? by Aniquel · · Score: 2, Interesting

    What if a software company were to change its license such that it WOULD assume liability? Granted, it would probably need insurance of some kind, but how much more comfortable would a purchaser of this hypothetical company's software be if it had somebody to sue?

    Let the free market speak - Once a company is confident enough in its product to offer a warranty, the rest will follow.

  9. Basis of liability by gweihir · · Score: 4, Interesting
    The liability will not go to Linus. Basically everybody operating computing equipment will have to have insurance, just like if you operate a car or like you should have if you go wind-surfing.

    This insurance will get much cheaper if you use good systems and have the required competence to make them secure.

    Some problems will have to be resolved by the legal community:
    • Who is responsible for the operation of a piece of computing equipment, and how does this responsibility transfer?
    • How is the competence of such an "operator" graded?
    • What constitutes criminal/unauthorised misuse of computing equipment?

    The last point is important, since you are only responsible for problems caused by your equipment, as long as they are not due to some criminal action by somebody else that you could not easily detect.
    To stay with the car analogy: If somebody sabotages your brakes in a way you don't notice until they stop working, accidents that result may not be your responsibility.

    An additional point: While a car manufacturer has certain responsibilities, not everything that can go wrong is their responsibility. Only things they claim or are required by law to claim have to be backed up by their product. If you hit a tree because you don't know how to drive or if you start sliding on ice, that is certainly not the manufacturer's fault.

    In the case of software this gets a little more complicated, as there is no "unit" of software. My feeling is that manufacturers will not face legal requirements for characteristics their software will need to have, because such characteristics might be impossible to specify (not saying people will not try). Instead I think that cheap "computer operation insurance" will only be available for products where either the manufacturer takes legal responsibility for some characteristics of the product or where the insurance companies have a strong indication that the piece of software has these characteristics.

    I also think that Computer Scientists and other people that produce code and systems will have to have a kind of "Malpractice Insurance" whenever they commercially create code for others.
    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted and ignored otherwise.
  10. Interesting way to level the playing field. by GraZZ · · Score: 2, Interesting

    This raises an interesting way in which the closed source/open source battleground could be leveled somewhat, and could bring computer software up to the level of quality we expect from other engineered products. Would we cross bridges if they BSOD'ed while we were on them, killing us? I think not.

    What the government needs to do is enact legislation that ties source code to a company's liability for the damage their software causes in case of failure. If a company releases its code with its products, then exempt them from liability; the customer has the code and could fix it if they wanted to. But, for companies that choose not to release their code, make them liable for their shoddy product. After all, what they're selling us is *supposed* to be complete and useable, and if they're not going to put their customers in a position where they can fix problems with a product themselves, then the closed source software company should pay.

    This would even be a positive situation for the closed software companies in the long run, as the liability that they are selling along with their product is yet another feature their software can claim. This could one day end up being the competitive point between open source and closed source: open source = a gamble for your company, but a cheaper product, closed source = guaranteed to work by the producer at extra cost.

    Either way, something has to be done.

  11. UCITA by coyote-san · · Score: 3, Interesting

    It's worth recalling that the proposed changes to UCITA (since only two states were dumb enough to immediately adopt the original model law) contain a truly incomprehensible couplet.

    Commercial contracts can waive all liability. I seem to recall that the "technical self-help" measures (which allow them to write software that actively damages your system if it thinks your license has lapsed) have been removed, but it still gives them broad rights to gag you when you try to report problems, to falsely claim others haven't reported problems, to falsely claim that the problem either doesn't really exist or has been fixed, etc. It can do all of this because you handed over hard cash and a bona fide contract exists. (I'm not so sure it's bona fide - a contract requires an *exchange* of items of value, and I don't see much value in this software.)

    In contrast, free software isn't covered by a contract (since no money was exchanged), and UCITA explicitly requires that warranties apply.

    This means that Microsoft (to pick a company at random), a company with billions of dollars in the bank and easily able to afford decent product testing, gets a free walk. Meanwhile Joe Sixpack, a professional programmer who released a simple "scratch my itch" program, can lose his house in legal fees defending himself even if he ultimately wins the court cases.

    The commentators (UF law professors, working under the aegis of the ACM?) suggested that the voting delegates seemed indifferent to this indefensible state of affairs. Hopefully they'll either fix it, or the lawmakers in the various states will quickly realize that UCITA 2.0 is just as bad as the original.

    But it's something that MUST be considered whenever we talk about the need for liability law to start applying in the software world. We can see the importance of having your own source code, but the people who would actually write the laws are still hearing from Microsoft et al, not us.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  12. Re:Indemnity clauses by Electrum · · Score: 3, Interesting

    This is very different from designing bridges or buildings, for example, where the thousands of decisions going into the design tend to reinforce the basic premise of its fundamental soundness. The mathematics of each calculation are usually verified by calculations done during other parts of the work. Due to this feedback, systematic failures are extremely rare, and when they do happen, often end up showcased on History Channel programs such as "Engineering Disasters".

    But it is possible to write secure software through good software engineering practices. Unfortunately, not many people seem to understand them. Only a few individuals like Dan Bernstein can consistently and effectively write secure software, and will guarantee that it is secure.

    If software was thoroughly designed from the start before any code was written, the same as with normal engineering projects, then perhaps more software would be secure. If you look at his guarantee for qmail, then you'll notice that he followed several principles throughout the design and implementation that allow him to guarantee that it is secure. If software engineers become liable for their work in the same way that traditional engineers are liable, then maybe software engineering will become more like traditional engineering.
  13. Re:Bad Idea, Very Bad by Discoflamingo13 · · Score: 2, Interesting

    Software liability, in the same sense as liability for a "standard" engineering product (electrical appliances, cars, buildings, etc.) is, like you say, ludicrous. That's because companies can employ underwriting laboratories to do testing that would exceed the cost of an in-house testing matrix. Engineering is governed by the laws of physics, which generally can tell you a lot about how resistant a building is to heat, wind, rain, etc. In general, software is just plain not tested enough. This is the biggest problem to the formulation of software engineering as a respectable discipline on par with civil or mechanical engineering.

    1. Businesses can crumble because of security assured to them by their software vendor that doesn't exist. People lose houses, jobs, and families because of this kind of thing. Security is dependent on more than just each component of a solution being appropriately secure - it needs the combination of each individual piece to be secure. This task is, in general, too difficult for the average tech lead at a small business, college, or school, who will have enough problems with basic functionality. To some extent, the burden needs to be shifted to software providers - I don't think this is a point of contention.

    2. It is easy to purchase the software you need, with a guarantee of security and reliability, and at a reasonable price, only if you are involved with the government of a large country, and even then you don't always get it right.

    3. IIS on its own may be secure enough for a company intranet, but if the intranet's firewall and proxy servers are compromised, then it has become not secure enough. Schneier wants insurance companies to take the brunt of deciding how effective security solutions are - not the US government.

    4. Schneier's main goal in instituting software liability is the management of security risk by lowering insurance premiums for people with more secure software. People who want to develop software without liability protection can count on an according security check level - if a system was in place that made security important for everybody, and not just these guys, the world might be a better place.

    5. There are enough larger players within the software world that I don't think this would happen - specifically, IBM wants to protect AIX, Apple wants to protect OS X, and Sun wants to protect Solaris. And if IBM and the NSA want to continue to promote Linux, they WILL make it secure.

    6. OpenBSD has had four years without a remote hole in the default install configuration - it has also had several local holes, and this is entirely discounting the problem of people who configure the software the wrong way. People are choosing to do this, and the market is sorting it out, but not to the extent that's necessary to prevent another Nimda, Code Red, or Iloveyou virus - the cost in lost productivity alone is earth-shattering. And people don't need to get hacked for terrible things to happen to them - in fact, if they never figure it out, all the better for the attacker. No, for the most part, people don't care - and they should. Most people don't want to get vaccinated, but we make them - because the cost to not get vaccinated for society as a whole is that much greater.

  14. Software liability: My 2 cents... by CTachyon · · Score: 2, Interesting

    (A day late, a dollar short... I doubt anyone will read this. Oh well.)

    I agree with Schneier that software liability is the only thing that can fix the sorry state of today's commercial software. I also agree with the Slashdotters who say that making authors of free (either meaning) liable would kill off the practice. When I first pondered this dilemma before, I came up with an idea so fiendishly perfect that I'm sure tons of people have thought of it before: make the degree of liability proportional to the cost of the software!

    The Microsofts and Oracles of the world who make expensive, broken software will have to change one or the other or be sucked dry by damages awarded in liability lawsuits. On the flip side of the coin, the freeware and Open Source/Free Software communities won't have to change anything, and the shareware folks would be protected by the fact that most people who use their stuff never pay for it, perhaps even encouraging more people to buy shareware so that they might have legal recourse if it ever fails in the future.

    --
    Range Voting: preference intensity matters