Slashdot Mirror
Liability and Computer Security
Pelerin writes "In the latest
Crypto-Gram,
Bruce Schneier has written an interesting essay with some thoughts about the current lack of business incentives for
the deployment and production of more secure software. His main recommendation/prediction is this: "Step one: enforce liabilities. This is essential. Today [...] the marketplace rewards low quality. More precisely, it rewards early releases at the expense of almost all quality. If we expect
CEOs to spend significant resources on security -- especially the security of their customers -- they must be liable for mishandling their customers' data. If we expect software vendors to reduce features, lengthen development cycles, and invest in secure software development processes, they must be liable for security vulnerabilities in their products." Schneier's five-step plan for thinking about security is also good.
Pelerin continues: "All well and good, but this raises some questions in the case of a company offering security solutions based on open source / free software.
- Where does the chain of liability end? Can somebody attempt to recover damages from Linus when a kernel security hole shows up?
- Can a case be made for lower insurance rates for free software solutions? (I mean, can it be made to the accountants and the lawyers, not the techies).
- When liability enters the picture, which mechanisms can allow free software to compete based on its merits, not on the likelihood of surviving a liability lawsuit?
Fortunately, the GPL licenses state that this is distributed under no warranty of any kind, which might provide some legal relief. If this was legislated around it could be a MAJOR blow to the free software community - if you can be held liable for your code fucking someone's computer up, that's a BIG incentive for little freelance coders to give up - Microsoft can pay the legal fees and out-of-court settlements - I cannot.
Chris
The problem with liability is that the your financial risk now becomes proportional to your success. While the model sounds good one bad security error could potentially put the software provider out of buisness from the lawsuits which would also leave hanging the people still using the software. The only time a company should be held liable is when the bug or security problem was intentionally left in (they would of had to take out a feature to fix it) and even then it's not a clear-cut issue. The only other time is when an incident happens at a time when the company has the fix but did not distribute it for some reason (i.e. marketing wanted to make the installed a different colour).
I stole this Sig
I hate to be naive here (but I am)... why do we ...you
need MORE laws to control us? What about
those magic fingers of the markets?
know -- the ones that are supposed to push
products toward what people demand.
It's not clear to me that legislating software
through increased liability is the best way to
get security.
thoughts?
"A company doesn't buy security for its warehouse -- strong locks, window bars, or an alarm system -- because it makes it feel safe. It buys that security because its insurance rates go down. The same thing will hold true for computer security. Once enough policies are being written, insurance companies will start charging different premiums for different levels of security. Even without legislated liability, the CEO will start noticing how his insurance rates change. And once the CEO starts buying security products based on his insurance premiums, the insurance industry will wield enormous power in the marketplace. They will determine which security products are ubiquitous, and which are ignored. And since the insurance companies pay for the actual liability, they have a great incentive to be rational about risk analysis and the effectiveness of security products. And software companies will take notice, and will increase security in order to make the insurance for their products affordable. "
Could you imagine if the corporation you owner was charged more for liability insurance because you used the current version of IIS? It's so sad it's funny. If this wouldn't make Microsoft or Company X clean up their act I can't imagine what would other than the ethics of it :)
Personally I work in healthcare so if my crap's not together I am going to jail. Too bad there's not HIPAA for everyone.
...you're just going to end up with a swarm of lawyers invading the software industry, looking for anyone to sue.
And the hardest hit will be the small and free software developers.
Honestly it looks like the _best_ way to make big companies serious about software quality is to get the press on your side. A few high-profile MS security holes and what do they do? Launch a major internal initiative and rewrite IIS from scratch. If they continue to have holes after this, you can bet the press will be right there to grill them for it.
Why do with lawyers what the free press and word of mouth can do better, faster, and cheaper?
If you read a license, any license, it basically states that you use the enclosed software "at risk", meaning you can't sue if something, anything, goes wrong. Including data corruption, script kiddie 0wn@g3, etc. What he's proposing is getting rid of that. Fine, now Microsoft is liable for NT vulns, but you can't basically throw MS licensing rules out the window and leave BSD and GPL in tact. So then the "As Is" portions of the Open licenses have too.
.01a version of code that some guy wrote on his weekend off as a proof of concept on their primary webserver, immediately get hacked, and sue Joe Programmer into the stonage.
Why not hold Network Admins responsible for problems on their networks? I am a network admin, and if some kid got in and stole a database from one of my employers, compromising customers, I would expect to take the full heat for it. In the back of my mind I'd be saying "F*** Microsoft and their buggy-ass code", but I would know it was my fault for allowing it to happen.
This is no solution. What's the estimated cause of Nimda so far? Code Red? SadminD? Melissa? I love you? all the other outlook worms?
The cost of lawsuits from just these AUTOMATED attacks would cripple even Microsoft. Not to mention the CDUniverses of the, er, Universe.
Software authors need these clauses for a reason, if they didn't have them there, they might as well go start a farming commune instead because it wouldn't be worth it to code anymore.
Free Software authors would then also have to specify under which conditions they would ALLOW their software to be run. Otherwise some schmuck could install some
Nice idea, just to tweak MS, but I don't like the way it would play out.
I like music
That's interesting, but I still say that the user is solely liable for his data. I don't fully trust third-party encryption because anyone could have a master key or a back door, no one knows for sure what interests all go into things like this. The only safe way is to use your own homemade ciphers, assuming that you're not a total idiot.
If you're smart enough to make your own ciphers, you're smart enough to examine others' ciphers and determine whether they're good or not. Furthermore, many people will have investigated the security of well-known ciphers, but that will not be true of ciphers you create yourself. There's no reason to make your own cipher.
My company does the same, but not every company has a security expert with a Ph.D. on staff (not me, I just wrote the code after the good Dr. designed the method). On the flip side, it's secure enough that I'd have no fear of releasing the source code to customers if they demanded it. Maybe clients should wise up and start demanding it. Any security scheme worth a damn is just as good even if an attacker knows *exactly* how it works...
"Convictions are more dangerous enemies of truth than lies."
Unless there was some way to enforce this for software companies around the world, this won't work. No government will handicap their own country's software companies by making them delay product releases. The masses will buy whatever is out first, putting those security conscious companies at a competive disadvantage, since software companies outside the country could simply beat them to the markets.
--
Luck is just skill you didn't know you had.
Liability is the reason that the Broadcast 2000 project was removed from public access, which is a tragedy because I'm sure tons of people could benefit from their free software. From their web site:
Theirs isn't a security issue, but it's still very relevant as they are acting out of the fear of being held liable for what they were offering for free. That is really sad.
Security issues are deep-rooted, and most definitely can't be solved by nullifying the liability clause in licenses.
putfwd.com - 1GB Free file storage with a twist
Schneier is smart and knows a lot, but this is a stupid idea.
sulli
RTFJ.
Vintage computer games and RPG books available. Email me if you're interested.
It seems to me that this is exactly the kind of test case that needs to be looked at when discussing legal liability for software. If the patch is available, how much of the responsibility is on the administrator to apply it and how much is on the software company not to have written the buggy code in the first place? You can certainly argue that the availability of the patch should exempt the manufacturer from liability, but just how long does the patch have to be available to count? Is it acceptable if the patch is only available one month before the exploiting code shows up? One week? One day? One hour? Or should software authors have an affirmative responsibility to send patches to users, the same way that car manufacturers have to contact their buyers in the event of a recall? Who is liable when the patch is available but unapplied is the really interesting issue, not who is liable when no patch is available.
There's no point in questioning authority if you aren't going to listen to the answers.
An engineer can guarantee a bridge to fail at specific loads ... can the state of software engineering claim the same for a piece of software? Even design by contract software like Eifel is no security blanket when used by the wrong hands or incomplete specifications (cf rocket that blew up due to engine being calibrated for different flight mode).
... :-(
We are still in the dark ages as far as software liability goes
LL
What if a software company were to change its license such that it WOULD assume liability? Granted, it would probably need insurance of some kind, but how much more comfortable would a purchaser of this hypothetical company's software be if had somebody to sue?
Let the free market speak - Once a company is confident enough in its product to offer a warranty, the rest will follow.
This proposal sounds to me like proposing Ford Motors be liable for Fords crashing... which is not the way that works, and everyone knows why. The operator makes a big difference.
Not that "common best practice" insurance for security liability wouldn't be a bad thing - it's so much easier to cost justify "running this will take our insurance premiums up $x" than it is to say "running this will increase our risk of Something Bad Happening some unknown percentage." But it's the operators that bear that cost, not the manufacturers.
If you wanna run that FlashyRedSportscar 1.0 software that makes it more likely you hit a wall at 140 MPH - your risk, your call. Providing FlashyRedSportscar Software, Inc. was diligent in its processes, they shouldn't have to hire lawyers when you meet the wall.
"Consider yourself a member of a virtual corporation with Mr. Torvalds as your Chief Executive Officer." - Linux Advocac
This insurance will get much cheaper if you use good systems and have the required competence to make them secure.
Some problems will have to be resolved by the legal community:
The last point is important, since you are only responsible for problems caused by your equipment, as long as they are not due to some criminal action by somebody else that you could not easily detect.
To stay with the car analogy: If somebody sabotages your brakes in a way you don't notice until they stop working, accidents that result may not be your responsibility.
An additional point: While a car manufacturer has certain responsibilities, not everything that can go wrong is their responsibility. Only things they claim or are required by law to claim have to be backed up by their product. If you hit a tree because you don't know how to drive or if you start sliding on ice, that is certainly not the manufacturer's fault.
In the case of software this gets a little more complicated, as there is no "unit" of software. My feeling is that Manufacturers will not face legal requirements for characteristics their software will need to have, because such characteristics might be impossible to specify (not saying people will not try). Instead I think that cheap "computer operation insurance" will only be available for products where either the Manufacturer takes legal responsibility for some characteristics of the product or where the insurance companies have a strong indication that the pice of software has these characteristics.
I also think that Computer Scientists and other people that produce code and systems will have to have a kind of "Malpractice Insurance" whenever they commercially create code for others.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted and ignored otherwise.
OpenBSD & Qmail are examples of insecure freeware. But isn't OpenBSD exhaustively audited with many sections rewritten to eliminate security bugs probably spotted before ever being exploited? Doesn't Dan Bernstein write rock solid secure code in packages like Qmail and DJBDNS? The answer to both of those questions is a definite yes. The problem isn't that these things are made insecure, which is not the case at all. The problem is that the end user, or the system administrator, too easily can make things insecure by even the simplest mistake in configuration.
I'd love to have secure programs as much as anyone, and OpenBSD and Qmail certainly show that some of that is available now. But when I choose what software I will install, I have to do more than just choose what is securely written; I have to balance development security against administrative security. Certainly hiring more skilled administrators can improve security. But if the software is harder to configure and manage, then it either takes more administrator time, skill, and attention, for a given level of result. To that end, one of the important factors I judge software by is how easily it can be configured.
Close to that is another factor measuring how easily a given package can be hacked to correct a bug, or change a feature, if needed. If the code is well written, well documented, and clearly organized, the time it takes to hack it, and the certainty of hacking it correctly, is improved.
For any given package, there will be some people more experienced with that one than others, and so this isn't always a clear cut decision. I made the choice to go with Linux and Postfix, instead of the other choices. But this decision suited my needs, balancing reasonably secure software and reasonably secure adaptability to my environment (including programming and administrative skills). It won't be the same choice for everyone. And there are cases I've recommended software I don't actually use because it better suited someone else's different circumstances (fortunately I was at least reasonably familiar with it from evaluation to know its specifics). For example, if you have no need to change anything, I'd say OpenBSD would be the best choice for a combo firewall and server (just don't let anyone touch it ... a console is a dangerous thing).
Now here's the rub. What if someone does install OpenBSD and/or Qmail, and after they configure them, some kid breaks in and takes the machine for a ride? Are we going to blame Theo and Dan? I wouldn't, because I've seen way too many administrator mistakes (and learned from the ones I've made) to be putting the blame on the software. My big worry is that if we start pointing the liability finger at the software vendor, they're going to end up taking the heat way way more than they should be.
The OpenBSD and Qmail development people, as far as I know, fess up to their bugs, especially the security bugs, and let people know when a hole is found. If we are going to have software liability, I think that a practice of consistently divulging known vulnerabilities should be considered a safe-harbor from the liability, even for bugs that got exploited before the developers were aware. It's the practice of covering up on the vulnerabilities that I despise. That's where the liability should be.
The legal test should be whether the software vendor has carried out a consistent practice of immediately divulging (if not to the whole public, then at least to all their customers) the existance of the vulnerability, even if they don't have a fix for it yet. I'd rather take a web site down for a day if it is discovered to be insecure, while waiting to get it fixed. Of course open source is a plus here, as I can dig in and hack up a fix or work around myself, even if its just a quick and dirty one (like gross over sized malloc with some randomizing, for buffer overflows, to ride out a few days until a proper fix is available). And this means all customers, not just a few privileged big corporate customers.
now we need to go OSS in diesel cars
This raises an interesting way in which the closed source/open source battleground could be leveled somewhat, and could bring computer software up to the level of quality we expect from other engineered products. Would we cross bridges if they BSOD'ed while we were on them, killing us? I think not.
What the government needs to do is enact legislation that ties source code to a company's liability for the damage their software causes in case of failure. If a company releases its code with its products, then exempt them from liability; the customer has the code and could fix it if they wanted to. But, for companies that choose not to release their code, make them liable for their shoddy product. After all, what they're selling us is *supposed* to be complete and useable, and if they're not going to put their customers in a position where they can fix problems with a product themselves, then the closed source software company should pay.
This would even be a positive situation for the closed software companies in the long run, as the liability that they are selling along with their product is yet another feature their software can claim. This could one day end up being the competitive point between open source and closed source: open source = a gamble for your company, but a cheaper product, closed source = guaranteed to work by the producer at extra cost.
Either way, something has to be done.
As it stands, just about every software license and EULA out there says that the software is not certified to be fit for any purpose, that unexpected results may vary and that they are not responsible for damages resulting from the use of the softare.
To me that's a huge load. As far as software is concerned, we're still selling snake oil and living in the old west. There's a lot of buyer beware which is why I support trial-warez.
On the other hand, open source software is almost always considered "a work in progress" that seemingly never completes. That's just a given. But when a commercial product is released, there's a sense of finality involved. This is version 1.0 and any newer version will cost you money.
To me, once you exchange money and acquire a product, there is a moral responsibility on the supplier's part to guarantee the work in some way. I hate to use physical world analogies and so I won't go into detail. But imagine if the same sort of agreement went into the purchase of cars?
There is a huge difference between a publically contributed free work and one that is licensed (not sold) to a user for a given purpose. This game of "I want your money but not the liability" is a load of attorney crap. If you're a professional, be prepared to behave like a professional.
In any case, I think I'll go into business as a brain surgeon and make people sign agreements that say I'm not useful for any particular purpose, am not responsible for my actions and any additional surgical procedures resulting from my accidentally leaving my tools inside the patients body is an undocumented feature and not an error on my part.
This is what will happen to software if similar laws are applied to software.
...just jack up the price to include your liability insurance.
Secure servers without back doors are for weenies. :)
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
It's worth recalling that the proposed changes to UCITA (since only two states were dumb enough to immediately adopt the original model law) contains a truly incomprehensible couplet.
Commercial contract can waive all liability. I seem to recall that the "technical self-help" measures (which allows them to write software that actively damages your system if it thinks your license has lapsed) has been removed, but it still gives them broad rights to gag you when you try to report problems, to falsely claim others haven't reported problems, to falsely claim that the problem either doesn't really exist or has been fixed, etc. It can do all of this because you handed over hard cash and a bona fide contract exists. (I'm not so sure it's bona fide - a contract requires an *exchange* of items of value, and I don't see much value in this software.)
In contrast, free software isn't covered by a contract (since no money was exchanged) and UCITA explictly requires that warranties apply.
This means that Microsoft (to pick a company at random), a company with billions of dollars in the bank and easily able to afford decent product testing, gets a free walk. Meanwhile Joe Sixpack, a professional programmer who released a simple "scratch my itch" program, can lose his house in legal fees defending himself even if he ultimately wins the court cases.
The commentators (UF law professors, working under the aegis of the ACM?) suggested that the voting delegates seemed indifferent to this indefensible state of affairs. Hopefully they'll either fix it, or the lawmakers in the various states will quickly realize that UCITA 2.0 is just as bad as the original.
But it's something that MUST be considered whenever we talk about the need for liability law to start applying in the software world. We can see the importance of having your own source code, but the people who would actually write the laws are still hearing from Microsoft et al, not us.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Lower Your Insuance Premiums: Use Linux. The article is here. I haven't seen any follow up news, but this is where product liability has the best potential to hurt MS: where the only way they can affect the true cost of their product is by releasing a product that works.
I spent a year in Iraq looking for WMD and all I found was this lousy sig.
Comment removed based on user account deletion
And I know that was what the original article is trying to get across. You can treat the GPL'd/BSD'd stuff as some sort of non-profit entity and exempt them from the game. That would be great, but you can bet MS's PAC would bitch up a storm in DC about being singled out, even though they aren't, and try to get it applied to every piece of software there is.
People pay for GPL'd software every time they buy a distro of Linux, the burden in that case would probably fall on RedHat or SuSE or Mandrake, rather than the original authors, but the arguement can be made. And if there's an arguement to make, leave it to some shifty ambulance chaser to make it...
I like music
The patch for this was available for a month before the exploits started rolling in.
Which leads to the question of why it wasn't applied.
The person using the flawed application?
:) ) and there's one thing seriously pissing me off from Microsoft, not as a Linux zealot (I hate linux at it's current state to be honnest) but as a customer who bought for almost 6 digits of microsoft software. They put so much on marketting, they put so much on presentation, they put so much in finding new ways of doing stuff, or clever ways to steal^H^H^H^H^H Implement existing ideas, but GOD I *HATE* it when I see them claiming their OS is the most secure, GOD I HATE it when they say it's more reliable than any competitor OS, I hate it when there's a bug and I think it's me who is the problem and I find out it's an OS bug (but that I can live with it). All this to say: If a vendor claims that his OS/Software suite/product is more secure for marketting purposes, it SHOULD AUTOMATICALLY MAKE HIM RESPONSIBLE FOR *ANY* UNEXPECTED ARISING SECURITY ISSUES, ESPECIALLY THE MAJOR ONES.
the person creating the flawed application?
Follow me on this.
there are both sides for this, some people MIGHT want a less secure software (thus, a bit more rushed, thus less expensive) because of his specific application, why would his customers that don't request the features absorb the costs?
We could discuss this point and give out gray areas, and it could make an interresting debate, but It's 1am and I'll limit this to something plain and simple and this is no microsoft bashing karma whoring since I already topped the 50 limit,
Here goes: If you want the companies to be responsible for security flaws in their software, you have to first see if they do any misleading claims. Guess who comes to mind first? yes.. Microsoft. I don't run unix servers at work yet, I am exploring putting my email server on FreeBSD with postfix (which is kinda bitchy for a win2k guy that lost his unix/amiga side a long time ago
Look at how nimda killed most servers and workstations running IIS, look at the freakin time it took for this bastard to get off the net? even MONTHS later I still had port 80 probbing on my machine for god's sake, how many high-speed provider shutted down incoming traffic on port 80? this was due to one serious SECURITY flaw and costed a lot of downtime and unexepected expenses.
Yes there are stupid admins that don't update their machines often. But let's be honnest here, how many update do you need for major flaws on IIS versus Apache for example? I run IIS as an intranet, so I can "forget to update", but if I'd run it on internet for example, how many updates a month would I have to do compared to apache? a LOT more, I read both security lists out of curiosity, and the feeling I had about this was absolutely true. Too bad Apache doesn't have a IIS front-end and ease of use on win2k because I'm sure IIS would take an even bigger drop. I guess microsoft will do something really good with IIS6 because they are probably feeling the heat right now.
Anyways, this is the reason why I will NEVER run my critical services such as DNS server or EMAIL on microsoft software (I use the ISP's for now, considering moving locally) they rush their things out, and fix later, which is totally unacceptable, and forcing to upgrade your browser instead of patching the bugs, and introducing new ones, etc... this is really becomming a serious issue, I wouldn't mind all this if they would at LEAST be honnest about this, but no, they want to go the PR way and bullshit people about security compared to unix system? come on, I have yet to see a nimda breaking loose on unix servers (this is only one example, let's not talk about melissa or any others).
There aren't only negative sides to Microsoft software, windows 2000 is the best OS I've ever used since my amiga, it has it's downsides, amiga has it's downsides too so nothing is perfect, Win2k server is great for small buisness like mine and it's stable enough to do the job and I find IIS great for running my intranet. Well IIS would probably be the only software I'd expose out to the internet (if it was a non-critical server), because it's simple, easy to manage, permissions sets up pretty simply (for those of us who hate text files), but like a lot of people here, even if I find most microsoft software simple and Ok, I'd NEVER build a mission-critical solution on their product, I'd never run a "ebay" on IIS, I'd never be a ISP and running my DNS services on win2k, some do, and some don't have much problems, but when they do have them, they can tell you what hell looks like.
So all this to say: If you want to sell stuff with no responsibilities attached to it because the people don't ask you for it or simply because of budget constraint, you can still be succesful and fill a need, but if you LIE about it, in my book, you diserve to be punished, and severely. If you'd be turning blue and a doctor would tell you "it's nothing, just take two aspirins" and you'd die a few hours later, he'd get his career kissed goodbye, while buisness isn't necessarely life, you can messup a LOT of lifes if your buisness go down because you miss a demo or your 20 programmers are down for 2 days because of a big virus attack and you need to rebuild all the servers and so on, I'm sure there's probably one example from a slashdot reader that could say he missed a demo and financing because of a stupid issue like this (well this might be a bit stretched but you get the point), what about the life of those employees? What about the total cost of all this downtime in the country?
Microsoft is quick to blaim piracy costing BILLION of $$$, but they are quick also to change subject when we ask them how much THEY are costing to the industry because of downtime or upgrade or patching. Again, I am not against Microsoft because I think they are still doing great product, I am against their ATTITUDE towards the industry and all the false (or at least exagerated) claims they are making, if I'd do 1/2 of this as a small buisness, I would kiss my career goodbye, why would US's Icon be allowed to do this blattanly?
--- Metamoderating abusive downgraders since my 300th post.
The problem is modifying applications to live within the limits of LOMAC-type security. Work is underway to make WU-FTPD work under LOMAC, but somebody needs to do Apache and a mail program.
If you work on any of those apps, read the LOMAC stuff and fix your apps to live within the LOMAC rules. This will do more for security than any amount of patching.
Consider the fact that if a vendor is forced to take liability for its Zapwicky Mark II. It uses some free software internally, this is known, nothing untoward is happening. The problem is the vendor is itself taking on liability for the free software. If i were making the decision on what to include in the distribution, that in itself would be reason to abandon the use of free software, and choose something proprietry that if there were problems, liability can be "passed on".
Clearly, IANAL.
dominionrd.blogspot.com - Restaurants on
This would make software more expensive; you simply cannot have it for free. Period. So the only question is whether or being able to hold the software producers liable, is worth what it costs.
And the answer to that is entirely variable and conditional. If it costs (pulling a number out of my ass) $5000 extra for a machine that you only play games on, then it's not worth it; if it costs a million dollars for a machine that controls your water recycling on a year-long trip to Mars, it probably is.
And because it is sometimes worth it and sometimes not, it should be an option. Instead of making every programmer bonded and liability-insured, thereby increasing the cost of all software, let the user decide when it's important and when it's not, and deal with buying the insurance themselves.
And once it comes down to that, we all damned-well know that most users really don't care about security. So Bruce is trying to push this against the will of the people who will have to pay for it. I know he means well, but it's really just another attempt to enforce good ideas, which is usually a bad idea. Instead, he should stick to educating people about security, which he happens to be very, very good at. Instead of writing your congressman about outlawing liability disclaimers in license agreements, buy a copy of "Secrets and Lies" for a friend.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Software liability, in the same sense as liability for a "standard" engineering product (electrical appliances, cars, buildings, etc.) is, like you say, ludicrous. That's because companies can employ underwriting laboratories to do testing that would exceed the cost of an in-house testing matrix. Engineering is governed by the laws of physics, which generally can tell you a lot about how resistant a building is to heat, wind, rain, etc. In general, software is just plain not tested enough. This is the biggest problem to the formulation of software engineering as a respectable discipline on par with civil or mechanical engineering.
1. Businesses can crumble because of security assured to them by their software vendor that doesn't exist. People lose houses, jobs, and families because of this kind of thing. Security is dependent on more than just each component of a solution being appropriately secure - it needs the combination of each individual piece to be secure. This task is, in general, too difficult for the average tech lead at a small business, college, or school, who will have enough problems with basic functionality. To some extent, the burden needs to be shifted to software providers- I don't think this is a point of contention.
2. It is easy to purchase the software you need, with a guarantee of security and reliability, and at a reasonable price, only if you are involved with the government of a large country, and even then you don't always get it right.
3. IIS on its own may be secure enough for a company intranet, but if the intranet's firewall and proxy servers are compromised, then it has become not secure enough. Schneier wants insurance companies to take the brunt of deciding how effective security solutions are - not the US government.
4. Schneier's main goal in instituting software liability is the management of security risk by lowering insurance premiums for people with more secure software. People who want to develop software without liability protection can count on an according security check level - if a system was in place that made security important for everybody, and not just these guys, the world might be a better place.
5. There are enough larger players within the software world that I don't think this would happen - specifically, IBM wants to protect AIX, Apple wants to protect OS X, and Sun wants to protect Solaris. And if IBM and the NSA want to continue to promote Linux, they WILL make it secure
6. OpenBSD has had four years without a remote hole in the default install configuration - it has also had several local holes, and this is entirely discounting the problem of people who configure the software the wrong way. People are choosing to do this, and the market is sorting it out, but not to the extent that's necessary to prevent another Nimda, Code Red, or Iloveyou virus - the cost in lost productivity alone is earth-shattering. And people don't need to get hacked for terrible things to happen to them- in fact, if they never figure it out, all the better for the attacker. No, for the most part, people don't care- and they should. Most people don't want to get vaccinated, but we make them- because the cost to not get vaccinated for society as a whole is that much greater.
Like many in the security industry, he just cant argue. He's all but given up trying to convince people that security is important. It's funny, but he actually believes that the common man gives a shit about security. News flash: they dont. Due to this misunderstanding he pushes the blame onto the developers. Why should they be forced to develop secure software if no-one wants it? There-in lies the problem. If you want security to be taken seriously stop trying to use the force of government to make developers do something the market doesn't want. Convince the market that it is important. And no, that doesn't mean releasing scripts on bugtraq so kiddies go attacking the innocents so you can point your finger at developers and say "see see, bad software".
How we know is more important than what we know.
Exactly. Schneier complains that the market prefers quickly-released software to secure software. He may think this is foolish. But since when was it up to him to dictate what people should and should not be able to buy? Currently you have the choice between cheap software with no liability and very expensive software sufficient checking. Some like NASA and the military may choose the expensive option, but the cheap option should be available too.
Most Slashdot readers may think it unfortunate that the market prefers Windows and MS Office to more capable alternatives, but few would argue for the more popular choice to be banned as a way of 'correcting' the market's decision.
-- Ed Avis ed@membled.com
Comment removed based on user account deletion
Comment removed based on user account deletion
(A day late, a dollar short... I doubt anyone will read this. Oh well.)
I agree with Schneier that software liability is the only thing that can fix the sorry state of today's commercial software. I also agree with the Slashdotters who say that making authors of free (either meaning) liable would kill off the practice. When I first pondered this dilemma before, I came up with an idea so fiendishly perfect that I'm sure tons of people have thought of it before: make the degree of liability proportional to the cost of the software!
The Microsofts and Oracles of the world who make expensive, broken software will have to change one or the other or be sucked dry by damages awarded in liability lawsuits. On the flip side of the coin, the freeware and Open Source/Free Software communities won't have to change anything, and the shareware folks would be protected by the fact that most people who use their stuff never pay for it, perhaps even encouraging more people to buy shareware so that they might have legal recourse if it ever fails in the future.
Range Voting: preference intensity matters
I honestly believe that software liability would be a net win for the industry, admittedly with a little pain in the short term as people learned to live within the new system.
However, theirs was a somewhat special circumstance as they had a reasonable expectation of being sued by deep-pocketed organizations (MPAA, RIAA) whose motiviations are well known and have little to do with actual software security or quality.