Slashdot Mirror


Liability and Computer Security

Pelerin writes "In the latest Crypto-Gram, Bruce Schneier has written an interesting essay with some thoughts about the current lack of business incentives for the deployment and production of more secure software. His main recommendation/prediction is this: "Step one: enforce liabilities. This is essential. Today [...] the marketplace rewards low quality. More precisely, it rewards early releases at the expense of almost all quality. If we expect CEOs to spend significant resources on security -- especially the security of their customers -- they must be liable for mishandling their customers' data. If we expect software vendors to reduce features, lengthen development cycles, and invest in secure software development processes, they must be liable for security vulnerabilities in their products." Schneier's five-step plan for thinking about security is also good.

Pelerin continues: "All well and good, but this raises some questions in the case of a company offering security solutions based on open source / free software.

  • Where does the chain of liability end? Can somebody attempt to recover damages from Linus when a kernel security hole shows up?
  • Can a case be made for lower insurance rates for free software solutions? (I mean, can it be made to the accountants and the lawyers, not the techies).
  • When liability enters the picture, which mechanisms can allow free software to compete based on its merits, not on the likelihood of surviving a liability lawsuit?"

18 of 159 comments

  1. Free software by chennes · · Score: 3, Insightful

    Fortunately, the GPL licenses state that this is distributed under no warranty of any kind, which might provide some legal relief. If this was legislated around it could be a MAJOR blow to the free software community - if you can be held liable for your code fucking someone's computer up, that's a BIG incentive for little freelance coders to give up - Microsoft can pay the legal fees and out-of-court settlements - I cannot.

    Chris

    1. Re:Free software by Stonehand · · Score: 3, Interesting

      It would be amusing if a HUGE sticker were required to be slapped on the outside of software boxes containing such licenses, stating that "Food for thought: The publisher of this product would like you to know that he feels entitled to FUCK OVER YOUR COMPUTER AND ALL ITS CONTENTS and he won't owe you a dime."

      In big alarming black-on-yellow letters.

      Pity it'd never happen, but...

      --
      Only the dead have seen the end of war.
  2. Liability? by quantaman · · Score: 3, Insightful

    The problem with liability is that your financial risk now becomes proportional to your success. While the model sounds good, one bad security error could potentially put the software provider out of business from the lawsuits, which would also leave hanging the people still using the software. The only time a company should be held liable is when the bug or security problem was intentionally left in (they would have had to take out a feature to fix it), and even then it's not a clear-cut issue. The only other time is when an incident happens at a time when the company has the fix but did not distribute it for some reason (i.e. marketing wanted to make the installer a different colour).

    --
    I stole this Sig
  3. on legal liability by drDugan · · Score: 3

    I hate to be naive here (but I am)... why do we need MORE laws to control us? What about those magic fingers of the markets? ...you know -- the ones that are supposed to push products toward what people demand.

    It's not clear to me that legislating software through increased liability is the best way to get security.

    thoughts?

    1. Re:on legal liability by Anonymous Coward · · Score: 5, Insightful

      This isn't about adding new laws to make writing software more difficult. It's about ending special protection and holding software companies to the same standards as everyone else. If I buy something from you, it better work--this is how it is for every other product under the sun, why is software special? As for free software, well the same standards would apply as for anything else that is free. You normally can't sue over something that is free, except in extreme cases where you can prove gross negligence or outright malice. That standard would work just fine here too.

      This may give proprietary software a PR advantage over free software (it has to uphold higher standards), but them's the breaks. Besides, free software has always touted an equivalent PR advantage (the source has been reviewed by countless experts in the field), so it's just good old-fashioned competition.

      In my view, those who are against software liability are no better than the RIAA/MPAA who try to prop up their inefficient ways of doing business through lobbying and legal bullying. They too like to blame their customers when anything goes wrong.

    2. Re:on legal liability by Fat+Casper · · Score: 3, Insightful

      Well, we don't need more laws. There are already product liability laws. They just don't apply here. Just one of the many reasons that MS doesn't want software to be seen as a "product."

      I can see where the liability guys are coming from. OSS folks release the source, and GPL folks release a whole bunch of other rights as well. With code in hand and a pile of rights to do with it as you please, as well as probably not having paid a dime for it, the customer is more of a partner- assuming a lot of responsibility. Proprietary people charge money for what is really, despite their protests, a product. I've got a CD, maybe a book or two, some shrink wrap lying on the floor, and I'm at the vendor's mercy. I find out about security holes by getting cracked, even if the vendor has known about the hole for six months.

      The bottom line is that by retaining power, proprietary software companies also retain responsibility. If I am not allowed to look through and modify the source, the holes in my system are not my responsibility (except for buying bad software), but that of the vendor who won't allow me access. Power = responsibility. Money = money. People pushing for finding software companies liable aren't the "let's sue everybody" crowd, they are using the standards of the proprietary, corporate world against itself. Or, if you prefer, holding those companies to their own standards.

      License agreements are funny. According to one, I can't use my copy of XP on any box except the one it came on (don't worry, I haven't even used it on that one). How legally binding is an "agreement" that I didn't get to see until after the sale was completed? For that matter, how legally binding is an "agreement" with a monopoly? The "magic fingers of the markets" that you are holding out hope for are wearing thumbcuffs, my friend. But if the customers have to pay through the nose and have all real power held back from them, then the only answer is financial liability for the vendor. They might actually bother to produce good software then. If that financial incentive isn't enough, then there are other, more drastic legal measures. MS is illegally maintaining a monopoly, you know.

      --
      I spent a year in Iraq looking for WMD and all I found was this lousy sig.
  4. Indemnity clauses by xrayspx · · Score: 4, Insightful

    If you read a license, any license, it basically states that you use the enclosed software "at risk", meaning you can't sue if something, anything, goes wrong. Including data corruption, script kiddie 0wn@g3, etc. What he's proposing is getting rid of that. Fine, now Microsoft is liable for NT vulns, but you can't basically throw MS licensing rules out the window and leave BSD and GPL intact. So then the "As Is" portions of the Open licenses have to, too.

    Why not hold Network Admins responsible for problems on their networks? I am a network admin, and if some kid got in and stole a database from one of my employers, compromising customers, I would expect to take the full heat for it. In the back of my mind I'd be saying "F*** Microsoft and their buggy-ass code", but I would know it was my fault for allowing it to happen.

    This is no solution. What's the estimated cost of Nimda so far? Code Red? SadminD? Melissa? I Love You? All the other Outlook worms?

    The cost of lawsuits from just these AUTOMATED attacks would cripple even Microsoft. Not to mention the CDUniverses of the, er, Universe.

    Software authors need these clauses for a reason, if they didn't have them there, they might as well go start a farming commune instead because it wouldn't be worth it to code anymore.

    Free Software authors would then also have to specify under which conditions they would ALLOW their software to be run. Otherwise some schmuck could install some .01a version of code that some guy wrote on his weekend off as a proof of concept on their primary webserver, immediately get hacked, and sue Joe Programmer into the stone age.

    Nice idea, just to tweak MS, but I don't like the way it would play out.

    1. Re:Indemnity clauses by cthugha · · Score: 5, Insightful

      Fine, now Microsoft is liable for NT vulns, but you can't basically throw MS licensing rules out the window and leave BSD and GPL intact.

      You can get MS and leave the GPL (essentially) intact. The difference between them is that you pay for MS stuff, whereas you generally don't pay for GPL software. Of course, if you pay for GPL software, you should probably have a right of action against the supplier (but not necessarily the original author, if s/he gives it away).

      The technical legal difference between the two is that an MS EULA is a contract (legally binding agreement for mutual consideration), whereas the GPL is only a licence (permission to do something the grantee couldn't previously do without anything in return). I understand the contract/licence nature of the GPL is still a matter of some debate, but if a law were passed saying "no clauses excluding liability in contracts for the sale of software", then we could probably catch the EULAs and leave the GPL and other open source licences intact where the GPL'd or OSL'd software was provided gratis. At any rate, I think it should be possible somehow to distinguish the two on a "you pay for one, you don't pay for the other" basis.

      Why not hold Network Admins responsible for problems on their networks? I am a network admin, and if some kid got in and stole a database from one of my employers, compromising customers, I would expect to take the full heat for it. In the back of my mind I'd be saying "F*** Microsoft and their buggy-ass code", but I would know it was my fault for allowing it to happen.

      It depends on who made the decision to go with the buggy software. If it was your decision, then yes, the responsibility falls on your shoulders. If, however, the decision came from management on the rationale that "nobody got sued for going with MS" or some other non-tech-related reason, and that decision was made against your own advice, then you shouldn't cop the heat for that.

      Of course, given your lowly position in your organization relative to the goon that actually made the decision, office politics will pretty well guarantee that you'll take the heat anyway :).

    2. Re:Indemnity clauses by Waffle+Iron · · Score: 3, Insightful

      Software authors need these clauses for a reason, if they didn't have them there, they might as well go start a farming commune instead because it wouldn't be worth it to code anymore.

      That's true. Software is unlike most any other product because of its complexity and nonlinearity. The average software developer makes hundreds of individual decisions per day that end up embedded in their code. Any one of those decisions could be a hole that destroys the security of the entire product.

      Testing and review help, but decades ago it was mathematically shown that in general you cannot prove whether an algorithm is bug-free. The tiniest crack in the logic could be used by an attacker as a wedge to subvert the entire product.

      This is very different from designing bridges or buildings, for example, where the thousands of decisions going into the design tend to reinforce the basic premise of its fundamental soundness. The mathematics of each calculation are usually verified by calculations done during other parts of the work. Due to this feedback, systematic failures are extremely rare, and when they do happen, often end up showcased on History Channel programs such as "Engineering Disasters".

      Laws developed to assign liability for bridge failures, train wrecks, etc. are not suitable for software problems. There needs to be a crystal clear distinction made between companies and individuals who make an honest mistake and work in good faith to correct it (no matter what havoc it wreaked), versus those who recklessly ignore third-party warnings and past problems in favor of distributing obviously flawed products time and time and again.

      In other words, software liability should not focus on individual incidents, but trends and patterns of behavior. Unfortunately, the law usually focuses on minutiae, and it would be very hard to get it to focus on the big picture to punish only the genuine schmucks. Current legal practice usually likes to make examples out of a few unlucky small-timers. But as I explained, every software developer is almost certainly a potentially unlucky small-time offender.

    3. Re:Indemnity clauses by Electrum · · Score: 3, Interesting

      This is very different from designing bridges or buildings, for example, where the thousands of decisions going into the design tend to reinforce the basic premise of its fundamental soundness. The mathematics of each calculation are usually verified by calculations done during other parts of the work. Due to this feedback, systematic failures are extremely rare, and when they do happen, often end up showcased on History Channel programs such as "Engineering Disasters".

      But it is possible to write secure software through good software engineering practices. Unfortunately, not many people seem to understand them. Only a few individuals like Dan Bernstein can consistently and effectively write secure software, and will guarantee that it is secure.

      If software was thoroughly designed from the start before any code was written, the same as with normal engineering projects, then perhaps more software would be secure. If you look at his guarantee for qmail, then you'll notice that he followed several principles throughout the design and implementation that allow him to guarantee that it is secure. If software engineers become liable for their work in the same way that traditional engineers are liable, then maybe software engineering will become more like traditional engineering.
  5. Liability and free software by lux55 · · Score: 3, Informative

    Liability is the reason that the Broadcast 2000 project was removed from public access, which is a tragedy because I'm sure tons of people could benefit from their free software. From their web site:

    In recent months the line between warranty exemption and liability has become increasingly blurred as more companies have liquidated and more individuals have begun to seek compensation. We've already seen several organizations win lawsuits against GPL/warranty free software writers because of damage that software caused to the organization. Several involved the RIAA vs mp3/p2p software writers. Several involved the MPAA vs media player authors. You might say that warranty exemption has become quite meaningless in today's economy.

    Theirs isn't a security issue, but it's still very relevant as they are acting out of the fear of being held liable for what they were offering for free. That is really sad.

    Security issues are deep-rooted, and most definitely can't be solved by nullifying the liability clause in licenses.

  6. Re:microsoft anyone? by SuiteSisterMary · · Score: 3, Insightful

    I know this will probably get modded into the ground, but what about Microsoft? Nimda and Code Red, which exclusively affected IIS on Win2K did "millions of dollars" in damage. If software companies are found to be liable for their hole-laden software, I would think Microsoft should be on the top of the list.

    Bad example. The patch for this was available for a month before the exploits started rolling in. What would OSS do if such laws existed? It would either need to be classified as 'non professional' code, meaning it's indemnified against liability, but nobody would use it, or it would need to play by EXACTLY the same rules as any other software release. Having the code available should NOT release it from that responsibility, any more than an engineer would be released from responsibility for building a bridge that was unsafe, even if he allowed the random public to look at the blueprints all they wanted.
    --
    Vintage computer games and RPG books available. Email me if you're interested.
  7. Re:microsoft anyone? by rgmoore · · Score: 3, Interesting

    I know this will probably get modded into the ground, but what about Microsoft? Nimda and Code Red, which exclusively affected IIS on Win2K did "millions of dollars" in damage. If software companies are found to be liable for their hole-laden software, I would think Microsoft should be on the top of the list.

    Bad example. The patch for this was available for a month before the exploits started rolling in.

    It seems to me that this is exactly the kind of test case that needs to be looked at when discussing legal liability for software. If the patch is available, how much of the responsibility is on the administrator to apply it and how much is on the software company not to have written the buggy code in the first place? You can certainly argue that the availability of the patch should exempt the manufacturer from liability, but just how long does the patch have to be available to count? Is it acceptable if the patch is only available one month before the exploiting code shows up? One week? One day? One hour? Or should software authors have an affirmative responsibility to send patches to users, the same way that car manufacturers have to contact their buyers in the event of a recall? Who is liable when the patch is available but unapplied is the really interesting issue, not who is liable when no patch is available.

    --

    There's no point in questioning authority if you aren't going to listen to the answers.

  8. Basis of liability by gweihir · · Score: 4, Interesting

    The liability will not go to Linus. Basically everybody operating computing equipment will have to have insurance, just like if you operate a car or like you should have if you go wind-surfing.

    This insurance will get much cheaper if you use good systems and have the required competence to make them secure.

    Some problems will have to be resolved by the legal community:
    • Who is responsible for the operation of a piece of computing equipment and how does this responsibility transfer?
    • How is the competence of such an "operator" graded?
    • What constitutes criminal/unauthorised misuse of computing equipment?

    The last point is important, since you are only responsible for problems caused by your equipment, as long as they are not due to some criminal action by somebody else that you could not easily detect.
    To stay with the car analogy: If somebody sabotages your brakes in a way you don't notice until they stop working, accidents that result may not be your responsibility.

    An additional point: While a car manufacturer has certain responsibilities, not everything that can go wrong is their responsibility. Only things they claim or are required by law to claim have to be backed up by their product. If you hit a tree because you don't know how to drive or if you start sliding on ice, that is certainly not the manufacturer's fault.

    In the case of software this gets a little more complicated, as there is no "unit" of software. My feeling is that manufacturers will not face legal requirements for characteristics their software will need to have, because such characteristics might be impossible to specify (not saying people will not try). Instead I think that cheap "computer operation insurance" will only be available for products where either the manufacturer takes legal responsibility for some characteristics of the product or where the insurance companies have a strong indication that the piece of software has these characteristics.

    I also think that Computer Scientists and other people that produce code and systems will have to have a kind of "Malpractice Insurance" whenever they commercially create code for others.
    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted and ignored otherwise.
  9. Amateur cars by interiot · · Score: 5, Insightful

    Take as an analogy the auto industry. Ford had legal suits brought against it due to its possible problems with their cars. This is good for the general safety of consumers, but it results in almost zero amateur cars. Individuals can build kit cars for themselves but can't sell newly manufactured ones, and smaller manufacturers can distort their cars so they fit into some exception of the laws. But generally, 99.9% of the cars in the US are made by a couple of manufacturers.

    This is what will happen to software if similar laws are applied to software.

  10. UCITA by coyote-san · · Score: 3, Interesting

    It's worth recalling that the proposed changes to UCITA (since only two states were dumb enough to immediately adopt the original model law) contain a truly incomprehensible couplet.

    Commercial contract can waive all liability. I seem to recall that the "technical self-help" measures (which allows them to write software that actively damages your system if it thinks your license has lapsed) has been removed, but it still gives them broad rights to gag you when you try to report problems, to falsely claim others haven't reported problems, to falsely claim that the problem either doesn't really exist or has been fixed, etc. It can do all of this because you handed over hard cash and a bona fide contract exists. (I'm not so sure it's bona fide - a contract requires an *exchange* of items of value, and I don't see much value in this software.)

    In contrast, free software isn't covered by a contract (since no money was exchanged) and UCITA explicitly requires that warranties apply.

    This means that Microsoft (to pick a company at random), a company with billions of dollars in the bank and easily able to afford decent product testing, gets a free walk. Meanwhile Joe Sixpack, a professional programmer who released a simple "scratch my itch" program, can lose his house in legal fees defending himself even if he ultimately wins the court cases.

    The commentators (UF law professors, working under the aegis of the ACM?) suggested that the voting delegates seemed indifferent to this indefensible state of affairs. Hopefully they'll either fix it, or the lawmakers in the various states will quickly realize that UCITA 2.0 is just as bad as the original.

    But it's something that MUST be considered whenever we talk about the need for liability law to start applying in the software world. We can see the importance of having your own source code, but the people who would actually write the laws are still hearing from Microsoft et al, not us.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  11. Comment removed by account_deleted · · Score: 5, Insightful

    Comment removed based on user account deletion

  12. Re:Bad Idea, Very Bad by Ed+Avis · · Score: 3, Insightful

    Exactly. Schneier complains that the market prefers quickly-released software to secure software. He may think this is foolish. But since when was it up to him to dictate what people should and should not be able to buy? Currently you have the choice between cheap software with no liability and very expensive software with sufficient checking. Some like NASA and the military may choose the expensive option, but the cheap option should be available too.

    Most Slashdot readers may think it unfortunate that the market prefers Windows and MS Office to more capable alternatives, but few would argue for the more popular choice to be banned as a way of 'correcting' the market's decision.

    --
    -- Ed Avis ed@membled.com