Slashdot Mirror


Liability and Computer Security

Pelerin writes "In the latest Crypto-Gram, Bruce Schneier has written an interesting essay with some thoughts about the current lack of business incentives for the deployment and production of more secure software. His main recommendation/prediction is this: "Step one: enforce liabilities. This is essential. Today [...] the marketplace rewards low quality. More precisely, it rewards early releases at the expense of almost all quality. If we expect CEOs to spend significant resources on security -- especially the security of their customers -- they must be liable for mishandling their customers' data. If we expect software vendors to reduce features, lengthen development cycles, and invest in secure software development processes, they must be liable for security vulnerabilities in their products." Schneier's five-step plan for thinking about security is also good."

Pelerin continues: "All well and good, but this raises some questions in the case of a company offering security solutions based on open source / free software.

  • Where does the chain of liability end? Can somebody attempt to recover damages from Linus when a kernel security hole shows up?
  • Can a case be made for lower insurance rates for free software solutions? (I mean, can it be made to the accountants and the lawyers, not the techies).
  • When liability enters the picture, which mechanisms can allow free software to compete based on its merits, not on the likelihood of surviving a liability lawsuit?
"

4 of 159 comments

  1. Re:on legal liability by Anonymous Coward · Score: 5, Insightful

    This isn't about adding new laws to make writing software more difficult. It's about ending special protection and holding software companies to the same standards as everyone else. If I buy something from you, it better work--this is how it is for every other product under the sun, why is software special? As for free software, well the same standards would apply as for anything else that is free. You normally can't sue over something that is free, except in extreme cases where you can prove gross negligence or outright malice. That standard would work just fine here too.

    This may give proprietary software a PR advantage over free software (it has to uphold higher standards), but them's the breaks. Besides, free software has always touted an equivalent PR advantage (the source has been reviewed by countless experts in the field), so it's just good old-fashioned competition.

    In my view, those who are against software liability are no better than the RIAA/MPAA who try to prop up their inefficient ways of doing business through lobbying and legal bullying. They too like to blame their customers when anything goes wrong.

  2. Amateur cars by interiot · Score: 5, Insightful
    Take as an analogy the auto industry. Ford had legal suits brought against it due to its possible problems with their cars. This is good for the general safety of consumers, but it results in almost zero amateur cars. Individuals can build kit cars for themselves but can't sell newly manufactured ones, and smaller manufacturers can distort their cars so they fit into some exception of the laws. But generally, 99.9% of the cars in the US are made by a couple of manufacturers.

    This is what will happen to software if similar laws are applied to software.

  3. Re:Indemnity clauses by cthugha · Score: 5, Insightful

    Fine, now Microsoft is liable for NT vulns, but you can't basically throw MS licensing rules out the window and leave BSD and GPL intact.

    You can get MS and leave the GPL (essentially) intact. The difference between them is that you pay for MS stuff, whereas you generally don't pay for GPL software. Of course, if you pay for GPL software, you should probably have a right of action against the supplier (but not necessarily the original author, if s/he gives it away).

    The technical legal difference between the two is that an MS EULA is a contract (legally binding agreement for mutual consideration), whereas the GPL is only a licence (permission to do something the grantee couldn't previously do without anything in return). I understand the contract/licence nature of the GPL is still a matter of some debate, but if a law were passed saying "no clauses excluding liability in contracts for the sale of software", then we could probably catch the EULAs and leave the GPL and other open source licences intact where the GPL'd or OSL'd software was provided gratis. At any rate, I think it should be possible somehow to distinguish the two on a "you pay for one, you don't pay for the other" basis.

    Why not hold Network Admins responsible for problems on their networks? I am a network admin, and if some kid got in and stole a database from one of my employers, compromising customers, I would expect to take the full heat for it. In the back of my mind I'd be saying "F*** Microsoft and their buggy-ass code", but I would know it was my fault for allowing it to happen.

    It depends on who made the decision to go with the buggy software. If it was your decision, then yes, the responsibility falls on your shoulders. If, however, the decision came from management on the rationale that "nobody got sued for going with MS" or some other non-tech-related reason, and that decision was made against your own advice, then you shouldn't cop the heat for that.

    Of course, given your lowly position in your organization relative to the goon that actually made the decision, office politics will pretty well guarantee that you'll take the heat anyway :).

  4. Comment removed by account_deleted · Score: 5, Insightful

    Comment removed based on user account deletion