Slashdot Mirror
Software Product Liability?
ben writes "Reuters just ran a story about the increasing number of calls for liability on the part of software developers, with a not-too-suprising focus on Microsoft and its uber-fallible IIS webserver. Given that many other engineering disciplines have some sort of accreditation and licensing body to enforce codes of professional ethics, I'm curious what impact the demand for such a creature in the software industry could have on Open Source developers, especially the part-time hobbyist ones. That is, establishment of some sort of Software Developer's license means the developer is potentially liable for whatever havoc his bugs may wreak, and traditionally the only environment with legal resources adequate to deal with such liability has been the megalithic corporate one."
Of course having to undo the shrinkwrap to read the EULA, and by having read in the EULA that by undoing the shrinkwrap you therefore agree with it.. that's another issue altogether
Evil ZEN Scientist
just blame your bugs on bad drivers.
Best wishes,
Raymond Davies
``the developer is potentially liable for whatever havoc his bugs may wreak''
That is why all open-source licenses that I am aware of state that the product is provided ``as is'', without any warranty, yada yada.
Please correct me if I got my facts wrong.
What if they blame your software, when in reality it's the fault of some other software used in conjunction with it? Or it's a hardware problem? Or it's a user trying to cover their own ass when they screw up? It's not quite as easy to see what happened after the fact as it would be if say... a building fell down.
It's more analagous to doctors prescribing medications. They do their best to make sure the patient is in the right condition to take them, but they can't control what the patient takes them with, or how they might misuse them. But of course, malpractice insurance is quite expensive...
This is a serious question that always seems to be glazed over by the open source advocates. Most seem to see it only as a method of attacking MS.
Well, if liabilities become a reality, EULA's won't protect the company, otherwise every company just puts a clause in it and the liabilities cease to exist. The law would be required to allow very few, if any, exceptions.
If the open source community has to face this, what will happen? The next time there's an error (such as the recent Bind exploit) do the lawsuits begin?
There can certainly be some kind of liability for bad code that you deliver to clients under a contractual relationship, just like there can be malpractice if your doctor gives you bad advice.
But liability for a program that you've published on the net or sold retail? That's as bad as liability for publishing a book advising people to plan their finances by astrology or go on some quack diet to prevent cancer. Those books are published all the time and it's (rightfully) up to the buyer to take the advice or not take it.
Most buyers simply know better than to believe such stuff. And sooner or later they will hopefully know better than to run Windows. It's just a matter of the field getting more mature.
Maybe they could add a clause that says only Microsoft and Oracle have to be liable.
This could lead to all kinds of nastiness. If a software vendor wants to limit their liability, they may tie their software to a very specific hardware configuration. This could result in the unintended consequence of giving M$$$$ an unprecedented amount of control over the hardware manufacturers and resellers. So, instead of purchasing software to solve a particular problem, you purchase hardware to meet the requirements of a software package. This seems^H^H^H^H^H is half-assed backward.
Couple of quotes in the article I like:
The products are even less buggy than others, in terms of per capita usage, Microsoft Chief Executive Steve Ballmer has said.
So does that mean that because more people use Microsoft software they can have more bugs in it? This sort of statistic is like using "Revenue over number of employees named Frank" as an accounting measure for companies!
And the other one:
Mundie said. "Microsoft can't control that process. If the printer driver tanks the system, who do you hold liable?"
Now *that* explains what caused all those holes in my locked down IIS server!
Go out and get sailing!
I really think software needs to have lemon laws. Much like the auto-industry, if they sell you crap...you get your money back.
IMHO, this is the biggest issue with software (Linux included)...there's no liablity. There's no real incentive to not produce crap software, besides people not buying it.
It's broken?, it doesn't work?, Doesn't do XYZ? Too bad. You're screwed. Once you buy it and use it, u can't return it. You just have to either deal with buggy software or eat the loss.
...it'll never happen - Micro$oft couldn't afford it.
Why is there only one Monopolies commission?
Being liable is clearly a problem if you release your software for free (i use both meanings here). I think software companies should be liable if their software is not free. When you agree to give up money or "freedom" for software, It is my opinion that you should get a quality of service granted in exchange.
This should usually be handled by the invisible hand of competition, but huge software companies are so well-established that they can afford to give up on quality. I think that such a measure would protect the consumer from such abuses.
This is just an idea, it's certainly flawed and incomplete. Does anyone care to contribute?
Trollem mirabilem hanc subnotationis exigiutas non caperet
I think this would be an administrative nightmere for open source... Don't give me some B.S. about open source getting some kind of exemption cause its not gonna happen... also don't give me B.S. about open source not having security bugs... they DO!
Lets say this becomes true and Microsoft gets sued cause HyperTerminal (part of Windows) has an root exploit. Microsoft pays damanges and then will probably sue HillGrave Software (or whatever company they sub-contracted to write it). (or they have insurance). This will drive up the cost of software for sure..
Lets take a look at the open source way. Lets say some company using package X get rooted cause of an bug in package X. It sues the maintainer of package X. The maintainer then pays out. What does the maintainer do? sue the developer who wrote the chunks of code?
This will particularily bad for open source software for the following reason: large companies can afford insurance against this.. open source cannot... once open source gets one or two lawsuits cause of this... I expect more and more open source projects/developer to give up cause they can't afford to pay out..
-- Note: These Comments are Generated by ME! Not You! ME!
It's not that the software developers could do it, we just need to force them to. It's impossible to enforce ethics and discipline on so many people. The combined software on your PC today involved many, many more people creating it that e.g. designing your car, including all the parts suppliers. Software is by far the most complex engineering product there is.
This comment is printed on 100% recycled electrons.
I doubt software vendors could continue to exist, if there were a level of performance required where NO bugs/faults were required. What may work though, especially when it comes to software like IIS and all of its fun vulnerabilities, is lemon laws similar to for cars.
A model of car needing a recall is no big deal - it's a bummer and an inconvenience most of the time, much as most software has the odd patch/upgrade for reasons of bugs appearing publicly. Continual faults/bugs/etc are a different matter entirely.
The notion also, of Unstable, Stable, Testing versions of software seems pretty sensible when it comes to the liability in open source software. Letting a user know what they're in for when using an Unstable product limits liability by saying "OK, this really could be crap" - miles more than IIS, to use one example.
a grrl & her server
The NIST commissioned a study (sorry, 1.4Mb
If you don't want to download the report, there's a brief summary in RISKS Digest 22.11, on comp.risks. If you do download the report, the final numbers are on p.174
Sheesh, evil *and* a jerk. -- Jade
- Non-Comercial For which money is not charged
- Commercial for which money is charged
- Licensed Commercial For which Money is charged, but for which no sale is made.
Commercial software would include the obligation of support, although the require period of time is open to debate. I would advocate 5 years, although this could be set to several classes, such as 1 year, 3 year, 5 year, and 7 year. Each with a degree of obligation of support, liability, etc.Non Commercial would not be subject to the warranty, and so would cover open source, donation ware, shareware, etc.
Shareware, etc. would probably have to be sorted out as software where no payment is required.
I advocate that any software not sold but merely licensed must have complete liability coverage and support for the duration of the License.
"It is a greater offense to steal men's labor, than their clothes"
E&O insurance is standard in all professional practices. IANAL but I think this goes to injurious reliance and tort law. My courses on Law of Tort, (the elder Cromwell and The Court of Star Chambers (?)), seemed to suggest there are no tried and true answers to the questions that arise in the development and application of such a body of law. If the legislators decide to enact such legal requirements then most probably there'll be a long period of adjustments with the attendant horror stories. Playtime is over. Welcome to the real world where the big bucks bring big liabilities. As a litigation appraiser I had to carrry substantial E&O. The premiums and the threat of litigation will do for focus what no amount of coffee can. Fear is a great motivator.
I always point to the ham radio market. In general, there are very few pieces of "bad" ham radio gear sold. Some may be better than others, but none are truly bad. Why? I believe it is because the FCC requires that one understand the gear before they can get a license and use it.
Computer consumers, in contrast, often understand practically nothing about what they are purchasing. They do not understand how software (or hardware) works, how it is designed, what it is reasonable to expect a computer to do and what it is not. As a result, there are marketing droids demanding that people be able to cut & paste from video editing software to word processing documents. This leads to the software engineering team spending an inordinate amount of time creating bloatware with as many bugs as features. Adding to this problem are the EULAs that software vendors use to shield themselves from any product liability lawsuits ("it's not a product, it's just a license to use the software"), thus undermining the only thing that had any possibility of keeping the software quality in check.
If licensing improved the quality of software, then MCSEs would be turning out works of art. And I think that we can all agree that it's not happening.
About what you'd expect a lawyer to say. No point in going after someone with empty pocketses.
If software was tested until there were absolutely zero defects in it you A) be waiting a long time to get it and B) you'd probably faint dead away when you saw the price tag. Maybe writing your own software and debugging and testing it would be less expensive and more rewarding. Then again maybe not.
What i want to know is this: There will, invariably, be a big furor in this thread about , how, well, when you use Windows and IIS, you agree to this EULA, and this means that you can't sue Microsoft.
I don't know why everyone keeps acting as if the users of Microsoft products are the only ones hurt by Microsoft's poor security.
I think it would be effortless to compile a huge list of instances where because a microsoft IIS setup was improperly secured, a great many innocent bystanders were economically hurt-- for example, perhaps the person who cracked the IIS setup later went on to use that IIS server as a springboard for future attacks. Or perhaps the crack in question was a worm such as NIMDA or Code Red, and non-microsoft-using persons who just happened to get their internet access from the same provider as some microsoft-using persons had their bandwidth decimated at an important time by the NIMDA requests clogging everything. Why can't *THESE* people sue Microsoft for incompetence of some sort? They have signed no EULA, they are not beholden to absolve MS as anything. But they have been hurt by MS's actions. Think:
Gun companies create and sell a product that everyone knows have the purpose of hurting things. They try to build in safety devices, etc, and comply with government requests to run background checks on everyone they sell to and such. Their customers, in using the product, often cause great harm to innocent third parties in the wrong place at the wrong time.
Microsoft creates a buggy program which it is certain has a great many unfound security holes which allow access and damage to people's property, and decides its policy in this will be to wait until someone discovers and decides to go public with a specific security hole, then fix it. They set up their software to by default be installed in such a way that many, many features with potential security holes are enabled without the user being completely clear on what these features are or why they're there, and do not make particular effort to make sure that all their customers are aware of the discovery of new security holes. As such, in order for your NT box to be secure, you must research, figure out the best configuration for you, and then constantly stay on top of the latest security notices from MS to make sure that you have all the newest patches. However, then MS markets NT/IIS as something which any idiot could take out of the box, set up, forget about it, and it would just work without any further work! As a result, MS's customers, becuase they used the product the way that MS's marketing publicly claimed that they would be able to use it, allowed damage to be done to themselves and allowed collateral damage to occur in the process.
I do not approve of the lawsuits against the gun companies, and believe those lawsuits are potentially infringing on civil liberties, but if the gun companies can be sued because of what they did, i think MS can as well. MS has made consious, irresponsible decisions to choose convenience over their customers safety, and third parties are getting hurt as a direct result of these decisions-- in a manner which should have been completely obvious to MS at the time of those decisions. Do not the third parties have some recourse against MS?
I am tired of having my httpd error_logs filled with thousands of lines of messages explaining that someone requested index.ida or somethingdubious.exe but it does not exist.
What is sold as a product is not speech. If the courts have not been uniformly easy on code which expresses scientific ideas, written in an academic context, then certainly commercial software will not (and I think should not) enjoy protection as speech.
What would have to happen to change the current setting where commercial practice (and law) considers all software to be 'without warranty' is another matter.
The obvious reason that SW is presently very much a 'caveat emptor' instance is that most nontrivial software products are both comple and can be run in such a wide array of hardware and software environments that solid analysis of potential failures is clearly infeasible.
Linux is Linux, if One need clarify their dist: <Dist>/GNU Linux
bsds are of course just BSD
> If software was tested until there were absolutely zero defects in it you A) be waiting a long time to get it and B) you'd probably faint dead away when you saw the price tag.
That's certainly true today, but must it be true forever? I suspect we'll soon reach the point where the public says "Enough!" to crappy software, and then the eggheads with their code generators and correctness provers will crowd out us ordinary geeks with our bug-laden code.
Sheesh, evil *and* a jerk. -- Jade
This could generate an answer to the question "What is the difference between Red Hat/Debian/random-distro" of Linux -- the difference could be in how much they guarantee the liability in their software. Sure it's a risk for a distro to do so, but if they really believe the "many eyeballs == better software" theory, it's a risk someone may take.
- adam
Nail those crappy programmers and their teams of bean counters. Wipe out the EULA. It is a unilateral contract if a contract at all. This software stuff being copyrighted is a recent concept. A flawed one at that. Since when does War and Peace re-write itself, changing characters and plots? Never, that is when. Static things can be copyrighted, but marginal thinking seems hell bent to make things in flux be copyrighted. I say bullshit to that. If it is as yet undefined, who can we protect it with copyright? Bill Gates can blow me!
disclaimers? prehaps for those "book" they have disclaimers and stuff ......
just like those "Psyhic (sp?) Friend Network" ads they have subtitles "for entertainment purposes only"
and labels on peanut choclate bars that says "this may contain nuts" (I know peanuts is not a nut but geeze).
people are STUPID enough to belive these things...
-- Note: These Comments are Generated by ME! Not You! ME!
Hi everybody! Hi Doctor Nick!
Writing software is not like construction work. The famous analogy, about buildings being constructed like our software is, is false. Software is a lot more complex, and the unknowns in design and planning are numerous. Think... how many software projects are actually on time? And of those, how did they make the deadline? Exactly, by cutting corners and sacrificing quality.
Time, money and quality are important to both the customer and the contractor, not just quality alone. The old saying about being able to meet only two of these three requirements holds true most of the time. So... demanding that your product is bug free will mean it will either be late, or have a budget overrun. And trying to compete in the market with a product that is late or more expensive than its competitors will simply not work.
Holding software developers liable for damage caused by bugs sounds marvellous, especially when one thinks of Microsoft, but it is unfair. Also, I fear the truth in the comment about only big corporations having the means to deal with liability on this scale. Liability laws will kill the small firms with big clients.
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
not really needed. I don't have to have a credited engineer come build a windmill, car, boat, etc for me. Ultimately as humans we are responsible for ourselves. I will mostlikely not buy a car that was manufactured by joe schmuck because i do not think the risk outweighs the benefits. Now with software the risk are a not as great as they are with items mentioned above so you'll find more people taking risks and trying software created by the hobbist. But at teh same time when it comes to critical data such as medical records i would not want to trust that to an unproven software+hardware package. And having a developer(s) that had the ye ol' industry "stamp of approval" would help to determine which software+hardware package to choose. But it is still my choice what to use, and therefore it is my responsibility to choose the best package for the job. For example i choose to use apache over IIS becasue in my opinion and from what i have experienced it does a better job. So it comes down to the consumer and wether or not they are willing to take a risk and use something created by someone that dose not have a "seal of aproval."
lets consider two facts..
1) RedHat/Mandrake/Suse/Caledra has been the big push of open source for the business world... without them Linux would be dead in the business world...
2) companies in (1) released products for sale (you buy them) and they sometimes have security bugs (a lot of them has a recent exploit in SSH recently)..
3) companies who uses products by companies in (1) who get 'rooted will sue the companies in (1)
4) companies in (1) will die (they have lot less $$$ then MSFT)..
5) bad for Linux...
-- Note: These Comments are Generated by ME! Not You! ME!
I don't care what software package you are talking about, but I can find at least one bug in it. And I can set it up so that the bug in questions causes me some amount of damage. Then I just find a lawyer and sue. I could make quite a living. I just buy a new piece of software each week and manufacture another lawsuit.
I could be wrong (and lose karma because of that), but I think a lot of what we are going to say here is already discussed in Free Software at Risk Under Lemon law.
Teenagers these days don't have as much sex as they want each other to think they do.
If, however, I am the head engineer for a project, and it fails, my head should roll. This goes for things I would manufacture and sell.
If I putz around with some code, and share it, no big deal. As soon as I am in the software BUSINESS, and sell that code, however, I have a responsibility to the folks who use that code.
Most folks who write stuff in their spare time, write it first and foremost for their own use. Since they made the effort, many folks decide to share it with the world. Of course it won't be polished, but at least they try not to hurt themselves with it, so it follows they wouldn't be hurting others with it either.
Software vendors make software for a profit. And do a shitty job of it. They SHOULD be held accountable for their inferior shit that hurts individuals and businesses with lost productivity and data.
traditionally the only environment with legal resources adequate to deal with such liability has been the megalithic corporate one.
Professional engineers, doctors and lawyers are subject to liability claims arising from negligent behavior. There is also insurance available to cover these circumstances.
Megalithic corporations do not have any special exemption from disaster due to product liability claims. Many are driven into bankruptcy as a result of liability problems (Dow Corning, Johns-Manville, and Soon Arhter Anderson).
Two reasons, the onion ring effect and forenisics.
The onion ring effect is simply where does the fault lie, your code the next API, the one that calls, the one after that, perhaps bad hardware, bad memory, dirty power, the list is endless.
Also the transient nature of the problem, code blows up, transactions are lost, business must go on, server is booted.
Compare this to a bridge collapse. Plenty of time for forensics
a) Pillar has moved in sediment that the geologists said was bedrock sue them.
b) Steel Girder has fractured, sue the steel mill.
c) 20 Tonne truck has gone over 10 Tonne Bridge, sue driver who ignored max load signs.
The number of permutations and transient nature of a software crash make absolute accountability very difficult.
But some sort of licencing as to you level of competence might be nice, be good to see some of these vb code jockeys actually learn about error handling etc.
As a developer, I cringe at the thought of being liable for my code. We all know its next to impossible to make something completely bug free.
However, as a consumer, buying software should not be a risk. It should do what it says on the box, and if it doesn't, I should be entitled to have it fixed.
Of course, these sentiments are ingrained from my days as a Windows user. With Open Source, its a whole different kettle of fish. I've paid nothing for it, so I've gained by merely having the software. If it doesn't work, big deal, I either move on to another app, report it, wait for it to be fixed or if I'm really desperate dig the code out myself. At the end of the day, the worst situation that I can be in is that I'm back to where I started, it hasn't costed me anything.
If I recall correctly, all products have "implied" warranties that cannot be voided. So, if you ever sign something that "voids" your warranty when you buy something from a merchant ("as is"), it really doesn't mean anything if the product is deffective. Lawyers just like putting phrases like that in so that the people who don't know any better will say "shoot, I can't sue because I signed that paper . . ."
I think "common law" applies to non-merchants and is very different (your hobbiest), but I better shut up before I post some big mistakes.
Anyway, to begin, I am assuming that expecting hobbiest to be liable for their code is total BS. It is like making someone responsible if their post causes someone damages or to kill themselves. Not only do I think current "common law" would imply hobbiest to be free of liability, they could always just use an alias for their code contributions, making enforcement impractical.
However, as a merchant, I think that by giving out the source code of your product, all related parties would effectively have the ability to check the code before they use it, which would shift the responsibility to the consumer. Yes, this is impractical! However, why do you think CPA's exist? Accounting information is extremely impractical for each individual to analize, so we have something called "auditors" to do this for us. It wouldn't be weird if a "software auditor" were to come to be and would give an "unqualified opinion" if everything was in order in your favorite distro.
Companies who didn't release their source, however, would not be allowed to void their implied warranties because there is no way to check if the code will do damage or not.
This would be a drastic change but would probably increase the quality of software, in general. MS would probably be the only company left that could afford not to open their source, but that is fine by me. At least they would be responsible when their software deficiencies indirectly impair my bandwidth.
Sdelat' Ameriku velikoy Snova!
While implementing some liability for bad software *could* put open source developers at risk to liabilities that should possibly lie elswhere I believe there should be some basic liability to vendors supplying a commecial product. Just as auto makers are required to follow regulations regarding pollution and occupant safety.
one poster even compares coding to free speech. Bad code is more like a journalist printing a false or inaccurate (in some cases grossly inaccurate) story than it is and editorial on gun laws or abortion.
If a vendor produces a product and make claims about that product that if false would cause harm or injury to the consumer of said products then would you expect the vendor to be held liable?
It seems to me that the vast majority of open source software is not being offered as a commercial product by the actual developer but by some other entity that has taken it branded it and sold service around it. In most cases it will be the "other entity" who will look like a better target in a lawsuit anyway.
"Waitress I need two more boat-drinks..."
Now, ratifying this unreasonable expectation of software in law is misguided. There are already sufficient principles in law to handle the situation. People should be educated to understand what 'use at own risk' means. If you wish to have a piece of software that absolutely must work (and has been proven to do so) then you will need to pay the price to have such software developed. The fact that you desire mission critical software should not prevent me from obtaining and using 'at risk' software for my own use.
People sue too much as it is. Grow a spine and take responsibility for your own actions for once. You bought and installed the software. You have taken the risk and the responsibility. If that's unacceptable, cough up the dough to get someone to write a bulletproof webbrowser. Or use a typewriter.
Just because you're paranoid doesn't mean they're NOT after you.
On the other hand, program writing is too young a discipline to have yet evolved a set of absolutely-proven "natural laws" yet, especially when programming paradigms (high-level/structured/oop) change every generation or so.
Those "natural laws" just won't happen for a while, especially if the architecture eventually changes from Von-Neumann to something else (parallel/neural/photonic).
The main problem behind attribution of liability stems from the lack of "natural laws" governing programming itself, thus making the analysis of software failure a shaky endeavour.
Finally, the programming establishment will simply not accept liability, and, most importantly (to the point of dooming the whole liability scene), no underwriter will accept to back software liability insurers either.
The use of open source and free (as in speech or beer) software is still a hard sell in many companies. I have been into this discussion many times with managers. They claim: "Yes but it's made by a bunch of geeks in their spare time! If it is faulty, I have no recourse!"
Currently that is a false statement. Or rather it is true, but if software from, say, Microsoft turns out to be faulty, you have no recourse either. However, if liability comes into play, this changes. Free software such as Linux will probably be exempt from liability, since it is released "as is" and for free, to be used at ones own risk. Commercial software will not be exempt. This means that commercial software will, from a manager's standpoint, always be the safe choice! After all if it goes poof, you can sue! Remember the saying "No one has ever been fired for buying IBM"? This will be the same, and will effectively kill commercial use of free software.
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
I am having too many thoughts tonight (time to meet some beer). this would also be fairly bad for code resuse.
Lets say I own WangCorp and market a commerical linux application which say uses zlib. Now lets say that a bug in zlib causes my application to crash. One of the clients, SingerCorp lost some data cause of this.
1) does SingerCorp sue WangCorp or the writers of zlib? does it matter if zlib is GPL code?
2) assume that WangCorp does not link to zlib but instead another similar library but commerical. does that change the issue?
3) will the writers of a library be liable for damanges that the library causes if it used in another application?
4) for example: VMWare includes a copy of Samba for file sharing. lets say that Samba get rooted. do you sue VMWare Incorperated or the Samba people?
-- Note: These Comments are Generated by ME! Not You! ME!
The unfortunate thing about this is that it is really a market failure that has produced this situation. You have on the one hand expensive software that places your company's IP, and profitability at high risk, and on the other hand, free software that contains significantly less risk. What's wrong with this picture? Market failure. In this case a lack of good information, and lots of very good (bad) marketing.
How the clueless economics graduates will reconcile this with their idea that the free market is 'perfect', I dont know, but the market can correct this situation the same way it has produced it. How? By making better informed purchasing decisions when it comes to software.
Surely if the market can 'wise up', then the better, more robust, more secure software will afford companies who rely on computing technology an advantage over their competitors.
This will improve the quality of software from ALL vendors, including Microsoft. After all, Microsoft was only selling what the market would bear. If the market has a lower tolerance of poor quality software, then the better quality software will eventually be the winner.
Adding regulatory control to software is a good idea in theory, but is ultimately impractical. First, it is usually non-obvious what the software is supposed to do. Unlike a bridge, who everyone agrees has the job of carrying vehicles over a divide while not falling down.
Many exploits found in MS products were actually features of the software in a different context. It would be very easy to argue, as Microsoft has many times in the past, that an exploit was not really a standards failure, because the software is doing what it is designed to do, and the exploit is only a side effect. Even in custom software development, where a contract is drawn up, it is rare to have a specification detailed enough to accurately say that the standard has not been met.
If the market can get 'smarter' at choosing software, there will be no need for regulation. And that begins with education. Business cases need to be put forward for quality software. Some work has begun on this with TCO studies. However, these studies are often rough estimates rather than actual case studies of side-by-side companies competing in the same industry, one using quality software, and the other using cheap software. What would be the advantage in the short term, the medium term and the longer term? Putting together these types of documents and createing a way to disseminate this information to the software buying corporate market should be the goal of the whole software industry.
>>
I am the director, and this is my movie
There is a distinction that can be (automatically) drawn between closed and open source software: you have the opportunity to do something about a problem with OSS. blah blah blah do-one reads the code blah blah blah - I can't hear you
The point is that: if you buy a car, don't read the manual and then it fails because you didn't do something you could have (viz. find out that the brake pedal is in an unusual place) then its your fault. You (if it really mattered to you) could have checked the problems out yourself. You could have hired someone else to do the checking. You could have followed any number of paths to ensure that the given problem does not exist.
Not doing that is your fault. Now the problem that Microsoft faces is this: by keeping the source closed, and by taking money for that, they are saying "you don't have to worry about security - pay us to do that for you."
They then ship software with insecure defaults, and have it come back and bite them.
An OSS developer, on the other hand, sends his handiwork into the world saying "this won't work". If it does work, then congratulations: you got something cool for free. If it doesn't work, get someone to make it work.
The advantage of OSS is that everyone's contribution to the "it works" field and "its secure" can be shared around between those who go to the effort of making it secure (in the interests of version 2.0 still being secure).
So if Microsoft wants to take your money for something, they are saying that its worth your money: in security, in quality, in (your adjective here). An OSS developer does none of these things, because you get the source.
In the intersts of this post not being 12 pages long, I won't go into how RedHat, Mandrake, OpenBSD, etc. are different (e.g. they take money, but for a different service than MS) - but a little logic on your part should end in the same eventual conclusion...
I'm curious what impact the demand for such a creature in the software industry could have
we'd be right back facing the reason why MLS and the corresponding orange book stds went out of vogue... by the time the accreditation is done, sure you've got a stable/secure product... but you're 3-4 years behind the product that whatever market doesn't subscribe to your stds is using.
Oh god, that woman is John Romero!
Come on, users are stupid. With software, we provide them with most of the working pieces sitting right there.....with them having perfect access. (code or not, all the files needed to run an application are there). With a car, or a building, etc it's not like that. With a building, you don't have immediate "delete" access to main structural supports. With a car, it at least takes some effort to cut the brake lines or remove the transmission. But with software, you CAN just delete that .dll or .so, you CAN just move associated files around randomly. You CAN just mess everything up with one or two keystrokes. If there's liability, then any software I write, the user will ONLY be able to hit the delete button on any files they created. Not to mention, a lengthy uninstall process that absolves me of any sins.
Have you noticed the big diference between an ad and the small print:
ad: "This is the solution to All Problems on Earth!"
EULA: "The product may or may not work at all, that's not our problem"
I think it should be illegal to run those kind of advertisings. If the ad says it's "Unbreakable", it better be! or your money back (including some other costs) at least.
If something like that could be enforced, the field would be a lot more level to all players.
-Kz-
I don't know who wrote this but it's a standard article of faith(sic) in the IT industry.
The only case I can think of in which a vendor provides a meaningful statement that a system operates with a particular fitness for purpose would be systems evaluated under Common Criteria orTSEC
And these systems differ from the vast majority of operating software systems in that:
So the current state of the art is "software is too complex to guarantee performance", this is codified in commercial code and practice. What this means for now is that entitities which use software cover themselves with insurance. (I have no idea what it costs to insure a commercial web-presence.)
I think changing things to hold producers of commercial software and systems would be a good step. I can't see however how this would happen without forcing considerable change in the practice of software design and development.
Either tehcnology and QA need to change, or software systems would need to become simple. Given the current set of assumptions it is effectively impossible to perform an analysis of any non-trivial code and determine that it is safe in the expected execution environment(s).
Simplicity sounds great on paper. At present there isn't a market for simple software that works with high assurance. (Look at the tiny marketshare for the BSD's). Even the systems that run over unix-like / oss show a degree of bloat that continues to push reliability out the window.
Prudence and solid engineering practice in operations dictate that we use the simpler / more robust tools in key locations. So BSD or secured versions of linux get deployed as firewalls etc, and critical application and database servers are run with various redundancies (clustering / failover etc), which effectively throws hardware at solving the software 'problem'
Which is just another name for insurance.
Linux is Linux, if One need clarify their dist: <Dist>/GNU Linux
bsds are of course just BSD
will this lead to code bloat? I mean think about this...
most software use a lot of libraries... you get into a lot of problems if the libraries are slighty different...
Lets say that my products works with a shared library version 2.4.292. Lets say that the implementors of the shared library makes a slight change in version 2.4.293. Lets say someone who uses it with version 2.4.293 crashes...
am I responsible? If I am... I am sure hell going to compile my executable statically linking every single shared library... (eek. on the code size)
-- Note: These Comments are Generated by ME! Not You! ME!
The quality of mainstreem software sold today is pretty much none. Considering that software has been around longer than hardware (Ada anyone?) it should be the other way around. Todays EULA's keep the software companies free of any liability due to untested software and crappy programming. To say that the extreme complexity of software makes it impossible to make bugfree software is to oversimplify.
Why is it that new meens more feetures? How many fetures is usable and how many is there to show "look m'a i can"?.Would any engineer anywhere put things of random usability on a bridge/house/car? It seems that if a part was to be put anywhere where it affects security or usability it must be evaluated.
Something has to be done to give incentive to software companies to start making things that is built from ground up to "just work". Today the only incentive is the market and it has been clearly shown that no matter how bad ill-engineered software you have you still can prevail with some help from the media and a ton of marketing funds. Crap can be sold if you market it as goldcrap(tm) until people starts tp belive it really exists oldcrap(tm).
The best thing software liability could give is an escape from the never ending upgradecycle. The incentive to cram all and every line of code generated from your programmers in just because would wanish. To add code is usually to add problems.Atleast from a probability perspective. Old tested code would be more appriciated than new untested every year with new bugs to root out. Im only speaking about companies selling software, not the open source/free software movement. You cant be held liable if you give something away. Thats just insane if it comes to that in the end.
Anyway, its perfectly clear that something has to be done before your fridge, car, bathtub or whatever is online and has its own CPU and software. Since the market and software companies has proven themselves definitely not up to the task of ensuring quality it have to be regulated. We dont want to put us in the position that a bug could kill us one day do we?
HTTP/1.1 400
does slashdot run this story every 60 days?
.. is anyone actually Running this thing?
or do the editors finally lose enough brain
cells to the ganja along that same cycle and
forget that they keep running this same damn
story?
hello?
Just wait till we legally have to make it work - the testing alone will 3x-4x the current price....
... is really pointless. The argument is: an architect designs a house that doesn't blow over, or a bridge that handles the traffic load without collapsing. However, in these cases, anyone who does something out of the ordinary with the house (fills it with water, tries to open the inside door without opening the screen door), would be laughed at if they called it a design flaw.
Take the usual punching bag for example: IIS. IIS, when used properly, works quite well. You might argue about the functionality/performance/cost compared to [insert favorite httpd], but pass over those arguments for now.
Security is a common complaint for IIS. However, if a person broke into your house by going in through a weak point (a window, the chimney, etc), you wouldn't blame the architect.
Zealots might say that backdoors in software are like using doors without locks. But this is ignoring the fact that software is often not an integration of existing, proven solutions, but an exploration of ways to attack a problem. Also, these failings are plain to the layman, whereas software bugs are often obscure to the guru. You simply cannot have the expectation that software will *NEVER* crash.
An architect has a given set of solutions for common problems (building codes, pre-existing designs, etc). If they can't solve a problem with an existing, proven solution (or a mild derivation of such), they probably wouldn't take on the job. Programmers do not have this luxury. We are inventing these solutions on the fly -- and we will make mistakes.
Here is the problem as I see it. It's one of scale.
It is easy to certify most engineering professions. If you build a building, it must meet certain tolerances. A weld between two I beams would support so much weight. This is easy and empiracle (sp?).
You learn this, and are tested on it to get your license. How ever, in the current state of software engineering, you deal on a much more fine grained scale. How does an extra iteration of a loop affect the stability and security of the program. There is no algorithimic way of determining this, like building a building at the molecular level.
The Windows® 2000 Server operating system integrates Internet technologies across all services, from File and Print to advanced line-of-business application services. This helps ensure organizations can more effectively exchange information with customers, partners, and employees worldwide.
Windows 2000 Server meets the needs of a broad spectrum of users, from corporate intranets to Internet Service Providers hosting Web sites receiving millions of hits per day. Because Internet Information Server 5.0 (IIS) is fully integrated at the operating system level, Windows 2000 Server lets organizations add Internet capabilities that weave directly into the rest of their computing infrastructure.
Specifically, Windows 2000 Server lets organizations:
* Share information more efficiently using the Web.
In the past, performing standard file operations on a network file share was much easier than performing similar operations on a remote Web site. Now, Windows 2000 Server technologies such as Web Distributed Authoring and Versioning (WebDAV) make it as easy to carry out standard file operations on a Web share.
* Create Web-based business applications.
Creating Web-based applications that integrate well into traditional business applications can be difficult. Windows 2000 Server overcomes this burden by sharing internet-aware application development tools with IIS, an efficiency that extends applications to the Web and eliminates awkward bridges between internal and external processes.
* Bring server operating system functionality to the Web.
In addition to allowing organizations to extend basic file and print services to the Web, Windows 2000 Server supports applications, media, and communications and networking services from a common server platform. This convergence means that everything a company can do with Windows 2000 Server is automatically supported in a fully integrated Web environment.
Sharing Information
Feature Description
Support for Web Distributed Authoring and Versioning (WebDAV) WebDAV is an Internet standard that lets multiple people collaborate on a document using an Internet-based shared file system. It addresses issues such as file access permissions, offline editing, file integrity, and conflict resolution when competing changes are made to a document. WebDAV expands an organization's infrastructure by using the Internet as the central location for storing shared files.
Web Folders Support for Web Folders lets users navigate to a WebDAV-compliant server and view the content as if it were part of the same namespace as the local system. Users can drag and drop files, retrieve or modify file property information, and perform other file system-related tasks. Web Folders let users maintain a consistent look and feel between navigating the local file system, a networked drive, and an Internet Web site.
Support for FrontPage Server Extensions Windows 2000 Server lets administrators use Microsoft FrontPage® Web authoring and management features to deploy and manage Web sites. With FrontPage Server Extensions, administrators can view and manage a Web site in a graphical interface, so creating Web sites with the FrontPage Web site creation and management tool is as easy as clicking a check box on a property page for the Web site. In addition, authors can create, edit, and post Web pages to IIS remotely.
Support for Latest Internet Standards Using the integrated Web services in Windows 2000 Server, organizations can take advantage of the latest Internet standards to publish and share information over the Web. Microsoft Internet Information Services (IIS) 5.0 complies with the HTTP 1.1 standard, including features such as PUT and DELETE, the ability to customize HTTP error messages, and support for custom HTTP headers. Support for the latest protocols provides optimum performance for Web server connections.
Support for Multiple Sites with One IP Address With support for host headers, an organization can host multiple Web sites on a single computer running Microsoft Windows 2000 Server with only one Internet Protocol (IP) address. This lets Internet service providers (ISPs) and corporate intranets host multiple Web sites on a single server while offering separate user domains for each site.
News and Mail Administrators can use Simple Mail Transfer Protocol (SMTP) and Network News Transport Protocol (NNTP) Services to set up intranet mail and news services that work in conjunction with IIS. SMTP is a commonly used protocol for sending e-mail messages between servers; NNTP is the protocol used to post, distribute, and retrieve USENET messages.
PICS Ratings Administrators can apply Platform for Internet Content Selection (PICS) ratings to sites that contain content for mature audiences. This lets them host a variety of sites and provide information about suitability for particular audiences.
HTTP Compression HTTP compression allows faster transmission of pages between the Web server and compression-enabled clients. This is useful in situations where bandwidth is limited.
File Transfer Protocol (FTP) and FTP Restart The File Transfer Protocol (FTP) service, used to publish information to a Web server, is integrated into Windows 2000 Server. FTP Restart provides a faster, smoother way to download information from the Internet. Now, if an interruption occurs during data transfer from an FTP site, a download can be resumed without having to download the entire file over again.
To top of page
Creating Web-Based Applications
Feature Description
Active Server Pages Microsoft Active Server Pages (ASP) lets developers create dynamic content by using server-side scripting and components to create browser-independent dynamic content. ASP provides an easy-to-use alternative to Common Gateway Interface (CGI) and Internet Server Application Program Interface (ISAPI) by letting content developers embed any scripting language or server component into their HTML pages. ASP pages provide standards-based database connectivity and the ability to customize content for different browsers. ASP also provides error-handling capabilities for Web-based applications.
Performance-enhanced Objects ASP provides performance-enhanced versions of its popular installable components. These objects scale reliably in a wide range of Web application environments.
XML Integration Just as HTML lets developers describe the format of a Web document, Extensible Markup Language (XML) lets them describe complex data structures. Developers can share this information across a variety of applications, clients, and servers. Using the new Microsoft XML Parser, developers can create applications that enable their Web server to exchange XML-formatted data with both Microsoft Internet Explorer and any server capable of parsing XML.
Windows Script Components ASP supports the new scripting technology, Windows Script Components. This lets developers turn business logic script procedures into reusable COM components for Web applications and other COM-compliant programs.
Browser Capabilities Component ASP has a new feature for determining the exact capabilities of a browser. When a browser sends a cookie describing its capabilities (such a cookie can be installed by using a simple client-side script), developers can create an instance of the Browser Capabilities Component that retrieves the browser's properties as returned by the cookie. Developers can use this feature to discover a browser's capabilities and adjust an application accordingly.
ASP Self-Tuning ASP now senses when executing requests are blocked by external resources and automatically provides more threads to simultaneously execute additional requests while continuing processing. If the CPU becomes overburdened, ASP curtails the number of threads in order to reduce the constant switching that occurs when too many non-blocking requests are executing simultaneously.
Encoded ASP Scripts Traditionally, Web developers have been unable to prevent others from reading their scripting code. ASP now supports a new script encoding utility provided with Microsoft Visual Basic Scripting Edition (VBScript) and Microsoft JScript 5.0. Web developers can apply an encoding scheme to both client and server-side scripts that makes the programmatic logic unreadable. When unencoded, the logic appears in standard ASCII characters. Encoded scripts are decoded at run time by the script engine, so there's no need for a separate utility. Although this feature is not intended as a secure, encrypted solution, it can prevent most casual users from browsing or copying scripts.
Application Protection IIS 5.0 offers improved protection and increased reliability for Web applications. By default, IIS runs all applications in a common or pooled process that is separate from core IIS processes. In addition, administrators can still isolate mission-critical applications that should be run outside of both core IIS and pooled processes.
ADSI 2.0 Administrators and application developers can add custom objects, properties, and methods to the existing Active Directory Service Interfaces (ADSI) provider, giving administrators more flexibility in configuring sites. ADSI is a COM-based directory service model that lets ADSI-compliant client applications access a wide variety of distinct directory protocols, including Windows Directory Services and Lightweight Directory Access Protocol (LDAP), while using a single, standard set of interfaces. ADSI shields the client application from the implementation and operational details of the underlying data store or protocol.
To top of page
Bringing Server Operating System Functionality to the Web
Feature Description
Multisite Hosting Often Web sites for several departments can run on a single server, freeing a company from spending the time and money to set up and manage multiple servers. Windows 2000 Server offers a comprehensive platform for hosting multiple Web sites on a single server. In addition, the multisite hosting capability in Windows 2000 Server lets ISPs host Web sites that can scale from hosting thousands of small sites on a single server to hosting a great number of sites across multiple servers.
Multiple User Domains The integration between the Web servers and directory services (the Active Directory) in Windows 2000 Server lets organizations host multiple Web sites with independent user domains--that is, each Web site on a single server has its own user database.
User Management Delegation This lets an IT or ISP administrator who hosts multiple Web sites on a single server delegate the day-to-day management of the Web site.
Process Throttling This lets administrators limit the amount of CPU time a Web application or site can use during a predetermined period of time to ensure that processor time is available to other Web sites or to non-Web applications.
Per Web Site Bandwidth Throttling This lets administrators regulate the amount of server bandwidth each site uses. This lets an ISP, for example, guarantee a predetermined amount of bandwidth to each site.
Integrated Setup & Upgrade Internet Information Server (IIS) 5.0 installs as a networking service of Windows 2000 Server. Customers with any existing version of Windows NT Server 3.51 or 4.0 will automatically be upgraded to the new Web services in Windows 2000 Server and can take advantage of the new features and services of Windows 2000 Server and IIS.
Microsoft Management Console (MMC) Task Pad The MMC task pad considerably simplifies the administration of an IIS server. For example, if a user selects a server under the IIS MMC snap-in, the task pad will display wizards for creating new Web and FTP sites. Administrators simply select the task they want to complete, and a wizard walks them through the steps.
Dfs as Filing System for IIS You can use Microsoft Dfs as the filing system for IIS by selecting the root for the web site as a Dfs root. Doing so lets you move resources within the Dfs tree without affecting any HTML links. (Windows Media Services content can also be stored in the Dfs tree.)
Improved Command-line Administration Scripts IIS ships with scripts that can be executed from the command line to automate the management of common Web server tasks. Administrators can create custom scripts that automate the management of IIS.
Reliable IIS Restart Users can stop and restart all Internet services from within the IIS MMC snap-in, which makes it unnecessary to restart the computer when applications become unavailable.
Backing Up and Restoring IIS Administrators can back up and save metabase settings to make it easy to return to a safe, known state. (A metabase is the structure for storing IIS configuration settings; the metabase performs some of the same functions as the system registry, but uses less disk space.)
Process Accounting Process Accounting, which is enabled and customized on a per-site basis, lets administrators monitor and log how Web sites use CPU resources on the server. Both system administrators and application developers can use this feature to determine CPU utilization.
Internet service providers (ISPs) can use this information to determine which sites are using disproportionately high CPU resources or that may have malfunctioning scripts or Common Gateway Interface (CGI) processes. IT managers can use this information to charge back the cost of hosting a Web site and/or application to the appropriate division within a company.
Improved Custom Error Messages Administrators can now send informative messages to clients when HTTP or ASP errors occur on their Web sites. They can use the custom errors that IIS 5.0 provides or create their own.
Configuration Options Administrators can set permissions for read, write, execute, script, and FrontPage Web operations at the site, directory, or file level.
Remote Administration IIS 5.0 has Web-based administration tools that allow remote management of a server from almost any browser on any platform. With IIS 5.0, administrators can set up administration accounts called Operators with limited administration privileges on Web sites, to help distribute administrative tasks.
Terminal Services The Terminal Services support in Windows 2000 Server lets administrators remotely administer IIS by using the Microsoft Management Console (MMC) over a dial-up or PPTP connection. To do this, the Terminal Services client must be installed on client computers.
Centralized Administration Administrators can use the MMC snap-in for IIS from a computer running Windows 2000 Professional to administer a computer on their intranet running Internet Information Services on Windows 2000 Server.
To top of page
Securing Web Services
Feature Description
Integrated Web Security The Windows 2000 Server Web services are fully integrated with the Kerberos security infrastructure. The Kerberos Version 5 authentication protocol, which provides fast, single logon to Windows 2000 Server, replaces NTLM as the primary security protocol for access to resources within or across Windows 2000 domains. Users can securely authenticate themselves to a Windows 2000 Server Web site and will not have to undergo a separate authentication (logon) to use other resources.
In addition, Windows 2000 Server now also supports the following standard authentication protocols, which are applicable to Web-based users and ordinary network users alike:
* Digest Authentication: the latest authentication standard of the World Wide Web Consortium (W3C), the organization that sets standards for the Web and HTML.
* Server-Gated Cryptography (SGC): used by financial institutions to transmit private documents via the Internet.
* Fortezza: The U.S. government security standard.
Secure Communications Secure Sockets Layer (SSL) 3.0 and Transport Layer Security (TLS) provide a secure way to exchange information between clients and servers. In addition, SSL 3.0 and TLS provide a way for the server to verify who the client is before the user logs on to the server. In IIS 5.0 programmers can track users through their sites. Also, IIS 5.0 lets administrators control access to system resources based on the client certificate.
Digest Authentication Digest Authentication enables secure authentication of users across proxy servers and firewalls. It offers the same features as basic authentication, but improves on it by "hashing" the password traveling over the Internet, instead of transmitting it as clear text.
For those who choose not to use Digest Authentication, Anonymous, HTTP Basic, and integrated Windows authentication (formerly called Windows NT Challenge/Response authentication) and NT LAN Manager (NTLM) authentication are still available.
Server-gated Cryptography SGC, an extension of Secure Sockets Layer (SSL), lets financial institutions with export versions of IIS use strong 128-bit encryption. Although SGC capabilities are built into IIS 5.0, a special SGC certificate is required to use SGC.
Security Wizards These security wizards simplify server administration tasks:
* Certificate Wizard simplifies certificate administration tasks, such as creating certificate requests and managing the certificate life cycle. Secure Sockets Layer (SSL) security is an increasingly common requirement for Web sites that provide e-commerce and access to sensitive business information. The new wizard makes it easy to set up SSL-enabled Web sites on Windows 2000 Server - administrators can easily establish and maintain SSL encryption and client certificate authentication. (A client certificate contains detailed identification information about the user and organization that issued the certificate.)
* Permission Wizard walks administrators through the tasks of setting up permissions and authenticated access on an IIS Web site, making it much easier to set up and manage a Web site that requires authenticated access to its content.
* Certificate Trust Lists (CTL) Wizard lets administrators configure certificate trust lists (CTLs). A CTL is a list of trusted certification authorities (CAs) for a particular directory. CTLs are especially useful for Internet service providers (ISPs) who have several Web sites on their server and who need to have a different list of approved certification authorities for each site.
IP and Internet Domain Restrictions Administrators can grant or deny Web access to individual computers, groups of computers, or entire domains.
Kerberos Version 5 Authentication Protocol Compliance IIS is fully integrated with the Kerberos v5 authentication protocol implemented in Microsoft Windows 2000. This means administrators can pass authentication credentials among connected computers running Windows.
Certificate Storage IIS certificate storage is now integrated with the Windows CryptoAPI storage. The Windows Certificate Manager provides a single point of entry that lets administrators store, back up, and configure server certificates.
Fortezza IIS 5.0 supports the U.S. government security standard, commonly called Fortezza. This standard satisfies the Defense Message System security architecture with a cryptographic mechanism that provides message confidentiality, integrity, authentication, and access control to messages, components, and systems. These features can be implemented both with server and browser software and with PCMCIA card hardware.
Essentially all software is licensed not sold.
A "copy" is the medium on which the program is fixed, i.e. the physical DVD-ROM on which Windows YQ ships. Copies of mass-market software are generally sold. Most EULAs state: "You own the copy, but we retain title to the program."
In the United States, the owner of a copy of a computer program has specific rights under 17 USC 117. The difference between grandparent's "commercial" and "licensed commercial" is that a "licensed commercial" case is a software rental in which the copyright owner retains ownership of the copy.
Will I retire or break 10K?
Negligence in software development costs other people/entities money. Cleary, liability is an issue.
I'm not sure, however, if all you programmers really want this cat out of the bag. Could you imagine someone suing you because something you developed didn't work and caused someone to lose money?
-Sean
He is the greatest unlicensed doctor ever. Unfortunately, like most other good things, he lives in the world of anime.
What we call folk wisdom is often no more than a kind of expedient stupidity.-Edward Abbey
This would vastly reduce the number of software firms and the availability of low-priced specialty software.
Hi, long time listener, first time caller and all that.
I think the question (ultimately) may come down to where the finger gets pointed. I saw a post reference to certifications for programmers, which KIND of goes to my point. Then, I read the post on gun companies getting sued for the actions of their customers. Getting closer. THEN, I read the post by "The Eric Conspiracy" about Doctors, Engineers, Lawyers, etc, and what they are liable for. This is what I was thinking.
In a corporate networked environment (I am narrowing it down here, I know, but bear with me), who IMPLEMENTS buggy software? How about the Sysadmin? Maybe not his or her IDEA, but they actually implement it. It ain't Joe Blow at his workstation who uses it. You are the one that put it out there for him.
"Hey, our software was tested at M$ (or wherever) and found to run ok. What's YOUR problem?" If it hoses your network, or you get rooted, or whatever, it happened on YOUR system! Your firewall, your OS mix, your internal and external apps.
I know this sounds far fetched, but look at Enron. They played fast and free with almost everything they did, and Arthur Anderson went along with it. Now, since AA got convicted, the Enron stockholders are going after THEM instead of Enron. Responsibility was neatly deflected from one to the other because it was EASY to.
If you implement software onto your network, my guess is that EVERYONE that had ANYTHING to do with making it will be pointing to you as the (ahem) "root" of the problem. After all, it happened on your watch. And, odds are, YOU have some certifications! Tsk, tsk, you should have KNOWN better!
Paranoid? Probably. Hopefully, anyway. But look at everything that has happened from day one on this planet. When something either goes wrong finally, or has gone wrong for long enough that people complain, the finger of blame always swings over to the easiest target.
All programs have bugs.
All programs are bloated.
Therefore, every program can be reduced to a single instruction that doesn't work.
I'll go for a license if it means: a.)anyone in marketing without a license loses the argument with me when I say a feature doesn't belong in there, and b.) anyone in management loses the argument with me when I say that the product isn't ready for release.
Comment removed based on user account deletion
Other vendors also do this; not to limit their liability - but primarily to reduce the scope (and consequently reduce the costs and time of testing and development) and thus improve product quality.
Evil ZEN Scientist
As long as software is offered "as is" and EULA contains a contract tantamount to selling ones soul to eternal evil, my monitary complience will remain "as is" and I'll do with it what I want.
:P
Whats good for the goose is good for the gander.
Any sufficiently advanced influence is indistinguishable from control.
Right. Software is more complex than anything else because you don't understand it. That's not true, unfortunately. For example, a car is much more complex to design, engineer, and manufacture than most pieces of software. Yet, car manufacturers are liable for the quality of their cars, especially if there is a design defect that causes them to be unsafe or unreliable. The car companies don't go out of business because: - they hire competent engineers - they perform strict quality assurance - they use proven development methods So how is software different?
That's something that companies like Microsoft won't admit to. Simply say that, make it clear, on all your software, and you don't have worry about liability. Just say: "Use at your own risk" /admit/ it. Admit when your product could potentially suck ass, and you'll be fine, legally.
It's what you do with Microsoft products, but Microsoft won't
-- 'The' Lord and Master Bitman On High, Master Of All
(background: proposing certification for software developers, and then comparing such certs to driver's licenses and amateur radio licenses)
Lets see, if [ham and driver licenses] were similar, you would have three levels of drivers license
The state of Indiana has graded driver licenses: state ID (no driving privileges), learner's permit (requires 21yo driver with standard license in passenger's seat), probation driver's license (issued to young drivers; if carrying passengers, one must be a 21yo driver with standard license), the standard operator's license, public passenger chauffeur (can haul people in a taxi/limo for money), and commercial driver's license (drive buses and semis). Motorcycle licenses are somewhat separate, but motorcycle credentials can be carried on the same card.
The higher licenses would require a demonstration of advanced driving skill, driving an obstacle course at high speeds, without hitting anything, (sort of like police traning).
Such a level of driver's license would be called a "badge."
Will I retire or break 10K?
"the only environment with legal resources adequate to deal with such liability has been the megalithic corporate one."
For "deal with" substitute "avoid"
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
I think mandatory licensing for developers is stupid. Last thing anyone needs is a new bureaucratic office dedicated to extracting fees from developers.
But warranties are a different matter. If you market your software as a commercial product, then it should have the same warranties as any other commercial product. This is common courtesy. It's also known as being ethical and moral.
If you claim that your software is suitable to be marketed by actually marketing it, then you need to back that up by NOT disclaiming merchantibility. If I buy a toaster and it doesn't work as a toaster, it has a warranty that says I can get it repaired or return it for a refund. Commercial software should be the same. If I spend $199 on a word processor and it fails to process words I want recourse. If a patch is available then I want to be able to get that patch without having to pay for it. If no patch is available, then I want my money back. Is this so hard to understand?
But before you all get your panties in a twist and start crying out that warranties will kill off Open Source, remember that this only applies to commercially sold software. No one expects merchantibility for freely downloaded software. Second, the warranty should reside with the seller, not the developer. So Redhat can sell your software and you are off the hook, because it is Redhat that is claiming the software is merchantable and not you.
(liability is a different matter. I believe that every competent business should have liability insurance. But I don't see any problem with disclaiming liability so long as the recipient knows of the disclaimer before using the software)
My current software has a warranty disclaimer. That's okay because I am not selling my software. If you wish to purchase my software, you will get a warranty with it. This warranty will cover replacement or repair of the software for one year.
A Government Is a Body of People, Usually Notably Ungoverned
A liability has nothing to do with warranties or with cost.. A good example is the tragic death of the little kid who drown at a birthday party. The party was free and was even "open" because parents could attend too but there is no question that the homeowner (and his insurance company) will be held liable for the death. OTOH a warranty is basically a guarantee or contract.. Anyone can offer something without warranty unless it is forbidden by law (new car lemon laws..).
We do not yet have a central body of knowledge for software engineering that people recognize.
I believe ACM attempted this problem before but withdrew the software engineer licensing proposal. IEEE probably has attempted too but I'm not sure what the status is right now.
The level of liability in other industries is dependant upon the job/product contract
where included in the contract may be a required level of liability coverage and like
insurance, the more coverage you pay for the greater amount of liability you are
covered for.
And I'd imagine that like health insurance where you get a discount on the cost
of the coverage for being a non-smoker or practicing preventitive medicine, the
same sorts of liability coverage would apply and take into account software
licenses approved by the OSI, such as GPL.
SQL Server 2000, the world's fastest database, has won numerous awards for its performance, scalability, and impact on cost of ownership. But don't take our word for it--read the articles below and see for yourself.
DM Review magazine names top 100 Microsoft Honored as a Leader in Business Intelligence
SQL Server 2000 Analysis Services earned Microsoft a top 10 spot in the 2001 DM Review 100, a prestigious award recognizing the top 100 business-intelligence vendors as chosen by the readers of DM Review.
SQL Server 2000 is a CRN Channel Champion SQL Server 2000 Is a CRN Channel Champion
SQL Server bested Oracle9i and IBM DB2 in four out of five technical criteria in the 2002 CRN Channel Champions survey, with a 10.4-point lead over Oracle in price/performance.
Thanks to Customers, Partners for an Award-Winning Year
In 2001, SQL Server 2000 won awards for scalability, reliability, total cost of ownership, and leadership in business intelligence and XML, affirming that SQL Server 2000 is the database of choice for customers and partners.
Microsoft in the Intelligent Enterprise Dozen for 2002
Intelligent Enterprise magazine named Microsoft one of the most influential IT solution providers for 2002 for its contributions to the development of intelligent enterprises with products such as SQL Server 2000 Analysis Services.
SQL Server 2000 Analysis Services Trounces the Competition
SQL Server 2000 confirmed its Business Intelligence leadership in the 2001 Online Analytical Processing (OLAP) Survey, besting the competition across the board. More than 644 OLAP users from 46 countries participated in the survey, which is conducted by Survey.com and published by The OLAP Report.
SQL Server 2000 Named Best Overall Database
SQL Server 2000 was named the overall winner in the database software category in this year's VARBusiness Annual Report Card. Learn how SQL Server swept all three sub-categories.
SQL Server 2000 Sweeps CRN Channel Champions Competition
SQL Server 2000 swept the database category at this year's CRN Channel Champions competition. Microsoft bested last year's winner, Oracle, and the other competititors by a comfortable margin. Visit CRN to find out more.
Data Warehousing and Business Intelligence Product of the Year 2000
SQL Server 2000 was the hands-down winner of the Datamation Product of the Year for 2000 in the Data Warehousing and Business Intelligence category, garnering 44 percent, or 118 votes.
Microsoft Customers Win Grand Prizes in Database Scalability Program
Winter Corporation announced that two Microsoft Corporation customers have won Grand Prizes in Database Scalability Program 2000. Database Scalability Program 2000 analyzes the characteristics of the world's largest databases and examines databases supporting the world's largest workloads.
To top of page
"This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
Does this not mean shit to anybody? If you're worried about code being buggy, you would have to be mentally retarded to run an application which has a license that states this.
Maybe the license should say "This code might fuck your shit up. In the event that this happens, we are not liable." Eh?
How long does it take a Palestinian whore to make a bomb?
9 months!
This will probably be viewed as a troll but I feel I have to say it:
The problem with software is that when a virus/cracker compromises your system, any resulting damage can not logically be attributed to the software developer.
Nobody is out there expressly trying to break and/or compromise Firestone tires. They were sued because the tires malfunctioned of their own accord.
If IIS blew up on it's own and erased your disk you would have a legitimate case. As soon as a third party maliciously tries to compromise it, the case is off.
If someone broke into your house would you sue the lock maker? Likewise, if someone deflates your tires you have no case against Firestone.
If you can show me one case where code in IIS itself was responsible for damage (i.e. damage occurred while the code was running normally without any provocation) then I'm all for this, otherwise (as much as I hate to stick up for MS) you can't possibly blame them for Code Red etc.
The real solution is just to get a better product; if you are having a problem with break-ins buy a better lock, don't just try to shift blame for your bad purchase decisions on someone else.
...and I wish they'd pass a liability law, 'cause then I'd sue Larry Wall for a refund of the entire amount I paid him for it.
Find free books.
How about x times the price of the software....
So for webservers maybe it could be: liable up to 20,000,000 times the price of the software...
apache: $0 times 20,000,000 = 0
MS IIS: $200 (?)times 20,000,000 = $ 40 billion....
MS's cash on hand : )
Im not here now... Im out KILLING pepperoni
Several (or more) years ago ABET asked IEEE to look into the feasibility of accrediting Software Engineer programs in the US. IMO, doing that would be the best thing that could happen for the discipline. Google turns up other interesting links on the topic.
Exemption for Open Source!
Exemption for Open Source!!
Exemption for Open Source!!!
Liability makes sense for closed-source software, since the user has no power to procure fixes.
But leave open source software out of any liability provisions - the availability of source surely strengthens the caveat emptor line.
-- In the beginning was the WORD, and the WORD was UNSIGNED, and the main(){} was without form and void...
So, let me get this straigt... people will ask me to to become "licensed" and then not pay may any more.
Jibe!
Maybe the law should be changed so that at the point of purchase in a shop, the EULA should be shown to you to sign by the store assistant? Much like buying mobile phones, etc.
In business-business transactions, EULAs are generally found to be enforcable. Hence the webpage stating "This software is provided as is, not guarantees, etc, check here for security updates" will be adequate to protect the open source programmer.
Obviously a sensible measure for a company distributing software would be that they have to contact every customer for each security update, etc, to ensure that notification has been given, with instructions for the upgrade. Any hacks that happen after the upgrade are the customers problem, and before the company's. That would ensure rapid security fixes. And a tonne and a half of email from Redmond every day.
Consistent failure to provide a secure product should be something that companies can sue over. Point in case - Outlook. This product clearly does not meet reasonable e-mail/PIM specifications for security, and thus shouldn't be sold in a similar manner to electronic goods having electrical standards to meet. Yes, submerge a kettle in water and you will get zapped, but you don't expect it in normal operation. And Outlook zaps you in normal operation all the time. It is clearly unsafe software, and there should be a product recall until such time that the software is fixed.
And this is the liability that people want to enforce upon software companies.
Your example is too simplistic for the issues that must be resolved. Instead, consider:
Motherboard "A" works fine with SoundX soundcard VideoV video card. You (the consumer) hear about the new VideoVx with 3 trillion instructions per second it makes quake look like a movie.
Now you install the new card VideoVx. After doing so, the system crashes. You pull out the sound card and everything is fine.
Now who is at fault?
The Video card maker:
Do we force every hardware update to be backwards compatible with every combination of hardware?
The Sound Card maker:
VideoVx was not even available when SoundX was created. Do we force every hardware maker to test and supply fixes for every new piece of hardware made available everyday?
The mother board maker:
They let the hardware conflict in some fashion or the system would not have died? Picture the permutations of hardware that would need to be tested to ensure that every possible combination of sound, video, cd, dvd, scanner, camera, hard drive, chipset, bios and operating system worked in any combination.
The OS supplier:
Face it, they did not prevent the interaction that allowed the failure. Of course, everyone was using them as stated, this specific combination however was not forseen when you bought the OS two years ago.
People keep mentioning architects/structural engineers/etc. Consider building a bridge where the materials changed four times a year. Would you know that mixing bolts of MaterialX with sleeves of material "Z" were an issue until a reaction (created by runoff from the surface of the road) happened? Of course not, nor do we expect them too.
This is why new materials are so slow to move into construction. We cannot afford to have buildings fall down.
I'm a firm believer that, in general, ALL SOFTWARE (including Linux, BSD, and Windows) is full of show-stopper bugs, with a probability in proportion to the number of lines of code raised to some power. If one piece of software seems more secure, it's just because the bugs haven't been found yet. And this will get worse as time goes by.
(How the bugs are handled after they are found is another story, perhaps we should be focusing on that instead.)
Microsoft has lots of smart people working for them. Free Software has many smart people looking at the code. Yet, most of this code has bugs. When I write a 10-line Perl script, it has bugs (for instance, what does it do in a full disk situation? What does it do when run by root? What does it do if a Perl library is missing or upgraded?).
Making software writers/distributers liable for bugs is simply impractical. Software is simply not like a bridge or a toaster. Software is incredibly complex, and it runs on machines that are also highly complex, connected to other machines with equal complexity. All the interactions can't possibly be comprehended.
And just what is a bug? If the program malfunctions under certain unforseen circumstances, but when it was written it met all the specs, is that a bug? If you use a formal system to "prove" correctness, are the rules correct? Did anybody make a typo setting it up? Is the program that does the check itself bug-free?
I can understand that if Microsoft promises you a secure webserver, and it's found not secure, you feel Microsoft is to blame. But perhaps a "secure webserver" cannot exist. Even if it did, once installed, it would interact with other software to create a security hole (example: Apache + PHP + anonymous uploads into the web-accessible area + MySQL running as root).
If a law for software liability were passed, it would instantly kill all but a few software companies. Free Software would wither or go underground because no programmer would want to touch it. You would get zero support for your software, unless your setup was 100% EXACTLY the same as the one the corps will support. This would probably be enforced with some draconian DRM. Our lives would get worse.
Of course you say, they could make an exception for Free Software. But what would the criteria be? Exception for no-cost? No, that would mean you can't charge for Free Software beyond the cost of media. No more PayPal buttons on your web site, no corporate sponsorship. And Microsoft would just turn IIS into a free download. Exception for source-code-included? That would be better for little guy (no more binary-only distro though), but Microsoft could just invent a very-high-level language where MS Word is 5 lines, and distribute that along with it. They would find some other way to get around it. Any liability exception would be unfair to someone.
If anybody should be liable, it's the person or company who chose and installed a particular system. This entity put together the components, so this entity is responsible for knowing they all work together without bugs. But like I mentioned before, I don't think this is possible. And even just one small change or upgrade and you don't know any more if your system is still secure.
In 40-50 or more years, the software industry might stabilize to the point where all basic computer tasks are performed using well-known, publically available, stable components and formal systems, and then you could use the term "engineering" and you could conceivably have more predictable software. But I don't really think we're anywhere near that point now. Computer science is still in its infancy.
I'm not optimistic!
Say instead of being a software engineer, I was an enginner who built bridges. Can you image a boss coming up to me and saying:
"I need a bridge built in this location to move some things across the river. We will lose out to our cometitors if this takes any longer than three months, you have two and a half. Tell me tomorrow how much steel you need ordered and I will have the iron workers (actually guys off the street who could spell iron) to start putting it together."
Would you go across a bridge built like that? I wouldn't if I had a choice in the matter. How different is this from many software projects? Not very. Management doesn't care about the software quality since they don't understand it anyway, the coders are passivly taught not to care either because it costs more to write well architected, well tested code. Code can be solid if effort is placed on writing solid code. There will still be bugs, but nothing like is prevelent today in commercial software. Think of all the VB monkeys that managers consider real programmers. (Not that there are good VB programmers, but by and large...)
Welcome to the world of software. As long as the current market drivers are in place, nothing will change.
-Pete
Soccer Goal Plans
What the hell are you smoking.
For example, I use Yahoo mail through my web browser. I'm responsible for the suitability of my system and maintaining a connection to the Internet. No software (from Yahoo) was downloaded, purchased or licensed for me to do this. If I paid the money for POP3 access to my account, how liable should they be for nothing more than access to an IP and port?
It's not too much of a stretch for online providers to release their client for no charge to qualify as "non-commercial", but charge for the privilege of connecting to their servers. If the Everquest client was GPL'd, or Microsoft Office 2010 did nothing but VNC to central MS servers, would they be considered non-commercial? And if they are "commercial", wouldn't Gamespy/FilePlanet, Red Hat, and Ximian (which all charge for "premium" access but offer the same content free) be lumped in the same category?
If I owned a house that I'd determined (through some of my own testing) had a chimney which was more like ly to allow breakins because the architect has designed too large a hole at the top, and I then tried to publish information about the security concerns about that chimney, could the architect bring suit to stop me? I'd like to notify other homeowners to secure their chimneys, but the architect is trying to get laws passed saying that *I* am the danger to society - I'm causing more breakins - because I'm talking about the chimney. Is that right? That seems to be the direction the big boys want to move in (not just MS, but many large software companies, from what I gather).
creation science book
Maybe not. But if I were building a bank and the architect forgot something like a lock on the vault, I would feel justifiably aggrieved.
What's needed here is some concept of due diligence or reasonable expectations. As you say, it is impractical to expect software to be perfectly secure or robust. It is simply not viable with the nature of the beast, and with the methods known today, to provide such a product.
However, there are some tests that should be routine in any shop. If a software company allows its coders to write in a style that lets in buffer overflows, a common and well-known class of bug that is easily preventable with just about any development tools available today, then that should be treated as negligence. This is very different from expecting someone to write encryption algorithms today that can't be broken in 50 years with all the unpredictable advances in computing power and mathematics that may bring.
This is really no different to any other engineering discipline. I wouldn't expect someone architecting a bank to make the safe unbreakable in the face of the military weapons of 2050. I would expect them to put a lock on the front door and install an alarm system that did something useful in the event of a break-in.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
I develop some software that I've released free (as in beer and speech) under the GPL. I have a simpler way to deal with this problem.
Anyone who downloads my software and isn't happy with it is entitled to a full refund for purchase price.
Since the price happens to be $0, I'm not concerned. Then again, I wasn't concerned in the first place because I doubt that any such laws that would be passed in the U.S. would pass in Canada too.
You can accomplish anything you set your mind to. The impossible just takes a little longer.
Like when the software want the servo to move from one position to another instantaneously, and the pesky servo is limited to the speed of sound?
Clearly, the fault lies in the servo...
Liability is always predicated on percentages, so even if you could "blame the hardware", that doesn't mean that you're going to get away with no damages, since everyone knows that "software is for fixing problems with hardware".
-- Terry
You mean just like when you implement IIS and didn't put patches on or take steps to adequately secure the box. You know, something you could have done. Not doing that is also your fault
freedom of speech and of the press are 2 different clauses of the first ammendment.
(In the USA) the following applies:
Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press;...
The freedom of the press interpretations under our constitution are so strong as to effectively negate application of libel law to journalists.
I know of no freedom of speech issues wrt code having been brought before the courts which relate to freedom of the press. Also, I believe that press freedoms principally apply to journalism, not to publishing in general.
Cases which bear directly on source code as speech include the ITAR - based prior-restraint placed on Bernstein's Snuffle algorithm (academic / free speech) or PGP.
These cases both turned on ITAR violations, and substantially involved speech issues. PGP source was been legally printed in OCR fonts by the MIT press, which due to constitutional protection was not subject to prosecution under ITAR (yes the law is more bizarre in its detail than most perl code:-)).
The courts have been clear that source code may qualify as speech and enjoy first ammendment protections, but that compiled code at best has weak protection. Further, I am doubtful that proprietary (source or binary) code owned by a commercial entity would be qualify as protected speech.
Linux is Linux, if One need clarify their dist: <Dist>/GNU Linux
bsds are of course just BSD
Close, but that's not how software companies would build bridges:
"I need a bridge built in this location to move some things across the river. Our marketing guys say we need to get traffic on it with a month, and don't worry about it collapsing because it's more important that we get people lined up to use our bridge than to actualy get them across the river - that can wait for Bridge 2.0. Finally, we've already decided to use recycled steel (up to one ton, no more) 'cause I got a nice dinner at the local tittie-bar from their salesman - I don't want to hear any crap about tested structural steel and high-tension bolts. The decision has already been made, as has the placement of the piers. (A real professional can build on loose sand and clay, so I don't want to hear any more whining.) If you don't want to play by my rules (but take the blame when you can't meet my schedule or arbitrary restriction), we'll blacklist you as "unmanagable."
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Personally, I don't see what the big deal is, or what's so serious about the question with regards to OSS. Most Open Source software are distributed for free. If anyone decides to use it, they use it at their own risk. When you think about it, this is common practice in the Real World: if I let you pick an apple off my tree and you find a worm in it, are you going to hold me liable, and for what could you possibly hold me liable for? (Of course, if I knew that it had a deadly worm in it and still encouraged you to eat it, that's another story.)
This is in contrast to paid software (or services and goods in general), where there is some sort of bi-directional agreement (i.e. I give you product xyz, you give me money). If I buy a carton of milk and it's bad, it makes sense that I should be able to ask for a refund, or get a new carton. Similarly, if I buy a bad MS product that causes real damages, they should be held liable.
---
Open Source Shirts
OK, So I'm an Architect, and just finished working on a bank to boot.
You are right that there is a reasonable level of liability and quality expected within my design for the bank.
If the bank was to get robbed via force, I wouldn't be liable, for it was never represented by me, or required by my client, for the bank to be 100% robber-proof.
My design was required by my client to meet their needs for security and safety, so it's more important that the vault is secure and that someone can't easily hold hostages within the bank than it is to make it so that someone can't walk in with a shotgun and run out with a few thousand dollars. It's impractical to make the bank 100% robber-proof.
Now if a flaw in my design allowed someone from the Togo's next door to open a hole in the wall, and gain immediate and complete access to the vault- well then I would be liable, and rightly so. If I designed a bank with hidden corners and nooks where one could hold up and defend the bank in a hostage situation, and someone was gravely injured because of it, then I would be held liable. My design failed. I was negligent.
See there is a scale to this, a level of reasonable liability and requirements.
As an Architect, I am liable for everything I do, just like a lawyer or doctor or engineer. And just like a doctor or lawyer, I must complete tests and a certain amount of training to gain licensing to call myself an Architect and sign drawings as such.
Now any kid could design a house. That doesn't mean the roof won't leak and that it will survive an earthquake. That's the point of licensing in Architecture; I gain the legal right to sign drawings (a requirement for anything bigger than a house) and the legal right to call myself an Architect (that's right, all you 'software architects' our there are technically breaking the law- it would be like calling yourself a 'software doctor'- no one takes this seriously, but still that's the law) at the cost of accepting the liability for the work I do and the advice I give.
Now the software most Architects use is horrible. It doesn't perform as advertised, costs a fortune, and the licensing is draconian. It's frightening and sad. Now if it crashed now and then ok that's reasonable because there is no such thing as %100 stable software, just like there is no such thing as a %100 robber-proof banks.
However when there are GLARING deficiencies in a design, I believe that the people should be held liable for their work. In every other industry and business this is the case.
I don't think requiring licensing or liability for software development would have the 'sky-is-falling' response most of you geeks are saying it would. I think it would provide a much better, and respectable, industry in general.
To compare this to Open Source software; just because I design a house and freely publish the plans doesn't mean I am liable for every house that SOMEONE ELSE builds from my plans. If you bought my plans, and built the house I designed; well it's on your head to make certain the roof don't leak. But if you hire me to sign those drawings, or design the house or oversee it's construction then it's my legal and moral duty as an architect to make certain that the roof don't leak. See the difference?
(I am over-simplifying this; I know. But I'm proving a point here)
So if I download Debian, and compile it myself, the Debian project is not responsible for how I did it, nor has any control over how I did it, so therefore they shouldn't really be held responsible for my actions.
But if I hired someone to do it for me, or bought an off-the-shelf copy from Microsoft, and it has GLARING design deficiencies that cause it to fail in it's advertised abilities, well, I should be able to at the very least get my money back.
Software Developers should be ashamed that they don't hold themselves accountable for their own products.
Microsoft will actually sign with customers of big contracts agreements which assure that Microsoft will taking liability to ensure uptime, security and safety something.
One of the major bonehead CIO bloated to others that agreement and said "Now that's what we need - an assurance from a big corp.! What more can we ask for!"
Until I show him the following line:
8. LIMITATION OF LIABILITY.
Microsoft's entire liability and your exclusive remedy under this EULA shall not exceed five dollars (US$5.00).
God, he signed a $10,000 assurance agreement for a liability worths US$5.00. You gotta see his face when he figured this out.
On the other hand, I have found some of the responses educational.
One angle is the "follow the money" angle
Another, equally viable, is the "See the Source Code" angle.
As seen in this PDF file, property rights are often considered as a "bundle of sticks", a collection of rights which taken collectively create the concept of property and ownership. (although this is usually seen in land and realty situations, I can see how it applies elsewhere)
This ties directly into the license vs ownership arguments, etc. and would have to be sorted out in detail
"It is a greater offense to steal men's labor, than their clothes"
There are already codes of ethics for software engineers. Sure, they aren't mandatory, but I subscribe to them, and I'm sure that many (if not most or all) open source developers do as well (even if unconciously).
Nathan's blog
The risks,issues and solutions for providing a more secure operating and application enviroment have been known for decades. Those who do not already comprehend the issues and are willing to learn, should take some time out to listen to some of the speeches at Dr. Dobbs Journal's Technetcast security archives, starting with Meeting Future Security Challenges by Dr. Blaine Burnam, Director, Georgia Tech Information Security Center (GTISC) and previously with the National Security Agency (NSA)
The design and implementation of some applications and servers are just too unsafe to use in the "open ocean" of the internet.
Numerous security experts have railed against Microsoft's lack of security, best summed up by Bruce Schneier Founder and CTO Counterpane Internet Security, Inc who rightly stated ...
However Microsoft's products are not alone in the presence of vulnerabilities, this is a major issue for Linux/BSD and Unix as well as any other OS and vendor.
In a recent speech Fixing Network Security by Hacking the Business Climate Bruce Schneier claimed that for change to occur, the software industry must become libel for damages from "unsecure" software, however historically, this has not always been the case, since most businesses can insure against damages and pass the cost along to the consumer.
The Ford Pinto and more recently the Ford Explorer's tires are two examples of public and media pressure being more successful than just threat of lawsuits. Even so, eventually though public pressure the governments around the world have to step in and pass regulations that set up a minimum set of requirements an automobile has to meet to be deemed "road worthy". This includes crash testing as well as the inclusion of safety equipment on all models. The requirement are not constant and change to meet the expectations and demands of the public and lawmakers.
The onus is not only on the automotive industry itself but also on the users. Most countries require that all automobiles undergo regular inspection and maintain an up to date "Warrant of Fitness".
In the same way, if you want a secure IT infrastructure, eventually the software design, implementation and each deployment will have to undergo the same type of regulation and scrutiny.
Damn!
:(
How do you guys do it? Time to change my root password again
There are two ways in which it would hurt the open source movement:
Companies wanting to open up software would quickly keep there source closed in fear of being sued for the bugs found. So while you may hurt Microsoft you have just turned every software company into Microsoft.
What if an open source coder has his/her program included into a distribution or linked into a another peice of software, then being sued for a bug in your code.
Seems like this short-sided idea has become a nightmare. Maybe I am over reacting but I just do not trust law makers (with no software experience) to make complicated software liability laws.
(From NT EULA)
:)
6. NO WARRANTY.
Any use of the software is at your own risk. The software product is provided for use only with Microsoft Windows NT Server. To the maximum extent permitted by applicable law, Microsoft and its suppliers disclaim all warranties and conditions either express or implied, including, but not limited to, implied warranties of merchantability, fitness for a particular purpose, and noninfringement.
7. NO LIABILITY FOR CONSEQUENTIAL DAMAGES.
To the maximum extent permitted by applicable law, in no event shall Microsoft or its suppliers be liable for any special, incidental, indirect, or consequential damages whatsoever (including, without limitation, damanges for loss of business profits, business information, or any other pecuniary loss) arising out of the use of or inability to use the software product even if Microsoft has been advised of the possibility of such damages. Because some states and jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.
And my all time favourite:
8. LIMITATION OF LIABILITY.
Microsoft's entire liability and your exclusive remedy under this EULA shall not exceed five dollars(US$5.00).
It's effectively saying: You got what you asked for. Here's your five dollars, move along.
Somehow I think it's much worse than the big cap 'NO WARRANTY' in all GNU software license.
Some would say yes, I should have tested, but since the fault doesn't lie in my code, is it my fault.
Now what if two of the 3rd party components decide to conflict and the bug isn't in my code, am I liable, are they both liable?
The most important question is... Do we want lawyers *ucking up our business? Lawyers do not solve problems, they amplify them.
The key to software liability will need to be based off of more then lost productivity and will also need to include some conditions for rapid resolution of bugs. Just because a bug exists, a company shouldn't be liable IF they can fix the bug within a set period of time.
I don't promise my clients bug-free software... I promise them rapid fixes to their problems. I do Q&A, but when things get rushed, bugs appear, things conflict, and sometimes testing environments aren't enough.
Failure to fix bugs should be the bases of liability, not the fact that they exist.
Tournament Management Online &
Hopefully this would require licenses to code. Everyone who picks up a perl book thinks that he/she is a developer. I work in IT for a major corporation and waste too much time dealing with people who don't understand why ethics important. Such as getting paid $70K a year and providing undocumented hacks to get things to work for six months until another hack is necessary. A federal or state licensing board should be established. Even my barber requires to be licensed and that only costs me $12.00
Civil Engineering Liability, and Liability from the manufacturing of things like automobiles that go suddenly in reverse, or cribs with slats that are too wide are liable because they are dangerous to human life in the normal, or reasonable use.
And that they become liable when people become seriously injured or die.
Are the engineers liable when something out of scope happens, like a jetliner loaded with fuel hits a buildling? Or lets say a determined individual removes all of the nuts from a bridge?
Black Hat's discover weaknesses in communication protocals, exploit those weaknesses to wreak havoc.
This is the same sort of criminal behavior as those described as above.
Gun Manufacturers have not been held liable for guns that kids can shoot.
However, I think it would be quite reasonable to hold that operators of computer equipment that has not been properly configured, and continue to operate that equipment when it is known to be compromised or comprimisable without taking appropriate action, and putting themselves and others at monetary risk on the net should be considered liable. This is the same standard that drivers, and property owners are held to.
The vast majority of the security issues in any of the software products out there, Linux, MS or otherwise, have been attempts to defeat security protocals, by breaking protocal standards. IE this is NOT normal use.
MS is NOT alone in this regard, All vendors of server products have had security issues in their product from time-to-time.
First level liability should go to those that are responsible for operating their computers.
Hooking up computers to a public NETWORK is inherently dangerous. Operating them properly is the primary responsibility of the user. The manufacturer of the equipment and the operating system have an ongoing responsibility to provide patches to newly discovered vulnerabilities. But to level liability, gives too much credit to developers and testers to discover all weaknesses in advance, and it gives too little credit for hackers to determine weaknesses.
The problem of locating fault is not unique to computer science.
For example, take a building that collapses. One party may claim it was the geologists fault because the ground the building was built on was too unstable. Another party may claim the mechanical engineers didn't design the supports properly. Another party can claim the building operators overloaded the building and violated the specs. Yet another party may claim the beams were inferior and the supply company is really at fault. Still another group can claim the construction...
You get the idea.
The interconnectedness of the hardware, OS, software, drivers, etc... are no reason to grant computer scientists an escape clause.
I've been reading Slashdot for a bit over a year now and I have yet to see a good argument why code is free speech. Code is a product, a construct. Windows is not free speech anymore than a chemical plant is free speech. Hackers are paid to design programs just like a chemical engineer is paid to design a process.
That's not to say the content of the code is not free speech. The plot of Deus Ex is free speech, the code for the engine is not.
And, furthermore, if you want a secure IT infrastructure, it will cost you. A lot. This cost will be paid not only in higher software/hardware prices, but also in a greatly decreased diversity of options in available software. Why is this so? It is because this kind of regulation will produce overhead costs which cannot be borne by most small producers, producers who will then be forced to pull their products from the market.
The most vulnerable producers, of course, are the authors of Free Software. Currently, many of us produce code which we make available to others; in turn, we rely on this body of code for our own work. Many of us are not professional programmers, much less software engineers, but we do the job well enough that most things work, most of the time. Now, ask yourself how many of us will be able to continue this practice under the threat either of product liability or of draconian licensing requirements? Precious few! I've got enough work to do as it is; there's simply no way that I can do the work of a team of professional software engineers in addition to my primary occupation. Right now, I deal with this by telling users up-front that the (free) code they get is experimental and as-is....I do what I can to see that things work, but I make no promises. If I am not allowed to proceed in this fashion, I will have to pull my code. One small, very specialized project vanishes, which is no great loss...but how many of my peers are in similar straits?
Freedom and diversity, or security and quality insurance? You pays your money and you takes your choice. For the non-critical systems which make up the vast majority of user-level applications, I'll take the former any day. Alas, I fear that once the regulatory ball gets rolling we may lose the ability to make that choice for ourselves...and the price will be higher than many people anticipate.
-Carter
If the lawmakers are actually interested in doing good, they may say that open source software is exempt from liability requirements (because if there are problems you could have seen them in the source!). So, enforced liability could really be good for the FSF.
The question is whether the *law* will impose some kind of strict liability, which cannot be disclaimed, on software as is the case w/certain other products.
When an SUV rolls over someone dies.
When children's clothing chokes a child, someone dies.
When a doctor screws up a surgery, someone dies.
When IIS is hacked, L331 H4XOR OWNZORZ JOO.
No doubt there are bad programmers around, and the numbers are increasing mostly because corporations are trying as much as they can to reduce pay. Only crappy programmers are willing to take the low salaries that can compete against things like H-1B.
If the software is crap, blame first the company that sold it. Then let them review their procedures on how it got to be so crappy.
"We need this package done in 2 months." "OK, 2 months and it will be done. Then 7 more months and it will work right." You think that programmer gets to keep his job, even if he's telling the truth?
now we need to go OSS in diesel cars
please mod parent up as interesting or insightful.
(I've no mod-points today).
The reasoning behind is that with source in hand, anyone can verify the suitability of the software for a given purpose, absence of backdoors, critical bugs and things - and if a bug turns up, it can be corrected in a matter of hours or days, keeping actual business damage very low.
It would of course also carry all the usual benefits of Open Source, like transparancy, competence distribution, easy adaption for specific purposes, documented document formats and the like.
Good luck :)
I'm in a Unix state of mind.
If you had to prove code is solid, functional programming languages like LISP and ML would certainly make a come back. So it's not all bad. :)
Right now it's almost impossible to get good information on the quality of software. Heck there are even laws preventing it (like Oracles and Microsofts "no external benchmarking" BS).
How to do this right is a real problem. I would think though that one of the recognized bodies could set up some rules for the levels. (1. will not kill user, 2. will not format hard drive before use, 3. will not format the hard drive in standard use, etc..:) And the government would require software to carry a level that they promise the software will live up to.. even if it's no guarantees (the lowest level).
It just seems to me that software users need to be informed better what they can expect and then they will make the right decisions and over time their expectations/demands will increase.
DescSuit
I really think that this is a bad idea, mostly because of the lack of controlled environments. Yes, you can try to hold the engineer of a bridge responsible if it collapses, but when was the last time you saw a couple of thousand people gathered around the supports of a bridge whacking it with hammers ?
If I find an exploit in software, my community praise me. If I try to find an exploit in a bridge, I go to jail for vandalism or some such crime.
Seriously though, there is no way you can fix "all" bugs, so releasing ANY software will just open you up to various lawsuits.
There is also a matter of who will be allowed to sue. For example, someone discovers a flaw, sues Microsoft, gets paid lots of $$$, Microsoft fixes the bug, posts a patch on their site, and a month later some other nut gets effected by the same bug. Should Microsoft pay that other nut as well just because they didn't upgrade? Many software problems are fixed soon after they're discovered, yet a vast majority of the people never bother to patch. (that's why these internet worms can spread, etc.)
Another issue is that many problems arise from improper use of the software. Most buffer overflow is definitely "improper use"... it is a security hole? Sure! But is it "regular" use? No! Software is designed with some proper use in mind, if you start to improperly use it, then sorry to say, the software wasn't designed for it. (well, granted, buffer overflow shouldn't be allowed, but just making a point).
In general the liability strategy will degrade software reliability, since a company will do a lot of in-house testing, etc., not releasing it into the public in fear of being sued. Now, no matter how many QA testers Microsoft or anybody has, they will NOT find all the problems in their software (60 million lines of code in WinXP???), AND they'll find a LOT less bugs than the general public. I know it's not nice to use your users as beta testers, but that's how software becomes reliable. People find bugs, complain, company fixes bug, and software becomes better and more reliable for everybody.
Then there is this whole thing about it being next to impossible to prove the correctness of a program...
"If anything can go wrong, it will." - Murphy
I was in architecture for 4 years before I moved to IT. Atchitects are responsible for every build they built until they die. I believe they're estates can be sued if a building falls down. Point is, Software is getting more and more important to money, wellbeing, and the market today. Wouldn't we want venders and even coders to be accountable for they're work. Open Source work its great but its not exempt from accountability...unless you just keep your code to yourself.
I guess I wouldn't buy plans for my house from a guys on the street corner, so I guess I wouldn't secure my computer systems with open source written by some kid in his basement. Only problem in that is the kid probly writes better code the Microsoft.
-- Disclaimer: I can't really back up anything I post on
If you want some kind of reliability guarantee, can't you already outsource to a services company like IBM and say "keep this system running, doing this, with -figure- availability and -figure- mean time between failure"? And have a failure to meet this commitment result in significant loss of payment to IBM?
Of course, such contracts don't come cheap. But then, we're comparing the creation of software to the engineering of bridges, skyscrapers, and bank vaults, and last time I checked bridges weren't cheap either.
This is what I suggest: /. has for Micro$oft. The courts must recognise that the implicit trust consumers have for megacorporate EULAs is illegal because you don't read the agreement. A questionnaire should follow the following format:
Companies selling software with a market capitalisation of over $100,000 have their EULA's have no meaning in a court of law UNLESS they quiz the customer so that he understands the EULA. This'll stop the "implicit trust" that everybody apart from
Who is legally liable for a failure in this software? (you must answer - I, the user am solely responsible)
User types: Me, I am solely responssiible mommy
What use restrictions are on this software? (you must answer - only me on my own computer and laptop)
User types: Only me on my own computer and laptop.
This is the *ONLY* way to get Joe sixpack to think twice about "signing" the document. This way people that sign a stupid EULA are gonna look the same as that stupid woman at the used car lot saying, "I signed the paper without reading it, and they took my house away, I didn't know it was written in the contract."
A caveman dreams of being us, the incalculable power and riches. We dream of being Q, then what?
to design you a house,
then when he was almost done, said that the walls must be made from foam.
....except the one on thats in the swamp....
....and now that you've disigned one house, it shoudln't take you long to do a few more...
..and did i say there has to be a high speed rail link between them...It must travel faster than the speed of sound, but never hit any animals that happen to wander on to the track.
..and can you make that house bomb proof....
whys that house got walls made out of foam?
thank God the internet isn't a human right.
"Microsoft can't control that process. If the printer driver tanks the system, who do you hold liable?"
;-)
I, for once, would blame the moron that put lpd in group "root" rather than "lp"
Obviously, preventing people from coding would be a Bad Thing[tm], but something that says "if you sell something, you are liable for what you sell" is not necessarily bad. It would mean that Red Hat would be liable towards whoever they sell their distro to, but J. Random Hacker would not be liable towards RH for whatever code he has written that is in RHs distro. Unless, of course, RH was paying J. Random Hacker.
So, what RH would be selling, is something valuable; they will be selling a warranty. Of course, prizes for the distro would go up, but I wouldn't say that is a Bad Thing[tm] By Default. Moreover, suits will eventually understand what kind of product they're buying, and they will realize there is actually quite a lot of money in Free Software. Which isn't a Bad Thing[tm] By Default either. It may mean that distro-sellers can put an even greater effort in making things secure, which means better software for all of us.
Besides, we all know that Free Software is usually more solid than locked-up software, don't we? So, M$ will have something big coming their way, and that may be sufficient to open up the marketplace for Free Software, so that we can gain the foothold we need. If our software is better, M$ has a lot more to fear than we do. I mean, I'd love to sue them for the many megs of bandwidth Klez has robbed me of.
In conclusion, I don't think software liability is necessarily bad as long is it follows the money.
Employee of Inrupt, Project Release Manager and Community Manager for Solid
The major difference between MS and open-source / hobbyist developers is that MS *does* make a claim as to its suitability for a specific purpose, and it *does* make a claim that it is secure.
The majority of open source software carries a disclaimer saying "Use At Your Own Risk". If you cant appreciate the risks, then you shouldnt be in the position to be deciding whether to use the software or not.
Let me make a suggestion: If you produce a closed source product where you release only the executables then you should be held liable for any damage the product causes. If, on the other hand, you release the complete source code for your product then caveat emptor. In the later case the user/purchaser has all the information necessary to (a) evaluate the safety and security of the product and (b) make any modifications necessary to bring the product up to their standards. If they don't have the wit or the will to do so then they're on their own.
I've always considered programming be be at least in part an art form anyways. I mean really, an nicely implimented algorithim is just as beautiful (in a weird, geeky kind of way) as a Van Gogh.
So how could you actually blame someone if their program didn't work? I mean if you buy a painting and it just doesn't fit in with the colour scheme of your house, do you sue the artist? If the piece doesn't go up in value like you wanted it to do you take the painter to court?
Of course not. That'd be silly. And while programming isn't completely analogous, there's a common thread there. The software doesn't work right with your hardware. Too bad - if it says in the manual that it might not work with "XXX" 32 MB Video Card and it blows your monitor then it's your own damn fault for not returning it before you peeled the shrink wrap off the CD (assuming the manual is packaged and is not included as an adobe document on the CD). If there's a bug in the program? Fine - if you bought the piece of software you have reasonable grounds to expect a bug patch quickly, but if you got the program for free?
It's really not worth going on any further about how illogical this law would be. All it would do is give more power to the ignorant masses who buy a $4000 computer to play minesweeper and use Excel.
What we need is a way of educating people how to use and understand their computers. Not a way for them to blame their ignorance on someone else.
Mundie said. "Microsoft can't control that process. If the printer driver tanks the system, who do you hold liable?"
I hold responsible the designer of an operating system so unstable that a printer driver can take it down. Is this the best excuse they can come up with? Because that sort of computing isn't "trustworthy" in my book.
God is imaginary
Liability, like patents, is a set of laws and regulations that will aid IBM and MS and will put an end to most small development.
If you don't understand why, then my guess is that you're under 18 and don't really understand much about business.
www.badsoftware.com, a collection of papers by Cem Kamer and others has some good reading on this subject, as do his texts.
"I should be entitled to have it fixed"
At most, you should be entitled to your money back.
On the other hand, lets say for 100 people MS Office works great; for you, it doesn't work.
Why?
Who should be responsible?
Should a developer be responsible for every permutation of software on your machine?
You're a silly user who wants your bottom wiped and powdered because you use a "magic box" that you don't quite understand.
When buggy commercial software is rushed to market, and it's failure costs it's users money, the manufacturers of the software, like any other product, should be held liable. Companies like Microsoft and Oracle would whine and complain, but consider if cars failed as often as Microsoft's products. Having car buyers accept a licence agreement wouldn't exempt the big 3 from liability.
The Uncoveror: It's the real news.
Though everything has already been said, I'll add my piece.
(1) All engineering fields are innovative, even brige building
(2) Innovation means change, change means uncertainty, and uncertainty means bugs
(3) Thus all engineering fields suffer from bugs (Tacoma Narrows, for example)
(4) All engineering fields have ways to minimize the effects of bugs when they arise, even if their precise nature isn't known (building to handle cases worse than expected, such as building to withstand up to richtor 9 earthquake when only up to a 6 is expected)
(5) Likewise, all fields have way to test designs for bugs before construction, or analyze implementation after construction (physics simulatations or models before, careful expections after)
(6) Therefore, all engineering fields have the option of minimizing the occurance and severity of bugs.
(7) Yet minimal bugs are only one factor in a project: time, cost, and asthetics are other factors.
(8) No factor can be perfectly achieved (there is no such thing as having something now that does not exist now, or for no cost, or at perfect asthetic elegance, or with no risk of failure).
(9) Thus, each project inovlves a balance between competing ideals.
(10) The people performing this balance are, by and large, rational actors that seek to maximize their gain and minimize loss.
(11) Thus, they seek to maximize profit, fame, customer happiness, competitive advantage, while minimizing legal liability, infamy, or customer disatisfaction, or market weakness.
(12) Though not entirely a zero-sum environment, in general each factor comes at a cost in the others.
(13) Thus, the rational actors evaluate which factors are the most important, and then plan accordingly.
(14) Many engineering-centric industries have legal liabilities for quality, but still exist.
(15) Though it's a point of much contention, I see no reason to believe that software as an industry would cease to exist were liability introduced, seeing as how it is fundamentally similiar to other industries.
(16) Granted, introducing liability would affect profit, market strength, and so forth.
(17) However, the purpose of introducing liability is not to improve the lot of the engineer, but the customer.
(18) Thus, whether or not it would be better for the industry itself (even though likely) is irrelavent.
(19) Changes in the requirements put upon product developers does not change the demand from product customers.
(20) Thus, as long as it is conceivably possible to still profit while satisfying customers, it's reasonable to expect that products would continue to be created.
(21) Accordingly, it's reasonable to expect that the changing market conditions/requirements would result in an evolution of new companies that can operate profitably in this new environment.
(22) Of course, any change in the environment creates disruption.
(23) So the goal is to find changes that create a level of disruption that is less than the gains the change brings.
So this is longer and more boring than I anticipated, but essentially it's my reasoning as to attempting to focus the discussion not on whether or not "liability" (undefined) is "good" or "bad", but instead on what *types* of liability would provide a net gain or loss. Do with it as you will.
"Freedom of contract" means that people may individually or collectively enter into whatever agreements they see fit, as long as force or fraud is not involved. If you want to be able to hold the maker of a software product liable for damages caused by bugs in the software, then find one who agrees up front to assume that liability. Of course, you'd probably end up paying $1000 for a simple word processing program.
OTOH, if you were willing to accept the risks inherent in using a particular product, you could get lots of software very cheaply or even free. (I believe the GPL explicitly states that the user assumes all risks associated with using a GPL'd product and holds the maker(s) harmless.)
The problem is, few people seem to support the principle of freedom of contract. For example, they want laws passed that hold employers liable for healthcare screwups that their insurers have paid for. GNazis like Richard Stallman want to forbid consenting adults from exchanging binary-only softare for money, under terms that would restrict the buyer's ability to redistribute that software. And now, there are some that want to make software producers always liable, regardless of what risks the user is willing to assume. And on and on.
Just as it does the auto industry. Only the largest corporations can afford to absorb risks and mitigate them.
How many people in their garage can just start making cars anymore? None. You have to have dozens of engineers who do nothing but ensure government regulations are met.
Once you involve 'licensing bodies' you incurr licensing costs and insurance fees..
Only high dollar companies would be able to survive in an environment like that. If you are doing Opensource and not charging, how can you afford to licence/insure.. ?
Something needs to be done, but im not sure that a blanket scheme is the answer..
---- Booth was a patriot ----
Reading the article from Reuters brings to mind a possible solution to two problems at once:
Make Microsoft solely liable for their software quality, as a "reward" for their monopoly status! Their deep pockets (earned from their evil monopolist ways) can then be used to repay customers who've suffered from their shoddy quality ("features first, quality later if we have to").
Making only monopolists liable for the quality of their software provides a simple way to let the market (expanded from sales to law suits) control the behavior of the monopoly violator.
. If the printer driver tanks the system, who do you hold liable?
The nitwits that designed the OS so a driver could tank it. Not to mention that incompatibility with drivers (which are not written by MS even when they are on the Windows installation disk) isn't the only problem. There are plenty of incompatibilities between Windows products!
A good OS should isolate different programs so one piece of runaway code is only going to tske down the functions it controls. Most versions of Unix do that pretty well. DOS didn't but it wasn't intended to be a good OS. It was a simple single-tasking single-user OS, and if something tanked you didn't lose too much by rebooting. Win 95/98/ME inherited some of DOS's weaknesses by design (to maintain compatibility), and due to the added complexity on a shaky foundation they were even more likely to tank - but they weren't intended for servers or heavy duty applications either. NT was supposed to be the server/heavy duty reliable OS - but it wasn't, and although it got better at each revision, even at rev 6.0 (XP) it still isn't really server grade.
The liability shouldn't be for writing crappy software, but for selling crappy software as if it were good software. False advertising...
1. If a program with the size/scale of TEX can be implemented with so few bugs, then clearly the "software is too complex to have liability contraints" argument is really a cover for poor and untrained engineers.
2. As to Ballmer's argument...I have a cell phone with a whole lot of code on it, which enjoys widespread popularity, and which appears to have few if any defects. Clearly besting his low bugs per capita Windows.
3. Since the intended use is often different than
the actual use I have a hard time with liability lawsuits going after Windows for $1000000 when the software was purchased for $199. Now, if the limit was set at the price tag ($199), we might have a solution for both the commercial and OSS realms.
> The argument is: an architect designs a house that doesn't blow over, or a bridge that handles the traffic load without collapsing.
Architects design houses. Engineers make sure they don't blow over (structural engineers, civil engineers), Engineers design and build bridges.
The only things architects do are play with popsicle sticks. Anyone who doesn't go past basic calculus shouldn't be doing anything complicated with numbers.
and if you're a consultant you pretty much have to have it to subcontract. So yeah, it costs $600/yr for $2M in insurance and then they can sue you if you accidentally delete a database or something.
The revolution will NOT be televised.
In a sense, i agree that there should be some form of incentive or liability for creating crappy software. In both open source and closed source arenas, there are some real doozies out there.
But in the same sense, i'm afraid that it may turn out to where there are quite a number of unreasonable demands placed on software developers. It may not happen all at once, but it could creep in over the next decade or so. Look at the differences of complexity of automobiles over the last 30 years. It used to be that a monojet carburetor, mechanical ignition and high-octane gasoline was just great for driving down the road. But now with all the emissions/fuel consumption/crash regulations, and on and on, cars are so complex that the average person can't even adjust thier idle settings or change sparkplugs without proprietary tooling, unneccesary effort or expensive shop rates.
And i'm probably going to get modded to down for this, but the thing that i hear over and over "just use linux!" doesn't hold any merit either. Sure, linux is (insert trumpet sequence) *open source* and all. But linux (or gnu/linux if you prefer) has its share of issues too.
And really now. Yes you have full and complete unadulterated access to all source code for just about anything. But who's got the time, knowledge and ability to sift through millions of lines of code in multiple programming languages looking for potential bugs and security holes?
It's not intended obscurity, but it is obscurity.
Then there's also the issue of well-meaning but inexperienced/careless linux admins that have had thier servers and things wide-open for attacks for years now. Just because IIS is/was target #1, don't think that there will never be a time when linux machines become a full-blown target as well.
The thing with liability law is that you can sue someone for your cock-up. You wrote the program/allowed the virus in/lost our data. Don't mention the fact that I didn't research the program properly, just assuming that because it's widely used that it must be good. Don't mention that I was using a free anti-virus program and didn't update the definitions as often as I should. Don't mention that I didn't backup as often as I should.
If there's anything that's highly noticable in these situations, it's that the vast majority of people are highly ignorant of computers. Many of the computer systems I get to see in my job are either:
There are a lot of system admins out there who get ignored by managers who believe all of the marketing spiel or who have had so much heaped on them due to limited resources that inappropriate or misconfigured, or unpatched software gets used.
Poor management too has a part in all this for not attaching sufficient import to systems until they go down, at which point they look for ways to cover their arses - hence calls for liability laws.
Rather aptly, the quote at the bottom of my slashdot window is "Ignorance is the soil in which belief in miracles grows."
Who's fault is it? Probably not Microsoft (for once) - their software is attacked primarily because it is very widely used. GNU/Linux would probably face a similar effort against it if it had Microsoft's market share (whether they'd have a similar number of successful break-ins is a matter of debate which cannot be answered). If anyone at Microsoft is to "blame", it's their marketing department who encourage Steve Ballmer to say stuff like "The products are even less buggy than others, in terms of per capita usage".
Business is to blame for not properly investing: in time for researching product alternatives or the resources to properly maintain the systems.
Another aspect of blame is marketing departments defining release dates months in advance and shipping even if they know there are serious problems - some sort of liability law might actually be useful here. In addition, liability law could (and probably should) be brought into play in cases where companies have been informed of vulnerabilities and then proceeded to do nothing about them.
The problem with liability is that we all are, to some extent.
The problem with software liability is that almost all software depends on the OS for stability also. If the OS allows memory leaks and such, then how can a piece of software be liable? The lawyers destroy every industry!(Look at what the medical malpractice suits are doing to the insurance premiums)
While this doesn't translate directly to the Free software world, the idea that the damages are limited to the amount paid in the first place is useful (and obviously workable, or this wouldn't be a standard feature of so many contracts). The issue over functionality is trickier - in the Free Software world, often people add features just because they think they're neat - and often they turn out to be. Where liability exists you need to worry about the extra liability you are taking on as a result of adding all these extra features, though.
Companies could supply software for (nearly) free without worrying too much about liability. Once the income from software sales becomes a signficant part of your turnover though, you start needing to ensure that the software is properly designed and adequately tested (of course thorough testing is no substitute for good design).
I'm unsure about how well this kind of measure would survive a transplant from a contract to a license agreement (since I'm not a lawyer).
and the snake oil salesman who limits his liability the least (the stupid ones) will probably make the most sales and end up the most penniless.
Well, just consider that most of the product disclaimers you see are the direct result of somebody doing the thing that they say not to do. Do not operate hairdryer in water came about because somebody was trying to dry their hair in the bathtub (which doesn't make sense anyway, since you'll likely get it wet again, being in the tub). And so on...
And we're the same species as some of those people? Man, doesn't bode well for the species.
Quite frankly, you don't know what you're talking about.
Your bank is ONE bank for a SPECIFIC client for a SPECIFIC purpose in a SPECIFIC location. barring furniture and wallpaper it probably won't change over the course of it's life and if the buildings around it are knocked down and replaced with something new, it probably won't be affected in any way.
Imagine building that same bank 1000 years ago with only the knowledge and tools from that time. Image that the building can be sold to anyone, in any location, for any purpose and that the building interacted with (or at least could be affected by) the buildings around it. Are you going to say it's your fault that someone put the damn thing in sand or on top of an unsafe ledge or that they are constantly knocking building down around it? Of course not...
What about if you were to put a Ford-engineered part into a Honda engine? If it breaks do you blame Ford? Honda? the person using it? The fact is that other engineering disciplines have the benefit of knowing BEFOREHAND exactly how their product will be used, exactly how it will NOT be used and the products are designed for a SPECIFIC purpose. Software is *NOT* like that.
When we design and build a system it has to do X many things, work in an environment that we have no control over, interact with components we don't have control over, may be used in ways we have no control over and is still expected to work.
How well do you think your bank would hold up if every 6 months you had to knock down parts of it and redesign those parts because the owners wanted new functionality? How long before a weakness would develop and your precious bank would no longer be so secure?
Sorry, but you're comparing apples to oranges and, with all due respect, you don't know what you're talking about. Software is a FAR more complex art than any other form of engineering. The fact that it works at all is amazing enough. As it matures your arguments will begin to hold water but right now, I'd say we're at the same stage of evolution structural engineering was at 1000 years ago and having a slightly better percentage of success.
Well, I think you're the one who doesn't know what you are talking about;
To object:
1. The Bank WILL change a lot over the course of it's life. It's not 'static'. Don't be so myopic in your vision. People will be changing 'my' bank in the future- new tenants will move in next door and change the building, the bank will change it's security systems, the roof will get re-done, maybe the building will get renovated and added on to. The building will be changing every six months, and sometimes in ways that will effect my design. HOWEVER I am still responsible for MY PORTION of the work. That's life in the real world. The Bank's owners are responsible for the BUILIDING. I am responsible for the DESIGN. Yes, their actions can affect my design and I can get sued over it. It happens all the time. That's why most Architects I know won't do Condos anymore; the condo owner's association sues the pants off of the architect the moment the roof leaks even tho' the architect had nothing to do with the problem. That's life. You try to prove that the roofers were the problem (if that's the case) or you pay and move on if it was your fault.
2. What's your point with the '1000 years ago' point? I don't understand what you are trying to say.
3. I disagree that other engineering disciplines know EXCACTLY how their product will be used. They don't. But they do know that they have to MEET CERTIAN REQUREMENTS in both safety and performance. Yes, Ford knows that their cars will be used as cars; but they have no idea how I will modify and change their car once I own it. and if I change it, and it kills someone because of my change- well that's my fault. Or if I use the car in a way that wasn't intended, like living out my Dukes of Hazzard fantasies- remember that I can try to sue Ford, but it's pretty obvious that Ford is say that the car is safe UNDER CERTIAN CONDIDTIONS and not ALL CONDITIONS. The courts mostly understand this too.
4. 'When we design and build a system it has to do X many things, work in an environment that we have no control over, interact with components we don't have control over, may be used in ways we have no control over and is still expected to work.' ---- Welcome to real life, kid.
5. 'Software is a FAR more complex art than any other form of engineering.' --- this is just sad, and shows your complete ignorance of anything outside of software development. You really need to look beyond yourself, and see that there is more to the world than your invisible cathedrals of code, man.
Look, I'm just saying that if/when a product doesn't perform as it is advertised as that I should at the very least be able to return it and get my money back. ANY OTHER THING IN THIS WORLD that would be the case. I buy a CD and it doesn't play- I go get my money back. I buy a tire for my car and it blows out in thirty days- I get my money back. Why is software so different?
Jeffrey McGrew
The printer driver wouldn't have such an impact if the operating system had been designed properly.
Instead it's designed to expect everything to work perfictly all the time so a minnor defect in an idle printer driver could crash compleatly unrelated programs like security software ripping massive holes in the system.
Windows was designed to be a multitasker for Dos programs. Reliability wasn't a big deal as compeating multitaskers would usually crash simply becouse the dos application wasn't coperating. Users expected this.
But with Windows no longer running "I want total control dam it" Dos applications it continues to have the same design.
Operating systems that are made to be operating systems don't tank when a printer driver screws up.
When a video driver crashes you lose video.. that sucks... but everything else works...
Keyboard driver crashes... shut down with the mouse.
When I had video, keyboard and mouse drver problems I ran a TV 100 on my box.. at worst the computer continues to work.
Yes Microsoft can't be called to blame when a printer driver tanks.. they can when that causes a BSOD.
The damage should be limited to the printer driver....
On anything else it would be...
I don't actually exist.
A copy is the program itself, regardless of medium.
OK, I was unclear. By "the copy is the medium", I was referring to the definition of "copies" in 17 USC 101: "'Copies' are material objects, other than phonorecords, in which a work is fixed by any method now known or later developed, and from which the work can be perceived, reproduced, or otherwise communicated, either directly or with the aid of a machine or device." Thus, a CD containing the Windows operating system is a copy of Windows, and a hard disk with Windows installed on it is a copy of Windows.
"You own the copy, but we own the program."
Will I retire or break 10K?
If someone sends me a spreadsheet with macros in it does that mean that they are a software developer and supplier?
If not, then what about an application written on top of a DBMS?
What about a web site containing dynamically generated pages?
If not any dynamic web site then what if it performs the same function as a piece of software - i.e. if it is a web front end to an application?
If the last is not what about a application provided by an ASP where users some other type of client? This could include most applications that could be provided as shrink wrapped software.
What about a Java applet in a web page?
I suspect that if this happens it will have to be narrowly defined. Ideally it will be targetted at software vendors so as to avoid hitting people who send out spreadsheets with macros in them. But the moment a word like sale is used it lets free software off the hook.
Maybe I am being optimistic but this could work out very well indeed if it happened - although I think it is unlikely that it will as the entire software industry will claim that they will go under (think of the jobs! think of the children!) if it does.
Most of what I've seen here is people complaining about how it can't be done, how it will wipe out opensource or just whining about how hard it is.
Just create a new "Category" of software, call it "industrial strenth" or something like and the ftc can let you place the "Industrial" seal upon it. Charge outrageous rates for your industrial software. (of course you have to put your money where your mouth is) Some deveopment firms will be up for the challenge.
If peeople are losing 60B a year on buggy software, you can be assured that they will pony up for industrial strength software. Frankly, the world needs it.
I think he was trying to bring in the idea that the software world changes far far faster than any other engineering profession (save perhaps electrical engineering) and that, say, something designed 30 years ago in the software world is like a civil engineer trying to work with buildings built a thousand years ago. It's a fairly flawed analogy, and besides that it doesn't make much sense.
5. 'Software is a FAR more complex art than any other form of engineering.' --- this is just sad, and shows your complete ignorance of anything outside of software development. You really need to look beyond yourself, and see that there is more to the world than your invisible cathedrals of code, man.
Actually I've heard of this before, occasionally from engineering professors with experience in many disciplines. I wouldn't go so far as the original poster and say it was "FAR more complex," and it's obvious the original poster underestimates what is required from other disciplines.
I buy a tire for my car and it blows out in thirty days- I get my money back. Why is software so different?
Because then you start getting copyright protection arguements. I used to see a few places that would rent out PC games like 7th Guest when they first came out, but you don't see that anymore, because of the piracy worries. Once you open the package, it's bonded to you for life. :P You can exchange it.. but only for the same package, since it's assumed that if the package is opened, then you still have the software installed on your computer. That's why you can't return software if you don't like it. That covers bugs and non-bug concerns.
when the software industry has licenses and accreditions. Those who can pay the tests will make more money and have more control over the software development process. If some design is bad, I can refuse to sign it and force a new better design.
Basically software developers well be able to gain more power over the process and how software is developed.
If such laws get created and take effect, then programmers had better get paid way better than they are now. Programming is the only "professional" career choice that's considered blue-collar and whose workers get treated as such. Same thing with networking and support. They expect us to work 24/7, take tons of tests, yet accept lowly pay. What's up with that? If we have to behave like doctors, then pay us!
Let me add one more item to your excellent list:
Microsoft set the standard for reliability (or lack thereof), and the driver writers simply followed suit. Blame goes to: Microsoft
Microsoft is the only company that can afford it. Do you think companies like VA Software can?
The day such a law passes, I will sell everything I own & buy as much MSFT stock as I can.