Slashdot Mirror

← Back to Stories (view on slashdot.org)

Outlining a World Where Software Makers Are Liable For Flaws

Posted by timothy on from the mattress-has-a-pea-beneath dept.

CowboyRobot writes with this piece at the ACM Queue, in which "Poul-Henning Kamp makes the argument for software liability laws. 'We have to do something that actually works, as opposed to accepting a security circus in the form of virus or malware scanners and other mathematically proven insufficient and inefficient efforts. We are approaching the point where people and organizations are falling back to pen and paper for keeping important secrets, because they no longer trust their computers to keep them safe.'"

20 of 508 comments (clear)

  1. Sure by recoiledsnake · · Score: 5, Insightful

    It will just cost 100x more, just like healthcare with the torts. Time to take out software developer insurance, similar to the healthcare insurance of approximately 1 million dollars a year paid by doctors these days.

    --
    This space for rent.
    1. Re:Sure by maliqua · · Score: 3, Insightful

      and software development grinds to a halt. opensource vanishes who's going to donate time to a liability.

    2. Re:Sure by Anonymous Coward · · Score: 4, Insightful

      It's very important we decimate the last industry the US has that's still mostly functional, profitable, and productive

    3. Re:Sure by mandelbr0t · · Score: 4, Insightful

      Give me a fucking break. First I was hired as a hacker, then I was told that I no longer had the required credentials to work in software, and now you want to tell me the degree I've gotten is the wrong one? Go fuck yourself. I have no problem carrying liability insurance, but this shared delusion that only engineers can possibly write good code is merely an attempt to make software development an activity of the elite. And people wonder where groups like Anonymous and LulzSec come from.

      --
      "Please describe the scientific nature of the 'whammy'" - Agent Scully
    4. Re:Sure by Amouth · · Score: 3, Insightful

      so a PE can get out of being liable for a badly designed bridge by putting the blueprints and the bill of materials on a sign before you get on the bridge?

      there is a point where i agree that the programmers should be liable for their code - to the extent that it shows negligence. the fact that software for so long has gotten away with "good luck, thanks for the cash" mentality is kinda sad.

      I am a programmer - and i would be willing to stand behind my code used in the environment for which it was intended.. but at the same time i would want to be compensated for the risk.. same way a PE gets compensated based on the scope of work they have to sign off on.

      --
      '...if only "Jumping to a Conclusion" was an event in the Olympics.'
    5. Re:Sure by Daniel+Dvorkin · · Score: 3, Insightful

      Ah, idealism! The proposed law, with Clause 1 in place, and enforced, doesn't sound too bad. Do you really think that's the way it would work? In the real world, any software liability law would be written by lobbyists working for Microsoft, Oracle, Adobe, EA, et al., and there is no way in hell it would make life easier for open source developers than for the big commercial developers.

      --
      The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
    6. Re:Sure by 0123456 · · Score: 1, Insightful

      If Console game developers can put in the added effort to make a product that is reasonably bug free, or is otherwise unplayable, back before consoles could update the software then I'm sure MS can debug Office a little bit better before shipping.

      Office has a heck of a lot more code than Atari 2600 Space Invaders. And a heck of a lot more ways to interact with the user.

      Office bugs aren't 'I press the left button and go right', they're 'I embed an Excel spreadsheet with 500,000 columns and when I change the font to 96-point Comic Sans the first column displays in the wrong font'.

    7. Re:Sure by slippyblade · · Score: 4, Insightful

      am a programmer - and i would be willing to stand behind my code used in the environment for which it was intended..

      ROFL! Wow, you actually expect liability to be limited to the scope the product was INTENDED? That ranks up there with lawsuits against toys because little jimmy choked on a Lego brick or Peggy Sue shoved a jet fighter figure up her nose and shot the plastic missile into her sinus. There is no limit to the stupid and out of intended uses people will put things. There is NO SUCH THING AS IDIOT PROOF. The world keeps making better idiots. If this becomes law, at some point you WILL be sued. No ifs, ands, or buts about it.

    8. Re:Sure by Anonymous Coward · · Score: 4, Insightful

      the fact that software for so long has gotten away with "good luck, thanks for the cash" mentality is kinda sad

      Genuinely critical software isn't usually handled like this.

      The whole premise is retarded. You want guarantees? Great, we already have a handy tool of commerce for that. They're called contracts. Just a heads-up... it's going to cost more.

    9. Re:Sure by dohnut · · Score: 5, Insightful

      No, licensed engineers just cover their asses better.

      Or do you think the engineer should be held liable when someone parks a 30 ton vehicle on a bridge rated for 10 tons and the bridge fails? Well, then why should a software developer be held liable when the software asks you to enter your name and, instead, you feed it data which causes a buffer overrun which allows you to root the database server and steal everyone's credit card numbers? If you would have just entered your name correctly that never would have happened. A clear case of misuse if I ever saw one.

      I think software developers should be liable but the liabilities need to be defined first. And if someone hacks the software outside of the scope of the security standards and practices that have been set by the government, put in place correctly by the developer and verified by the assigned regulatory bodies then there is no liability if something goes wrong.

      Meanwhile the cost and time required to develop software will skyrocket. If you need any evidence of that, just look at how much time and money it takes to build a bridge these days.

      --
      Stupider like a fox! - H.S.
    10. Re:Sure by Microlith · · Score: 4, Insightful

      They already have the beginnings in place.

      It's called "patent indemnification," which they insist that vendors must have. Yes, effectively "patent violation insurance" to keep other companies off your back. Granted it's not entirely "liability insurance" but it's a step towards the state where you cannot develop software independently, but instead must be under the thumb of some larger corporation (or somehow have millions in insurance) to write and distribute software.

  2. Another law? No thanks. by PhxBlue · · Score: 2, Insightful

    "There should be a law!"

    No. No, there shouldn't. There also shouldn't be disclaimers that "this coffee can burn your ass," "don't point this gun at your face" or "don't use this curling iron to stir your bathwater while it's plugged in."

    If organizations see pen and paper as the only alternative, then they're probably getting the quality of IT support that they're paying for.

    --
    !#@%*)anks for hanging up the phone, dear.
    1. Re:Another law? No thanks. by shutdown+-p+now · · Score: 3, Insightful

      The buyers bewared, ganged up together, and started to act pre-emptively.

    2. Re:Another law? No thanks. by Ichijo · · Score: 3, Insightful

      The author is talking about making the producer of bad software liable, just as we would hold a gun manufacturer liable if the gun blows up in a person's face.

      --
      Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.
  3. Great idea by grimmjeeper · · Score: 1, Insightful

    Yeah, let's drive the cost of software through the roof. That will solve everything! Companies will employ a lot more people to do testing but will still have to invest in huge insurance policies just in case they miss something. Your next copy of Windows will cost more than a well equipped car.

  4. Engineering liability by Anonymous Coward · · Score: 2, Insightful

    I need you to design a bridge. We've already promised the customer that it'll be light and strong, but we only have budget for paper (so we're ok on 'light', just make sure that it's strong), and the deadline is next Monday.

    If you think it can't be done, I have the "outsourcing provider" on the phone telling me that there are 500 engineers who would do it. I need an answer in two hours. I know that you've just bought a house and have a new baby on the way, so think again before you protest.

    By the way, we've also accepted liability. If anything goes wrong, I'll say that you told me it wasn't a problem.

  5. People need to stop equating software to buildings by Derekloffin · · Score: 5, Insightful

    You can overbuild a house, it generally makes it stronger. You over code a piece of software it just adds to the number of possible points of failure. The two really aren't good analogies for each other. That doesn't even consider things like how maintenance of both is handled, interactions of hardware, varying setups, and just simple complexity.

  6. Re:From TFA ... by bloodhawk · · Score: 1, Insightful

    So what the law is actually proposing is a way to punish commercial companies while letting open source developers off. I would love to see better security from everyone (open source developers included), but idiotic laws like these wold just drive up costs of development to ridiculous levels.

  7. I proposed something similar in 2000 by Animats · · Score: 3, Insightful

    I proposed, back in 2000, that Microsoft be required to provide a full warranty on their products as part of their antitrust remedy. "Full warranty" has specific meaning in US law; see the article. A few vendors have provided full warranties and not found it too expensive. Notably, GTech, which builds gambling systems, is held financially responsible for errors made by those systems. This costs GTech less than half of one percent of their revenue.

    It's time for the computer industry to grow up and take on warranty responsibilities. The auto industry had that forced on them by Congress in the 1960, over the screams of the auto industry. Cars rapidly became safer and more reliable.

  8. Re:Crash! (Web of responsibility) by Paul+Fernhout · · Score: 3, Insightful

    "Wouldn't you hold the software developer accountable for that?"

    Which gets to why this idea by itself won't work.

    First, who is the "software developer" of a system that uses lots of modules from a variety of vendors (including hardware aspects)? You have an entire ocean of people involved with a big project like that from designers to coders to testers to users...

    Second, companies will just use corporate law to create liability shields where each part that could go wrong will be in its own sue-able unit with minimal assets.

    Third, let's say something does go wrong, and you can point at a bit of offending code. But, was that really the problem? What about the compiler not smart enough to catch a *semantic* error? What about the simulators that were not good enough to discover the bug in advance? What about the testing procedures? What about the broken CS training programs that focus on theory and not practice? What about the managers who picked a poor development platform because it was popular? When you can go up a chain (or web) of responsibility, why blame the coder at the bottom when there are so many factors involved in making that accident, some of which operate on different timescales?

    This whole issue is part of the reason why things like Forth and Smalltalk were so wonderful as small and understandable self-reflective systems, but we got mainstream adoption of buggy C/C++ and bloated Java instead. When the plane crashes from a pointer error, maybe we should blame those who did not choose to support Smalltalk decades ago?

    --
    A 21st century issue: the irony of technologies of abundance in the hands of those still thinking in terms of scarcity.