Slashdot Mirror

← Back to Stories (view on slashdot.org)

Should Developers Be Sued For Security Holes?

Posted by samzenpus on from the who's-to-blame dept.

An anonymous reader writes "A Cambridge academic is arguing for regulations that allow software users to sue developers when sloppy coding leaves holes for malware infection. European officials have considered introducing such a law but no binding regulations have been passed. Not everyone agrees that it's a good idea — Microsoft has previously argued against such a move by analogy, claiming a burglary victim wouldn't expect to be able to sue the manufacturer of the door or a window in their home."

24 of 550 comments (clear)

  1. Nah by Anrego · · Score: 5, Insightful

    I think excessively poor software should result in some form of negligence ... but general “can happen to anyone” type bugs.. no.

    You can buy software with a (real) warrantee attached. In general this costs a fuck tonne of money because they are accepting a fair amount of liability. Even in a very horizontal market, the price increase for accepting that liability is going to be way more than anyone can afford.

    You get what you pay for. Want software that is very secure and unlikely to have serious bugs.. you can get it.. but it’s gonna cost more than you are willing to pay if you don’t really _need_ that level of support.

    1. Re:Nah by Mitreya · · Score: 4, Insightful

      excessively poor software should result in some form of negligence ... but general âoecan happen to anyoneâ type bugs.. no.

      And how do you define the difference?
      Based on the quality of code?
      Based on the amount of unit testing that was (provably) performed?

      This will start a slew of software that is only warranted under specific OS/software configurations (and then installing an aggressive anti-virus or not error-checking your RAM chips regularly would void your warranty).

    2. Re:Nah by mcvos · · Score: 4, Insightful

      Some things, like allowing SQL injection, might be considered negligence. But no programmer can possibly guarantee a complete absence of bugs, and any bug can be a security hole. It takes time and money to track them down. If you don't give them that time and money, you can't expect perfect security.

    3. Re:Nah by Shikaku · · Score: 4, Interesting

      Simply requiring encryption when handling something sensitive like credit card info is a start. See: Sony and the PSN disaster.

    4. Re:Nah by tomhath · · Score: 4, Insightful

      So how do you define "sensitive"? There's no end to it; once you open the door a good lawyer can can convince a jury anything.

    5. Re:Nah by marcello_dl · · Score: 5, Funny

      I dunno, as an indie dev you can change the warranty in the license of your software, stating that
      "This software will occasionally test your hardware by deadlocking it, perform random functions regardless the user inputs, and make hardware resources available to the cloud, specifically to the latest botnet makers."

      So it always performs as planned :)

      --
      ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
    6. Re:Nah by ColdWetDog · · Score: 5, Insightful

      Are you guys crazy?

      Do you realize how much bridges cost?

      --
      Faster! Faster! Faster would be better!
    7. Re:Nah by Opportunist · · Score: 4, Insightful

      The problem is that the market is by definition asymmetric. The customer usually knows jack about the implications of security concerns. If people had any idea of security, Facebook wouldn't be a success.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    8. Re:Nah by rtb61 · · Score: 4, Interesting

      What really needs to be tackled is the insane and deceitful difference between software marketing, software warranties and software EULA's. The worst examples of corporate disinformation and outright lies ever seen by man. It's like the very worst of snake oil con men from the 19th century all joined the software sales business, with all sorts of lies printed on the outside of the label but once to consume it's contents all the disclaimers, once hidden by it's contents appear on the inside of the label and this is insanely and corruptly enough is now accepted as normal practice, led by M$.

      --
      Chaos - everything, everywhere, everywhen
  2. Would stop a lot of development by Burdell · · Score: 5, Insightful

    If it was possible to prevent all security holes, this wouldn't be a bad idea. However, it is provably impossible to do so. This would just create a new inurance industry, profiting from others' mistakes. It would really only serve to cut down on development, especially from small companies and individuals that couldn't afford to make a single security mistake (or insurance against lawsuits).

    1. Re:Would stop a lot of development by arth1 · · Score: 4, Informative

      If it was possible to prevent all security holes, this wouldn't be a bad idea. However, it is provably impossible to do so.

      This is true. However, I still think it should be possible to sue for gross negligence. Like lack of input validation, or storing passwords in plain text, or installing everything world writable.

      That's like a bike lock manufacturer whose locks open if hit with a shoe, or a car manufacturer whose cars start if you roll them dowhill and put them in gear, even without an ignition key. Both existed, but would be considered gross negligence today.

      I don't expect software to be perfect, but I do expect it to not be outright stupid.

    2. Re:Would stop a lot of development by VortexCortex · · Score: 4, Interesting

      Turing already did. This reduces to the halting problem.

      That's incorrect. The halting problem deals with finding a general purpose algorithm that applies to all cases, but we're talking about solutions to specific problem sets, which absolutely can and do exist.

      I've written assembly programs, especially drivers, that were provably free of all bugs: Every series of opcodes did EXACTLY what it was supposed to do under all possible inputs. It's infeasible to develop all software in such a rigorous manner only due to cost, not due to some fault of the hardware or its software (the opcodes).

      I didn't have to test my driver over an infinity of inputs because the hardware had a finite set of possible inputs. The bits are limited -- We don't have Turing's infinitely long tape as a CPU word size.

  3. Sure by BigSlowTarget · · Score: 5, Insightful

    What we need is more and richer lawyers and frightened software developers with malpractice costs bigger than doctors. Perhaps we can eventually make sure all code is only developed by giant corporations made up primarily of legal defense teams dedicated to patent exploitation and liability control with tiny development arms tagged on the end.

  4. Windows by MrEricSir · · Score: 4, Funny

    Microsoft has previously argued against such a move by analogy, claiming a burglary victim wouldn't expect to be able to sue the manufacturer of the door or a window in their home.

    Interesting choice of words there!

    --
    There's no -1 for "I don't get it."
  5. Bad Analogy by ZombieEngineer · · Score: 4, Informative

    You can not sue a door or window manufacturer for failure of your action (leaving the door / window open).

    You should be able to successfully able to sue a door / window manufacturer for failing to provide the request product (i.e. seal the opening).

    That then hits the ugly question of what is "reasonable". Did the manufacturer provide a reasonable product that provided the expected level of security?

  6. Engineering Discipline by DemonGenius · · Score: 4, Insightful

    If software development was an official engineering discipline that required P.Eng designation, then maybe this case would have more legs. Even then I'd be in disagreement. Otherwise, hell no, HELL NOOOOOOOOOOOO!!!!!!! That is definitely one way to drive people away from a career in software development. This actually seems like a sneaky way for management to evade culpability if their product harms a customer/user.

  7. Betteridge's law of headlines by fiannaFailMan · · Score: 4, Insightful

    Sue the actual developer? How would you propose to do that if they're working for an incorporated company with limited liability?

    --
    Drill baby drill - on Mars
  8. Re:Short answer: No by Anrego · · Score: 5, Insightful

    It'll have very little impact on actual code quality.

    All that will happen is:
    - software prices will increase
    - a whole insurance industry will spring up around it (think malpractice insurance)..
    - people will specifically seek out stuff developed by small shops and try to break it specifically so they can sue..
    - producing software will become so expensive and require so much up-front investment that indie devs will be SOL
    - the big guys will keep producing shit, and just protect themselves behind lawyers (and feed the cost back to the customer)

  9. Re:For "sloppy coding"? Definitely! by Ronin+Developer · · Score: 4, Insightful

    Why should FOSS get a bye? What user really has the time to validate the code, line by line, to search for security weaknesses BEFORE using it? No. Users expect the software, free or commercial, to work as advertised. And, given the "superiority" that FOSS pro-ports over commercial software, maybe they should be held to an even higher standard? Didn't think you'd want to go there.

    In many ways, FOSS would find itself encountering lawsuits despite the "good samaritan" approach it provides. Loss, whether it be from something you paid for free, is still a loss and, in our litigious society, fair game.

    No, leave it to an academic to propose making individual developers liable for each line of code they right. This will destroy the entire IT industry (and, most institutions) in a sweeping blow. Who could afford the "malpractice" insurance given the wide-spread dissemination of most commercial and FOS software?

     

  10. For those who didn't RTFA by dkleinsc · · Score: 4, Informative

    They aren't talking about suing the individual programmers, they're talking about suing the software companies. Specifically, they want to disallow this kind of language very common in EULAs (this is taken from an actual EULA, name omitted to protect the guilty):

    _______ and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this product, including all implied warranties and conditions of merchantibility, fitness for a particular purpose, title and non-infringement. In no event shall _______ and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of this software.

    The translation of this clause out of legalese is "No matter what happens, you can't sue us, we're not responsible. We don't promise that this software is even remotely like what we advertised it to be."

    --
    I am officially gone from /. Long live http://www.soylentnews.com/
  11. Re:like other engineering fields by Todd+Knarr · · Score: 5, Insightful

    OTOH a professional engineer differs from a software developer in one key way: he can't legally be overridden on safety matters. If management orders him to use steel that doesn't meet spec for the bridge's designed load, he can refuse to sign off on the plans and if the company tries to fire him the company is the one who'll end up in legal hot water after he reports them. If you want to make software developers responsible in that same way, you need to give them the same authority and immunity to repercussions for using that authority.

  12. Doors vs Vault Doors by holophrastic · · Score: 4, Interesting

    Just like anything else, pay for whatever guarantee you desire. If you want your software created in record time, for a low cost, then the bugs are a part of the equasion. If you want secure coding, then you'll get to pay for it in time and money. It's always been that simple. You don't sue the manufacturer of your house door, but you do sue the manufacturer of your bank vault door. The difference in cost is tremendous.

    It's rare that my clients ask for proper security. But for the elements that they do indeed want to protect, they pay for me to do my very best work. And you'd better believe that they hold me responsible and often accountable for significant problems should they result.

    But in the end, it's all just insurance anyway. If a client of mine wants a particular e-commerce feature to be super-secure, then they'll ask me to pay for any dollars lost due to bugs. I know that I'm not perfect, and of the thirty possible bugs, there's a small chance that I'll fall into one or two of them, and a partial chance that I won't catch it before it's exploited. So while much of the added price is for me to sit there and check things closely, the rest of the added price is for me to accumulate in the event that I need to pay it back. Over multiple clients and multiple exploits, that's the only way to do it.

    The obvious alternative of checking things even closer winds up being far more money, and is only really relevant when physical safety is an issue.

  13. It would be the end of OSS by Sycraft-fu · · Score: 4, Insightful

    While OSS zealots like to think it is bug free, it isn't. Bugs can and do happen in OSS. Well who the hell is going to contribute to a free project if they know they can be sued for it?

    Also it would lead to way less flexibility in software. Vendors would restrict what you could run and how you could run it. That is what you find in real high end systems where problems aren't ok. They are very expensive, they only do what they are designed to do, no installing arbitrary software, and upgrades are very slow in coming.

    So long as you want your system to be the wild west where you can install whatever you like, use it in any way you like, and be nice and cheap then you have to accept that problems can and will happen. If you want verified design you can have that, however you need to be prepared to pay the price both in terms of money and in terms of restrictions.

  14. Re:Short answer: No by Anonymous Coward · · Score: 5, Insightful

    As a professional engineer in a closely related field (industrial control systems), I disagree. What is required is a degree of rigour in design to remove systematic errors as much as is humanly possible. Engineered products still fail, and end-users may sue, but the test is simply whether the engineer, or developer in this case, took all *reasonable* measures to limit errors.

    Long overdue in the software development profession, IMO. It's time we grew up.