Negligence and Open Source

icing asks: "With the story about the Melissa trial, some people argue that Microsoft is partly to blame. Negligence in making a product safe to use, cannot be excused. And again, software is compared to real world things like cars and how car makers could not get away with what Microsoft is doing. Does not the same argument apply to makers and distributors of open software? Could makers or distributors of Open Source be held liable? Under which conditions? Or do we have a double standard here?" Hmmm...a touchy issue. What are your impressions?

Not a double standard

[bravehamster]

I think the difference here lies in the fact that Microsoft (or whoever) is selling them a closed product. Because it's closed, it's Microsoft's responsibility to make sure that everything in the code is "safe", and they should be held liable if it isn't.

I think the best analogy to use in this case is something like kit airplanes. If you buy a whole, complete airplane from a manufacturer (closed source) and it blows up in midair, you naturally and rightfully blame the company that made it. However if you buy a kit plane, put it together yourself, and the engine drops out of the plane in midair, you have only yourself to blame.

So, following this analogy, closed source companies should be held liable, because some things are hidden from the consumer, and open source companies should not, because the customer is able to see _exactly_ what they're getting. This would encourage many companies to switch to an open source model, don't you think?

Implied Responsibility

[NotQuiteSonic]

By selling the software to an individual, Microsoft should have a responsibility to make "safe" software. Comparing it to auto manufacturers is reasonable. Microsoft should hire "software engineers" who are professionally licenced and insured to sign off product as safe.

Open source on the other hand shouldn't have this responsibility because it is given out for free. The the responsibility exists with the individual who implements the systems. If I designed a car and left the drawings open source. I would never be held liable for the car if it proved to be a defective design. If I sold the designs, I would.

If someone else sells my free drawings, maybe they should be liable as well.

It's Much Less Of A Problem With Open Source

[Bruce+Perens]

Disclosed source-code software has much less of a problem with negligence since the user and distributor are able to perform due diligience on their own - if the user has something to lose they can check the code or read other people's reviews of the code and protect themselves from damage. If there is damage due to negligence, the fault is at least in part the user's because they had the power to protect themselves.

This is not the case with Microsoft's non-disclosed-source-code software - they don't give the customer the power to check or fix their negligence, thus the negligence is all theirs.

True Open Source in general declines warranties because the software is distributed gratis or at very low cost. Of course, you have the option to make a contract with a support provider who might provide you warranties against negligence. I don't think it's likely that a provider of gratis software, Open Source or not, would be found liable for damages he explicitly disclaims. I'd like to hear of any cases where this has happened.

Thanks

Bruce

What about support contracts?

[dsplat]

While both open source and shrink wrap licenses disclaim liability, what about support contracts? When a security hole is known, especially when it is reported to the company providing the support by someone with a support contract, I would think that the courts would be much more likely to find that company liable if they made no attempt to remedy the problem or at least warn their customers of it.

Let history repeat itself...

[evil9000]

Let history repeat itself. It took car manufactures well over 20 years to start incorporating saftey features into their vechicles, but until that happened, the only people complaining about how unsafe cars were were the people who cleaned up after the accidents (ie Doctors, nurses, etc).

This all changed with the Nadar report - and the publicity it generated in the media and the public eye.

What needs to be done is to increase people's awareness of how bodgy the Micro$ server code is, and how only the micro$ exchange servers were the ones that were affected adversly by the Melissa virus...

All software is Buyer Beware

[NateTG]

There have been several posts claiming that Open Source software has less necessity for security, or safety. That the GPL somehow exonerates OSS in some way that the MS EULA does not. All of this is bunk.

If OSS software is really a general purpose solution then it must meet as stringent a security requirement as any other such solution. For all of those Linux evangelists out there, we can't claim security as an advantage in on sentence, and then claim less resposibility for it in the next without sounding silly.

What Linux does have is a better testing system, a more heterogenious and reliable user base, and a significantly better bug response method.

The concerns about safety, be they virus propogation, data integrety problems, or uptime/essential systems issues. Are the responsibilty of the system's administrator. Any system can be made secure by a careful admin, and any system can be made unsafe by running unknown (read closed) software.

The reality is that computers are so complicated that Admin's (for that matter developers) cannot go through the code checking all cases in some perverse proof of correctness. Making software engineers sign off just means that someone who really isn't responsible for having a buggy or defective piece of softwar can be canned for the zealous marketing and management of his company.

If a company claims that a system is secure - e.g. NT according to MS or perhaps Open BSD then the company could be considered liable if:
a) It fails to take reasonable measures to make sure that said product is secure.
b) Refuses to respond to security issues as they arrive.

The software you buy is always as is. Beware.

Re:Double Standards

[coyote-san]

Much of the "double standard" you refer to are due to the profound differences in the way each group operates.

All proprietary software vendors operate with the implicit (or not so implicit) assumption that They Know Best. They may give lip service to serving the customer's needs, but when push comes to shove they (or in a few cases, a client with a very thick wallet) decide what is done, how it is done, how long it is supported, etc. Because the customer can't look after his own interests, the company is required to assume some measure of responsibility for doing it on the customer's behalf.

In contrast, all open source projects operate on the assumption that the Customer Knows Best. We hope that our code solves the problem as-is, but we embrace customers who are willing and able to modify the source to fit their needs exactly. In general, all we ask in return is feedback (in the form of modified source code) so that we can drift the main source tree towards the customer's requirements, if there's general consensus that the changes are improvements. Not every customer is competent to judge whether the open source project poses an acceptable risk, of course, but they *can* take a hint from the fact that other customers can and do provide updates to the source code.

Besides the staggering difference between these two ideals (and what it appears to do to the psychological profile of each camp), there's a fundamental difference in terms of the law. A proprietary software vendor can, and is expected to, maintain exclusive access to the software. This incurs a significant legal obligation since they, alone, can modify it. In contrast, an open software vendor not only does not maintain exclusive access to the software, he can't force the people downstream to use the latest version of the software or to retain changes made for the purpose of minimizing risk. Meta-legally, you can only be held responsible for acts you control. (That's why many people are *deeply* troubled by the laws that criminally punish parents for the acts of their minor children.)

Finally, it is worth noting that the courts can (and IIRC occasionally *do*) negate the "disclaimer of liability" statements found in shrinkwrap and open licenses.

They even come with a warning label

[Sloppy]

Damn straight! When someone buys Microsoft products, they know what they are getting into. All this whining about Microsoft products executing arbitrary code sent to them has been going on for years. When these products first came out, it was Microsoft's fault. But it's old news now. If you buy a known defective product with the expectation that when (not if, but when) it blows up, you can just sue the maker, then you are the negligent one. These products all come with a warning label in huge letters: the Microsoft trademark. How can a person possibly pretend they were ignorant of the danger?

I bet more people know about Microsoft these days than even the Ford Pinto.

The best way to improve software quality is for people to start taking responsibility for their decisions. If you buy an Internet product for your company from Microsoft -- a company with an established reputation and a known and consistent track record of repeatedly making horribly defective product after horribly defective product -- then you should get fired. It's as simple as that.

For people to keep blaming their problems on Microsoft is immoral. It's 1999 and if you're still using Microsoft products, then you deserve what's coming to you.

It's like you buy a '74 Ford Pinto, and it blows up and kills your son. That's bad, and it shouldn't have happened. You go to the pub to drown your sorrows in beer, and everyone else is also talking about how their Pintos also blew up and killed a loved one. Then you buy another Pinto. It blows up and kills your daughter. You buy another one, and it blows up and kills your wife. Who is your wife's ghost going to haunt: Ford, or you?

---

Charging $$$ and making false claims

[jabber]

I don't know if this is redundant, but...

The main differences between open source and commercial software on this matter is cost and claims. Lets look at a few points:

• M$ makes claims about the security of NT. They shout from a mountain top that NT is C2 compliant, and that higher security can only be achieved by disabling the networking features. (I worked at a software store when NT first came out. I wish I still had access to some of the 'sales point memos' that we got to help us sell NT.)
  
  
• M$ charges money for NT, and you presume that you're paying money for that security. After all, these are the advertised features of the product that you're paying for, right? Maybe there's a legal loophole to jump through in there somewhere (EULA?), but it seems pretty common-sense to me.
  
  
• M$ then fails to deliver on those marketting claims. What's more, M$ tactics 'require' that you buy new versions of software, which sidestep whatever security is in NT to begin with. (Word, Outlook - these products open up security holes you could drive a truck thru).
  
  
• For the OS bugs, M$ releases 'get-it-yourself' patches, or better still charges more money for the features you thought you paid for in the first place. And, M$ will not support the application induced flaws, because they're not part of the OS service contract.
  

It's akin to claiming to make an impenetrable door. Selling the customer a version with a doggie-door and plastic hinges instead. Then strong-arming the contractor into installing it with built-in plate-glass Windows. Then charging the customer for shutters, metal hinges and, oh yeah, a lock.

Linux is the alternative. It's free, and everyone knows (and keeps repeating) that it's written by the community. The quality disclaimer is implicit - it's written for fun, in spare time, by people who know (and love) what they're doing. You can look inside the door jambs and see how reinforced it is. You can put in a steel plate if you want - and there's plenty of people willing to tell you, and help you, get it done. For free.

Not only are you able to do this, but you are encouraged to do this. And, if security matters to you, you are given the means to take responsibility for the security of your system. This way, the responsibility is divided. You can check that the developer did his job, and if not, or if your needs differ enough to make it a special case, then you can remedy the situation.

With closed software, you are not given the choice of taking responsibility. Logically then, the full responsibility rests squarely on the shouders of the people who made the product.

If you don't like Linux, you can go out back, drag home one of the reinforced BSD doors, and hoist it into place youself. The cost? Your time.

The cost of securing an OS, be it from a big closed-source shop or from some freak in a Bazaar, is time. In the case of the former it's also money. And you don't get to see why it needs securing in the first place so you end up guessing or taking a priest at his word.

In the case of the latter, you can pore over the code to find the flaw, fix it and take it back to the freak. He won't give you money for your efforts, but he'll give your suggestion to his freaky friends for review - and you might get a free beer out of it.

-- Did anyone notice that the latest security innovation in NT2k is Kerberos security?