Front, Kernel, Security, Distributions, Development. See your byline here on LWN.net.

Create an account

Subscribe to LWN

Return to the Press page

LWN.net Weekly Edition for May 24, 2012

A uTouch architecture introduction

LWN.net Weekly Edition for May 17, 2012

Tasting the Ice Cream Sandwich

Highlights from the PostgreSQL 9.2 beta

Printable page

Weekly edition	Kernel	Security	Distributions	Contact Us	Search
Archives	Calendar	Subscribe	Write for LWN	LWN.net FAQ	Sponsors

Linux guru argues against security liability (ZDNet UK)

[Posted January 18, 2007 by cook]

ZDNet UK reports that Alan Cox addressed a House of Lords hearing on the topic of software security liability. "Cox said that it would be difficult to make open-source developers liable for their code because of the nature of open-source software development. As developers share code around the community, responsibility is collective. "Potentially there's no way to enforce liability," he said. The question of open-source liability becomes more complex because of how the code is used, added Cox. Open-source code is generally given away, but companies use that code to develop their own products. Cox said that there was a question of how liability would move from the initial developers to the companies."

(Log in to post comments)

Posted Jan 18, 2007 21:43 UTC (Thu) by stumbles (guest, #8796) [Link]

Who would have thought 15 years ago open source software would be
addressed in the House of Lords or a kernel maintainer would be there to do the
speaking..... this is a good thing.

Linux guru argues against security liability (ZDNet UK)

Posted Jan 22, 2007 22:15 UTC (Mon) by LowWeeklyNoise (guest, #39498) [Link]

Here's an excerpt from the GPL, for those that don't already know ;)

* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.

The argument that free software developers are liable for their software is nothing more than a load of FUD in the hope that people stop sharing code out of fear.

Of course I would not be suprised if some professional lobbyist have managed to get this on the agenda.

As read from the article with regard to free software development:
"Cox said that there was a question of how liability would move from the initial developers to the companies."

Cox misses an important point, free software developers are never liable to begin with, and is only spreading the confusion.

Linux guru argues against security liability (ZDNet UK)

Posted Jan 23, 2007 2:13 UTC (Tue) by malor (subscriber, #2973) [Link]

They're not liable NOW, but they could be. Governments are mulling making it illegal to sell or give away code without taking responsibility for any bugs it might have.

The clause denying responsibility doesn't mean jack if it's superseded by law.

liability vs. cost

Posted Jan 18, 2007 21:46 UTC (Thu) by stevenj (guest, #421) [Link]

Whether software-sellers should be liable for bugs, especially security bugs in their products, is an interesting question. Cox argues against it, even for proprietary software, because he claims liability would encourage vendors to prohibit use of third-party software (to prevent unforeseen interactions). Bruce Schneier makes a good argument on the other side, that a direct financial interest is the best way to make vendors secure their products.

Regardless, it seems clear that liability should not be used to destroy a key property of software: its zero marginal cost. Liability should certainly not be incurred when no money changes hands, e.g. when you download code from my web site.

liability vs. cost

Posted Jan 18, 2007 21:58 UTC (Thu) by stumbles (guest, #8796) [Link]

Yes I think holding either camp liable would not really solve anything. OTOH,
perhaps it should be looked at from a time frame point of view. If a software
seller does nothing with a bug for say, 3 months, the time frame would depend
on it's complexity, then let some liability clause kick in. Though I'm not
particularly fond of that idea either.

liability vs. cost

Posted Jan 18, 2007 22:47 UTC (Thu) by NZheretic (guest, #409) [Link]

From June 14 2002

In a recent speech "Fixing Network Security by Hacking the Business Climate", also now on Technetcast, Bruce Schneier claimed that for change to occur the software industry must become libel for damages from "unsecure" software. However, historically this has not always been the case, since most businesses can insure against damages and pass the cost along to the consumer.
The Ford Pinto and more recently the Ford Explorer's tires are two examples of public and media pressure being more successful than just threat of lawsuits. Even so, just as with the automotive industry, eventually though public pressure the governments around the world have to step in and pass regulations that set up a minimum set of requirements an automobile has to meet to be deemed "road worthy". This includes crash testing as well as the inclusion of safety equipment on all models. The requirement are not constant and change to meet the expectations and demands of the public and lawmakers.
The onus is not only on the automotive industry itself but also on the users. Most countries require that all automobiles undergo regular inspection and maintain an up to date "Warrant of Fitness".
In the same way, if you want a secure IT infrastructure, eventually the software design, implementation and each deployment will have to undergo the same type of regulation and scrutiny.

Read the rest in Our Data:an appeal - a "Plimsoll line" for apps

liability vs. cost

Posted Jan 19, 2007 14:47 UTC (Fri) by Tr0n (guest, #42662) [Link]

Does this apply to M$ stuff too?
:)

Linux guru argues against security liability (ZDNet UK)

Posted Jan 18, 2007 22:23 UTC (Thu) by cventers (subscriber, #31465) [Link]

I very much agree with Cox... and while I have much respect for the
champion cheerleader on the other side of the argument (Bruce Schneier) I
think the whole idea of putting liability for flaws on the vendor is
flawed.

I think that what should happen is that parties that actually control
sensitive information should be held liable for mishandling the
information. Companies will probably end up getting insurance, and
insurance will be cheaper depending on who your software vendor is, what
your procedures are and whether or not your network is certified by some
security standard. Insurance companies will have an interest in
determining whose solutions really are the most secure, and the lower
premiums offered by using those solutions will put pressure on companies
to choose those solutions, which should put pressure on the vendors to
offer secure solutions.

Putting liability on the vendors is insane -- what if the party that
actually lost the data was misusing the product or not keeping it up to
date? Should the software vendor then be forced to defend its good name
in court?

Liability is fraud

Posted Jan 18, 2007 23:23 UTC (Thu) by ncm (subscriber, #165) [Link]

This argument has been thoroughly debunked, many times. Experience with negligent liability in other industries, such as medical, demonstrates that the only beneficiaries are insurance companies and lawyers, in that order. Insurance companies don't vary their rates according to any criterion that helps matters; everybody pays through the nose no matter what their quality standards. Lawsuits are filed or not on spurious grounds.

For example, analyses of medical lawsuits show that who gets sued and for how much is almost completely independent of competence, and correlates overwhelmingly with a single quality: poor bedside manner.

Liability is fraud

Posted Jan 18, 2007 23:50 UTC (Thu) by JoeBuck (subscriber, #2330) [Link]

While it's true that liability lawyers sometimes profit unjustly, the gutting of government safety regulations caused by appointing former corporate lobbyists as chief regulators leaves no other check on those who would unsafely cut corners. Also, the lawyers take these cases on contingency, so if they lose, they get nothing for (in complex cases) years of work.

Also, especially for non-Americans: "American jury awards some idiot millions" makes your news, while "Appeals court throws out the idiot jury's verdict" usually does not.

Liability is fraud

Posted Jan 19, 2007 0:15 UTC (Fri) by drag (subscriber, #31333) [Link]

Well the 'check' that remains is the people themselves. In many situations people quite successfully regulate businesses that have no official government regulation.

In fact it's a cornerstone of a successfull capitalist society. Some people like to take that all the way and say that self regulation is quite superior to government regulation, but I don't take it that far. I figure the best solution depends heavily on the situation and only in a tiny minority of cases is government regulation justified.

There is quite a bit difference though from the standpoint of a company being liable for creating buggy software versus a company being liable for purposely creating buggy software to cut costs.

If, for instance, Microsoft produces a server that has a bug and that bug gets used to compromize a system, but Microsoft did release a bug fix in a resonable amount of time... then that is not Microsoft's fault.

However if Microsoft works specificly to obsifgate the problem and attempt to silence people trying to educate the public on problems... and that causes admins who are otherwise diligent to have vunerable servers that causes a data loss.. Then Microsoft is VERY liable.

Same thing with Open source companies, or any other software company.

In other words:

If a company produces bad code, then that's natural and people are able to regulate that company without any need for government. They can use public data produced by business/orginizations that monitor this sort of thing (example: Open source vunerability database, or Secunia) and educate themsevles. If a business consistantly produces bad code, then that business is going to go out of business. No need for government intervention.

However if that same company attempts to subvert the public's ability to regulate by doing things like lying about vunerabilities and attempting to hide the truth from people... as well as actively making it very difficult for people to fix the problem themselves, or discover the problem themselves, or replacing the bad software they produce with good software other people produce.... Then I absolutely seeing this becoming a issue for civil lawsuits.

Liability is fraud

Posted Jan 25, 2007 13:07 UTC (Thu) by ekj (subscriber, #1524) [Link]

True. But you gotta figure, when insurance against malpractice-claims for doctors in many states costs like literally a years salary, there has to be significant risk.

It's true the insurance-companies probably take a big thick profit, but there's still *some* competition in the insurance-business, so it's probably fair to assume that the real risk is in the 50-75% of what the premiums would indicate.

Which is, frankly, ridicolous.

There are several kinds of mistakes;

It *was* in actual fact a mistake, but given the information available at the time the decision had to be made, it was not possible at that point to see that the decision was bad. This is the most common type of mistake. (you decide to drive to work, the brakes are faulty. However you didn't *know* that they where faulty, and had no clear indications this was so)
It was in actual fact a mistake, but given the information available at the time the decision had to be made, it was perfectly understandable. It migth not have been the optimum choice, but it's the sort of mistake anyone will do sometimes. People are human. Humans err. (you decide to drive to work, the car has been pulling sligthly to the left when braking hard lately, you however decide it's probably a detail which can safely be left until the next routine-check-up in 2 months.)
It was a mistake, and it wouldn't have happened if the person responsible had been paying attention. (you decide to drive to work without a seatbelt on.)
It was a mistake, and it wouldn't have happened if the person responsible hadn't been behaving recklessly. (you just had half a bottle of vodka, but decide to drive back home anyway since it's freaking cold.)

It seems sometimes that large sums are paid in the US for mistakes that atleast appear to be of the first or second type. I ain't just talking of medical malpractice either, the above applies to tort in general.

In most of europe, there's not a cent to be had in situation 1. In situation 2 damages are limited to actual direct damages (not a cent for "emotional suffering" or similar)

Liability is fraud

Posted Jan 19, 2007 16:48 UTC (Fri) by stevenj (guest, #421) [Link]

"everybody pays through the nose no matter"

According to the Congressional Budget Office, "malpractice costs account for less than 2 percent" of health-care spending.

For example, analyses of medical lawsuits show that who gets sued and for how much is almost completely independent of competence, and correlates overwhelmingly with a single quality: poor bedside manner.

According to a recent study in the New England Journal of Medicine, the majority of claims (62%) involve medical errors, while an even larger majority (> 80%) of successful claims involve such clear errors.

On the other hand, the evidence of a deterrent effect on negligence from liability is apparently quite limited, although it seems that this is not an easy thing to prove either way.

Linux guru argues against security liability (ZDNet UK)

Posted Jan 18, 2007 22:41 UTC (Thu) by ibukanov (subscriber, #3942) [Link]

I also very much agree with Alan's arguments. On the hand I wish that users would not be that tolerant to bugs and would not accept software that crashes. If people refuse to buy products that crashes, more proprietary software vendors would open they code just for the sake of extra eyes.

Linux guru argues against security liability (ZDNet UK)

Posted Jan 19, 2007 0:06 UTC (Fri) by wahern (subscriber, #37304) [Link]

Still, in the state of Nevada you--as an individual medical doctor--might expect to pay upwards of $500,000/year for insurance. On the flip side, some surgeries which could take 6 months to schedule in British Columbia (because of the waiting lines and lack of specialists), can be done within 6 days in Nevada. Not sure what the implications are; likely none which are straight-forward.

Linux guru argues against security liability (ZDNet UK)

Posted Jan 19, 2007 8:53 UTC (Fri) by niner (subscriber, #26151) [Link]

But how would people know, that a software crashes, before they have bought it and experienced those crashes?

Linux guru argues against security liability (ZDNet UK)

Posted Jan 19, 2007 9:15 UTC (Fri) by ibukanov (subscriber, #3942) [Link]

Users can simply refuse to pay for software where the vendor rejects any liability. Then if software crashes or works badly the user can require the vendor to address the bugs.

In fact I have no problems with a law that states that users can get their money back for buggy software that does not meat the stated quality level while continuing to use it.

Linux guru argues against security liability (ZDNet UK)

Posted Jan 19, 2007 1:30 UTC (Fri) by error27 (subscriber, #8346) [Link]

I always call for Full Disclosure rules.

In California, business have to notify you if they lose your data. But software vendors like Microsoft can sell software claiming it's the most secure ever and they don't have to notify you if a vulnerability is found. So your business gets ripped off and you have to bear all the legal responsibility for Microsofts bugs.

Open source vendors like RedHat should have to notify you as well if they have vulnerabilities. Non profit software would be exempt.

Liability and binary-only software

Posted Jan 19, 2007 11:47 UTC (Fri) by dark (✭ supporter ✭, #8483) [Link]

I think the best policy is that you're liable for vulnerabilities in software you publish, unless you also publish the source code so that people can check for themselves.

Liability and binary-only software

Posted Jan 19, 2007 13:40 UTC (Fri) by forthy (guest, #1525) [Link]

Sounds clever, but I'm not sure how long that would last. Some idiot could always claim that the source code is unreadable (obfuscated), and therefore actually useless. And mind you, the last bittorrent page corruption bug showed that there is obfuscated code even in Linux.

As others said, the consequence of being liable in terms of money are insurances and lawyers, but not better software. I suggest the following: If a vendor is found liable, he has to free the source code, so that the customers can help themselves. Being liable depends on how long it takes for bugs to be fixed, and how often bugs are discovered - both signs of a poor quality standard.

Liability and binary-only software

Posted Jan 19, 2007 15:32 UTC (Fri) by nix (subscriber, #2304) [Link]

That code wasn't obfuscated, it was just convoluted. Obfuscation implies intent to conceal (or at least intent to be unnecessarily arcane, as in the IOCCC).

Liability and binary-only software

Posted Jan 25, 2007 13:10 UTC (Thu) by ekj (subscriber, #1524) [Link]

The source-code definition in the GPL will do.

Source-code is the prefered form for editing. Sometimes that is arcane, but that can't be helped.

If the program in question is your entry to the obfuscated C contest, and you infact wrote it this way by hand, then that *is* the sourcecode.

If however you used a program to obfuscate the code, then the input to that program would be your sourcecode. Despite the fact that the output from the program is also, technically, valid C-code.