
Schneier on free software and liability

Bruce Schneier has often argued that software problems (security-related and otherwise) will not go away until software vendors are made to take on liability for failures. Now he writes that such a regime would not affect free software. "The key to understanding this is that this sort of contractual liability is part of a contract, and with free software -- or free anything -- there's no contract. Free software wouldn't fall under a liability regime because the writer and the user have no business relationship; they are not seller and buyer. I would hope the courts would realize this without any prompting, but we could always pass a Good Samaritan-like law that would protect people who distribute free software."

Congress would give us a "fair compromise"

Posted Jul 29, 2008 17:22 UTC (Tue) by dmarti (subscriber, #11625) [Link]

In theory this makes sense. But in the US political system, the big telcos, cable companies, incumbent IT and CE vendors, and copyright cartels "compromised" on the DMCA without including authors, readers, or libraries (or Bruce Schneier).

So why wouldn't big software companies and large software customers "compromise" on a software liability measure that excludes direct-to-user free software?

The Radio Act of 1927 took a thriving broadcast amateur radio scene (the first sports broadcast was a ham covering a boxing match) and effectively shut it down -- no music or general interest talk allowed. Liability could easily give us something similar for sites hosting free software.

Congress would give us a "fair compromise"

Posted Jul 29, 2008 17:59 UTC (Tue) by drag (subscriber, #31333) [Link]

They (closed source vendors) have tried to do this to stop people from using Free software for anything involving government or state contracts that involve crypto.

When OpenSSL tried to get its FIPS certification, over and over again closed source vendors raised objections after they received the cert and got it stripped. It took many successful certifications until they got one that stood up against the closed vendors' objections.

----------

BTW.. The other open source library that is approved is NSS.

Which is probably one of the big reasons Red Hat is trying to standardize its distribution around that single crypto module. Which, from my perspective, is a pretty good idea.

So if anybody reads this that cares, it would be advantageous to make sure that any crypto you write into programs can be made to use NSS or OpenSSL. :)

Congress would give us a "fair compromise"

Posted Jul 31, 2008 11:02 UTC (Thu) by cortana (subscriber, #24596) [Link]

Out of interest, what is that FIPS certification good for? Does it cover a particular release of OpenSSL? Binaries of it compiled with particular options? Binaries of it compiled on particular systems with particular compilers and linking against other libraries that were compiled with particular options?

What happens when a distributor comes along and distributes their own version? I'm thinking of a certain Linux distribution that was in the news not-so-long-ago here... :)

FIPS certification

Posted Jul 31, 2008 16:43 UTC (Thu) by james (subscriber, #1325) [Link]

https://fedoraproject.org/wiki/FedoraCryptoConsolidation says:

> Products that perform cryptographic operations must be formally validated against the FIPS 140 specifications in order to be sold to the US Government. In addition, some businesses use FIPS 140 as a measure of quality of a given technology.

and

> NSS, in contrast, allows all applications to inherit the NSS FIPS validation status by following some simple rules detailed in the NSS security policy document.

Hope this helps.

FIPS certification

Posted Aug 1, 2008 11:05 UTC (Fri) by dps (subscriber, #5725) [Link]

I work for a company that sells hardware security modules that are FIPS 140-2 level 3 certified in various shapes. One of the options is to limit the hardware to FIPS 140-2, and the documentation explicitly states this does not improve security. The certification allows organisations that want it to tick a FIPS 140-2 level 3 box.

I am fairly sure that your FIPS compliance certificate only applies to a single version: any change inside the security boundary requires a new certificate.

OpenSSL and NSS cannot achieve FIPS 140-2 level 3 because this includes some physical security properties which are clearly impossible for downloadable software to implement.

Congress would give us a "fair compromise"

Posted Jul 30, 2008 0:24 UTC (Wed) by clugstj (subscriber, #4020) [Link]

In what "theory" does this make sense? The last thing we need is more government intervention. Software is buggy because the customers put up with it for the price they pay. When customers care more about quality than they do "features", the quality will go up (and so will the price by the way).

Schneier on free software and liability

Posted Jul 29, 2008 19:02 UTC (Tue) by shlomif (guest, #11299) [Link]

I think Schneier is wrong on this, and thought so for a long time. We don't need vendor liability for any kind of software. Furthermore "free software" and "gratis software" are hard to properly define. Would Red Hat Enterprise Linux be considered as software under liability?

I'd rather see more activity by users and open source developers on finding bugs in software, improving its quality, adding tests, and updating the system (a la Debian's apt-get) than enforcing software liability by law, which is likely to kill the software world as we know it, including the FOSS ecosystem.

Schneier on free software and liability

Posted Jul 29, 2008 20:38 UTC (Tue) by NAR (subscriber, #1313) [Link]

I disagree with you. Software is a product just like e.g. a shaving machine. If the shaving machine breaks down within two years, I can bring it back to the shop and get a new one. If I buy e.g. a game (which costs more than the shaving machine) and it doesn't work (i.e. incompatible with my video card), I don't get back anything, only the readability of the DVD is guaranteed for 90 days. Actually there are companies producing and selling software with liabilities - of course, they are not for general consumption.

> I'd rather see more activity by users [...] on finding bugs in software

I think that's a wrong idea. Would you expect car drivers to find bugs in e.g. the braking system of the car? Generally users shouldn't find bugs.

> is likely to kill the software world as we know it

I'm not sure if it's such a bad idea. In the software world as we know it, users are expected to tolerate crashes, hangs, reboots, blue screens of death, etc. and companies can make a fortune from buggy code.

Schneier on free software and liability

Posted Jul 29, 2008 23:08 UTC (Tue) by drag (subscriber, #31333) [Link]

The way modern economics work out it'll probably still end up being cheaper to write buggy code and do the pay off than it would be to do it correctly.


Schneier on free software and liability

Posted Jul 30, 2008 7:12 UTC (Wed) by ketilmalde (guest, #18719) [Link]

NAR wrote:

> If I buy e.g. a game (which costs more than the shaving machine) and it doesn't work (i.e. incompatible with my videocard), I don't get back anything,

I believe that, at least in my jurisdiction, I'll be entitled to a refund for non-working software as well. But that's beside the point, we're talking about liability for security problems here, not just working or not.

> Software is a product just like e.g. a shaving machine. If the shaving machine breaks down within two years, I can bring it back to the shop and get a new one.

There are a couple of differences here. A non-working shaver is simple to replace, and it'll only cost the production and distribution costs. Software with security issues can cost an unbounded amount. No way any software vendor will accept this kind of liability. No way any user is willing to pay the price for this kind of insurance.

A better analogy is that your shaver electrocutes your cat, and I'm not going to discuss liability in that case, as it's likely complex (and what kind of sick person are you anyway?)

Anyway: I think Schneier is a bit naïve, the principle is good, but this will be decided (for all of us) in Washington, where many agendas meet.

-k

Schneier on free software and liability

Posted Jul 30, 2008 10:19 UTC (Wed) by NAR (subscriber, #1313) [Link]

> There are a couple of differences here. A non-working shaver is simple to replace, and it'll only cost the production and distribution costs. Software with security issues can cost an unbounded amount. No way any software vendor will accept this kind of liability. No way any user is willing to pay the price for this kind of insurance.

Actually many software vendors do care about fixing bugs - they release patches even though it costs money and the patches can be downloaded for free.

> A better analogy is that your shaver electrocutes your cat,

Actually (at least in Hungary) all electronic devices have to pass some kind of tests, so they are safe to use and don't electrocute the cat. Every year there are some Christmas tree lights that are banned, because they would set the tree on fire and this is not good. I wonder if it would be possible to create a similar kind of tests for software.

Schneier on free software and liability

Posted Jul 30, 2008 13:35 UTC (Wed) by clugstj (subscriber, #4020) [Link]

"I wonder if it would be possible to create a similar kind of tests for software."

No, it wouldn't be feasible. Software is orders of magnitude more complicated than a "shaver".

I would recommend that you don't connect any high tension wires between your computer and your cat.

Schneier on free software and liability

Posted Aug 7, 2008 7:47 UTC (Thu) by ketilmalde (guest, #18719) [Link]

> Actually many software vendors do care about fixing bugs - they release
> patches even though it costs money and the patches can be downloaded for 
> free.

Sure, because it's sometimes in their interest to provide this kind of service to their customers. But they won't accept any liability for the consequences of those bugs.

> all electronical devices have to pass some kind of tests

Can you come up with a test that is sufficient to deem software (an operating system, say) secure?

Schneier on free software and liability

Posted Aug 1, 2008 12:49 UTC (Fri) by smitty_one_each (subscriber, #28989) [Link]

Also, there is a substantial difference in complexity between the shaver and a software system. A shaver is simple enough that a "reasonable person" can be expected to use one, if not design and manufacture it. Any non-trivial codebase can defeat all but the supreme masochist.

Schneier on free software and liability

Posted Aug 8, 2008 14:14 UTC (Fri) by Baylink (subscriber, #755) [Link]

Certainly RHEL would be something Red Hat would have a liability to you for -- IF YOU PAID THEM FOR IT.

I can't understand why this isn't clear to anyone who read TFA.

RH engaged in a commercial transaction with me, so they are liable to me.

CentOS didn't, so I take the software *AT MY OWN RISK*, *just* like it says in the licence.

Schneier on free software and liability

Posted Jul 31, 2008 19:35 UTC (Thu) by ddaa (guest, #5338) [Link]

I am not sure that Schneier is right here, although he is certainly in the top percentile of cluefulness in the computing community about such issues. I am however certain that we do need some sort of liability for insecure software.

Currently, a pay-big-bucks software vendor can sell something insecure as hell, to users that won't perform security upgrades, letting bad guys compromise a bunch of systems and use them for antisocial purposes.

In the status-quo, the liability lies with whoever is performing the antisocial activity. But the job of bad guys is greatly facilitated by the carelessness of the rest of the society. In effect, insecure software vendors and users are polluters. They pollute the internet with exploitable systems.

The current situation is a case of tragedy of the commons. The only way to fix tragedies of the commons is to turn externalized costs into internalized costs. In the context of software, that means making either the users or the vendors liable for insecure software.

Please prove me wrong.

Schneier on free software and liability

Posted Aug 9, 2008 5:14 UTC (Sat) by Duncan (guest, #6647) [Link]

My preferred approach ends up pretty much the same place Schneier does, but gets there differently. I'd simply make the EULA bit about disclaiming liability entirely unenforceable (they can't disclaim it) if the code wasn't available to examine or to have a trusted representative (for those who don't read code themselves) examine. If it's a black-box, they don't get to disclaim responsibility for what's in it. If it's a transparent box, the code is available to examine without fear of being sued for using the same ideas (even if it's not entirely free to copy/modify), then and only then could they disclaim liability.

The effect would be not to /ban/ code without source available, but to drive up the cost and provide a strong incentive to make the sources available for examination, at a minimum. If they didn't, they'd simply have to provide liability coverage, which someone like MS might afford on its own (we'd soon see how much they believed their own security talk and later how practical it was, by how much they upped the price in order to cover that liability), but which most proprietaryware companies would have to buy, with the insurance companies exercising due diligence before agreeing to cover it, and charging accordingly.

I've not thought a whole lot about where gratis but non-libre software would fit, but Schneier's contract idea might work there, allowing gratis but non-libre software to still exist (at least as long as there wasn't a EULA, which might be seen as a contract anyway, even for gratis software... and then there's the whole adware and etc thing to worry about) -- if the provider could justify it economically, either as a hobby or as a loss-leader, of course.

In any case, I now choose not to agree to EULAs as it is, gratis or not, for two reasons. If they don't respect my rights, not only will I not sign them away, but I don't trust their word on the black-box they are providing either, and certainly won't take on myself liability for what they are disclaiming. Thus, effectively, I don't and can't install proprietaryware, even if I might otherwise want to. So regardless of whether such a thing ever comes to pass by law, it's already effective if they're dealing with me. If they don't respect my rights including the four software freedoms, I don't trust them enough to run their software. Simple as that.

Duncan

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds