Linux guru argues against security liability (ZDNet UK)
Cox said that it would be difficult to make open-source developers liable for their code because of the nature of open-source software development. As developers share code around the community, responsibility is collective. "Potentially there's no way to enforce liability," he said. The question of open-source liability becomes more complex because of how the code is used, added Cox. Open-source code is generally given away, but companies use that code to develop their own products. Cox said that there was a question of how liability would move from the initial developers to the companies.
Posted Jan 18, 2007 21:43 UTC (Thu)
by stumbles (guest, #8796)
[Link] (2 responses)
Posted Jan 22, 2007 22:15 UTC (Mon)
by LowWeeklyNoise (guest, #39498)
[Link] (1 responses)
* This program is distributed in the hope that it will be useful,
The argument that free software developers are liable for their software is nothing more than a load of FUD in the hope that people stop sharing code out of fear.
Of course I would not be surprised if some professional lobbyists have managed to get this on the agenda.
As read from the article with regard to free software development:
Cox misses an important point, free software developers are never liable to begin with, and is only spreading the confusion.
Posted Jan 23, 2007 2:13 UTC (Tue)
by malor (guest, #2973)
[Link]
The clause denying responsibility doesn't mean jack if it's superseded by law.
Posted Jan 18, 2007 21:46 UTC (Thu)
by stevenj (guest, #421)
[Link] (3 responses)
Regardless, it seems clear that liability should not be used to destroy a key property of software: its zero marginal cost. Liability should certainly not be incurred when no money changes hands, e.g. when you download code from my web site.
Posted Jan 18, 2007 21:58 UTC (Thu)
by stumbles (guest, #8796)
[Link]
Posted Jan 18, 2007 22:47 UTC (Thu)
by NZheretic (guest, #409)
[Link] (1 responses)
The Ford Pinto and more recently the Ford Explorer's tires are two examples of public and media pressure being more successful than just the threat of lawsuits. Even so, just as with the automotive industry, eventually through public pressure the governments around the world have to step in and pass regulations that set up a minimum set of requirements an automobile has to meet to be deemed "road worthy". This includes crash testing as well as the inclusion of safety equipment on all models. The requirements are not constant and change to meet the expectations and demands of the public and lawmakers.
The onus is not only on the automotive industry itself but also on the users. Most countries require that all automobiles undergo regular inspection and maintain an up to date "Warrant of Fitness".
In the same way, if you want a secure IT infrastructure, eventually the software design, implementation and each deployment will have to undergo the same type of regulation and scrutiny.
Posted Jan 19, 2007 14:47 UTC (Fri)
by Tr0n (guest, #42662)
[Link]
Posted Jan 18, 2007 22:23 UTC (Thu)
by cventers (guest, #31465)
[Link] (5 responses)
I think that what should happen is that parties that actually control
Putting liability on the vendors is insane -- what if the party that
Posted Jan 18, 2007 23:23 UTC (Thu)
by ncm (guest, #165)
[Link] (4 responses)
For example, analyses of medical lawsuits show that who gets sued and for how much is almost completely independent of competence, and correlates overwhelmingly with a single quality: poor bedside manner.
Posted Jan 18, 2007 23:50 UTC (Thu)
by JoeBuck (subscriber, #2330)
[Link] (2 responses)
Also, especially for non-Americans: "American jury awards some idiot millions" makes your news, while "Appeals court throws out the idiot jury's verdict" usually does not.
Posted Jan 19, 2007 0:15 UTC (Fri)
by drag (guest, #31333)
[Link]
In fact it's a cornerstone of a successful capitalist society. Some people like to take that all the way and say that self regulation is quite superior to government regulation, but I don't take it that far. I figure the best solution depends heavily on the situation and only in a tiny minority of cases is government regulation justified.
There is quite a bit of difference though from the standpoint of a company being liable for creating buggy software versus a company being liable for purposely creating buggy software to cut costs.
If, for instance, Microsoft produces a server that has a bug and that bug gets used to compromise a system, but Microsoft did release a bug fix in a reasonable amount of time... then that is not Microsoft's fault.
However if Microsoft works specifically to obfuscate the problem and attempts to silence people trying to educate the public on problems... and that causes admins who are otherwise diligent to have vulnerable servers that cause a data loss... then Microsoft is VERY liable.
Same thing with open source companies, or any other software company.
In other words:
If a company produces bad code, then that's natural and people are able to regulate that company without any need for government. They can use public data produced by businesses/organizations that monitor this sort of thing (example: Open Source Vulnerability Database, or Secunia) and educate themselves. If a business consistently produces bad code, then that business is going to go out of business. No need for government intervention.
However if that same company attempts to subvert the public's ability to regulate by doing things like lying about vulnerabilities and attempting to hide the truth from people... as well as actively making it very difficult for people to fix the problem themselves, or discover the problem themselves, or replace the bad software they produce with good software other people produce.... then I absolutely see this becoming an issue for civil lawsuits.
Posted Jan 25, 2007 13:07 UTC (Thu)
by ekj (guest, #1524)
[Link]
It's true the insurance companies probably take a big thick profit, but there's still *some* competition in the insurance business, so it's probably fair to assume that the real risk is in the 50-75% of what the premiums would indicate.
Which is, frankly, ridiculous. There are several kinds of mistakes;
It seems sometimes that large sums are paid in the US for mistakes that at least appear to be of the first or second type. I ain't just talking of medical malpractice either, the above applies to tort in general.
In most of Europe, there's not a cent to be had in situation 1. In situation 2 damages are limited to actual direct damages (not a cent for "emotional suffering" or similar).
Posted Jan 19, 2007 16:48 UTC (Fri)
by stevenj (guest, #421)
[Link]
According to the Congressional Budget Office, "malpractice costs account for less than 2 percent" of health-care spending.
According to a recent study in the New England Journal of Medicine, the majority of claims (62%) involve medical errors, while an even larger majority (> 80%) of successful claims involve such clear errors.
On the other hand, the evidence of a deterrent effect on negligence from liability is apparently quite limited, although it seems that this is not an easy thing to prove either way.
Posted Jan 18, 2007 22:41 UTC (Thu)
by ibukanov (subscriber, #3942)
[Link] (3 responses)
Posted Jan 19, 2007 0:06 UTC (Fri)
by wahern (subscriber, #37304)
[Link]
Posted Jan 19, 2007 8:53 UTC (Fri)
by niner (subscriber, #26151)
[Link] (1 responses)
Posted Jan 19, 2007 9:15 UTC (Fri)
by ibukanov (subscriber, #3942)
[Link]
In fact I have no problems with a law that states that users can get their money back for buggy software that does not meet the stated quality level while continuing to use it.
Posted Jan 19, 2007 1:30 UTC (Fri)
by error27 (subscriber, #8346)
[Link]
In California, businesses have to notify you if they lose your data. But software vendors like Microsoft can sell software claiming it's the most secure ever and they don't have to notify you if a vulnerability is found. So your business gets ripped off and you have to bear all the legal responsibility for Microsoft's bugs.
Open source vendors like RedHat should have to notify you as well if they have vulnerabilities. Non-profit software would be exempt.
Posted Jan 19, 2007 11:47 UTC (Fri)
by dark (guest, #8483)
[Link] (3 responses)
Posted Jan 19, 2007 13:40 UTC (Fri)
by forthy (guest, #1525)
[Link] (2 responses)
Sounds clever, but I'm not sure how long that would last. Some idiot could always claim that the source code is unreadable (obfuscated), and therefore actually useless. And mind you, the last BitTorrent page corruption bug showed that there is obfuscated code even in Linux.
As others said, the consequences of being liable in terms of money are insurance and lawyers, but not better software. I suggest the following: if a vendor is found liable, he has to free the source code, so that the customers can help themselves. Being liable depends on how long it takes for bugs to be fixed, and how often bugs are discovered - both signs of a poor quality standard.
Posted Jan 19, 2007 15:32 UTC (Fri)
by nix (subscriber, #2304)
[Link] (1 responses)
Posted Jan 25, 2007 13:10 UTC (Thu)
by ekj (guest, #1524)
[Link]
Source code is the preferred form for editing. Sometimes that is arcane, but that can't be helped.
If the program in question is your entry to the obfuscated C contest, and you in fact wrote it this way by hand, then that *is* the source code.
If however you used a program to obfuscate the code, then the input to that program would be your source code. Despite the fact that the output from the program is also, technically, valid C code.
Who would have thought 15 years ago open source software would be addressed in the House of Lords or a kernel maintainer would be there to do the speaking..... this is a good thing.
Here's an excerpt from the GPL, for those that don't already know ;)
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
"Cox said that there was a question of how liability would move from the initial developers to the companies."
They're not liable NOW, but they could be. Governments are mulling making it illegal to sell or give away code without taking responsibility for any bugs it might have.
Whether software-sellers should be liable for bugs, especially security bugs in their products, is an interesting question. Cox argues against it, even for proprietary software, because he claims liability would encourage vendors to prohibit use of third-party software (to prevent unforeseen interactions). Bruce Schneier makes a good argument on the other side, that a direct financial interest is the best way to make vendors secure their products.
liability vs. cost
Yes I think holding either camp liable would not really solve anything. OTOH, perhaps it should be looked at from a time frame point of view. If a software seller does nothing with a bug for say, 3 months, the time frame would depend on its complexity, then let some liability clause kick in. Though I'm not particularly fond of that idea either.
From June 14 2002
In a recent speech "Fixing Network Security by Hacking the Business Climate", also now on Technetcast, Bruce Schneier claimed that for change to occur the software industry must become liable for damages from "unsecure" software. However, historically this has not always been the case, since most businesses can insure against damages and pass the cost along to the consumer.
Read the rest in Our Data:an appeal - a "Plimsoll line" for apps
Does this apply to M$ stuff too?
:)
I very much agree with Cox... and while I have much respect for the champion cheerleader on the other side of the argument (Bruce Schneier) I think the whole idea of putting liability for flaws on the vendor is flawed.
sensitive information should be held liable for mishandling the information. Companies will probably end up getting insurance, and insurance will be cheaper depending on who your software vendor is, what your procedures are and whether or not your network is certified by some security standard. Insurance companies will have an interest in determining whose solutions really are the most secure, and the lower premiums offered by using those solutions will put pressure on companies to choose those solutions, which should put pressure on the vendors to offer secure solutions.
actually lost the data was misusing the product or not keeping it up to date? Should the software vendor then be forced to defend its good name in court?
This argument has been thoroughly debunked, many times. Experience with negligent liability in other industries, such as medical, demonstrates that the only beneficiaries are insurance companies and lawyers, in that order. Insurance companies don't vary their rates according to any criterion that helps matters; everybody pays through the nose no matter what their quality standards. Lawsuits are filed or not on spurious grounds.
While it's true that liability lawyers sometimes profit unjustly, the gutting of government safety regulations caused by appointing former corporate lobbyists as chief regulators leaves no other check on those who would unsafely cut corners. Also, the lawyers take these cases on contingency, so if they lose, they get nothing for (in complex cases) years of work.
Liability is fraud
Well the 'check' that remains is the people themselves. In many situations people quite successfully regulate businesses that have no official government regulation.
True. But you gotta figure, when insurance against malpractice claims for doctors in many states costs like literally a year's salary, there has to be significant risk.
Liability is fraud
"everybody pays through the nose no matter"
For example, analyses of medical lawsuits show that who gets sued and for how much is almost completely independent of competence, and correlates overwhelmingly with a single quality: poor bedside manner.
I also very much agree with Alan's arguments. On the other hand I wish that users would not be that tolerant of bugs and would not accept software that crashes. If people refused to buy products that crash, more proprietary software vendors would open their code just for the sake of extra eyes.
Still, in the state of Nevada you--as an individual medical doctor--might expect to pay upwards of $500,000/year for insurance. On the flip side, some surgeries which could take 6 months to schedule in British Columbia (because of the waiting lines and lack of specialists), can be done within 6 days in Nevada. Not sure what the implications are; likely none which are straightforward.
But how would people know that software crashes before they have bought it and experienced those crashes?
Users can simply refuse to pay for software where the vendor rejects any liability. Then if software crashes or works badly the user can require the vendor to address the bugs.
I always call for Full Disclosure rules.
I think the best policy is that you're liable for vulnerabilities in software you publish, unless you also publish the source code so that people can check for themselves.
Liability and binary-only software
Liability and binary-only software
That code wasn't obfuscated, it was just convoluted. Obfuscation implies intent to conceal (or at least intent to be unnecessarily arcane, as in the IOCCC).
The source-code definition in the GPL will do.