Laws to Punish Insecure Software Vendors?

Gambit Thirty-Two writes "An influential body of researchers is calling on the US Government to draft laws that would punish software firms that do not do enough to make their products secure." Yeah that'll work.

open source

What will this mean for open source? OSS companies/programmers will be just as liable as closed source ones.

Re:open source

that gets exploited

A critical point, I think. Keep in mind that these security holes are not exactly akin to a lock with a pink sticker that says "This lock doesn't actually work". A lot of research and experimentation is necessary in order to exploit those security holes. Research and experimentation carried out by criminals. As much as I would love to see software companies held accountable for the generally terrible state of software quality industry-wide, I'm not sure it's fair to hold Microsoft responible for making possible the actions of a malicious hacker. Is it Honda's fault a slimjim opens the door of my Civic?

A Certain Level

> I'm not sure it's fair to hold Microsoft responible for making
> possible the actions of a malicious hacker. Is it Honda's fault a
> slimjim opens the door of my Civic?

Well, to get a realistic comparison, you'd need to compare on even ground. Pretend for a moment that your car door locks went to "locked" when you pushed the lock button, and "unlocked" when you pushed the unlock. However, they didn't actually engage the tumblers in the door, so when it's locked, the handle still opens the door. Now, there's a switch inside the door that you can get to by pulling the door side off, and when you throw it the tumblers connect and when the door says "locked" it now really means it.

Now, would you blame Honda if they didn't set the switch to "on" at the factory, and didn't tell anyone about the switch, and only acknowledged that it exists when someone in the field finds it and threatens to tell the general public?

I'd bet you would. That's a fairer comparison, and so yes, I think the companies that produce easily exploitable software should be forced to reckoning for it.

Virg

Re:open source

OSS companies/programmers will be just as liable as closed source ones.

It does not have to be that way. Why not put in exemption for software that comes with source code? The presumption could be that releasing source code allows the user to take responsibility for the correct operation of the software. Also consider that the OSS writer has little or no control over changes the user might make (and that's one of the main points, isn't it?)

Just like a LLP

The software producer's liability should be limited to the amount of their financial return on the software, except in cases where gross negligence is apparent. If I never made a dime of the sale of the software, I should be liable only for that $0.

Re:open source

The presumption could be that releasing source code allows the user to take responsibility for the correct operation of the software.

That's a bit like saying a car company shouldn't be held responsible for putting faulty brakes on a car, since after all, the car owner could have replaced the brakes with something that worked.

Re:open source

It does not have to be that way. Why not put in exemption for software that comes with source code? The presumption could be that releasing source code allows the user to take responsibility for the correct operation of the software. Also consider that the OSS writer has little or no control over changes the user might make (and that's one of the main points, isn't it?)

What needs to be made illegal are EULAs that absolve the software creator of guilt for flaws. Ford is liable for putting the wrong tires on SUVs and causing people to die. Ask Explorer owners (if you can talk to people that would buy one nowadays) how they would have reacted to such a license, and imagine how the courts would have reacted.

You've also made an excellent point about the futility of the GPL, but I digress.

How to track liability

Your post is interesting, especially in light of the difficulty a court may have in accurately assigning liability to the correct party.

For instance, am I liable if I use the standard C function gets() in a program? I, as the program vendor, can argue that that's what was taught in my undergrad CS course, or I could point the finger at the language designer or C library vendor.

What about a program I write that communicates w/ other software via a standard protocol, and works perfectly if the other software adheres strictly to that protocol but fails in combination with another program which implemented that protocol incorrectly; am I to blame, or is the other vendor? What if the spec is vague?

As I've said in other posts, the potential for good legislation along these lines is there, but only with *heavy* involvement of people who understand issues such as these, along side of the industry lobbyists, consumer advocates and politicians.

Join the Libertarian Party

Be careful what powers you give to the government.

Everyone would be in violation

Linux, Solaris, HP-UX, MS WIndows and a bunch of other products have holes in them that SANS tells others about. Has there ever been a piece of software with no security holes?

Re:Everyone would be in violation

A law like this would benefit two camps. One would be large software companies, since the smaller competetition would be squashed as the cost of doing business reaches prohibitive levels. The other benefactor would be the insurance agency. They would increase premiums for software businesses greatly, since this would be the best way for businesses to protect themselves. Consumers would only suffer.

Fine them?

Your software is insecure. Please pay your fine by credit card at http:// ...

Oh my, the irony

You know, it used to seem like the software security and freedom communities were pretty closely related. Apparently the NAS doesn't have the same lassaiz fairre attitude as most of the freedom advocates.

It's always interesting when those who call for freedom and security for themselves can only figure out how to do it by reducing the freedom of others. Now they want to legislate software standards? Come on, you have to be against that.

Freedom of Speech

This raises some constitutional issues - Do I have the right of freedom of speech ( as code has been found to be in some cases ) to utter an incorrect program?

An additional question would be should all software now come with a warrently that specifically disclaims the implied warrenty and states that there is no warrenty? Would it be legal under the proposal?

Re:Freedom of Speech

This raises some constitutional issues - Do I have the right of freedom of speech ( as code has been found to be in some cases ) to utter an incorrect program?

Do you have the right of freedom of speech to utter other potentially hazardous comments? Yelling "FIRE!" in the middle of a crowded theatre is dangerous, and illegal. If you're engineering a bridge, does "freedom of speech" give you the right to design it so that it will collapse when people try to use it?

There is a wide legal history for freedom of speech ending when it causes harm to others.

Re:Freedom of Speech

There is a wide legal history for freedom of speech ending when it causes harm to others.

You don't need to open that whole kettle of worms at all, in this case. The right to say something does not equate with the right to sell it - unless it is sold for the purpose of communication (which commercial software is not.)

People who write software and then sit on it, or only give it to a few friends, cannot and should not be able to be held accountable for their software not working - unless (like yelling "FIRE!" in the middle of a crowded theatre) there is clear evidence of malicious intent (computer viruses.)

Someone who distributes software for free ought to be required to disclaim any warranties, which they allready do, and that is fine.

On the other hand, when you sell a piece of software there is an implied warranty of merchantability that you cannot disclaim. Extending that warranty to include security is not a free speech issue. Your right to write any code you want is still protected, you just cannot necesarilly sell it.

By extension, however, code written for the purpose of communication - including "here is how you write DeCSS" or the example code in a CS textbook - would still be protected, and you'd still have a right to sell it, whether or not it worked or was secure.

Be careful of what you wish for

If you are talking about imposing rigid design and coding standards to software that is released to the public, it could have a far more adverse effect on small software publishers and open source projects than it does to, oh say Microsoft.

Seems to me this will have the least impact on those who need to pay attention to security the most(large software companies) while having the potential to make it harder for the "little guy" to write and publish software.

What about the click-thru EULA?

Anyone ever read their full End User Licence Agreements, especially MS?

It always has a limit that anything bad that happens while using their product is not their fault.

Now IANAL but I thought that by clicking I Agree, that you were actually agreeing to that.

Boon to Corporate America

I suspect that this would ensure far less software gets produced by smaller vendors and individuals who can't afford the liability.

Another good move for corporate America.

Microsoft is able to defend itself against the government. Are you?

Other Microsoft Failings...

But Windows XP is not the only Microsoft product with security failings.

For example Microsoft Bob.

I've been waiting for a service pack for it for years. I'm just not as comfortable hooking Bob up to the internet as I once was. Bob has gotten more viral infections than an old French Whore in a port town.

-Rothfuss

I agree (Sort of...)

Laws that make a vendor produce a secure and safe product should apply to software too.

Ford and GM shouldn't be allowed to produce cars that kill people, simply because they couldn't be bothered to make them safer - like exploding gas tanks - ok, so that's not such a great example... (grin)

But really, but the responsibility where it lies. If I put a system out on the net, and don't take some steps to make it secure, I should be liable for damages it causes when it's compromised. Same for SW companies. If you produce a product that doesn't meet the "reasonable" man test for care in producing the product, the maker should be liable for negligence.

I might go even further though, and add some criminal penalties too.

Software can be more reliable and bug-free and secure. (Go read the "Software Conspiaracy") Sure it will cost more, but what do you think all the virus outbreaks costs business and individuals. It's just a hidden tax. MS (and others) are just shifting the burden of producing software that works to the users. It's cheaper for MS to produce the software, but lots more expensive for the user to use them.

Finally, the legal system _IS_ part of the free market. The threat and actual loss of damages to a plaintiff balance the system of the market. It's not just buyers and sellers - and a wild wolly mess...
It just bugs me when "free market" proponents want to proclaim that the courts are unneccessary in the free market - bull! They are important and the market will not function correctly without them!

good concept

While the concept to "punish" vendors for flawed products is a good one, trying to get the _government_ to do it is a bad one. For one reason, the government is very easily corrupted, and often looks the other way.

A better solution is to allow people to sue software companies that produce software that does not do what it is supposed to do. For example, if Microsoft says they have the most secure servers on the market, they damn well better be that.

As soon as a few lawsuits are filed, things will change for the better. There's too much being "protected" by microsoft software for them to continue business-as-usual for long if they get sued for every nimda/code red/etc out there doing damage.

However, if the company puts out patches (such as through windowsupdate) and the user fails to apply them in a timely manner, it's the user that screwed the pooch, not the producer.

Before we decide this is such a great idea . . .

. . . we might want to consider that while "security" can mean keeping your machine from being 0wn3d, it can also mean "security" as in the Security Systems Standards and Certification Act [petitiononline.com], otherwise known as the "Enforced Copy Control and Free Operating System Elimination Act."