BeesTea
Network Janitor
Premium,VIP
join:2003-03-08

Information security: How liable should vendors be

quote:
Computerworld

»www.computerworld.com/securityto···ml?f=x73

Opinion by Bruce Schneier,
Counterpane Internet Security Inc.

OCTOBER 28, 2004 (COMPUTERWORLD) - Information insecurity is
costing us billions. We pay for it in theft: information
theft, financial theft. We pay for it in productivity loss,
both when networks stop working and in the dozens of minor
security inconveniences we all have to endure. We pay for it
when we have to buy security products and services to reduce
those other two losses. We pay for security, year after year.

The problem is that all the money we spend isn't fixing the
problem. We're paying, but we still end up with insecurities.

The problem is insecure software. It's bad design, poorly
implemented features, inadequate testing and security
vulnerabilities from software bugs. The money we spend on
security is to deal with the effects of insecure software.

And that's the problem. We're not paying to improve the
security of the underlying software. We're paying to deal
with the problem rather than to fix it.

The only way to fix this problem is for vendors to fix their
software, and they won't do it until it's in their financial
best interests to do so.

Bruce Schneier is the author of Applied Cryptography, Secrets and Lies, and other excellent books. He is considered one of the foremost experts in Information Security.

Cheers,
-BeesT
--
echo 16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D4D465452snlb xq |dc


Rdax
Premium
join:2001-05-18
El Dorado, AR

The only person liable is the one behind the keyboard if they don't know how to secure their system.



hpguru
Curb Your Dogma
Premium
join:2002-04-12

said by Rdax:

The only person liable is the one behind the keyboard...
Amen to that!
--
FOUR MORE YEARS!! - of fear.

x539

join:2003-08-23
Oklahoma City, OK

reply to Rdax

Re: Information security: How liable should vendor

quote:
The only person liable is the one behind the keyboard if they don't know how to secure their system.
Sorry, but that's just BS.

Schneier isn't referring to (mis)configuration issues here, or users that don't patch their systems when vendors release patches.

Suppose you run a corporate IIS webserver, have locked it down according to all best practices, yadda yadda. IIS is a closed-source product, so even if you were an uber-programmer and wanted to inspect every char, you couldn't. Suppose there is a buffer overflow inside IIS that can be remotely exploited to fully compromise the server. You're saying that would be the server admin's fault? I hardly think so.

When you're providing services to the public like WWW, SMTP, or any number of other things, you HAVE to expose them to the internet, which is an inherently hostile environment. You can lock things down all you want, and that will help to a large extent, but there have been, are, and will be lurking software flaws that you don't know about and just can't defend against.

Even if you go with a 100% open-source solution, it's highly unlikely that your employer is going to want to pay you for the years it will take you to scour every line of code in your OS and daemons. Even if you did get paid to do so, you're just as human as the programmers who wrote the code, and probably at least as fallible, so that would be no guarantee.


TearAbite
D'oh

join:2001-07-25
Rancho Cucamonga, CA
kudos:2

reply to BeesTea

Re: Information security: How liable should vendors be

Do the automobile manufacturers pay every time thieves figure out how to get around a fancy new "anti-theft" device and a car gets stolen?

A few years back it was discovered you could unlock the doors of many foreign cars by jamming a pencil inside of the door handle, resulting in many stolen cars, stolen stereos (mine included!), and stolen personal stuff. I don't recall them owing ME any $$.

NOTHING is 100% secure, and thieves/hackers will always be there to remind us of this. Just a thought.
--
Click HERE to see my FAKEz


Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

reply to x539

Re: Information security: How liable should vendor

said by x539:

Even if you go with a 100% open-source solution
... which will cease to be an option if software vendors are held liable for bugs.

I believe very much in the "incentive" system (as those who have seen me post here may recall), and I think there is something to be said for making vendors hurt when they make a mistake, but if there is civil or criminal liability for bugs, it will completely dry up the Open Source world (at least in countries with working legal systems).

If I am getting paid for something, sure, I'll accept some liability for my own actions, but not if I'm doing it for free.

Steve
--
Stephen J. Friedl • Unix Wizard • Microsoft MVP • Tustin, California USA • my web site

x539

join:2003-08-23
Oklahoma City, OK

quote:
... which will cease to be an option if software vendors are held liable for bugs.
Open source != free software.

Besides that, if you read the article, the author is referring to software that has been purchased. He's saying that if you pay for something, you should be guaranteed recourse against the company that sold it to you - not the author of the code itself, unless said code author happens to work for the company you paid to purchase the product.

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:7

said by x539:

Besides that, if you read the article, the author is referring to software that has been purchased. He's saying that if you pay for something, you should be guaranteed recourse against the company that sold it to you - not the author of the code itself, unless said code author happens to work for the company you paid to purchase the product.
Three points:

1) Unless all software publishers are equally liable, whether they happen to be Microsoft or people who put code at www.kernel.org, then it would seem easy enough to circumvent the scheme. For example, it seems like some clever wording will show that I didn't actually 'purchase software' when I acquired my copy of Windows.

2) Since I did in fact pay for my home copy of Debian Linux (judging that it was more efficient to pay someone twenty-odd bucks to burn 7 or 8 CDs than it was to do it myself), on what grounds, according to the proposed vendor-responsibility laws, should the CD burning company -or- the software author escape responsibility for security problems?

3) Are you proposing that the purchaser NOT be allowed to sign a contract absolving the vendor of responsibility? It's a good thing I'm not a libertarian, otherwise I'd have a problem with that. My point being, of course, that if it's legal for no-responsibility agreements to exist, you'll find the no-responsibility price is $200 and the responsibility-assumed price is $200,000.


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3

reply to BeesTea

Re: Information security: How liable should vendors be

I strongly agree that programmers have to improve their coding practices; however, it's not that simple. Most coders work in a world of unreal deadlines and such and are rarely allowed the luxury of considering security when doing the initial design (if there even is one), or coding for security, or testing for security. Yes, programmers have to improve the quality of the code they are producing, and that isn't going to happen until companies value security, and that isn't going to happen until consumers start demanding it. Microsoft has heard the consumers' demands and their products have improved a lot since then; their internal practices have made security an important feature and worthy of design and coding and testing considerations. Hopefully companies who don't get it will go out of business as their clients look elsewhere for secure products.

Now on the flip side is all the BS in the security world which makes it almost impossible for consumers to know what is really happening and what their priorities should be, and this is one of the things that bothers me the most: all the agendas different security companies have which are used to sell their products (cookies as evil spyware, for example).

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel

x539

join:2003-08-23
Oklahoma City, OK

reply to dave

Re: Information security: How liable should vendor

quote:
3) Are you proposing that the purchaser NOT be allowed to sign a contract absolving the vendor of responsibility? It's a good thing I'm not a libertarian, otherwise I'd have a problem with that.
*I* am not proposing anything. When I awoke this morning I was still female, and did not possess the mind of a brilliant cryptographer.

quote:
My point being, of course, that if it's legal for no-responsibility agreements to exist, you'll find the no-responsibility price is $200 and the responsibility-assumed price is $200,000.
An interesting point, and one not entirely without precedent. See for example the price difference between Solaris and Trusted Solaris. AFAIK that doesn't specifically allow purchasers legal recourse against Sun in the event of compromise due to a 0-day remote exploit in Trusted Solaris. I do think it is pretty safe to assume that heads would roll due to pressure from all the government agencies who paid additional money for the product. "Responsibility assumed" agreements that are linked to increased software prices are a natural outgrowth of this. Enterprise software vendors like Sun will supply what the market demands. If the market demands vendor accountability, I'm sure they'll be happy to sell it - for a price.

VirtualLarry
Premium
join:2003-08-01


reply to Rdax

said by Rdax:


The only person liable is the one behind the keyboard if they don't know how to secure their system.
Including going to the extremes of being forced to implement their own operating system, simply because current commercial OS vendors refuse to, and therefore there is truthfully no other real choice?

Is that really a realistic request?

It's like saying, well, Ford Explorers have a safety problem, and so do all other car mfgs (for the sake of argument here), but yet, it's still the driver's fault in all of this? Where do you draw the line? Should we all ditch our "information superhighway vehicles" here, because they are unsafe? Should we be forced to build our own cars instead? What is the realistic solution?

Or should the gov't step in, and impose safety regulations (in the case of physical vehicles), and impose computer-system security regulations (in the case of commercially-sold software)?

Bottom line - should software security be regulated by the gov't? On one hand, gov't regulation always becomes a morass of bureaucracy and favoritism, and on the other hand, vendors don't seem to be doing much in terms of implementing real security, or if they are, they are moving so slowly, as to milk every last dollar of profit from their existing software systems, before they go in for the radical "rip and replace" step, that would possibly make all existing systems obsolete and incompatible in one fell swoop. (Longhorn with TCPA, perhaps?)

What really gets me is that currently, software publishers are allowed to disclaim any and all responsibility for the quality, reliability, or operability of their software - in direct contrast to nearly all other established industries.

Would a "key-insertion EULA", attached to the Ford Explorers, that disclaimed any liability arising from mfg or design defects, without restrictions, including loss of life, fly in a courtroom today? Why are "software companies" allowed to effectively get away with murder these days, scot-free?

Also, for those that would claim this would kill open-source/free software - I don't believe that it would, because if you didn't pay for the software, then there is no seller that has any sort of implied contractual liability.

Now, establishing some sort of arbitrary statutory liability, outside of the normal existing frameworks for "fitness for purpose", that wouldn't differentiate between commercial and non-commercial software - that much I would *not* go for.

I believe that if you sell something for money, to a customer, and they have expectations, then you as the seller should be held responsible. However, giving away something "AS-IS", surely, would be reasonable to allow disclaimer of liability. But the real crime here is that currently, software companies are allowed to do both - profit in a commercial market for their goods, as well as disclaim full liability for anything remotely related to them. It's an insult and an affront to civilized, responsible society, and that factor, more than anything else, is at base responsible for the existence of things like network worms, malware, etc.

The system is broken, let's fix it. It starts by taking responsibility in a commercial environment.

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:7

reply to BeesTea

Re: Information security: How liable should vendors be

So who's going to be legally responsible for the Debian Linux CDs I paid $20 for? Suppose I get attacked through the ptrace vulnerability in 2.4 kernels, who am I going to sue? Does www.linuxcentral.com even have enough money to cover the damage I suffered?

If www.linuxcentral.com is not responsible, why not? As far as I'm concerned, I paid for software.

x539

join:2003-08-23
Oklahoma City, OK

Re: Information security: How liable should vendor

quote:
If www.linuxcentral.com is not responsible, why not? As far as I'm concerned, I paid for software.
As far as linuxcentral.com is concerned, you paid for media.

From their website:
quote:
LINUX CENTRAL GPL CD-ROMS We do not warrant or guarantee the software on these CD's. We only guarantee the media. We accept returns of Linux Central GPL CD-ROMS within 30 days on defective media only. (Please see "Obtaining an RMA" below.)
If you want to pay for software, buy a commercial operating system from a software vendor, not a CDROM set from a 3rd party with non-commercial software burned onto it.

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:7

reply to BeesTea

Re: Information security: How liable should vendors be

And how long would it take Microsoft to word its contracts accordingly?

The relevant points to me seem to be that (a) I paid money, and (b) I received software.

And yet it's somehow ok for Linux Central to say "we are not responsible", but not for Microsoft to say "we are not responsible"?

Microsoft could presumably set up a similar arrangement whereby Microsoft does not sell software to the public. Instead, it allows Windows Central to copy CDs. Windows Central sells the CDs, but it is not responsible for what's on them.

In fact, Microsoft already insists that I didn't pay for the software, I paid for the right to use the software.

(Microsoft can afford some sharp lawyers: it shouldn't take them too long to figure out their way around this.)

I think it's pure fantasy that you can somehow make Microsoft responsible for their OS kernel (which is what we're all talking about really, right?) and not make the people who produce Linux responsible for their OS kernel. Especially given that the Linux guys publicly tout their stuff as being 'more secure'.

x539

join:2003-08-23
Oklahoma City, OK

Re: Information security: How liable should vendor

quote:
And yet it's somehow ok for Linux Central to say "we are not responsible", but not for Microsoft to say "we are not responsible"?
I didn't see anybody make any value judgements on what's ok for Microsoft or Linux Central. But are you seriously suggesting that Microsoft and Linux Central have a comparable business model, product, or market presence? Come on now.

From the article (you did read it, didn't you?):
quote:
If we expect software vendors to reduce features, lengthen development cycles and invest in secure software development processes, it needs to be in their financial best interests to do so. If we expect corporations to spend significant resources on their own network security -- especially the security of their customers -- it also needs to be in their financial best interests.
Neither Debian nor Linux Central is a software vendor. Debian doesn't sell software. In fact, Debian doesn't sell anything. Linux Central sells CDROMs, hardware, and a bunch of other stuff, but they don't develop software or sell it. Obviously Schneier is not talking about either of them in this article.

quote:
Microsoft could presumably set up a similar arrangement whereby Microsoft does not sell software to the public. Instead, it allows Windows Central to copy CDs. Windows Central sells the CDs, but it is not responsible for what's on them.
Sure they could. And if it comes to it, I'm sure they will. Like I said, it's all about supply and demand. I sincerely doubt that the SOHO market will demand or be willing to pay extra for vendor liability on their software. However, the enterprise market may very well be. So it would make sense to offer two separate products/licenses.

VirtualLarry
Premium
join:2003-08-01

reply to dave

said by dave:

So who's going to be legally responsible for the Debian Linux CDs I paid $20 for? Suppose I get attacked through the ptrace vulnerability in 2.4 kernels, who am I going to sue? Does www.linuxcentral.com even have enough money to cover the damage I suffered?
It depends. Did you pay for the license to own a copy of that copyrighted software, or was that license given to you freely, and you simply paid a fee for the service of distribution and duplication of the media?

said by dave:

If www.linuxcentral.com is not responsible, why not? As far as I'm concerned, I paid for software.
Is it GPL'ed software? If it is, then you didn't pay for it directly, as generally GPL software is licensed for no cost, under the terms of the GPL. In that case, there would be no liability, at least how I see it.


EGeezer
Summertime
Premium
join:2002-08-04
Midwest
kudos:7

reply to BeesTea

How liable should vendors be?

Addressing only that question, I believe that they should be liable to the extent they commit in their licenses and to the extent buyers are willing to pay for as part of the product cost.

Given that, how much liability software makers accept will depend on how much they're willing to spend on development, testing, liability insurance or liability pools. For operating systems with millions of lines of code, the statistical probability of errors or omissions is high enough that underwriters would price unlimited liability protection at prohibitive levels. Even a small program widely distributed could raise insurance rates to astronomical levels if the covered risks are broad.

Which brings us to the other side of the equation, how much would the buyer be willing to pay for a product that includes extensive liability acceptance? After all, offering acceptance of liability is no different than offering function, support and feature. It's a line item in the cost of the product.

For an unscientifically estimated pricing model, a user would not likely be willing to pay $5000 for a copy of ZoneAlarm guaranteed to provide liability reimbursement for a defect or vulnerability, as opposed to $40 USD under the present license agreement.

Same type of reasoning could apply to operating systems. Price versus features, reliability and guarantees being considered features. If users are willing to pay to cover the liability issue there will be some entrepreneur that will step forward to provide it as a means to capture market share.

Another point - think of it in terms of your own job. Would you be willing to accept personal liability if you screw up on your job and it costs a customer or your company several thousand dollars? I know one company in Central Ohio that tried that on their employees who were on their Y2K team. The members all walked rather than sign the agreement as a term of employment. (The company relented, but some had already taken other jobs.)

Bottom line how much liability commitment does the buyer want to have and how much is it worth to them?
--
IEC703 DISK ERRORABEND

VirtualLarry
Premium
join:2003-08-01

reply to dave

Re: Information security: How liable should vendor

said by dave:

And how long would it take Microsoft to word its contracts accordingly?
The relevant points to me seem to be that (a) I paid money, and (b) I received software.
No, the relevant point would be that you paid money for a license for that copyrighted work.

said by dave:

And yet it's somehow ok for Linux Central to say "we are not responsible", but not for Microsoft to say "we are not responsible"?
In my state, the "lemon law" as it applies to the sale of used vehicles, does not apply if the vehicle is sold below a specific (but very low) minimum price.

said by dave:

Microsoft could presumably set up a similar arrangement whereby Microsoft does not sell software to the public. Instead, it allows Windows Central to copy CDs. Windows Central sells the CDs, but it is not responsible for what's on them.
If the software is copyrighted, then the user must have a "license" to own a tangible, fixed copy of that work. (Not use - copyright law does not restrict private use of copyrighted works.)

So is MS selling you a license to the copyright-protected works stored tangibly on that CD, or just a CD with "pirated" software on it? If it is licensed, not "stolen", and that license is not sold, then the only other possibility is for it to be given to you for free. In that case, no, MS wouldn't incur liability, but that would also mean that other people could also obtain a license for that software for free too.

(You do realize, that MS does sell media containing a tangible copy of their copyrighted works, but only for the price of the media, and does not include a license with that purchase, right?)

said by dave:

In fact, Microsoft already insists that I didn't pay for the software, I paid for the right to use the software.
Which is actually incorrect, the law does not restrict you that way. You paid for a license to own a copy of that copyrighted work. Without said license, ownership would be copyright infringement. Any restrictions on private use of that work, after the terms of the sale, are not derived from copyright law. (Usually by an unlawful after-the-fact attempt at an adhesion contract, often called a "EULA".)

said by dave:

(Microsoft can afford some sharp lawyers: it shouldn't take them too long to figure out their way around this.)
Why should they bother to have to find a way around the law? They steamroll right over it with abandon. Why should they care? I mean, what is the worst that could happen to them, as a corporation? The US DOJ investigates them? Puh-leeze. :P

said by dave:

I think it's pure fantasy that you can somehow make Microsoft responsible for their OS kernel (which is what we're all talking about really, right?) and not make the people who produce Linux responsible for their OS kernel. Especially given that the Linux guys publically tout their stuff as being 'more secure'.
I think that it is pure delusional fantasy (that 99% of software users have bought into), that someone that sells goods onto the commercial market, should somehow magically not be responsible for those goods to perform as expected by the buyer. There is a long tradition in law and practice along those lines, that has only been very recently disrupted (relative to the backdrop of the course of history), with the advent of US software corporations, specifically with their playing "fast and loose" with the law, and other people's rights under the law.

If someone wants to sell commercial licenses to GPL'ed software, then they can do so, I suppose, but they would also in doing so, be assuming liability for it. Obviously, a market for "software liability insurance" would develop as well. "Safer" software would obviously also cost less to insure, as the statistical methodology that insurance companies use is pretty rigorous. Perhaps that would settle the question once and for all what types of software tend to be of higher quality or better security overall.

In spite of all of the potential disadvantages that I could also see arising from that, I think that it would still be worth it, in terms of benefit to society as a whole. The dark side of that question is, would those same insurance companies basically spring up to in order to profiteer and leech off of other major software companies like MS? Perhaps those insurance companies should be gov't regulated non-profits, in order to remove that factor.


EGeezer
Summertime
Premium
join:2002-08-04
Midwest
kudos:7

reply to dave
Hi Dave,

Actually, I think under the law you paid for the media production and delivery if it's the totally open source GPL version. For modified GPL software, you paid for the modifications, added features, etc. Kinda like free kittens, but you chose to pay somebody to bring them to you.

At least that's what I've seen in other stuff like IBM's Linux for i-Series. Any corrections appreciated.

EG
--
IEC703 DISK ERRORABEND


VirtualLarry
Premium
join:2003-08-01

reply to x539

said by x539:

From the article (you did read it, didn't you?):
quote:
If we expect software vendors to reduce features, lengthen development cycles and invest in secure software development processes, it needs to be in their financial best interests to do so. If we expect corporations to spend significant resources on their own network security -- especially the security of their customers -- it also needs to be in their financial best interests.
That's an important example of how the "insurance liability costs" would affect a software producer's bottom line, in a very real way that current customer market demand apparently has not*, that would force them to implement better design and engineering practices, and actually build better software, for once.

* (While some may view my comments as promoting gov't intrusion and interference with what is essentially supposed to be a free-market system, if you accept that gov't has a legitimate reason to exist at all, then you must also accept that it does have a responsibility to protect the safety of the people, collectively, in those cases in which the people, individually, are not able to protect themselves. Gov't regulations in relation to vehicle safety standards, and working conditions, are two excellent examples that I think anyone is hard-pressed to argue against the necessity of, given what standards and conditions existed before.

Likewise, the current failing of the current "free-market" software system, is because the "invisible hand" doctrine assumes perfect knowledge, on both sides of the buyer/seller equation, and that simply isn't true in this case. The technology field, more than anything else, has a very biased version of that equation. The vast majority of software consumers these days, have absolutely no idea of what kind of secure, reliable software could exist, if they so demanded it. And yet the current state of in-secure, un-stable, un-reliable software, has found its way intertwined almost everywhere in our daily lives, especially in terms of our working lives. It's hard to "make a choice" in terms of the market, when you don't have all that much of a choice, due to other factors. It is at that point that the gov't needs to step in, and start protecting the people, and mandating at least some minimum standards in this area, and/or letting private insurance costs dictate some of the necessary changes that the software producers need to make.)

over 12.5 years online © 1999-2012 dslreports.com.