Security smackdown
October 20, 2005 5:25 PM Subscribe
This post was deleted for the following reason: Poster's Request -- Brandon Blatcher
Yeah mullingitover is right, who's going to take on unlimited liability for the sale of a few dollars.
Morans.
posted by caddis at 5:47 PM on October 20, 2005
Morans.
posted by caddis at 5:47 PM on October 20, 2005
"Who the hell would be dumb enough to write this section in the EULA?"
A company that doesn't plan on being in business for long.
posted by bat at 5:54 PM on October 20, 2005
A company that doesn't plan on being in business for long.
posted by bat at 5:54 PM on October 20, 2005
We'll have fewer vulnerabilities when the entities that have the capability to reduce those vulnerabilities have the economic incentive to do so. And this is why solutions like liability and regulation work
He's suggesting it should be illegal to sell that crap called software..or maybe compliant with some obscure standard to "protect" the children or whatnot.
Matter of fact the industry will send him an horse head in his bed as a response for his modest proposal of regulating markets... in which capitalists take *gasp* RISKS instead of offloading them onto buyers with excuse, fine print and lawyer menaces.
I mean...work for profit ? Risk for profit ? Really a novel concept, according to some.
posted by elpapacito at 5:55 PM on October 20, 2005
He's suggesting it should be illegal to sell that crap called software..or maybe compliant with some obscure standard to "protect" the children or whatnot.
Matter of fact the industry will send him an horse head in his bed as a response for his modest proposal of regulating markets... in which capitalists take *gasp* RISKS instead of offloading them onto buyers with excuse, fine print and lawyer menaces.
I mean...work for profit ? Risk for profit ? Really a novel concept, according to some.
posted by elpapacito at 5:55 PM on October 20, 2005
Schneier is basically right. You can't hold an individual developer responsible for his or her crap, under-tested, Swiss-cheese code when the ethos of the capitalist system he or she works in demands semi-arbitrary deadlines to meet unrealistic client expectations, unrealistic budgets and swivel-eyed marketing bullshit. If they try to make developers responsible for poor code, HELLO, you just kissed goodbye to any chance of getting a sign-up to an estimate of under three weeks for a "Hello World" program.
The company is responsible for satisfying the client. And the company is responsible for employing suitable people.
posted by Decani at 6:07 PM on October 20, 2005
The company is responsible for satisfying the client. And the company is responsible for employing suitable people.
posted by Decani at 6:07 PM on October 20, 2005
Schneier right, Schmidt wrong. Yes, software needs to be more impervious to malicious hack but last I saw, the company brand is what goes on the outside of the "package" and the gain from the sale does not go directly and solely into the pcoket of the developer "responsible" for the security hole. The concept Schmidt endorses puts all of the risk on a sole person who does not accrue all of the gain. the gain is shared, the risk must needs be also.
posted by beelzbubba at 6:11 PM on October 20, 2005
posted by beelzbubba at 6:11 PM on October 20, 2005
Who is to say companies who develop software are not currently liable? Certainly, there must be some negligence litigation going on in this area... anyone know what the outcome has been?
posted by ph00dz at 6:13 PM on October 20, 2005
posted by ph00dz at 6:13 PM on October 20, 2005
I am all for it, as long as it only applies to software I buy and not software I sell. Can they put that in there?
posted by StickyCarpet at 6:19 PM on October 20, 2005
posted by StickyCarpet at 6:19 PM on October 20, 2005
Sorry -- just to follow up. I'd imagine that this system kind of already exists. Here's the scenario: Company A's software for Company B gets hacked and causes massive damage. Company B sues Company A and wins. Company A goes, "Well, what the heck? That jerk in IT said it was secure... " and goes after said jerk.
posted by ph00dz at 6:20 PM on October 20, 2005
posted by ph00dz at 6:20 PM on October 20, 2005
Also, security in what context? Security is often a matter of a tall software stack, the end programmer of which may have very little control over. The operating environment is a factor. I can make Windows perfectly secure. Just don't connect it to any network. If I operate Linux without Iptables, I'm surely asking for it. Schmidt didn't do much thinking here.
Certainly, there must be some negligence litigation going on in this area
Hee!
posted by 3.2.3 at 6:25 PM on October 20, 2005
Certainly, there must be some negligence litigation going on in this area
Hee!
posted by 3.2.3 at 6:25 PM on October 20, 2005
As usual, I largely agree with Schneier. Companies should be responsible for the quality and safety of the products they create and sell. It frustrates me to see that our country has abandoned the notion of corporate responsibility to the extent it has.
Histrionicslike those put forth by mullingitover aside, responsibility for the safety of your product can be dealt with in a way that doesn't open a company to "unlimited liability". You can buy relatively inexpensive car seats for your kid or you can buy top of the line, super duper car seats. There are choices in the market. But all of those options have to serve their basic stated function in a safe, reasonable manner when used as directed. Those that do not, they face liability. Those that do, they don't face great risks of liability.
An interesting question to me though is how product liability would work in the case of non-commercial, open source applications. If there is no "company" and there is no revenue stream, where would liability rest? I'd be curious to hear what MeFi lawerly types think of that issue.
posted by afflatus at 6:31 PM on October 20, 2005
Histrionicslike those put forth by mullingitover aside, responsibility for the safety of your product can be dealt with in a way that doesn't open a company to "unlimited liability". You can buy relatively inexpensive car seats for your kid or you can buy top of the line, super duper car seats. There are choices in the market. But all of those options have to serve their basic stated function in a safe, reasonable manner when used as directed. Those that do not, they face liability. Those that do, they don't face great risks of liability.
An interesting question to me though is how product liability would work in the case of non-commercial, open source applications. If there is no "company" and there is no revenue stream, where would liability rest? I'd be curious to hear what MeFi lawerly types think of that issue.
posted by afflatus at 6:31 PM on October 20, 2005
Wouldn't even Schier's suggestion essentially end open source, individual/hobbyist development, or even small companies? Most projects coming from there don't have pockets to afford the inevitable phalanx of lawyers, risk analysts, and insurance you'd need. The *technical* hurdles to producing software of any complexity are absorbing enough; making bigger legal ones won't encourage things.
Even if you had unusually sane and knowledgeable policymakers shaping this kind of law and carving out the right exceptions for stuff, this sounds rife with potential to shut out a good chunk of developers.
That said, I agree with Schneier's analysis of why companies frequently produce stuff with only shoddy security is on. I just don't think automatic liability for even a company is the answer.
posted by weston at 6:41 PM on October 20, 2005
Even if you had unusually sane and knowledgeable policymakers shaping this kind of law and carving out the right exceptions for stuff, this sounds rife with potential to shut out a good chunk of developers.
That said, I agree with Schneier's analysis of why companies frequently produce stuff with only shoddy security is on. I just don't think automatic liability for even a company is the answer.
posted by weston at 6:41 PM on October 20, 2005
I'd love to see liability for retarted I/S departments that jump on the Microsoft bandwagon... replacing a UNIX solution that's worked and scaled well for a decade... with software with higher hardware requirements... as well as requirements for software to keep it safe from malware of all sorts... in a company that builds unix based supercomputers.
posted by substrate at 7:11 PM on October 20, 2005
posted by substrate at 7:11 PM on October 20, 2005
They're both off the mark. If Corporate Program X relies on Corporate Library Y, which in turn has a dependency on a BSD licensed Library Z written by some dude in Estonia, and Library Z has (for example) an improperly written printf() call that can trigger a format exploit when presented with unchecked user input ... who do you blame and sue?
posted by cmonkey at 7:11 PM on October 20, 2005
posted by cmonkey at 7:11 PM on October 20, 2005
Schneier more or less claims software can be made completely secure just by spending a bit more time and a bit more money on it, which makes him an idiot.
posted by cillit bang at 7:13 PM on October 20, 2005
posted by cillit bang at 7:13 PM on October 20, 2005
Yes, exactly, the Schmidt proposal would drive open-source out of the software world. Schmidt is an ex-Microsoft exec and is probably still connected with them. His statement is a troll for the anti-OSS camp.
For Schneier's counter proposal not to have a similar defect, there would have to be a condition that liability applies only in the case of commercial software. Schneier has been generally on the non-evil side of issues. In this case he may have failed to perceive that Schmidt is a corporate shill.
posted by jam_pony at 7:22 PM on October 20, 2005
For Schneier's counter proposal not to have a similar defect, there would have to be a condition that liability applies only in the case of commercial software. Schneier has been generally on the non-evil side of issues. In this case he may have failed to perceive that Schmidt is a corporate shill.
posted by jam_pony at 7:22 PM on October 20, 2005
My preceding was @ weston and afflatus. Cillit and cmonkey, I understood the proposal to be, not a standard of perfection, but something to apply in egregious cases - say, vendor knows about vulnerability and fails to fix it for a long time, though it could have.
posted by jam_pony at 7:24 PM on October 20, 2005
posted by jam_pony at 7:24 PM on October 20, 2005
Well alright, on second reading, it's not even clear what he thinks this will achieve. Sometimes he's talking about eradicating "insecure" software. Sometimes all he's asking for is "more secure" software. It's very sloppy writing.
posted by cillit bang at 8:59 PM on October 20, 2005
posted by cillit bang at 8:59 PM on October 20, 2005
cilliit bang: I am a programmer. If I had time and budget to do more testing I know my software would probably have fewer bugs. Is this not what Schneier was arguing?
posted by Foaf at 9:25 PM on October 20, 2005
posted by Foaf at 9:25 PM on October 20, 2005
The problems of cross liability that you raise could be fairly dealt with and are under english consumer law.
For example, I buy a product from company A that is an amalgam of parts from companies B, C & D (think computer hardware). If it goes wrong then I sue Dell and not the amalgam of other companies CLearly, from a consumer perspective this could happen with software; the company made the choice to include software X from someone else so they take the liability for it.
Free software could be excluded from this as it could be incorporated into some sort of exception for non-commercial transactions.
But none of this will happen.
posted by lerrup at 11:30 PM on October 20, 2005
For example, I buy a product from company A that is an amalgam of parts from companies B, C & D (think computer hardware). If it goes wrong then I sue Dell and not the amalgam of other companies CLearly, from a consumer perspective this could happen with software; the company made the choice to include software X from someone else so they take the liability for it.
Free software could be excluded from this as it could be incorporated into some sort of exception for non-commercial transactions.
But none of this will happen.
posted by lerrup at 11:30 PM on October 20, 2005
If a car maker sold you a vehicle with bad locks, knowing that the locks were bad, and your car gets stolen, shouldn't you be allowed to hold the car maker liable?
posted by Rothko at 3:11 AM on October 21, 2005
posted by Rothko at 3:11 AM on October 21, 2005
If I had time and budget to do more testing I know my software would probably have fewer bugs.
Well, as I see it, your software is still going to have bugs either way, which you apparently deserve to be sued for. Bringing in the threat of legal action is a huge deal, and I think the effect will be that software developers put loads more resources into not being sued rather than improving security. As I said in my first comment, it's not like you can spent just a little more money and have something that's 100% secure.
posted by cillit bang at 4:48 AM on October 21, 2005
Well, as I see it, your software is still going to have bugs either way, which you apparently deserve to be sued for. Bringing in the threat of legal action is a huge deal, and I think the effect will be that software developers put loads more resources into not being sued rather than improving security. As I said in my first comment, it's not like you can spent just a little more money and have something that's 100% secure.
posted by cillit bang at 4:48 AM on October 21, 2005
Basically some company wants to sell me a product which turns out not to be fit for purpose and wants to have no responsibility for its failure.
The question should not be whether they should be liable or exempt from being liable but whether liability can be proven in any meaningful way.
posted by biffa at 5:25 AM on October 21, 2005
The question should not be whether they should be liable or exempt from being liable but whether liability can be proven in any meaningful way.
posted by biffa at 5:25 AM on October 21, 2005
You know, it's just the same old song...
- White house sez coders are to blame
- White house sez politicans are to blame
- White house sez abusive soldiers are to blame
- White house sez disloyal citizens are to blame
- White house sez liberal media are to blame
- White house sez freedom haters are to blame
- White house sez low morals are to blame
- White house sez poor mothers are to blame
Now was it Bragg or Guthrie that sang something like that?
posted by buzzv at 8:49 AM on October 21, 2005
- White house sez coders are to blame
- White house sez politicans are to blame
- White house sez abusive soldiers are to blame
- White house sez disloyal citizens are to blame
- White house sez liberal media are to blame
- White house sez freedom haters are to blame
- White house sez low morals are to blame
- White house sez poor mothers are to blame
Now was it Bragg or Guthrie that sang something like that?
posted by buzzv at 8:49 AM on October 21, 2005
If a car maker sold you a vehicle with bad locks, knowing that the locks were bad, and your car gets stolen, shouldn't you be allowed to hold the car maker liable?
Most locks -are- bad. Not so much the ignition but door locks tend to be fairly punchable. And lets not even talk about the windows. Hell, I drive a rag-top and I don't even lock the doors because the -top- is insecure.
The problem with drawing analogies between software and the physical world is that there aren't hordes of people lining up in the physical world to exploit weaknesses. If you had the same volume of people trying to break into your car as scanning for online vulnerabilities, you'd have a -lot- more break-ins.
The electronic world still doesn't have the law on its side yet -- its still evolving.
posted by Ogre Lawless at 3:51 PM on October 21, 2005
Most locks -are- bad. Not so much the ignition but door locks tend to be fairly punchable. And lets not even talk about the windows. Hell, I drive a rag-top and I don't even lock the doors because the -top- is insecure.
The problem with drawing analogies between software and the physical world is that there aren't hordes of people lining up in the physical world to exploit weaknesses. If you had the same volume of people trying to break into your car as scanning for online vulnerabilities, you'd have a -lot- more break-ins.
The electronic world still doesn't have the law on its side yet -- its still evolving.
posted by Ogre Lawless at 3:51 PM on October 21, 2005
Schmidt is an ex-Microsoft exec and is probably still connected with them.
When I first read this I thought, "this Schmidt guy seems like he's spent an evening or two reading about this 'software' thing, synthesizing his knowledge from the press of the 'security' problem with an incomplete understanding to create a 'solution' that won't work if you look at it too closely. Not quite there yet, my friend, but thanks for playing. A- for effort."
Then you pointed out he's a hack. Now it's just sad.
posted by Vetinari at 10:37 PM on October 22, 2005
When I first read this I thought, "this Schmidt guy seems like he's spent an evening or two reading about this 'software' thing, synthesizing his knowledge from the press of the 'security' problem with an incomplete understanding to create a 'solution' that won't work if you look at it too closely. Not quite there yet, my friend, but thanks for playing. A- for effort."
Then you pointed out he's a hack. Now it's just sad.
posted by Vetinari at 10:37 PM on October 22, 2005
« Older Super Mario World level editor | Art of the States Newer »
This thread has been archived and is closed to new comments
2.7.5 No Limit of Liability. THE MANUFACTURER WILL BE LIABLE TO YOU, OR ANY OTHER PERSON OR ENTITY, FOR ANY LOSS OF USE, REVENUE OR PROFIT, LOST OR DAMAGED DATA, OR OTHER COMMERCIAL OR ECONOMIC LOSS OR FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, STATUTORY, PUNITIVE, EXEMPLARY OR CONSEQUENTIAL DAMAGES WHATSOEVER RELATED TO YOUR USE OR RELIANCE UPON CD SERVICES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR IF SUCH DAMAGES ARE FORESEEABLE. THIS LACK OF LIMITATION SHALL APPLY EVEN IN THE EVENT OF A FUNDAMENTAL OR MATERIAL BREACH OR A BREACH OF THE FUNDAMENTAL OR MATERIALTERMS OF THIS AGREEMENT.
It's a cornerstone of software development that the manufacturer is not liable for your use of the product, no?
posted by mullingitover at 5:42 PM on October 20, 2005