Vendors held liable for security holes in products? (S5E3)
40 posts • Page 1 of 3 • 1, 2, 3
Aq - LugRadio Presenter
- Posts: 2233
- Joined: Mon Mar 01, 2004 4:38 pm
Vendors held liable for security holes in products? (S5E3)
As per Season 5 episode 3, should software vendors be held responsible for security holes in their products? You've heard what we think: tell us your thoughts!
- lord_rel
- New to the freak show
- Posts: 73
- Joined: Tue May 08, 2007 12:28 pm
Re: Vendors held liable for security holes in products? (S5E3)
The discussion confused physical, financial and mental damages.
Cars and washing machines that might cause physical damages are obvious, but the damages from common software security problems (zombification) of getting a slow machine, being blacklisted for sending spam and getting malware installed are not clear; considering the amount of zombies it seems that people are not aware of the software being a problem, or don't care and suffer. Financial and mental (damn American litigation system) damages are the only ones that would make sense.
Since many of the security problems are caused by the user doing stupid things such as opening mail attachments from unknown senders, installing software from dubious origins and not using any security software, it could be considered that those damages are self-inflicted.
It could be applied for vendors not fixing well-known bugs or providing patches or upgrades in a timely fashion, and it could provide an exemption for open source software that gives the user an option to fork and fix bugs, as the source is available for anyone to fix.
Aq - LugRadio Presenter
- Posts: 2233
- Joined: Mon Mar 01, 2004 4:38 pm
Re: Vendors held liable for security holes in products? (S5E3)
lord_rel wrote:since many of the security problems are caused by the user doing stupid things such as opening mail attachments from unknown senders, installing software from dubious origins and not using any security software it could be considered that those damages are self-inflicted.
it could be applied for vendors not fixing well-known bugs or providing patches or upgrades in a timely fashion, and it could provide an exemption for open source software that gives the user an option to fork and fix bugs as the source is available for anyone to fix.
Think about washing machines again. If I buy a washing machine and it explodes, the manufacturer is liable. If I buy a washing machine second-hand and it explodes because of some design flaw then the manufacturer is still liable. In a similar way, if I download software from "dubious origins", the manufacturer of that software could still be held as liable, no matter where I got it from. If your point is not that I got legitimate software from a dubious place, but that the software I got was itself dubious, then the manufacturer of that software could still be liable.
In a similar way, an exemption for open source software seems like wishful thinking to me. If my washing machine comes with a full schematic and manual, and it explodes, the manufacturer can't disclaim liability.
I'm not necessarily sure that I think that the idea of liability is a good idea, but I think it's something worth thinking about.
Aq.
- chrisp
- LugRadio Presenter
- Posts: 93
- Joined: Tue May 08, 2007 8:58 pm
- Location: Here
Re: Vendors held liable for security holes in products? (S5E3)
This is one of those things that looks like a really cool idea until you get past the Microsoft bashing and try to actually frame a law to do it that doesn't kill the free (and most of the commercial) software community stone dead while everyone goes through every line of code looking for security flaws. OpenBSD have done this and still get a security hole every 5 years or so; when any flaw could bankrupt you personally, would you take the risk? Most developers wouldn't, and most small to medium sized companies, which would be bankrupted by lawyers' fees even if they won, wouldn't either.
The alternative is it has the kind of loopholes that you can drive a truck through.
"I got hacked so I'm going to sue you." "Did you have a firewall like it says in paragraph 7 sub-paragraph 32 clause 17 - 'A user must make every reasonable measure to secure their system'?" "Yes." "Ahh well, if you set it up right you wouldn't have been hacked, so that's your fault; we win and you pay our costs."
You could exempt software for which source code was available on the grounds that it was impossible to tell if the developer introduced the flaw or the user themselves, but I'm not sure that would do anything except get a lot of code published under "look but don't touch" licenses that wouldn't help us at all.
mrben - Unbelievable LugRadio community master
- Posts: 3236
- Joined: Wed Mar 10, 2004 10:27 am
- Location: Glasgow
Re: Vendors held liable for security holes in products? (S5E3)
This is why EULAs exist in the first place. The vendor "accepts no liability" appears on pretty much every license agreement, _including_ free software licenses.
Aq - LugRadio Presenter
- Posts: 2233
- Joined: Mon Mar 01, 2004 4:38 pm
Re: Vendors held liable for security holes in products? (S5E3)
mrben wrote:This is why EULAs exist in the first place. The vendor "accepts no liability" appears on pretty much every license agreement, _including_ free software licenses.
Agreed. And EULAs are (debatably) legal at the moment. However, for real physical items (washing machines again!) the vendor is legally prohibited from disclaiming liability; the question is "would it be a good idea to also enforce this on software"?
- morchuboo
- New to the freak show
- Posts: 8
- Joined: Fri Jul 22, 2005 11:19 am
- Location: London, UK
Re: Vendors held liable for security holes in products? (S5E3)
I think that if such a law was passed it would certainly be the end of the "release early, release often" paradigm, as people would not be willing to release programs that by the paradigm's definition are not final versions.
garwaymatt - Knows their stuff
- Posts: 244
- Joined: Sun Jan 01, 2006 7:55 pm
- Location: Hereford
Re: Vendors held liable for security holes in products? (S5E3)
A potential way around this theoretical problem would be to keep everything in beta, as surely then it would be a testing version that just happens to be used by a lot of people (Gmail, anyone?).
Also, there may be an issue with trying to get this adopted worldwide, as different countries have varying views on software. I think the laws would be too fragmented for it to have any real effects.
Linux just works, unless you are a stupid lazy ignorant bastard. Windows and Macs both suck ducks cock.--George Martin (in a email to lugradio)
- tingyster
- New to the freak show
- Posts: 1
- Joined: Tue Oct 23, 2007 4:43 pm
Re: Vendors held liable for security holes in products? (S5E3)
I think that if you pay for it the vendors should be liable. If you're using some open source software and it crashes and creates damages, the vendor should not be liable. If you want someone to be responsible for the damages that you have suffered, then use the alternative that you do need to pay for and have peace of mind. It should be a type of customer support feature. It's like: OK, our software cost you money, then it screwed up, OK, we'll support our software. If open source software screws up, don't seek compensation for the damages; you didn't even pay for the software in the first place. It all comes down to choice really: if you choose to use Linux then you shouldn't seek compensation because it was free to begin with. But if you choose to use Microsoft and it causes damages, they should back up their sale and pay for damages. If a software distributor wants to sell you software that you could get for free, they should provide some sort of peace of mind. When you look at the example of the washing machine, you bought the machine, so the company should support their product.
- Allix
- Concerningly committed to LugRadio
- Posts: 999
- Joined: Wed Nov 22, 2006 2:23 am
Re: Vendors held liable for security holes in products? (S5E3)
Xyz piece of software is discovered to have a security vulnerability; the developers have xyz days to fix the software or face a punishment if the fix is not delivered in time. The length of time and punishment is something that can be debated on each circumstance.
This way it would seem fair. Programming secure software is an art; given a realistic time to fix the flaw, software flaws would be fixed instead of being ignored, and everyone would benefit from secure software in the long run...
Арте́льный горшо́к гу́ще кипи́т
Working as a team produces better results
Russian Proverb
mrben - Unbelievable LugRadio community master
- Posts: 3236
- Joined: Wed Mar 10, 2004 10:27 am
- Location: Glasgow
Re: Vendors held liable for security holes in products? (S5E3)
Allix wrote:Xyz piece of software is discovered to have a security vulnerability; the developers have xyz days to fix the software or face a punishment if the fix is not delivered in time. The length of time and punishment is something that can be debated on each circumstance.
This way it would seem fair. Programming secure software is an art; given a realistic time to fix the flaw, software flaws would be fixed instead of being ignored, and everyone would benefit from secure software in the long run...
As was pointed out in the show, actually, financial figures are usually based on damages, not necessarily on the fact that a flaw was discovered. In the situation you describe, what you would end up with is companies deliberately attempting to find flaws in their competitors' products, hoping that they would fail to fix them in time, resulting in a fine. While this would lead to bulletproof software, it would probably also result in a reduction of software companies.
- mikeb01
- New to the freak show
- Posts: 49
- Joined: Mon Jul 25, 2005 10:07 pm
Re: Vendors held liable for security holes in products? (S5E3)
I wonder if, rather than making the distributor liable for damages, the organisation that sells a support contract for the software should be liable.
- Most large ISVs (e.g. Microsoft, IBM, etc.) already sell support contracts on top of license fees, so many existing users would be covered
- It provides a workable business model for "Open Source Companies" such as Canonical and Red Hat, which generally don't have license fees. I assume that any insurance premiums would go up with respect to the number of customers a company has, because the probability of damage being incurred by one of your customers is much higher. By basing the liability on a support contract, the organisation has an income that it can use to cover the increased insurance premium
- It doesn't penalise independent F/OSS developers
- The user/customer then also assumes a level of responsibility for ensuring that their critical systems are covered
Another side issue is, how do you determine if the vendor is really liable? Does it come down to proving that the designers of the software were negligent? What happens if the customer sets up the software in a manner that is insecure (e.g. disables secure authentication)?
Mike.
Aq - LugRadio Presenter
- Posts: 2233
- Joined: Mon Mar 01, 2004 4:38 pm
Re: Vendors held liable for security holes in products? (S5E3)
mikeb01 wrote:Another side issue is, how do you determine if the vendor is really liable? Does it come down to proving that the designers of the software were negligent? What happens if the customer sets up the software in a manner that is insecure (e.g. disables secure authentication)?
Absolutely you have to prove it. I don't want to keep harping back to washing machines, but exactly the same process takes place with physical devices; if my washing machine blows up and destroys my house, I have to sue and demonstrate that the manufacturer was negligent, and they'll be trying to prove that I set it up incorrectly.
- Mez
- New to the freak show
- Posts: 72
- Joined: Tue Jun 21, 2005 6:05 pm
Re: Vendors held liable for security holes in products? (S5E3)
November 2000 -- National Cancer Institute, Panama City. In a series of accidents, therapy planning software created by Multidata Systems International, a U.S. firm, miscalculates the proper dosage of radiation for patients undergoing radiation therapy.
Multidata's software allows a radiation therapist to draw on a computer screen the placement of metal shields called "blocks" designed to protect healthy tissue from the radiation. But the software will only allow technicians to use four shielding blocks, and the Panamanian doctors wish to use five.
The doctors discover that they can trick the software by drawing all five blocks as a single large block with a hole in the middle. What the doctors don't realize is that the Multidata software gives different answers in this configuration depending on how the hole is drawn: draw it in one direction and the correct dose is calculated, draw in another direction and the software recommends twice the necessary exposure.
At least eight patients die, while another 20 receive overdoses likely to cause significant health problems. The physicians, who were legally required to double-check the computer's calculations by hand, are indicted for murder.
From: http://www.wired.com/software/coolapps/ ... rentPage=2
[EDIT]Lots more can be found here: http://www.cs.tau.ac.il/~nachumd/horror.html[/edit]
- Allix
- Concerningly committed to LugRadio
- Posts: 999
- Joined: Wed Nov 22, 2006 2:23 am
Re: Vendors held liable for security holes in products? (S5E3)
mrben wrote:As was pointed out in the show, actually, financial figures are usually based on damages, not necessarily on the fact that a flaw was discovered. In the situation you describe, what you would end up with is companies deliberately attempting to find flaws in their competitors' products, hoping that they would fail to fix them in time, resulting in a fine. While this would lead to bulletproof software, it would probably also result in a reduction of software companies.
Presuming each competitor has to fix this bug, I don't see how this would necessarily reduce the amount of software companies; would it not just make the release cycles longer?
Арте́льный горшо́к гу́ще кипи́т
Working as a team produces better results
Russian Proverb