Make vendors liable for exploits

Academics are calling for comprehensive security-breach notification in Europe and sanctions against ISPs that fail to clean up botnets as part of a series of measures designed to make insecure systems unprofitable. A paper commissioned by the European Network and Information Security Agency (ENISA) attempts to apply …

COMMENTS

This topic is closed for new posts.
  1. amanfromMars Silver badge
    Alien

    Going dDutch ...... IT's UnReal/Virtually Real.

    Might I suggest that Pioneering CyberSecurity XXXXPerts, who Volunteer 42 Allow Privileged OverSight of Control Parameters, be Paid to Build AI Virtual Operating System at the Quantum Level and in ITs Many Tributary Feeds.......... Basic Needs.

    Hackers and/or Crack Coders would like to Tempt U 42 Show ...... Global Leadership.

    A Sign just to Show Us All that you Know where We are All Going...... Boldly.

    Whenever the Internet is your Computer ie you Use the Internet as a Computer/Global Operating Device, there is nothing that you cannot do Perfectly Well.

    And for that one reason alone, IT is Well Worth the Magical Mystery Turing Trips ... :-) ...[which some may ponder and venture with XXXXTended Psychotic Episode, but that would AIMisDiagnosis if the Episodes are Part of a Chain/String.......... of ......... Being ... Consciousness.]

  2. Greg

    Might I suggest?

    Might I suggest that you post something relevant and with at least a tiny bit of sense rather than a litany of words that translate into meaningless sentences?

  3. Jason DePriest
    Heart

    he has spoken

    amanfromMars once again astounds us with his amazingly insightful comments

    woe unto those who are too underevolved to understand the wisdom contained in the few crumbs he allows to fall to our waiting, ravenous maws

    whether advanced bot or schizophrenic geek, amanfromMars is the way to enlightenment

  4. Ash

    @Greg; amanfromMars translation

    "Might I suggest that Pioneering CyberSecurity XXXXPerts, who Volunteer 42 Allow Privileged OverSight of Control Parameters, be Paid to Build AI Virtual Operating System at the Quantum Level and in ITs Many Tributary Feeds.......... Basic Needs."

    Give the specs to the experts in cyber security, listen to their input, and build a decent system from the ground up. Don't listen to bespoke manufacturers "almost does it" solutions.

    "Hackers and/or Crack Coders would like to Tempt U 42 Show ...... Global Leadership.

    A Sign just to Show Us All that you Know where We are All Going...... Boldly."

    The informed of us are concerned with the direction you're taking us in regarding surveillance. Prove that it's not all smoke and mirrors, and this will actually help protect us without stripping us of even MORE liberty.

    "Whenever the Internet is your Computer ie you Use the Internet as a Computer/Global Operating Device, there is nothing that you cannot do Perfectly Well."

    Open platforms are the way forward. Peer review keeps everyone happy. Let us see what you're doing, so we understand the mechanisms. Maybe we can help make it better?

    "And for that one reason alone, IT is Well Worth the Magical Mystery Turing Trips ... :-) ...[which some may ponder and venture with XXXXTended Psychotic Episode, but that would AIMisDiagnosis if the Episodes are Part of a Chain/String.......... of ......... Being ... Consciousness.]"

    You will always have ney-sayers (don't know how to spell that particular phrase, sorry!), but out of the few which are tin-foil hat wearing schizophrenics who vent at there being CCTV at the front of shops, there will be some who actually have a decent amount of input to give you. Strip out the tripe and listen to the people who make sense, but don't dismiss us all as 12 year olds with chips on our shoulders because a nameless few want to ruin it for everyone else.

    Happy?

    (Some of this may be wrong, but I'm doing the best I can!)

  5. Ash
    Joke

    @Me... A bit of a misunderstanding!

    I was considering amanfromMars's comments in the context of the TruVision T-wave camera article. I am a fool.

    Seems that amfM can be interpreted in many ways...! Is he Jesus?

  6. Sceptical Bastard
    Alien

    @ Greg

    You can suggest - but you'll be wasting your breath. That troll always posts gibberish.

    Oddly, his infantile spastic jabs over the keyboard seem to have won him fans among El Reg readers. And, even more oddly, his posts slip through Vulture Central's moderation.

    Ignore him. At worst, he's merely a minor nuisance, just a bit more irrelevant white noise on the network

  7. Godwin Stewart
    Flame

    ISPs cleaning up their act?

    Are they about to break the deadlock that I described in this article a while back?

    http://blog.lamproie.eu/themes/blog.php?id=10

    I'll believe it when I see it.

    Cynically yours,

  8. amanfromMars Silver badge
    Thumb Up

    Relevance Provided. ........ In Parallel Relativity Matters/Memes

    A few Words that are Worth a Thousand Pictures, Greg.

    A Japanese IntelAIgents Thing...... An EMPathy with the Rising Sun Houses .... Lovers Domains and Dominions.

    You know how Really Clever they are at Games...... Wanna Bet that they haven't Virtualised Reality Beautifully?

  9. A J Stiles
    Linux

    Be Sure it's Safe

    One of the best ways to ensure that the software that you use is safe and secure is to show the Source Code to several independent experts of your own choosing, who are unconnected with the software itself or any of its competitors.

    Any product whose vendor is unwilling to allow you to do this should be dismissed instantly as insecure.

  10. Karl Lattimer
    Happy

    Wouldn't this be an economic nightmare...

    For Microsoft?

    If vendors are made responsible for their security in way of fines or sanctions, then surely MS would be broke in a week.

    Roll on the legislation

  11. lglethal Silver badge
    Coat

    Analogy with car industry

    I don't believe very many companies would be willing to give their code to independent sources for verification as suggested by AJ Stiles. This is because code is usually proprietary, expensive to develop and protected IP that companies will go a long way to keep secret.

    If you make the assumption that your software code is like a car, the car manufacturer is not going to give all of the details of the car, its manufacture, new technologies and design criteria to another independent car manufacturer just to prove that it's safe. As that would soon see a very similar car out on the market probably at a much cheaper price because the 2nd company doesn't need to develop the technologies independently.

    What happens instead is that the car manufacturers join forces and have an independent regulatory body that the car details are provided to and who make a decision on just how safe the car is (usually by crashing it into a brick wall at high speed).

    What the software industry needs is a single independent qualification body that will accept code, maintain that code's secrecy, test the code and then award appropriate security qualifications which the whole industry accepts. If the code is particularly bad, it will be rejected as unsafe and can't be released until fixed. This would need all software companies to sign up to it and abide by it (which will probably render it nothing more than a flight of my imagination) but it would be a good solution to the problem of poor security in programs.

  12. Keith T
    Gates Horns

    Liability -- The end of freeware

    If vendors, authors and testers are made liable for the bugs in their software, contributors to freeware and people who make free contributions to open source will find themselves liable for lines of code and algorithms that they gave away for free, and for testing they did on charitable basis.

    I'd expect non-employee authors, testers and project managers would be jointly and severally liable, meaning that basically all the authors, testers and project managers would be responsible for the final product. A user would be entitled to bankrupt each contributor to the product until sufficient funds were acquired to cover his loss due to the vulnerability. (Employees are generally protected from liability for work they do for their employer by the employer. The employer assumes responsibility and liability for their work, and arranges insurance for themselves.)

    On a second note, to AJ, the infallibility of open source is just a myth the newbies and hobbiests spout. Lots of open source products have vulnerabilities.

  13. Slaine
    Boffin

    I think I actually understood amanfrommars, what hope have I?

    Ah haaaaa... YES. IF software is SOLD (ie if financial transaction occurs, where one party benefits from funds from a trusting consumer, the exchange of monetary units) then there bloody ought to be some recourse to obtain for the hapless soul financial compensation, especially should that software later prove to be a: not as described, b: unstable, c: a security risk, d: detrimental to ANY previously installed software or, the catch all - NOT FIT FOR THE PURPOSE for which it was advertised/sold/purchased.

    AND - if software is "beta", or "glitchy", or "inconsistent" or due for patching straight after launch, or in need of constant updates... it is, at BEST "untested" and therefore should be FREE (for testing purposes).

    Arrrrrrrhemm... anything springing to mind, Mr W. Gates 3rd.

  14. A J Stiles
    Flame

    Open Source = no liability

    Ah, the anti-Open Source crowd have crawled out from beneath their little stones to spout their misinformation! (The inability to spell "hobbyist", and its use as a pejorative, is a good clue. It is well known that anything motivated primarily by external reward tends to be done to a lower standard than something similar done primarily for the love of doing it.)

    Source Code is the absolute best way of telling a (knowledgeable) user *exactly* what a program does, warts and all; because Source Code *is* the program, just presented in a more human-friendly form. If a program can cause something to happen, then a thorough examination of the Source Code will reveal under exactly what circumstances it can happen.

    To put it quite simply, if a program is doing anything other than *exactly* what the Source Code says it should do, then it must be the fault of the compiler / interpreter or the computer itself.

    Open Source authors, therefore, absolutely will *not* be held liable for anything that happens as a consequence of people running code they have written. Because as long as the user has been given the opportunity to examine the Source Code, and warned to assess its suitability for a particular purpose before proceeding, if they went ahead and did so anyway then whatever happens next is their own responsibility. If you are in full possession of the facts, then you cannot plead ignorance.

    Authors of freeware -- software which is distributed gratis but as binary executables only -- would, however, be in exactly the position that you describe. And shed them no tears; if they are giving away binary executables gratis, they would have nothing to lose by giving away the Source Code as well.

    The enormous disservice done to users by keeping Source Code secret from them would cease to be economically viable in a good many cases: many would find it cheaper simply to supply users with the Source Code and an exhortation not to copy it -- withholding the Source Code has done precisely nothing to prevent unauthorised copying of Microsoft Windows and Office -- than to insure themselves against the potential liability associated with concealing the Source Code.

    And to answer lglethal's point, nothing that a piece of software does is particularly "special" and just because a program took you a long time to write, doesn't mean it's worth anything. Keeping secrets is a sign that you have little confidence in your own abilities. I do not believe that people would have due cause to say nasty things about the code that I write; therefore, I am quite prepared to show it to them. I would stand to gain precisely nothing by concealing it anyway; because what any program is supposed to do is evident, and somebody else could always write their own program to do the same thing (and, of course, they would then have the Source Code, and so be in a position to ruin me by distributing that. Given a choice between two programs which perform identical functions, one supplied with Source Code is obviously more desirable than one supplied without Source Code).

  15. amanfromMars Silver badge
    Alien

    Lead Protocols/Social Graces

    "I think I actually understood amanfrommars, what hope have I?

    By Slaine Posted Tuesday 11th March 2008 09:42 GMT

    Eternal, Slaine. :-) ........ For LIFE in Open Lives....... Shared Pleasures BEST Constantly ReTested ........ for Continuity and Fitness for Purpose.

  16. Chris C

    Stupid, dangerous, and slippery slope

    How can you possibly place fault with the vendor over unpatched software? It is the USER (the computer's OWNER) who determines when and if he/she wants to patch the software. It is NOT anybody else's decision. You cannot blame the software vendor for the actions or inactions of the software user.

    Even if you only want to hold vendors responsible for vulnerabilities for which they have not yet released a patch (regardless of whether users have installed released patches or not), that's a bad idea as well. As stated above, it will almost completely kill freeware, shareware, and FOSS. And if you think software is expensive now, just wait until the vendors have to buy risk insurance to cover the possibility of vulnerabilities.

    As for ISPs, how can you possibly blame the ISP for something their customer does? Do we blame Verizon when bad people communicate through the telephone? Do we blame Verizon Wireless, Sprint/Nextel, or AT&T when a cell phone is used to remotely detonate explosives? Did we blame the Postal Service when anthrax was sent through the mail? No, no, and no. So why would we blame ISPs if their customers purposely or unknowingly do something bad?

  17. Slaine
    Gates Horns

    blame game, but...

    ...is it not the failure to provide a "working" solution that is under the proverbial eyeglass here?

    I understand perfectly the need to correct an unforeseen error, particularly when that error might later result in a loss of credibility, reliability or even life; but I will always balk at being charged top dollar for what amounts to a car for which claims are made that it will do 250mph... but only if you forego on the warranty once you go over 50mph and, regardless, tolerate a tendency to stall randomly, change gear without warning and which will, on occasion, dump the contents of the sump over one's favourite petunias. If the car was free, I'd still be in a position to complain bitterly about the cost of fuel and the state of the road.

    ...Oh Chris C, good points but in the good ole' EULA you will find that it is NOT the owner who decides when and how to patch their computer.

  18. yeah, right.

    @ Chris C

    If the ISP wants to get rid of net neutrality and get people to pay more for different types of traffic, and wants to be able to filter traffic to suit themselves, then they also take on the liabilities of no longer being a "common carrier". That includes, but is not limited to, liability for allowing harmful traffic over their network.

    If, however, they agree to be completely neutral to any type of traffic then they should be protected, like the phone companies.

    Their choice. Their move.

  19. Andrew Molyneux
    Stop

    @A J Stiles

    I'm generally in favour of open source myself, and I agree with a lot of what you're saying, but some of what you've said seems unsupportable to me.

    "Open Source authors, therefore, absolutely will *not* be held liable for anything that happens as a consequence of people running code they have written"

    This would very much depend on how the law ends up being written. Open source authors certainly *should* not be held liable, for the reasons you cite, but that ain't necessarily what will happen.

    "Authors of freeware -- software which is distributed gratis but as binary executables only -- would, however, be in exactly the position that you describe. And shed them no tears; if they are giving away binary executables gratis, they would have nothing to lose by giving away the Source Code as well."

    Well, that depends. For example, what if the code was written based on information received under NDA, or includes 3rd-party source code the author is not free to redistribute?

    "I would stand to gain precisely nothing by concealing it anyway; because what any program is supposed to do is evident, and somebody else could always write their own program to do the same thing"

    What the program is supposed to do might be evident, but HOW it does it often isn't. Even if you have both the "what" and the "how", it still takes time to design and construct the software. By concealing their source code, proprietary software companies gain quite a lot; their competitors (open source or otherwise) will need to invest considerable time and human resources to catch up. You're not seriously asserting that this isn't the case, are you?

  20. lglethal Silver badge
    Thumb Down

    @ AJ Stiles

    I honestly cannot agree with some of your comments AJ.

    Firstly, assume you've spent 3 months creating a program. That's 3 months worth of research, development, testing and writing. All of which costs you money. So naturally, you have to sell that program at a price that allows you to recoup the money it took you to develop the product over the previous 3 months.

    If you then hand that finished open source code to someone else and they go along and reverse engineer it, edit all the comments that say you wrote it to say that they wrote it, maybe add a couple of minor changes in function to make it a tiny bit less obvious that it is just your rebadged code. Say this process takes only one month. They can then price their rebadged product so that they only need to recoup one month's costs. This will obviously make them a LOT cheaper. Sure they'll be a month behind you but when the difference in product cost is 1/3 you're going to lose a lot of money.

    Most closed source products AREN'T because a company is trying to hide bad code but because they're trying to prevent competitors gaining an unfair advantage by being able to copy their products without going through the months/years of product development that they had to pay for.

  21. Rich
    Unhappy

    Why not let people choose

    People should be able to choose the level of security they want and buy products accordingly. The level of *loss* from security issues is vastly exaggerated - usually by people like Sophos and Symantec who have a vested interest.

    I haven't seen an actual live security problem since 2000 and the Chinese website defacing.
