Forwarded from: Kurt Seifried <kurtat_private>

"That's unpossible!" (to quote "The Simpsons" (TM)). Let's examine this, shall we:

You can hold several sets of people responsible:

The creator of the software. [software firm, open source project, etc.]

The implementer of the software. [third party consultant, OEM vendor, end user, application hosting company, millions of possibilities]

The administrator/user of the software. [can't say user because we now have web based apps, remote application hosting, etc.]

So we hold the creator responsible. Cool, go to the source (bad pun!). Problems:

Warranties and disclaimers of liability: you can bet we're going to court.

What happens to OpenSource projects and other free software?

How far do we go, must the software be 100% bug free? Any unintended behavior can potentially be a security flaw.

How do we hold foreign software companies responsible?

So we hold the implementers of the software responsible. Cool, these guys should know how to install it securely, right?

What if the software can't be installed "securely"? Products have been found to contain hardcoded passwords and security bugs; even when you have the source and the ability to create new executables, these cannot simply be squashed. Bind, Sendmail, Apache, etc. have large amounts of code, and understanding and auditing this is non-trivial to say the least.

What if the client won't let them install it securely? This often happens: poor password policies, open firewalls, etc.

So we hold the end user/administrator responsible. I mean, this is the person buying it, they should make sure it's secure, right?

What if the end user/admin is not fully informed of the product? Witness the "1234" passwords in a few tens of thousands of DSL modems that is poorly documented.

What if the end user cannot afford a support contract for the updates, or has some other issue installing the updates (witness the recent Windows update only available to Internet Explorer; what happens if some security conscious person removed IE?).

What if the end user does not have enough access to the product to properly secure it (i.e. closed source application with poor documentation)?

What if the end user MUST configure it in a slightly insecure manner so that it actually fulfills the needed function?

These are just a _few_ of the problems that come immediately to mind. Then we have this gem:

> Companies view security as just any other business risk and make
> security decisions to minimize costs, says Bruce Schneier, chief
> technology officer of Counterpane Internet Security. As long as the
> costs of ignoring security outweigh the benefits of extra security,
> little will change.

I think they meant to say "As long as the benefits of extra security outweigh the costs of ignoring security little will change" because that sentence makes no sense to me as it is. In any event we have the equation:

Cost of insecurity < [cost of securing something - benefits of securing it]

Which essentially boils down to "don't spend $100,000 to protect a $500 asset", which can also be stated as "risk management". Well, duh. Liability will increase the $cost_of_insecurity, but whether it will increase it enough to significantly change things remains to be seen. In any event, liability laws would have to have so many exceptions/etc. that they would be largely meaningless; if they were ironclad, a lot of "innocent" people would get caught up in them as well. Oh, and are we talking criminal liability here, or "simple" civil liability?

If civil liability is the case then we already have laws in place that deal with this; I'm not sure we need more. For the people pointing out that warranties/etc. disclaim all liability and that we need laws to deal with this: that enters a whole new can of worms, such as OpenSource/ShareWare/Free software/etc.

If you think of information/computer security along the lines of a public health problem it starts to make a LOT more sense.

Kurt Seifried, kurtat_private
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/

-
ISN is currently hosted by Attrition.org
This archive was generated by hypermail 2b30 : Wed Feb 12 2003 - 00:34:15 PST