Re: [ISN] If tech companies were liable for security holes, cyberspace would become safer

From: InfoSec News (isnat_private)
Date: Tue Feb 11 2003 - 22:31:03 PST

    Forwarded from: Kurt Seifried <kurtat_private>
    
    "That's unpossible!" (to quote "The Simpsons" (TM)).
    
    Let's examine this shall we:
    
    You can hold several sets of people responsible:
    
    The creator of the software. [software firm, open source project, etc.]
    The implementer of the software. [third party consultant, OEM vendor, end
    user, application hosting company, millions of possibilities]
    The administrator/user of the software. [can't say user because we now have
    web based apps, remote application hosting, etc.]
    
    So we hold the creator responsible. Cool, go to the source (bad pun!).
    Problems:
    Warranties and disclaimers of liability, you can bet we're going to court.
    What happens to OpenSource projects and other free software?
    How far do we go, must the software be 100% bug free? Any unintended
    behavior can potentially be a security flaw.
    How do we hold foreign software companies responsible?
    
    So we hold the implementers of the software responsible. Cool, these guys
    should know how to install it securely, right?
    What if the software can't be installed "securely", products have been found
    to contain hardcoded passwords, security bugs, even when you have the source
    and the ability to create new executable cannot simply be squashed, Bind,
    Sendmail, Apache, etc. have large amounts of code, understanding and
    auditing this is non-trivial to say the least.
    What if the client won't let them install it securely? This often happens,
    poor password policies, open firewalls, etc.
    
    So we hold the end user/administrator responsible. I mean this is the person
    buying it, they should make sure it's secure right?
    What if the end user/admin is not fully informed of the product, witness the
    "1234" passwords in a few tens of thousands of DSL modems that is poorly
    documented.
    What if the end user cannot afford a support contract for the updates, or has
    some other issue installing the updates (witness the recent Windows update
    only available to Internet Explorer, what happens if some security conscious
    person removed IE?).
    What if the end user does not have enough access to the product to properly
    secure it (i.e. closed source application with poor documentation?)
    What if the end user MUST configure it in a slightly insecure manner so that
    it actually fulfills the needed function?
    
    These are just a _few_ of the problems that come immediately to mind.
    
    Then we have this gem:
    
    > Companies view security as just any other business risk and make
    > security decisions to minimize costs, says Bruce Schneier, chief
    > technology officer of Counterpane Internet Security. As long as the
    > costs of ignoring security outweigh the benefits of extra security,
    > little will change.
    
    
    I think they meant to say "As long as the benefits of extra security
    outweigh the costs of ignoring security little will change" because that
    sentence makes no sense to me as it is.
    
    In any event we have the equation:
    
    Cost of insecurity < [cost of securing something - benefits of securing it]
    
    Which essentially boils down to "don't spend $100,000 to protect a $500
    asset" which can also be stated "risk management".  Well duh. Liability will
    increase the $cost_of_insecurity, but whether it will increase it enough to
    significantly change things remains to be seen.
    
    In any event liability laws would have to have so many exceptions/etc that
    they would be largely meaningless, if they were ironclad a lot of "innocent"
    people would get caught up in them as well.
    
    Oh and are we talking criminal liability here, or "simple" civil liability?
    If civil liability is the case then we already have laws in place that deal
    with this, I'm not sure we need more. For the people pointing out that
    warranties/etc disclaim all liability and that we need laws to deal with
    this that enters a whole new can of worms, such as OpenSource/ShareWare/Free
    software/etc.
    
    If you think of information/computer security along the lines of a public
    health problem it starts to make a LOT more sense.
    
    Kurt Seifried, kurtat_private
    A15B BEE5 B391 B9AD B0EF
    AEB0 AD63 0B4E AD56 E574
    http://seifried.org/security/
    
    
    
    


