RE: [ISN] Security expert: Make vendors liable for bad code

From: InfoSec News (alerts@private)
Date: Mon Feb 19 2007 - 01:28:33 PST

Forwarded from: Andrew Kalat <akalat (at)>

With all due respect to Mr. Schneier's great contributions to the world 
of encryption, perhaps he should steer clear of tort economics.

Today's security software is so complex, and so configurable, that 
administrators cause at least as many of their own headaches as does bad 
code. When liability and lawsuits start to fly, you're going to have a 
huge amount of vendor finger-pointing at the customer, alleging the 
customer mismanaged the firewall, or didn't patch, or didn't use a 
strong password, ad infinitum. The vendor, to assume any liability, 
would have to own the operation of their device. Much like a car maker 
is not liable if you crash into a huge brick wall, the vendor cannot be 
held responsible if you mismanage your IT infrastructure.

Credit card fraud is a simple, easily understood, problem. Securing 
computer systems is quite the opposite. Laying blame and assuming 
responsibility will cause nothing but pain for both sides (both 
customers and vendors) in this huge problem.

The free market is still the best determiner. If ultra-secure code were 
truly demanded, the market would create that need. Microsoft, to single 
out one vendor of many, feels tremendous pressure to secure their code. 
To say they suffer no consequence of the bad press and customer 
defections when they are insecure is simply not correct. This is doubly 
true of all security companies in the mix.

Not to borrow too liberally from political rhetoric, but this idea is a 
bit too much like IT via Socialism. I still prefer IT via capitalism, as 
that system has proved itself to me as the best influencer of society we 
have tried thus far. The same complaints about lack of care have been 
leveled at capitalism, but we seem to muddle along, self-correcting as 
necessary. Let's please not start an IT security hippy movement. ;)

Andrew Kalat

-----Original Message-----
From: isn-bounces (at) [mailto:isn-bounces (at)] On
Behalf Of InfoSec News
Sent: Thursday, February 15, 2007 3:09 AM
To: isn (at)
Subject: [ISN] Security expert: Make vendors liable for bad code

By Todd R. Weiss
February 14, 2007

NEW YORK -- When U.S. courts ruled more than a decade ago that consumers 
weren't liable for fraudulent use of their credit card numbers after the 
first $50, credit card companies -- which were left holding the huge 
bill -- took notice and dove into fighting fraud and losses.

That's the same approach needed now in the software industry to help 
drastically improve IT security, according to Bruce Schneier, a security 
expert, author and CTO of Mountain View, Calif.-based enterprise 
security vendor BT Counterpane. Today's more secure credit card systems 
were "built because the credit card companies were forced to assume the 
liability for fraud," Schneier said today at the opening keynote of the 
first LinuxWorld OpenSolutions Summit held here this week. "The trick 
here is to align responsibilities with capabilities."

A major problem with IT security, he said, is that even as new software 
patches and other fixes are posted, not every company or home user 
installs them. Instead, many users, both at work and at home, aren't 
motivated to keep up with security because vulnerabilities are often 
unseen, leaving them unaware that they are risking their own operations 
-- and the larger global system of networks, Schneier said.

"I think things are getting worse, not better," he said.


This archive was generated by hypermail 2.1.3 : Mon Feb 19 2007 - 01:34:15 PST