Forwarded from: Andrew Kalat <akalat (at) lerg.org>

With all due respect to Mr. Schneier's great contributions to the world of encryption, perhaps he should steer clear of tort economics. Today's security software is so complex, and so configurable, that administrators cause at least as many of their own headaches as does bad code. When liability and lawsuits start to fly, you're going to have a huge amount of vendor finger-pointing at the customer, alleging the customer mismanaged the firewall, or didn't patch, or didn't use a strong password, ad infinitum. The vendor, to assume any liability, would have to own the operation of their device. Much like a car maker is not liable if you crash into a huge brick wall, the vendor cannot be held responsible if you mismanage your IT infrastructure.

Credit card fraud is a simple, easily understood problem. Securing computer systems is quite the opposite. Laying blame and assuming responsibility will cause nothing but pain for both sides (both customers and vendors) in this huge problem.

The free market is still the best determiner. If ultra-secure code were truly demanded, the market would create that need. Microsoft, to single out one vendor of many, feels tremendous pressure to secure their code. To say they suffer no consequence of the bad press and customer defections when they are insecure is simply not correct. This is doubly true of all security companies in the mix.

Not to borrow too liberally from political rhetoric, but this idea is a bit too much like IT via Socialism. I still prefer IT via capitalism, as that system has proved itself to me as the best influencer of society we have tried thus far. The same complaints about lack of care have been leveled at capitalism, but we seem to muddle along, self-correcting as necessary. Let's please not start an IT security hippy movement.
;)

Andrew Kalat

-----Original Message-----
From: isn-bounces (at) infosecnews.org [mailto:isn-bounces (at) infosecnews.org] On Behalf Of InfoSec News
Sent: Thursday, February 15, 2007 3:09 AM
To: isn (at) infosecnews.org
Subject: [ISN] Security expert: Make vendors liable for bad code

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9011271

By Todd R. Weiss
February 14, 2007
Computerworld

NEW YORK -- When U.S. courts ruled more than a decade ago that consumers weren't liable for fraudulent use of their credit card numbers after the first $50, credit card companies -- which were left holding the huge bill -- took notice and dove into fighting fraud and losses.

That's the same approach needed now in the software industry to help drastically improve IT security, according to Bruce Schneier, a security expert, author and CTO of Mountain View, Calif.-based enterprise security vendor BT Counterpane.

Today's more secure credit card systems were "built because the credit card companies were forced to assume the liability for fraud," Schneier said today at the opening keynote of the first LinuxWorld OpenSolutions Summit held here this week. "The trick here is to align responsibilities with capabilities."

A major problem with IT security, he said, is that even as new software patches and other fixes are posted, not every company or home user installs them. Instead, many users, both at work and at home, aren't motivated to keep up with security because vulnerabilities are often unseen, leaving them unaware that they are risking their own operations -- and the larger global system of networks, Schneier said.

"I think things are getting worse, not better," he said.

[...]

______________________________________
Subscribe to the InfoSec News RSS Feed
http://www.infosecnews.org/isn.rss
This archive was generated by hypermail 2.1.3 : Mon Feb 19 2007 - 01:34:15 PST