Forwarded from: Frank Knobbe <frank (at) knobbe.us>

On Mon, 2007-02-19 at 03:28 -0600, Andrew Kalat wrote:
> [...]
>
> Much like a car maker is not liable if you crash into a huge brick
> wall, the vendor cannot be held responsible if you mismanage your IT
> infrastructure.

But if the crash into the brick wall is caused by a steering wheel that fails to perform as advertised (and required to safely operate the vehicle), then the vendor is responsible.

Mr. Schneier's argument is based on the fact that consumers are waiving their rights by accepting the EULAs. If automakers were able to sell cars with a disclaimer that any malfunction is not their problem, I'm sure a lot of people would still buy cars from them, until the number of fatal crashes starts a flood of lawsuits and in the end causes a change in the law. That is the "next step" we, the consumers, need to take in regard to software security.

As you said, the free market will determine the outcome. But, although we live in a litigious society, the current environment just doesn't appear conducive for consumers to start litigation against software makers. For one, there is a knowledge barrier on the consumer side. There is also a far smaller pool of lawyers willing or able to take on these cases, probably because it is not well-charted and well-litigated territory (compared to, say, medical malpractice).

Your argument about finger-pointing in court is correct, but it's just par for the course. What we need is a mechanism that allows the consumer to demonstrate in court that the software, as bought and as configured as recommended, failed to perform the advertised function. Slashing through the legal jungle and points of configurability of software is tricky, but I believe we can still show that certain core parts of the software are faulty and thus do not perform as advertised, regardless of the configuration by the user.

But in the end, does the cause warrant all of this? A death of a human in a car accident may well change the law. But a partial loss of business in an enterprise? Probably not, as such losses are expected and covered through insurance. So what possible cause might warrant a change of law? Disclosure of your social security number? Hardly, as anyone can buy that information for $20 from a PI or other information broker. Loss of function of your home computer? Perhaps that can be covered with homeowner's insurance. Loss of life due to medical software malfunction? That might just be cause enough.

So, I partly agree with you. Capitalism will solve the problem through consumers using their buying power (by choosing software that doesn't produce a lot of loss). But I also agree with Mr. Schneier in that changes in the legal framework are required if any of the larger losses are to be tried in a court of law. Completely dismissing the need for a change in liability is certainly not the correct response. We don't need to start a fire outright, but we should allow for the opportunity of a spark.

Regards,
Frank

--
It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports.

______________________________________
Subscribe to the InfoSec News RSS Feed
http://www.infosecnews.org/isn.rss
This archive was generated by hypermail 2.1.3 : Mon Feb 19 2007 - 23:21:59 PST