RE: [ISN] Security expert: Make vendors liable for bad code

From: InfoSec News (alerts@private)
Date: Mon Feb 19 2007 - 23:15:06 PST

Forwarded from: Frank Knobbe <frank (at)>

On Mon, 2007-02-19 at 03:28 -0600, Andrew Kalat wrote:

> [...] 
> Much like a car maker is not liable if you crash into a huge brick 
> wall, the vendor cannot be held responsible if you mismanage your IT 
> infrastructure.

But if the crash into the brick wall is caused by a steering wheel that 
fails to perform as advertised (and required to safely operate the 
vehicle), then the vendor is responsible.

Mr. Schneier's argument is based on the fact that consumers are 
waiving their rights by accepting the EULAs. If automakers were able 
to sell cars with a disclaimer that any malfunction is not their 
problem, I'm sure a lot of people would still buy cars from them, until 
the number of fatal crashes starts a flood of lawsuits and in the end 
causes a change in the law. That is the "next step" we, the consumers, 
need to take in regard to software security. As you said, the free 
market will determine the outcome.

But, although we live in a litigious society, the current environment 
just doesn't appear conducive for consumers to start litigation against 
software makers. For one, there is a knowledge barrier on the consumer 
side. There is also a far smaller pool of lawyers willing or able to 
take on these cases, probably because it is not well-charted and 
well-litigated territory (compared to, say, medical malpractice). Your 
argument about finger-pointing in court is correct, but it's just par 
for the course. What we need is a mechanism that allows the consumer to 
demonstrate in court that the software, as bought and as configured as 
recommended, failed to perform the advertised function. Slashing through 
the legal jungle and points of configurability of software is tricky, 
but I believe we can still show that certain core parts of the software 
are faulty and thus do not perform as advertised, regardless of the 
configuration by the user.

But in the end, does the cause warrant all of this? A death of a human 
in a car accident may well change the law. But a partial loss of 
business in an enterprise? Probably not, as such losses are expected and 
covered through insurance. So what possible cause might warrant a change 
of law? Disclosure of your social security number? Hardly, as anyone can 
buy that information for $20 from a PI or other information broker. Loss 
of function of your home computer? Perhaps that can be covered with 
homeowners' insurance. Loss of life due to medical software malfunction? That 
might just be cause enough.

So, I partly agree with you. Capitalism will solve the problem through 
consumers using their buying power (by choosing software that doesn't 
produce a lot of loss). But I also agree with Mr. Schneier in that 
changes in the legal framework are required if any of the larger losses 
are to be tried in a court of law. Completely dismissing the need for a 
change in liability is certainly not the correct response. We don't need 
to start a fire outright, but we should allow for the opportunity of a 


It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.

This archive was generated by hypermail 2.1.3 : Mon Feb 19 2007 - 23:21:59 PST