lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <200308261657.h7QGvU0T070841@mailserver3.hushmail.com>
From: dhtml at hush.com (dhtml@...h.com)
Subject: GOOD: A legal fix for software flaws?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We need to hear more of this type of noise. Unleash the repo man on the
puppy mill owner and his cohorts.


http://news.com.com/2100-1002_3-5067873.html?tag=fd_lede2_hed

A legal fix for software flaws?


By Declan McCullagh
Staff Writer, CNET News.com
August 26, 2003, 4:00 AM PT


Thomas Leavitt, a system administrator and veteran of three Silicon Valley
start-ups, has dealt with computer worms and viruses before.
But the severity of last week's Sobig.F and MSBlast.D attacks got him
thinking harder than ever about a cure. Finding and punishing their anonymous
authors would be a start. But shouldn't Microsoft also be partly to blame?


"Civil engineers very rarely make a mistake, and when they do it's a
career-ending one," Leavitt said. "The software we're using at this point
has the potential to create damage as bad or worse."



Microsoft's security failings may draw repeated beatings in the court
of public opinion, but they will likely never be tested in a court of
law unless current product liability statutes are rewritten, legal experts
agree.

Problems with physical products routinely yield multimillion-dollar verdicts
and settlements in litigation-happy America. But software vendors are
largely protected from product defect claims thanks to unusual exemptions
enshrined in typical software licenses--boilerplate known in the industry
as End User License Agreements (EULAs) or "shrink-wrap" licenses, so
called because they're often printed inside the shrink-wrapped box containing
the product or incorporated into the software itself.

These agreements normally take effect as a condition of installing software,
 and they ordinarily require customers to waive their right to sue over
alleged defects. Such EULAs have been repeatedly upheld by the courts.


"Unless someone is injured or dies, it is almost impossible to successfully
sue a software publisher for defective software," said Cem Kaner, an
attorney and professor of computer science at the Florida Institute of
Technology. "The serious proposals to change software law have primarily
been to reduce software vendors' liability even further. The most recent
battles involve embedded software. You might soon discover that when
you buy a car, the body is covered by one set of laws but the software
that controls your brakes, fuel injectors, etc., is covered by a different
set of laws that are more manufacturer friendly."

Microsoft's security practices have been in the spotlight before over
alleged lapses, but the astonishing speed with which Sobig.F and MSBlast.D
overwhelmed corporate networks has put the finest point on the problem
in years.

A plague of viruses
Computer Economics, a research company based in Carlsbad, Calif., predicted
that some 75 new computer viruses will be identified this month, including
MSBLast.D and Sobig.F. The company put the cost of computer attacks in
August 2003 at about $2 billion. That's a record pace, the company reported,
 although well below the damage estimated from 2000's Lovebug virus,
the worst in history with an estimated $8 billion in damage from lost
productivity and system restoration costs.

Microsoft's security problems were further underscored last week when
the software giant revealed additional vulnerabilities in Internet Explorer
and Windows, reminded users of a patch to fix a vulnerability disclosed
last month that was used by MSBlast.D, and suggested that it may make
security patches install automatically in the future.

Microsoft did not respond to phone calls seeking comment.

Liability exemptions for software vendors have survived despite persistent
bugs and increasingly severe consequences. A programmer's decision not
to restrict zeros from acceptable input disabled the U.S. Navy's USS
Yorktown, a missile cruiser, in 1997. A nuclear power plant in Ohio was
hit in January by the Slammer worm, although the attack reportedly posed
no safety hazard, as the plant had already been shut down. And the New
York Times was hard hit by last week's batch of malicious code.

Such repeated failures are leading some irked security experts to press
for changes in software liability law to better motivate companies to
fix buggy and insecure code.

"If the laws got changed that forced software makers to be held liable-
- -criminally, civilly, financially--for their products, we'd see a marked
increase in product quality, security and stability," said Richard Forno,
 an author and security consultant. "The EULA is the slickest 'Get out
of jail free card' I can think of in recent years."

MSBlast.D takes advantage of a critical security hole that could allow
an attacker to take control of computers running any version of Windows
except Windows ME. A group of Polish hackers and independent security
consultants known as the Last Stage of Delirium discovered the flaw and
worked with Microsoft to fix it. Microsoft issued a patch to plug the
vulnerability in July, but many users failed to install it, leading the
software giant to suggest that it may resort to automatic software updates
in the future.

When software goes bad
Programmers tend to defend the current state of affairs by saying that
security is a very difficult problem to solve. Most programming languages
were designed with speed, not security, in mind. They also argue that
programming is a difficult task to begin with. Current software is brittle
and runs into problems if it encounters even one error. In addition,
software engineering is a young discipline compared with traditional
forms of engineering.

But critics say its time to stop coddling software companies and create
real incentives for improvement.

"Unfortunately, the only way to effect change in the software makers'
philosophy to business is to hit them where it hurts, namely, in the
pocketbook," Forno said. "All it takes is a few large (customers) to
say 'enough is enough' and move to an alternative operating environment,
 and it'll be all the incentive Microsoft needs to revamp its products
quickly and effectively."

The Florida Institute of Technology's Kaner, who has written a book titled
"Bad Software: What To Do When Software Fails," said that he favors new
laws that would take moderate steps, such as requiring companies to disclose
known defects in their products and telling potential customers what
might trigger the problems.

When dealing with monopolistic companies such as Microsoft, Kaner said,
 stricter laws may be necessary: "The problem is more difficult in monopoly
markets because disclosure can't create a competitive impact. The monopolist
might release a product with appalling defects, but if the customer has
no other vendor to go to, there's not much pressure on the monopolist
to make it better."

New laws
Such changes would require a major overhaul of current software liability
statutes and case law, which provide general immunity for technology
vendors accused of selling defective products.

In a 1994 case brought against IBM, the Transport Corporation of America
sued over a disk drive failure that cost it an estimated $473,079 in
business interruptions. The 8th U.S. Circuit Court of Appeals sided with
the computer company, saying "IBM properly disclaimed implied warranties"
in the contract that its customers signed. The same federal court said
a year later, in a second case, Rockport Pharmacy v. Digital Simplistics,
 that a Kansas company that sold software to pharmacies was not liable
for programming problems. The judges rejected claims for breach of contract
and negligence.

EULAs remain somewhat controversial among individual end users, but judges
tend to view them as legitimate agreements that are just as valid as
any other form of a contract. Probably the most influential case has
been ProCD v. Zeidenberg, in which the 7th U.S. Circuit Court of Appeals
in 1996 upheld a "shrink-wrap" agreement.

Written by the noted jurist Frank Easterbrook, the opinion said: "ProCD
proposed a contract that a buyer would accept by using the software after
having an opportunity to read the license at leisure. This Zeidenberg
did. He had no choice, because the software splashed the license on the
screen and would not let him proceed without indicating acceptance."


While no law prohibits a software vendor from drafting a EULA that permits
customers to seek damages through the courts, nearly all such agreements
tend to immunize the company instead.

R. Polk Wagner, an assistant professor at the University of Pennsylvania
Law School, said "in theory there might be liability for these sorts
of serious deficiencies, especially if Microsoft knew or should have
known about them prior to the release of the relevant software product."
But in practice, he added, "this is one of the features of shrink-wrap
licensing: software companies can and do generally disclaim all such
liability. And at least for now, courts seem willing to uphold these
contracts."

Proposed changes to software liability laws have pushed to expand, rather
than pull back, liability protection. One legislative proposal called
the Uniform Computer Information Transactions Act (UCITA) would eliminate
any remaining doubts about the validity of shrink-wrap agreements by
explicitly allowing software publishers to sell their products 'as is'
and to disclaim liability for defects. But it has stalled in state legislatures.


Of course, Congress could always veer in the opposite direction and curb
the scope of shrink-wrap agreements. But one probable consequence of
changing the law would be an increase in the cost of software: Firms
would have to spend more money testing their products, or spend more
money purchasing liability insurance, or both.

Sonia Arrison, a technology policy analyst at the free-market Pacific
Research Institute in San Francisco, says one reason the current state
of the law is reasonable is that "software is inherently different from
(physical products such as) tires since it's more difficult to know beforehand
what vulnerabilities will occur."

Even some victims of serious software failures remain skeptical of new
laws that would open up software vendors to civil judgments.

Leavitt, the system administrator with the clogged in-box, says he's
leery of asking Congress or state legislatures to intervene despite headaches
caused by last week's attacks.

"As a legal solution, it's probably likely to create as much of a mess
as anything it would fix," Leavitt said. "I'm a little bit nervous about
letting the Congress loose and letting them define the liabilities. I
have some doubts about their competence in such matters."



- -

-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.3

wkYEARECAAYFAj9LkUsACgkQTAj0ZSCgbx50OgCgupd66H1MYkgMkg4oO5j01MWN/2AA
oLMzRcHluPHi2kWgOE5Q47h2UOjh
=uJ4L
-----END PGP SIGNATURE-----




Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
https://www.hushmail.com/services.php?subloc=messenger&l=434

Promote security and make money with the Hushmail Affiliate Program: 
https://www.hushmail.com/about.php?subloc=affiliate&l=427


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ