Linux Guru Argues Against Security Liability

“Alan Cox, one of the leading Linux kernel developers, has told a House of Lords hearing that neither open- nor closed-source developers should be liable for the security of the code they write.”

I beg to differ. There should be a limit as to how much “stupid” or “malicious” a developer can be. This is like saying that a house built with bad quality parts should not hold liable the house builder that picked them and used them and that eventually led to the destruction of the house even with a 5 Richter earthquake. I can tell you right now that my father (a house/roof builder) is liable if this happens. So if my father is liable, why a developer can’t be? Loss or destruction of someone’s information on a PC can ultimately be more expensive than losing a house or a roof.

Of course, there is absolutely no software that is 100% secure (sometimes might even be a combination of different libraries working together, or the compiler itself that is buggy), this is why such a potential law should be flexible. When a developer has a track record of badly written software, or way too many holes are found in one of his programs, or if the software is way too popular and the developer didn’t take care of it properly, or when security patches were sent to him and failed to follow up on them in a timely manner etc etc, then that developer should be hold liable.

This might sound preposterous right now, because everyone thinks “hey, it’s just software”. But you know, times change. What you call “just software”, today has evolved to be part of our lives and integral part of businesses. While 10 or 20 years ago such a law would indeed be preposterous (simply because it would only affect very few people or businesses), today it is not so. No matter if software is a hobby for someone or not, there is a responsibility that comes with it if released to the public.

Someone said in the OSNews forums “wouldn’t that kill the freeware scene?”. Well, maybe. But at least your computer will be safer. There is a price to pay for everything in this world. If you want security (and the majority of people want just that, out of the box), someone will have to be more careful as to what he/she releases to the public.

Look, this is similar to the practicing license for doctors. Back in the day you didn’t need a license to practice it. When the law got in place I am sure it was greeted with the same kind of skepticism. 200 years later, I say we are better off with licensed doctors rather than random people knocking in our door to sell us snake oil.

Yes, I trade the freedom of an individual who expresses himself via software, for security. Thing is though, in the case of software, other people use it, and they can indeed get hurt by it, financially or otherwise. If there was a way to become blind because you stared at Mona Lisa, then I am sure Leonardo da Vinci would be held liable AS WELL. So if a law helps my PC become more secure, I don’t care how Joe Developer actually does it, as long as he/she takes the right steps to do so. It will make the development of software more expensive and tedious, but as a user, this is something I can live with.

13 Comments »

Oliver Herold wrote on January 19th, 2007 at 11:19 AM PST:

>I say we are better off with licensed doctors rather than random people knocking in our door to sell us snake oil.

I wouldn’t count on it or not anymore.

>Thing is though, in the case of software, other people use it, and they can indeed get hurt by it, financially or otherwise.

It this so? In my opinion its maybe 30% mistakes by the developers and 70% mistakes by the users. Just to draw a number ;)

This would certainly kill any open source development, you cannot compare it to financial backed closed-source development. This is really nonsense.

>So if a law helps my PC become more secure, I don’t care how Joe Developer actually does it, as long as he/she takes the right steps to do so.

You will live with false promises in future, because your ideas are only successful in a perfect world. But in fact you live in a world full of corruptness, selfishness and pressure groups. So the winner would be closed-source – but your “world” wouldn’t be more secure than today.

Open source is based on voluntariness – you don’t have to take it, it’s your free will. But if you’re buying a product, well *this* is different.


This is the admin speaking...
Eugenia wrote on January 19th, 2007 at 11:42 AM PST:

You can also get a “voluntary doctor” too. But that doesn’t make him a real doctor. If security kills open source or freeware, then so be it. I don’t personally care.

> You will live with false promises in future, because your ideas are only successful in a perfect world.

If the law is flexible enough and it is followed with objectivity, I don’t think that it would be any problem.

> In my opinion its maybe 30% mistakes by the developers and 70% mistakes by the users.

There is one thing to say that someone “forgot to turn on his firewall” and another to say that “this program has a buffer overflow”. I am refering to the second case.

And besides, today users ARE hold liable for their own goofy acts: RIAA is suing people who have had open WiFi networks and neighbors used it to pirate songs and movies. And yet, these users are in the court today, even if they are innocent. So if the user CAN be hold liable for his own stupidity, why not hold the developer of a truly unsecured program too?

Sorry, but you see software as an romantic hobby, a kind of a geek holy grail of sorts. It ain’t. It is a TOOL. And if a tool can be dangerous to its user because its developer did not take as many precautions as he could have taken, then put that developer in jail. End of story.

I feel the same way about cars, chairs, tampons and anything else that is indented for the average consumer.


Albygil wrote on January 20th, 2007 at 1:51 AM PST:

I agree with you Eugenia, Imho the only way to improve general quality of software is to hold the distributor liable for the security of the code they distribute. But only for severe negligence, and not only in the coding phase, but especially after the bug is exposed.
What I see is that through contractual obligations this is someway already happening. Often Freeware/Floss software have a dual licensing scheme, where developers make a revenue from paying customers giving assistance and some guarantee against data loss.


Oliver Herold wrote on January 20th, 2007 at 3:40 AM PST:

And what about the users, Eugenia? How to measure an application toward quality or in terms of security? How to measure the possibility that the user is just not able to cope with this certain kind of application in a proper way? Tell me the formula for handling this in the daily routine. I can tell you something … this would end in lots of courd hearings.

>but especially after the bug is exposed.

This for example is something i agree, because most of the time developers just don’t care – afterwards – about the security. This is true but you cannot trivialise it. By the way, I could call you romantical too (according to software), because you’re seeing the tools only – but most consumers are seeing eyecandy and features only. And to be true, you cannot mix security, new features and eyecandy. So in the end it’s self-made problem of the costumers.


This is the admin speaking...
Eugenia wrote on January 20th, 2007 at 7:31 AM PST:

>Your point is, some developers don’t care about security

NO, I never said that. It’s just some people don’t KNOW how to code with security in mind. In these cases, they should only be coding for themselves and not publicising their efforts.

> How to measure an application toward quality or in terms of security?

I explained this in the article. A lawsuit can be filled if an app later on found to have too many holes.

And regarding secure software, there are ways and steps to follow. As I explained above, it makes coding boring, but if someone is serious to release his pet application to the world, he better be ready for it.


Richard wrote on January 20th, 2007 at 11:28 AM PST:

I think it’s difficult to make such a bold statement, and then expect that it fit’s every situation.

Software is such a wide field, that general rules won’t work. I believe that software can actually be some kind of Artistic Expression. I can do a lot of stuff with software that might be dangerous, crazy, useless, fun whatever. And as a form of Artistic Expression I would really like to publish my work without strings attached.

Additionally it is also a problem that there are no clear borders between “Artistic Software” and “Useful Software”.

Other than that, it is also a matter of price. For example I could build a simple tool that works well for 10.000 EUR. I could build the same tool for 5.000 EUR, but then it will be a little crappy, and will likely need fixing. Should I be held reliable in the same way for both products? Should I refuse to work below my standards?

And even if such I law was established, which I doubt. That could likely spawn a giant black market of anonymously developed software, that is distributet very much like warez is distributed today, and people would happly run that stuff on their machines.

It would be interesting though to try and come up with a general set of rules and standards that a software business could go for voluntarily as a public statement for quality. However, I am not so sure whether a process and fixed development schemes would lead to “great” software. Because as we all know, great software needs dedication, inspiration, creativity and solid skills as well.

Cheers
-Richard


This is the admin speaking...
Eugenia wrote on January 20th, 2007 at 11:40 AM PST:

>Should I refuse to work below my standards?

You should refuse to work below generally accepted standards regarding speed, security, optimizations etc., not your standards.


Luis wrote on January 20th, 2007 at 9:12 AM PST:

Say you have a company and need some software. You go to a shop but find that the software you need is very expensive, so don’t buy it. Then you find a free alternative that makes no promises, says in it’s license that it’s provided “as is” and that you’re free to use it at your own risk. You take the risk, use it and everything goes well. You make good money out of it. Then one day the software crashes and you lose some money because of it. Would the developers be liable?

I think that we don’t need a law that goes further than the current one. Software is not a risk for your health and life (I mean normal software), and therefor it should be enough with the private contracts between software makers and users. Liability exists to the extent of such contract. If you want full protection you can surely find someone who will give it to you. It just might be expensive.

Comparing it with doctors and house builders is not a good example, since those things can be a huge risk for peoples lives. And even in the case of doctors I love to have the freedom to go to a non-licensed doctor who won’t be liable for not curing me. I like to be responsible of my own decisions and not have someone be my father all the time.


Oliver Herold wrote on January 20th, 2007 at 12:03 PM PST:

Maybe I see software “romantical” (this is strange, isn’t it? ;) ) but in fact I see software in a similar category like books. It’s culture in my opinion. And would you do the same things with books? Books can be tools too. But what is a tool?

I don’t believe in good laws anymore, I’m from Germany and I see what’s going on in the USA. We don’t need new laws, maybe abused by some closed-source company in future, but we need more quality – maybe some codex.
Your point is, some developers don’t care about security – but to be honest, nobody in history did care about security by the invention of some new tool. That’s a “no-brainer”, you can look for security after the invention of a tool – that’s the fact in history.
A law, a license does not create quality at all, there are many doctors out there with licenses and no quality at all.


David Flores wrote on January 21st, 2007 at 1:28 AM PST:

This is being discussed here also: http://forums.pcbsd.org/viewtopic.php?t=7213


Oliver Herold wrote on January 21st, 2007 at 1:49 AM PST:

>In these cases, they should only be coding for themselves and not publicising their efforts.

This is dictatorship in my opinion, it has nothing to do with democracy or freedom at all. It’s up to average joe to choose. Somebody could argue most of the people aren’t able to cope with computers, so they should stay way from such complex machines. Or the should do something like a driving license for computers.
Is the highway more secure because of airbags or driving licenses? Is your town more secure because you forbid to use weapons? You would kill opensource within a year.

>As I explained above, it makes coding boring,

No it kills evolution.

A knife is a tool, a very simple tool – but people hurt themselves every day with it. Where would you begin with Linux for example? A never-ending story, decades of stuff for every court.
What would you pay for such heavily tested software? 2000$ or more? Would be the death for many nations, especially development countries, but countries like Greece too. Nobody could afford it and courts couldn’t cope with it. There are more important problems in the world, than a romantic dream about the perfect software.
There is NO 100% secure software, so someone could go to court every time he want to – and the end, no software anymore because of astronomical costs!

No sorry, I like your rants, I’am not always with you, but this is pure nonsense.

Freedom is freedom to express too and if I put my software on my page, it’s up to you whether you use it or just go away. Nobody presses you to use it. Take a fictional book, like one of Agatha Christie, some murder and …? It could be a howto … but to be honest, this would be a mockery of every logical mind.
We could play this game of liability in every part of our life. You’re writing articles for OSNews – I could make you liable for some mistakes in articles for example. Why? Because I made a false descission according to your article. This would be nonsense, wouldn’t it? Courts would certainly argue this way and you couldn’t do anything against it.
Laws in a democracy are based on causality, not personal gusto.
“I’ve written this artice to the best of one’s knowledge” would be your answer to me. Prove it and be happy with your trial.


Oliver Herold wrote on January 21st, 2007 at 8:19 AM PST:

“A person who never made a mistake never tried anything new.”

Albert Einstein

Just an add-on and a sorry for some rough edges in my comment.

Cheers,

Oliver


This is the admin speaking...
Eugenia wrote on January 21st, 2007 at 8:25 AM PST:

Honey, I don’t expect *programmers* to get behind my position. I *am* a developer too, it’s just that after spending years reviewing crappy software, I don’t even want to touch that “bad software”. This is what has generated my position on my matter. I mean, when I was reviewing things like mandrake a few years ago and writing that it was a piece of shit (and it was indeed a buggy piece of shit), and then I was called out a bitch for it, there is only one position that I could have generated from the whole experience of 6 years: FIX your damn software, or don’t write it.

I HATE bad software. I don’t want it to exist and being offered to the public, not even if it’s free. But I don’t expect you to understand this. You have not being in my shoes and you only care about doing your hobby. Well, do your hobby, but if you know that your application has bugs and was not developed using strict standards, then keep it for your friends and family and don’t publish it on the web. If you want to publish it on the web, do so in a password protected area of your web page and under no circumstances allow your software to get distributed via software repositories or distros.

Either learn to write software, or change your profession. That’s my final position.


Comments are closed as this blog post is now archived.

Lines, paragraphs break automatically. HTML allowed: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

The URI to TrackBack this blog entry is this. And here is the RSS 2.0 for comments on this post.