oss-sec mailing list archives
Re: Thoughts on Shellshock and beyond
From: "David A. Wheeler" <dwheeler () dwheeler com>
Date: Thu, 09 Oct 2014 15:19:19 -0400 (EDT)
On Thu, 9 Oct 2014 08:28:23 -0700, Tim <tim-security () sentinelchicken org> wrote:
> Seriously though, I agree with you that some form of liability ought to be introduced in order to create the business incentive to change development practices. However, the devil is in the details, and as Michal pointed out, you don't want to squash open source innovation.
I am more skeptical, because unless you get the details right for liability, the cure is worse than the disease. One problem is that there needs to be broad agreement on "what is not acceptable and thus is okay to sue for". Without that, liability is just a system for enriching lawyers. This has been challenging to do in software; process standards typically fail to keep up, and we don't know how to ensure that product standards are met ahead-of-time.

Those interested in software liability should read "Cybersecurity as Realpolitik" by Dan Geer (Black Hat USA 2014) at:
http://geer.tinho.net/geer.blackhat.6viii14.txt
https://www.youtube.com/watch?v=nT-TGvYOBpI

He proposes:
0. Consult criminal code to see if damage caused was due to intent or willfulness.
1. If you deliver your software with complete and buildable source code and a license that allows disabling any functionality or code the licensee decides, your liability is limited to a refund.
2. In any other case, you are liable for whatever damage your software causes when it is used normally.

I'm skeptical of this specific list, to be honest. It's very difficult to identify a liability scheme that would make sense. On the other hand, clearly the current system could stand improvement :-).

--- David A. Wheeler