oss-sec mailing list archives

Re: Thoughts on Shellshock and beyond


From: "David A. Wheeler" <dwheeler () dwheeler com>
Date: Thu, 09 Oct 2014 15:19:19 -0400 (EDT)

On Thu, 9 Oct 2014 08:28:23 -0700, Tim <tim-security () sentinelchicken org> wrote:
Seriously though, I agree with you that some form of liability ought
to be introduced in order to create the business incentive to change
development practices.  However, the devil is in the details, and as
Michal pointed out, you don't want to squash open source innovation.

I am more skeptical, because unless you get the details right for liability,
the cure is worse than the disease.  One problem is that there needs to
be broad agreement on "what is not acceptable and thus is okay to sue for".
Without that, liability is just a system for enriching lawyers.

This has been challenging to do in software; process standards typically fail to keep up,
and we don't know how to ensure that product standards are met ahead-of-time.

Those interested in software liability should read
"Cybersecurity as Realpolitik" by Dan Geer (Black Hat USA 2014) at
http://geer.tinho.net/geer.blackhat.6viii14.txt
https://www.youtube.com/watch?v=nT-TGvYOBpI
He proposes:
0. Consult criminal code to see if damage caused was due to intent
   or willfulness.
1. If you deliver your software with complete and buildable source
   code and a license that allows disabling any functionality or
   code the licensee decides, your liability is limited to a refund.
2. In any other case, you are liable for whatever damage your
   software causes when it is used normally.

I'm skeptical of this specific list, to be honest.  It's very difficult to
identify a liability scheme that would make sense.  On the other hand,
clearly the current system could stand improvement :-).

--- David A. Wheeler

