Information Security News mailing list archives

Re: If tech companies were liable for security holes, cyberspace would become safer


From: InfoSec News <isn () c4i org>
Date: Wed, 12 Feb 2003 00:31:03 -0600 (CST)

Forwarded from: Kurt Seifried <kurt () seifried org>

"That's unpossible!" (to quote "The Simpsons" (TM)).

Let's examine this shall we:

You can hold several sets of people responsible:

The creator of the software. [software firm, open source project, etc.]
The implementer of the software. [third party consultant, OEM vendor, end
user, application hosting company, millions of possibilities]
The administrator/user of the software. [can't say user because we now have
web based apps, remote application hosting, etc.]

So we hold the creator responsible. Cool, go to the source (bad pun!).
Problems:
Warranties and disclaimers of liability, you can bet we're going to court.
What happens to OpenSource projects and other free software?
How far do we go, must the software be 100% bug free? Any unintended
behavior can potentially be a security flaw.
How do we hold foreign software companies responsible?

So we hold the implementers of the software responsible. Cool, these guys
should know how to install it securely, right?
What if the software can't be installed "securely"? Products have been found
to contain hardcoded passwords and security bugs which, even when you have the
source and the ability to create new executables, cannot simply be squashed;
Bind, Sendmail, Apache, etc. have large amounts of code, and understanding and
auditing this is non-trivial to say the least.
What if the client won't let them install it securely? This often happens:
poor password policies, open firewalls, etc.

So we hold the end user/administrator responsible. I mean this is the person
buying it, they should make sure it's secure right?
What if the end user/admin is not fully informed about the product? Witness
the "1234" passwords in a few tens of thousands of DSL modems, which is poorly
documented.
What if the end user cannot afford a support contract for the updates, or has
some other issue installing the updates (witness the recent Windows update
only available through Internet Explorer; what happens if some security-conscious
person removed IE?).
What if the end user does not have enough access to the product to properly
secure it (i.e. a closed source application with poor documentation)?
What if the end user MUST configure it in a slightly insecure manner so that
it actually fulfills the needed function?

These are just a _few_ of the problems that come immediately to mind.

Then we have this gem:

Companies view security as just any other business risk and make
security decisions to minimize costs, says Bruce Schneier, chief
technology officer of Counterpane Internet Security. As long as the
costs of ignoring security outweigh the benefits of extra security,
little will change.


I think they meant to say "As long as the benefits of extra security
outweigh the costs of ignoring security little will change" because that
sentence makes no sense to me as it is.

In any event we have the equation:

Cost of insecurity < [cost of securing something - benefits of securing it]

Which essentially boils down to "don't spend $100,000 to protect a $500
asset" which can also be stated "risk management".  Well duh. Liability will
increase the $cost_of_insecurity, but whether it will increase it enough to
significantly change things remains to be seen.

In any event liability laws would have to have so many exceptions/etc. that
they would be largely meaningless; if they were ironclad, a lot of "innocent"
people would get caught up in them as well.

Oh, and are we talking criminal liability here, or "simple" civil liability?
If civil liability is the case then we already have laws in place that deal
with this; I'm not sure we need more. For the people pointing out that
warranties/etc. disclaim all liability and that we need laws to deal with
this, that enters a whole new can of worms, such as OpenSource/ShareWare/Free
software/etc.

If you think of information/computer security along the lines of a public
health problem it starts to make a LOT more sense.

Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.