Return-Path: <sentto-279987-4102-1008772207-fc=all.net@returns.groups.yahoo.com> Delivered-To: fc@all.net Received: from 204.181.12.215 [204.181.12.215] by localhost with POP3 (fetchmail-5.7.4) for fc@localhost (single-drop); Wed, 19 Dec 2001 06:33:07 -0800 (PST) Received: (qmail 1484 invoked by uid 510); 19 Dec 2001 14:30:10 -0000 Received: from n8.groups.yahoo.com (216.115.96.58) by all.net with SMTP; 19 Dec 2001 14:30:10 -0000 X-eGroups-Return: sentto-279987-4102-1008772207-fc=all.net@returns.groups.yahoo.com Received: from [216.115.97.165] by n8.groups.yahoo.com with NNFMP; 19 Dec 2001 14:30:05 -0000 X-Sender: fc@red.all.net X-Apparently-To: iwar@onelist.com Received: (EGP: mail-8_0_1_3); 19 Dec 2001 14:30:06 -0000 Received: (qmail 65844 invoked from network); 19 Dec 2001 14:30:06 -0000 Received: from unknown (216.115.97.167) by m11.grp.snv.yahoo.com with QMQP; 19 Dec 2001 14:30:06 -0000 Received: from unknown (HELO red.all.net) (12.232.125.69) by mta1.grp.snv.yahoo.com with SMTP; 19 Dec 2001 14:30:05 -0000 Received: (from fc@localhost) by red.all.net (8.11.2/8.11.2) id fBJEVE130572 for iwar@onelist.com; Wed, 19 Dec 2001 06:31:14 -0800 Message-Id: <200112191431.fBJEVE130572@red.all.net> To: iwar@onelist.com (Information Warfare Mailing List) Organization: I'm not allowed to say X-Mailer: don't even ask X-Mailer: ELM [version 2.5 PL3] From: Fred Cohen <fc@all.net> X-Yahoo-Profile: fcallnet Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com Delivered-To: mailing list iwar@yahoogroups.com Precedence: bulk List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com> Date: Wed, 19 Dec 2001 06:31:14 -0800 (PST) Subject: [iwar] [fc:Save.the.Net,.Sue.a.Software.Maker] Reply-To: iwar@yahoogroups.com Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Save the Net, Sue a Software Maker Safety standards and civil liability made automobiles safe. It can work for software too. By David Banisar Dec 16 2001 11:01PM PT A joke recently spread through the Internet posits that Bill Gates and the president of General Motors had an exchange comparing technology development in their respective fields. According to the joke, Bill Gates says, "If GM had kept up with technology like the computer industry has, we would all be driving twenty-five dollar cars that got 1,000 miles per gallon." The president of GM responds by stating that a computer-industry built car would have to be replaced every time the lines in the road were repainted, would only work for one person unless you bought an upgrade and additional seats, and would crash twice a day for no reason. To account for the current level of security in most shipped system, the fictional GM press release should have added that the car would have no locks on the doors, windows that never roll up, and a defective alarm system -- but the hubcaps would be really shiny. Cars used to be quite insecure, unreliable and dangerous devices to use. When automobiles first came out, many states required that someone walk ahead of a moving car, warning people. For years, many cars did not include basic safety devices like seat belts and structural designs to prevent them from rolling over, exploding, etc. This changed when consumer activists such as Ralph Nader starting advocating for better, more reliable cars and using lawsuits to force manufacturers to redesign them. Today, we are in a similar situation with computers and their security protections. New systems are regularly released with countless bugs and holes in them, many known before release. The burden is on users to constantly track every known bug, figure out the unknown bugs, and fix them before they are exploited. 'Imagine every person having to install their own airbags and seatbelts in their cars.' It is like Ford designing a car that a twelve-year-old can cause to crash by remote control from his garage using paper clips and an old AM radio. Thus far, solving the problem has been left to the manufacturers, who are generally absolved of their liability for their failure to write good code through license agreements. This gives the companies only limited incentives to make fundamental improvements. There is more pressure from stockholders and financial analysts to get a new product to market and worry about patches later than to make sure it is secure in the first place. Sure there are some market forces that favor security: the PR people for the companies have to dodge arrows for a bit when yet another worm, virus or Trojan hits and takes out thousands of computers, Yahoo gets shut down by another DDoS, or NASA gets hacked again by another teenager living in a tent using starving dogs on a treadmill to power his laptop. But nothing seems to change. It is time to start considering imposing some legal liability when companies release products that have gaping security holes in them. Unsafe at Any Clock Speed If the companies are more concerned about getting the product to market than they are about making sure it is a good, reliable and secure product, they should have to pay for the damage that their lapses cause. Why is software, which is now essential for everyday living, not held to the same standard as cars and children's toys? Perhaps a few lawsuits would get the insurance companies, perhaps the only organizations in the U.S. scarier than the CIA and Microsoft, to force them to try a bit harder. The insurance companies already are working on the user end, writing clauses in their policies on security that may end up influencing which systems companies will use. Already, one insurance company charges fifteen percent higher premiums for using IIS than Apache in its e-commerce policy. As Peter Cassidy, a researcher at ActuariNet, an MIT research project, told me: "For very large users, the cost of the insurance will be factored into decisions about acquiring and using technologies, if the underwriters indirectly punish insecure technologies by applying higher premiums." That same policy could be applied to companies using Outlook. Sooner or later, those insurance companies are going to want to recoup their losses resulting from bad code. Why should they pay for buggy code that causes them to lose money? The computer industry has continued insisting that users are completely responsible for the buggy software they purchase by promoting click-wrap contracts and UCITA, a law which absolves the industry of liability. Imagine every person having to install their own airbags and seatbelts in their cars. Some courts have refused to enforce click-wraps, and UCITA is law in only two states because of opposition from consumer groups and state Attorneys General, but the industry's power is immense and they continue to push liability limits forward. The White House seems unwilling to oppose them: when I asked Richard Clarke, the White House special adviser for cyberspace security about it last week at a forum at MIT, he shrugged his shoulders and cited UCITA as law, clearly uninterested in using his office to demand changes to the status quo. Now we see efforts by Microsoft to limit dissemination of bug information, which seems more designed to improve corporate PR than security. Imposing liability and setting minimum standards has greatly increased auto safety in the last thirty years. In 1966, there were 5.5 fatalities per 100 million miles traveled by the American public, according to the consumer watchdog group Public Citizen. By 1999, that ratio had dropped to 1.5 deaths per 100 million miles. Now I don't expect that legal liability will solve all of the problems. As Public Citizen's auto safety division notes, over 40,000 Americans die on the nation's highways every year. Users still have to be responsible in the same way that drivers are. And plenty of manufacturers still put profits in front of safety and do cold cost evaluations on deaths vs. costs, as we saw with the Ford "exploding-gas-tank" Pinto, and the current investigations into Ford and Firestone over the Ford Explorer's tendency to roll over when it hits a leaf on the road. But it is time to slay this sacred cow, and start sharing the burden with those who are responsible for it. David Banisar is a research fellow at the Harvard Information Infrastructure Project at the Kennedy School of Government at Harvard University and Deputy-Director of Privacy International. ------------------------ Yahoo! Groups Sponsor ---------------------~--> Need new boots for winter? Looking for a perfect gift for your shoe loving friends? Zappos.com is the perfect fit for all your shoe needs! http://us.click.yahoo.com/ltdUpD/QrSDAA/ySSFAA/kgFolB/TM ---------------------------------------------------------------------~-> ------------------ http://all.net/ Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
This archive was generated by hypermail 2.1.2 : 2001-12-31 21:00:00 PST