<?xml version="1.0" encoding="utf-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: Security Liability Laws are NOT the Answer</title>
	<atom:link href="http://blog.onefreevoice.com/2004/11/01/security-liability-laws-are-not-the-answer/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.onefreevoice.com/2004/11/01/security-liability-laws-are-not-the-answer/</link>
	<description>a blog about databases and stuff</description>
	<pubDate>Wed, 03 Dec 2008 21:14:02 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6.1</generator>
		<item>
		<title>By: Davi Ottenheimer</title>
		<link>http://blog.onefreevoice.com/2004/11/01/security-liability-laws-are-not-the-answer/#comment-53</link>
		<dc:creator>Davi Ottenheimer</dc:creator>
		<pubDate>Mon, 08 Nov 2004 17:19:23 +0000</pubDate>
		<guid isPermaLink="false">http://blog.onefreevoice.com/archives/2004/11/01/17/#comment-53</guid>
		<description>Agreed. Legislation like SOX and AB1950 will continue to make a huge difference. Increased demand for security among new generations of consumers will help as well. But legislation works both ways. Remember when Reagan opposed airbags because he said it would hurt the U.S. car makers? Only consumer demand was left standing once the government was pandering to large corporate lobbyists.</description>
		<content:encoded><![CDATA[<p>Agreed. Legislation like SOX and AB1950 will continue to make a huge difference. Increased demand for security among new generations of consumers will help as well. But legislation works both ways. Remember when Reagan opposed airbags because he said it would hurt the U.S. car makers? Only consumer demand was left standing once the government was pandering to large corporate lobbyists.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Emergent Chaos</title>
		<link>http://blog.onefreevoice.com/2004/11/01/security-liability-laws-are-not-the-answer/#comment-52</link>
		<dc:creator>Emergent Chaos</dc:creator>
		<pubDate>Sun, 07 Nov 2004 16:36:46 +0000</pubDate>
		<guid isPermaLink="false">http://blog.onefreevoice.com/archives/2004/11/01/17/#comment-52</guid>
		<description>&lt;strong&gt;Corporate governance goals impossible&lt;/strong&gt;
 There's a fascinating article in the Register about the impact of new rules: In some cases, the law has made IT managers legally responsible for adherence to corporate governance rules. Colao says that this may not necessarily be a...</description>
		<content:encoded><![CDATA[<p><strong>Corporate governance goals impossible</strong><br />
 There&#8217;s a fascinating article in the Register about the impact of new rules: In some cases, the law has made IT managers legally responsible for adherence to corporate governance rules. Colao says that this may not necessarily be a&#8230;</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Schneier on Security</title>
		<link>http://blog.onefreevoice.com/2004/11/01/security-liability-laws-are-not-the-answer/#comment-43</link>
		<dc:creator>Schneier on Security</dc:creator>
		<pubDate>Thu, 04 Nov 2004 17:13:49 +0000</pubDate>
		<guid isPermaLink="false">http://blog.onefreevoice.com/archives/2004/11/01/17/#comment-43</guid>
		<description>&lt;strong&gt;Computer Security and Liability&lt;/strong&gt;
Information insecurity is costing us billions. We pay for it in theft: information theft, financial theft. We pay for it in productivity loss, both when networks stop working and in the dozens of minor security inconveniences we all have to...</description>
		<content:encoded><![CDATA[<p><strong>Computer Security and Liability</strong><br />
Information insecurity is costing us billions. We pay for it in theft: information theft, financial theft. We pay for it in productivity loss, both when networks stop working and in the dozens of minor security inconveniences we all have to&#8230;</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Gregory Haase</title>
		<link>http://blog.onefreevoice.com/2004/11/01/security-liability-laws-are-not-the-answer/#comment-42</link>
		<dc:creator>Gregory Haase</dc:creator>
		<pubDate>Thu, 04 Nov 2004 00:47:10 +0000</pubDate>
		<guid isPermaLink="false">http://blog.onefreevoice.com/archives/2004/11/01/17/#comment-42</guid>
		<description>Personally, I think my opinion suffers from having a lot of foresight and perhaps a touch of tin-foil hat.  I refuse to accept your analogy.  Comparing hard or durable goods such as automobiles or pharmaceuticals to soft goods such as software is like comparing apples to oranges.  It takes millions of dollars in research and development, equipment costs, testing, etc. in order to bring a car or a drug to market.  Whereas application development can occur solely on an investment in personal time.  For example, 5 guys from around the world can decide to create an application, use CVS repositories from sourceforge, use equipment they already own, and can build wonderful and viable applications.  Ask 5 guys to get together and build a car using nothing but resources that are already available, and I don't think they're going to get very far.  For one thing, they're going to have to crash test the thing, and then basically start again from scratch.  Compare that to crash testing an application, where again, you can do it with only a time investment.

Of course, if 5 guys could get together and build a car and bring it to market with no investment, then I'm pretty sure that the world would have Open Source car technologies.  We'd probably all get much better mileage, but all suffer when we need to change the fuel source and find that section of the manual hasn't been written yet.

Yes, I agree... the difference is where you draw the line.  But where would &lt;b&gt;you&lt;/b&gt; draw it?  How about critical services?  In fact, let's talk about web servers, since without them we probably wouldn't be picking up all these nasty little viruses in our web browsers.  Right now you have two major players in the market.  According to &lt;a href="http://news.netcraft.com/archives/web_server_survey.html"&gt;Netcraft&lt;/a&gt; Apache holds close to 68% of webservers, and IIS holds over 21%.  Now let's assume that Bruce's proposed liability law is put in place.  Since Apache is open source, its financials rely solely on donations and individual member investments.  IIS, on the other hand, belongs to Microsoft.  Now, under our new liability laws, all it would take to snow Apache under would be 5 - 10 completely bogus legal claims against it.  They would be completely crippled just trying to get those cases thrown out.  Microsoft could and would do nothing (except maybe connect investors to start-up companies whose sole profit model is to sue Apache).  Now Apache is gone.  Suddenly almost 68% of the webserver market is shopping for a new web server.  While some of these companies are already using Microsoft Servers and can make an easy switch, a lot of them are not only going to have to replace their webserver, but also their server OS.  Microsoft will make an incredibly fat margin on such a deal.  So much so that they would have little need to worry about this security liability law.

Now, I don't think that would actually really happen, but it's possible.  Hell, after following "SCO vs World" for a year and a half now, I wouldn't be that surprised.

But where the world really suffers is not so much there, but in software innovation and development in general.  What happens to the more than 90,000 projects on &lt;a href="http://sourceforge.net"&gt;SourceForge.net&lt;/a&gt;?  What about other great open source applications that businesses both small and large can't live without?  What the hell would we do without &lt;a href="http://www.isc.org/index.pl?/sw/bind/"&gt;BIND&lt;/a&gt;?  This topic is security focused...  who doesn't want &lt;a href="http://www.insecure.org/nmap/"&gt;nmap&lt;/a&gt; and &lt;a href="http://www.nessus.org/"&gt;nessus&lt;/a&gt;?  I got an idea... let's create a security liability law that puts security tools in jeopardy.

No, I'm not saying that Bruce's idea is really bad.  At first glance, it's a solid idea.  But like many laws and initiatives out there, I think it's a bit short-sighted.  It takes a bit of the "cut off the nose to spite the face" attitude towards software.  When proposing things of this magnitude, it helps to think objectively about the future and look at it from both sides.  You can't just pass consumer initiatives without looking at how it impacts the manufacturer.  You have to work up some scenarios in your head and look at all the pros and cons.  When I first started reading the article, I thought it was a good thing too.  It would be really nice to not have to worry about shoddy code and faulty security.  Particularly when it's embedded in the very development tools we all use to create additional software products.  But as I stated earlier, where would &lt;b&gt;you&lt;/b&gt; draw the line?</description>
		<content:encoded><![CDATA[<p>Personally, I think my opinion suffers from having a lot of foresight and perhaps a touch of tin-foil hat.  I refuse to accept your analogy.  Comparing hard or durable goods such as automobiles or pharmaceuticals to soft goods such as software is like comparing apples to oranges.  It takes millions of dollars in research and development, equipment costs, testing, etc. in order to bring a car or a drug to market.  Whereas application development can occur solely on an investment in personal time.  For example, 5 guys from around the world can decide to create an application, use CVS repositories from sourceforge, use equipment they already own, and can build wonderful and viable applications.  Ask 5 guys to get together and build a car using nothing but resources that are already available, and I don&#8217;t think they&#8217;re going to get very far.  For one thing, they&#8217;re going to have to crash test the thing, and then basically start again from scratch.  Compare that to crash testing an application, where again, you can do it with only a time investment.</p>
<p>Of course, if 5 guys could get together and build a car and bring it to market with no investment, then I&#8217;m pretty sure that the world would have Open Source car technologies.  We&#8217;d probably all get much better mileage, but all suffer when we need to change the fuel source and find that section of the manual hasn&#8217;t been written yet.</p>
<p>Yes, I agree&#8230; the difference is where you draw the line.  But where would <b>you</b> draw it?  How about critical services?  In fact, let&#8217;s talk about web servers, since without them we probably wouldn&#8217;t be picking up all these nasty little viruses in our web browsers.  Right now you have two major players in the market.  According to <a href="http://news.netcraft.com/archives/web_server_survey.html">Netcraft</a> Apache holds close to 68% of webservers, and IIS holds over 21%.  Now let&#8217;s assume that Bruce&#8217;s proposed liability law is put in place.  Since Apache is open source, its financials rely solely on donations and individual member investments.  IIS, on the other hand, belongs to Microsoft.  Now, under our new liability laws, all it would take to snow Apache under would be 5 - 10 completely bogus legal claims against it.  They would be completely crippled just trying to get those cases thrown out.  Microsoft could and would do nothing (except maybe connect investors to start-up companies whose sole profit model is to sue Apache).  Now Apache is gone.  Suddenly almost 68% of the webserver market is shopping for a new web server.  While some of these companies are already using Microsoft Servers and can make an easy switch, a lot of them are not only going to have to replace their webserver, but also their server OS.  Microsoft will make an incredibly fat margin on such a deal.  So much so that they would have little need to worry about this security liability law.</p>
<p>Now, I don&#8217;t think that would actually really happen, but it&#8217;s possible.  Hell, after following &#8220;SCO vs World&#8221; for a year and a half now, I wouldn&#8217;t be that surprised.</p>
<p>But where the world really suffers is not so much there, but in software innovation and development in general.  What happens to the more than 90,000 projects on <a href="http://sourceforge.net">SourceForge.net</a>?  What about other great open source applications that businesses both small and large can&#8217;t live without?  What the hell would we do without <a href="http://www.isc.org/index.pl?/sw/bind/">BIND</a>?  This topic is security focused&#8230;  who doesn&#8217;t want <a href="http://www.insecure.org/nmap/">nmap</a> and <a href="http://www.nessus.org/">nessus</a>?  I got an idea&#8230; let&#8217;s create a security liability law that puts security tools in jeopardy.</p>
<p>No, I&#8217;m not saying that Bruce&#8217;s idea is really bad.  At first glance, it&#8217;s a solid idea.  But like many laws and initiatives out there, I think it&#8217;s a bit short-sighted.  It takes a bit of the &#8220;cut off the nose to spite the face&#8221; attitude towards software.  When proposing things of this magnitude, it helps to think objectively about the future and look at it from both sides.  You can&#8217;t just pass consumer initiatives without looking at how it impacts the manufacturer.  You have to work up some scenarios in your head and look at all the pros and cons.  When I first started reading the article, I thought it was a good thing too.  It would be really nice to not have to worry about shoddy code and faulty security.  Particularly when it&#8217;s embedded in the very development tools we all use to create additional software products.  But as I stated earlier, where would <b>you</b> draw the line?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: zdw</title>
		<link>http://blog.onefreevoice.com/2004/11/01/security-liability-laws-are-not-the-answer/#comment-41</link>
		<dc:creator>zdw</dc:creator>
		<pubDate>Wed, 03 Nov 2004 21:54:26 +0000</pubDate>
		<guid isPermaLink="false">http://blog.onefreevoice.com/archives/2004/11/01/17/#comment-41</guid>
		<description>I think that your opinion on this issue depends on the weight of the problem.  If you consider software security to be on the level of, say, automobile safety, rather than graffiti, then Bruce is correct.  Regulation is necessary for some things (the aforementioned car safety, drug and food safety, etc.) but not for other things (anyone can sell you a misbehaving VCR).  The difference is where you draw the line.</description>
		<content:encoded><![CDATA[<p>I think that your opinion on this issue depends on the weight of the problem.  If you consider software security to be on the level of, say, automobile safety, rather than graffiti, then Bruce is correct.  Regulation is necessary for some things (the aforementioned car safety, drug and food safety, etc.) but not for other things (anyone can sell you a misbehaving VCR).  The difference is where you draw the line.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: israel torres</title>
		<link>http://blog.onefreevoice.com/2004/11/01/security-liability-laws-are-not-the-answer/#comment-40</link>
		<dc:creator>israel torres</dc:creator>
		<pubDate>Wed, 03 Nov 2004 21:16:19 +0000</pubDate>
		<guid isPermaLink="false">http://blog.onefreevoice.com/archives/2004/11/01/17/#comment-40</guid>
		<description>... build your church on sand and only faith can hold it from falling apart... for it is the faithless that get blamed and such must stop.

Israel Torres</description>
		<content:encoded><![CDATA[<p>&#8230; build your church on sand and only faith can hold it from falling apart&#8230; for it is the faithless that get blamed and such must stop.</p>
<p>Israel Torres</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Ed C.</title>
		<link>http://blog.onefreevoice.com/2004/11/01/security-liability-laws-are-not-the-answer/#comment-39</link>
		<dc:creator>Ed C.</dc:creator>
		<pubDate>Tue, 02 Nov 2004 13:58:06 +0000</pubDate>
		<guid isPermaLink="false">http://blog.onefreevoice.com/archives/2004/11/01/17/#comment-39</guid>
		<description>Greg, I really liked your rant and I agree with what you say. Security needs to be designed in from the beginning and consumers (including, and especially, large corporations).</description>
		<content:encoded><![CDATA[<p>Greg, I really liked your rant and I agree with what you say. Security needs to be designed in from the beginning and consumers (including, and especially, large corporations).</p>
]]></content:encoded>
	</item>
</channel>
</rss>
