
Outlining a World Where Software Makers Are Liable For Flaws

timothy posted about 2 years ago | from the mattress-has-a-pea-beneath dept.

Software 508

CowboyRobot writes with this piece at the ACM Queue, in which "Poul-Henning Kamp makes the argument for software liability laws. 'We have to do something that actually works, as opposed to accepting a security circus in the form of virus or malware scanners and other mathematically proven insufficient and inefficient efforts. We are approaching the point where people and organizations are falling back to pen and paper for keeping important secrets, because they no longer trust their computers to keep them safe.'"


508 comments


Sure (5, Insightful)

recoiledsnake (879048) | about 2 years ago | (#37560048)

It will just cost 100x more, just like healthcare with the torts. Time to take out software developer insurance, similar to the healthcare insurance of approximately 1 million dollars a year paid by doctors these days.

Re:Sure (3, Insightful)

maliqua (1316471) | about 2 years ago | (#37560062)

and software development grinds to a halt. opensource vanishes who's going to donate time to a liability.

Re:Sure (4, Informative)

sqlrob (173498) | about 2 years ago | (#37560144)

What liability?

> Clause 1. If you deliver software with complete and buildable source code and a license that allows disabling any functionality or code by the licensee, then your liability is limited to a refund.

Re:Sure (3, Insightful)

Amouth (879122) | about 2 years ago | (#37560268)

so a PE can get out of being liable for a badly designed bridge by putting the blueprints and the bill of materials on a sign before you get on the bridge?

there is a point where i agree that the programmers should be liable for their code - to the extent that it shows negligence. the fact that software for so long has gotten away with "good luck, thanks for the cash" mentality is kinda sad.

I am a programmer - and i would be willing to stand behind my code used in the environment for which it was intended.. but at the same time i would want to be compensated for the risk.. same way a PE gets compensated based on the scope of work they have to sign off on.

Re:Sure (1)

Anonymous Coward | about 2 years ago | (#37560490)

Bridges are slightly harder to modify than software

Re:Sure (4, Insightful)

slippyblade (962288) | about 2 years ago | (#37560498)

> am a programmer - and i would be willing to stand behind my code used in the environment for which it was intended..

ROFL! Wow, you actually expect liability to be limited to the scope the product was INTENDED? That ranks up there with lawsuits against toys because little jimmy choked on a Lego brick or Peggy Sue shoved a jet fighter figure up her nose and shot the plastic missile into her sinus. There is no limit to the stupid and out of intended uses people will put things. There is NO SUCH THING AS IDIOT PROOF. The world keeps making better idiots. If this becomes law, at some point you WILL be sued. No ifs, ands, or buts about it.

Re:Sure (4, Insightful)

Anonymous Coward | about 2 years ago | (#37560532)

> the fact that software for so long has gotten away with "good luck, thanks for the cash" mentality is kinda sad

Genuinely critical software isn't usually handled like this.

The whole premise is retarded. You want guarantees? Great, we already have a handy tool of commerce for that. They're called contracts. Just a heads-up... it's going to cost more.

Re:Sure (3, Insightful)

Daniel Dvorkin (106857) | about 2 years ago | (#37560332)

Ah, idealism! The proposed law, with Clause 1 in place, and enforced, doesn't sound too bad. Do you really think that's the way it would work? In the real world, any software liability law would be written by lobbyists working for Microsoft, Oracle, Adobe, EA, et al., and there is no way in hell it would make life easier for open source developers than for the big commercial developers.

Re:Sure (1)

migla (1099771) | about 2 years ago | (#37560396)

Dang. Stupid reality. Maybe stones and bombs could help. Where should we put them? ;) Just kidding. I don't wish to stone and/or bomb anybody. We must forgive them, for they don't know what they're doing. Or so I'm told.

From TFA ... (2)

khasim (1285) | about 2 years ago | (#37560156)

> and software development grinds to a halt. opensource vanishes who's going to donate time to a liability.

From TFA:

> Clause 1. If you deliver software with complete and buildable source code and a license that allows disabling any functionality or code by the licensee, then your liability is limited to a refund.

So if you're distributing the source code (and license it correctly) the most you'll be out (aside from malicious intent) is a refund.

Re:Sure (4, Insightful)

Anonymous Coward | about 2 years ago | (#37560072)

It's very important we decimate the last industry the US has that's still mostly functional, profitable, and productive

Re:Sure (0)

ackthpt (218170) | about 2 years ago | (#37560500)

> It's very important we decimate the last industry the US has that's still mostly functional, profitable, and productive

You mean Protect companies like Microsoft, who have profited in the hundreds of billions of dollars, but taken a completely lax (and reckless) attitude toward software security - going so far as to recommend the George W. Bush administration brand (and try) people who expose their security holes as terrorists?

I'll be no apologist for billionaires who like to give their largess away, but didn't expend enough of it keeping their crappy software secure for the last 15 years.

Re:Sure (1)

h4rr4r (612664) | about 2 years ago | (#37560134)

1. That is medical industry bullshit. They just want tort reform to improve their profit margins.
2. When you make 250k+/year a million worth of insurance is not something too surprising. People routinely insure homes that cost more than 4 times their yearly income.

Re:Sure (2)

tmosley (996283) | about 2 years ago | (#37560226)

80 years ago doctors were members of the middle class. Doesn't that strike you as odd?

Re:Sure (2)

h4rr4r (612664) | about 2 years ago | (#37560266)

Define middle class.

It used to mean all the wealth of aristocracy and none of the privilege. So then there has not been much change by that metric.

If you mean they were considered middle income and paid like other white collar workers. Then we can be pretty sure this is the result of the regulations they have protecting them.

Re:Sure (1)

ackthpt (218170) | about 2 years ago | (#37560614)

> Define middle class.

> It used to mean all the wealth of aristocracy and none of the privilege. So then there has not been much change by that metric.

> If you mean they were considered middle income and paid like other white collar workers. Then we can be pretty sure this is the result of the regulations they have protecting them.

40 years ago I went to public schools with children of Dow Chemical CEOs.

Re:Sure (0)

idontgno (624372) | about 2 years ago | (#37560150)

Licensed engineers with legal liability. Real engineering fields do it. Only computer (software, systems) engineers and sanitation engineers get away without it, and in the latter case the consequences only extend as far as trash spilled on the street.

Re:Sure (0)

Anonymous Coward | about 2 years ago | (#37560216)

> Licensed engineers with legal liability. Real engineering fields do it.

This is a US site.

Re:Sure (4, Insightful)

mandelbr0t (1015855) | about 2 years ago | (#37560230)

Give me a fucking break. First I was hired as a hacker, then I was told that I no longer had the required credentials to work in software, and now you want to tell me the degree I've gotten is the wrong one? Go fuck yourself. I have no problem carrying liability insurance, but this shared delusion that only engineers can possibly write good code is merely an attempt to make software development an activity of the elite. And people wonder where groups like Anonymous and LulzSec come from.

Re:Sure (2)

medv4380 (1604309) | about 2 years ago | (#37560184)

If Console game developers can put in the added effort to make a product that is reasonably bug free, or is otherwise unplayable, back before consoles could update the software then I'm sure MS can debug Office a little bit better before shipping.

Re:Sure (1, Insightful)

0123456 (636235) | about 2 years ago | (#37560356)

> If Console game developers can put in the added effort to make a product that is reasonably bug free, or is otherwise unplayable, back before consoles could update the software then I'm sure MS can debug Office a little bit better before shipping.

Office has a heck of a lot more code than Atari 2600 Space Invaders. And a heck of a lot more ways to interact with the user.

Office bugs aren't 'I press the left button and go right', they're 'I embed an Excel spreadsheet with 500,000 columns and when I change the font to 96-point Comic Sans the first column displays in the wrong font'.

Re:Sure (0)

Anonymous Coward | about 2 years ago | (#37560458)

> ... 96-point Comic Sans ...

had to laugh at this...

Re:Sure (0)

sqlrob (173498) | about 2 years ago | (#37560634)

Because GTA III is of the same complexity as Atari 2600 Space Invaders. Gotcha.

Re:Sure (1)

frog_strat (852055) | about 2 years ago | (#37560254)

Software quality problems are pervasive and annoying to dangerous. I wouldn't mind seeing this if insurance companies were prohibited from offering the insurance, and it was offered by co-op.

Re:Sure (1)

SlippyToad (240532) | about 2 years ago | (#37560326)

> just like healthcare with the torts.

What statistics do you have to demonstrate the cost savings "tort reform" would bring to healthcare?

Or, did you just lazily accept what you were spoon fed by people who don't want to be responsible for their actions?

Re:Sure (1)

h4rr4r (612664) | about 2 years ago | (#37560460)

If the medical industry was serious about this it would already be the case. You could get your surgery X% off if you sign some tort limitation form. That would however go counter to what they want, which is to limit tort and pocket the cash.

Re:Sure (1)

Swarley (1795754) | about 2 years ago | (#37560544)

I have one. The total cost of insurance, legal fees, and payouts amounts to 0.5% of the total cost of healthcare. I've seen different numbers in different places, as low as 0.16% in one estimation. All of them have been a fraction of a single percent.

Re:Sure (0)

Anonymous Coward | about 2 years ago | (#37560604)

My insurance premiums have never gone down. Never. And my state, Texas, did pass tort reform.

Tort reform is a tiger-repelling rock, and anybody who says otherwise is trying to sell you something.

Another law? No thanks. (2, Insightful)

PhxBlue (562201) | about 2 years ago | (#37560086)

"There should be a law!"

No. No, there shouldn't. There also shouldn't be disclaimers that "this coffee can burn your ass," "don't point this gun at your face" or "don't use this curling iron to stir your bathwater while it's plugged in."

If organizations see pen and paper as the only alternative, then they're probably getting the quality of IT support that they're paying for.

Re:Another law? No thanks. (0)

spidercoz (947220) | about 2 years ago | (#37560264)

Word. Whatever happened to "let the buyer beware"?

Re:Another law? No thanks. (1)

thePuck77 (1311533) | about 2 years ago | (#37560302)

This. Employers that do the best they can to spend as little as they can have no reason to complain when they get what they pay for nothing...nothing to very little.

Re:Another law? No thanks. (1)

exomondo (1725132) | about 2 years ago | (#37560612)

> There also shouldn't be disclaimers that "this coffee can burn your ass," "don't point this gun at your face" or "don't use this curling iron to stir your bathwater while it's plugged in."

No, there should be laws that make the people who made such things liable! If i'm stupid i should be able to profit from it dammit! I tried to snort my latte and starbucks didn't stop me, i deserve 1 million dollars!

Good luck (0)

Anonymous Coward | about 2 years ago | (#37560098)

The problem, of course, is that nobody wants to pay that much. So it's not going to happen.

Great idea (1, Insightful)

grimmjeeper (2301232) | about 2 years ago | (#37560108)

Yeah, let's drive the cost of software through the roof. That will solve everything! Companies will employ a lot more people to do testing but will still have to invest in huge insurance policies just in case they miss something. Your next copy of Windows will cost more than a well equipped car.

Re:Great idea (1)

Shimdaddy (898354) | about 2 years ago | (#37560630)

Actually, in a world where software can be a liability, testing isn't the answer -- the answer is formal methods. It's still under active research (as it's not immediately applicable to certain types of programs) but when used correctly, formality not only reduces errors, but reduces costs as well.

A terrible idea... (2)

Lohrno (670867) | about 2 years ago | (#37560124)

Software is complex enough that even the most diligent programmers produce bugs. It's nigh impossible to create 100% bug free code. I think this would pretty much kill the industry as well as be detrimental to hobbyists.

Re:A terrible idea... (0)

CohibaVancouver (864662) | about 2 years ago | (#37560228)

> It's nigh impossible to create 100% bug free code.

No it's not, it's just very expensive.

There's a good article here...

http://www.fastcompany.com/magazine/06/writestuff.html [fastcompany.com]

...that talks about the nearly bug-free code that ran on the Space Shuttle:

> But how much work the software does is not what makes it remarkable. What makes it remarkable is how well the software works. This software never crashes. It never needs to be re-booted. This software is bug-free. It is perfect, as perfect as human beings have achieved.

Re:A terrible idea... (2)

obarel (670863) | about 2 years ago | (#37560398)

I'm sure you are aware of the fact that even NASA don't always get it right.

http://en.wikipedia.org/wiki/List_of_software_bugs [wikipedia.org]

It's a great article, by the way. But still...

"...on a dollars-per-line basis, it makes the group among the nation's most expensive software organizations."
"The specs for that one change run 2,500 pages, a volume thicker than a phone book."

Re:A terrible idea... (0)

Anonymous Coward | about 2 years ago | (#37560256)

That's why there is testing. How diligent are you if you aren't thoroughly testing your code?

That said, is it unreasonable to try and fix all bugs? Sure. Impossible? No. Of course, there is always the issue of the platform. Any software will only be as stable as the platform it runs on. You can't really blame that on the application developers though.

Re:A terrible idea... (0)

Anonymous Coward | about 2 years ago | (#37560288)

Automobiles are complex enough that even the most diligent automotive designer will produce bugs. It's nigh impossible to create 100% bug free autos. I think this would pretty much kill the industry as well as be detrimental to hobbyists.

See how foolish it sounds when you start crying like the sky is falling?

Guess what, you SHOULD be liable for writing shit code that actually damages other people's systems through your own negligence. Just like doctors are liable for taking out the wrong kidney, or giving you a vasectomy when you were in for Lasik. Just like architects are liable for designing a home without support columns that collapses and kills your family. Just like a chef would be liable for feeding you rat poison. If software engineers want to be taken seriously as a legitimate profession, then they need to assume some liability for the errors they make and flaws they create through their own negligence.

Liability laws haven't killed any other industry, but they have gone a long way towards prompting those industries to codifying a set of professional best practices. It's time for software engineers to stop acting like everything they do is this vast unknowable unpredictable mystery, and start behaving as if they are, as they claim to be, an engineering field, or even a (gasp) computer science.

Re:A terrible idea... (1)

0123456 (636235) | about 2 years ago | (#37560386)

> Automobiles are complex enough that even the most diligent automotive designer will produce bugs. It's nigh impossible to create 100% bug free autos. I think this would pretty much kill the industry as well as be detrimental to hobbyists.

> See how foolish it sounds when you start crying like the sky is falling?

What's foolish about that? Automobiles routinely ship with potentially disastrous bugs, particularly now they're full of software; one big manufacturer recently had a recall because repeatedly switching between drive and reverse on some of their auto transmissions could destroy the transmission due to a bug in the transmission controller software, for example.

If you want a car with no bugs, you'd better be prepared to pay $500,000 for a Honda Civic.

Re:A terrible idea... (0)

Anonymous Coward | about 2 years ago | (#37560474)

Right - autos routinely ship with some bugs. And the manufacturers are liable for repairing their errors, and paying damages where their bugs actually hurt or kill people. But significantly more testing and analysis goes into the auto design than is put into the typical "LOLBETA" piece of software, and adding liability would change that.

My point about foolishness is that people are whining about how adding liability will make software "too expensive" or "kill the industry" - of course it won't. It hasn't with any other industry out there.

Nobody demands a car with no bugs, but they do demand that Toyota pay damages if a faulty accelerator causes you to crash your car, and we do expect Toyota to eat the cost of *repairing* that flaw when it comes to light.

Re:A terrible idea... (1)

Sperbels (1008585) | about 2 years ago | (#37560462)

> See how foolish it sounds when you start crying like the sky is falling?

> ...like doctors are liable for taking out the wrong kidney...
> ...giving you a vasectomy when you were in for Lasik...
> ...architects are liable for designing a home without support columns that collapses and kills your family...
> ...chef would be liable for feeding you rat poison...

Wait. Who's using crying that the sky is falling, My Hyperbole?

Re:A terrible idea... (1)

Anthony Mouse (1927662) | about 2 years ago | (#37560320)

If you read the proposal, it isn't likely to harm hobbyists much -- it basically exempts open source from the requirements. The likely result will be for proprietary software companies to either go out of business and become service companies, and for software to be developed in the future as open source by hardware and service companies.

Which I suppose wouldn't be the end of the world.

Cost - Infinity (0)

Anonymous Coward | about 2 years ago | (#37560140)

In a world with software liability laws, the costs would be prohibitively expensive. You'll create a new industry for "programmer insurance" where the premiums will be astronomical. Open source would die because who would put themselves at risk of a lawsuit for contributing to an open source project.

The few software products that survive will turn out updates only once every few years because beta testing time would need to be increased.

Finally, software companies would raise their prices to cover the inevitable losses they would take from bug-related lawsuits.

BAD IDEA!!!

Re:Cost - Infinity (1)

hedwards (940851) | about 2 years ago | (#37560304)

As opposed to the current system where the cost of incompetent software development is borne almost entirely by the people buying the software or third parties. If there's a vulnerability in say IE that allows people to get their hands on my password for my bank, it's not going to be MS that's out the money, it's either going to be me or the bank.

Introducing some liability for companies that release buggy software then hold off on providing patches until the last minute is exactly what we need. Otherwise MS isn't going to get the picture that withholding tested patches for the next patch Tuesday isn't acceptable practice.

You can't trust code ... (5, Informative)

LordNimon (85072) | about 2 years ago | (#37560146)

"You can't trust code that you did not totally create yourself."

I can't trust the code that I did totally create myself, either.

Re:You can't trust code ... (1)

cobrausn (1915176) | about 2 years ago | (#37560236)

A-Freaking-men.

You know, it just occurred to me that there really isn't a secular alternative to 'Amen' that gets the point across quite as well (at least not one I know of).

Re:You can't trust code ... (1)

Tynin (634655) | about 2 years ago | (#37560420)

> A-Freaking-men. You know, it just occurred to me that there really isn't a secular alternative to 'Amen' that gets the point across quite as well (at least not one I know of).

I think that is what the new batch of kids are using the word, "This!" for... even though it doesn't quite jive with the cut of my jib. :-)

Re:You can't trust code ... (1)

idontgno (624372) | about 2 years ago | (#37560578)

Well, the old-school Parliamentary call of "Hear, hear!" is kinda cool, although it's somewhat laden with political overtones.

Re:You can't trust code ... (0)

Anonymous Coward | about 2 years ago | (#37560628)

> A-Freaking-men.

> You know, it just occurred to me that there really isn't a secular alternative to 'Amen' that gets the point across quite as well (at least not one I know of).

No shit!

Re:You can't trust code ... (4, Interesting)

amicusNYCL (1538833) | about 2 years ago | (#37560298)

That reminds me of an anecdote one of my CS professors mentioned. When fly-by-wire technology for passenger planes was starting to get rolled out, they polled some people about their willingness to fly on a plane that was controlled by a computer. The group that had one of the largest negative responses was programmers. For everyone else the software is just magic.

Re:You can't trust code ... (2)

DriedClexler (814907) | about 2 years ago | (#37560472)

Some quote (approximate) from Knuth or some other guru:

"Be careful: I've only proven the code to work; I haven't actually run it or anything."

FTFA- (1)

Anonymous Coward | about 2 years ago | (#37560550)

In strict mathematical terms, you cannot trust a house you did not totally create yourself, but in reality, most of us will trust a house built by a suitably skilled professional.

not my fault (0)

Anonymous Coward | about 2 years ago | (#37560154)

Just another effort in our modern crusade to make everything Not Our Fault. Push the blame to someone else, then sue them when things go awry. Lovely.

Engineering liability (2, Insightful)

Anonymous Coward | about 2 years ago | (#37560162)

I need you to design a bridge. We've already promised the customer that it'll be light and strong, but we only have budget for paper (so we're ok on 'light', just make sure that it's strong), and the deadline is next Monday.

If you think it can't be done, I have the "outsourcing provider" on the phone telling me that there are 500 engineers who would do it. I need an answer in two hours. I know that you've just bought a house and have a new baby on the way, so think again before you protest.

By the way, we've also accepted liability. If anything goes wrong, I'll say that you told me it wasn't a problem.

Re:Engineering liability (1)

Amouth (879122) | about 2 years ago | (#37560284)

and any PE would walk away..

not my fault (1)

rish87 (2460742) | about 2 years ago | (#37560174)

Just another attempt in the modern crusade to make everything Not Our Fault. Push the blame to someone else and sue when things go awry. Lovely.

Re:not my fault (1)

Sez Zero (586611) | about 2 years ago | (#37560212)

Exactly-- that's just what software development needs: more lawyers. Amirite?

Re:not my fault (1)

hedwards (940851) | about 2 years ago | (#37560334)

Nice trolling. So, if there's a vulnerability in a browser that reveals their password, it's obviously the end user's fault for having chosen to use a browser programmed by incompetent people.

I'm not sure how one can be expected to personally audit every piece of software that they install on their computer. At some point it ought to be the responsibility of the people creating the product to do the necessary QA and patching to prevent such things.

It's not likely to be 100% effective, which is why due diligence typically comes into play.

OpenBSD vs Linux (0)

Xugumad (39311) | about 2 years ago | (#37560188)

Beyond the arguments about it being more costly, developing software to the degree of security we're talking will basically cause it to grind to a halt. Look at the popularity of Linux (with all its modern features) vs OpenBSD (with all its security).

> other mathematically proven insufficient and inefficient efforts

What are you going to do, have all software put through mathematical proof? I'm not even sure it's in any way feasible...

People need to stop equating software to buildings (5, Insightful)

Derekloffin (741455) | about 2 years ago | (#37560202)

You can overbuild a house, it generally makes it stronger. You over code a piece of software it just adds to the number of possible points of failure. The two really aren't good analogies for each other. That doesn't even consider things like how maintenance of both is handled, interactions of hardware, varying setups, and just simple complexity.

Re:People need to stop equating software to buildi (1)

rcw-home (122017) | about 2 years ago | (#37560346)

> You can overbuild a house, it generally makes it stronger. You over code a piece of software it just adds to the number of possible points of failure.

In this context, "over coding" software refers to, for starters, defensive programming techniques (i.e. checking the return values of all the functions you call, fully validating external inputs, etc). It does not reduce the number of points of failure, but it does require the programmer to consider them and then gracefully handle them or transparently report the problems it can't handle. It does bloat the code somewhat, making it less concise, and it usually increases the amount of time required to make changes, but the transparent reporting of issues to the user significantly reduces the amount of time needed to debug flaws. Fewer bugs escape testing and the bugs that do escape can be accurately reported, are more likely to be reproducible, and are more easily fixed.

Re:People need to stop equating software to buildi (0)

Anonymous Coward | about 2 years ago | (#37560492)

Ensuring software quality is not about building more. It is about testing more.

Engineering is a profession (2)

Talennor (612270) | about 2 years ago | (#37560208)

Hey, engineering in general is a profession. Bridges and skyscrapers get built. And if the engineers mess up people can die. And there's liability for flaws.

Should all software hold to this standard? No. I didn't involve a civil engineer building a clubhouse as a kid. But there are places where correctness does matter and is worth the extra discipline and professionalism.

Re:Engineering is a profession (2)

Billly Gates (198444) | about 2 years ago | (#37560512)

No because 90% of coding is working with pre-existing frameworks in code.

70% of the job is working around bugs in IE 6/7, MFC, and Win32 for all software development in the real world. Believe it or not people need to memorize race conditions in IE 6 as sometimes code will work in a test release but in real life it won't work randomly etc.

Sure, this is slashdot and someone may reply they code in C, but that is niche 3% of all programmers. No one designs things from scratch all by themselves from the ground up like a real engineer

Now if the IE 6 only site fails I can be held liable? Fuck that as the bug probably has nothing to do with me at all and is hidden in 12 year old buggy code.

CIOs may just move to India and have all the coders and IT professionals sell cars and serve coffee at Starbucks, where I.T. company owners do not have to worry about liabilities, regulations, and other things that these 3rd world countries become so attractive. In the end you are the one then who loses out.

Re:Engineering is a profession (1)

Xugumad (39311) | about 2 years ago | (#37560590)

Sure; but this is not about a few corners being cut, this is about an order of magnitude difference in costs. The design requirements, implementation, and QA are all massively increased.

That's fine if you're building a nuclear power plant's control systems, or an autopilot, but to be blunt, people are happy with Windows because it makes the right compromises for them.

Re:Engineering is a profession (1)

CAIMLAS (41445) | about 2 years ago | (#37560600)

"For everything else, there are poorly paid, incompetent Indian programmers"? Because that's what it comes down to.

Can be had, at a cost (0)

Anonymous Coward | about 2 years ago | (#37560210)

Can be had, at a cost. My clients procure their systems that way. I advise them (amongst other things) on keeping risks and liability squarely in the vendor's court.

Nope (1)

gwstuff (2067112) | about 2 years ago | (#37560214)

I vote against it. -Software developer

Re:Nope (1)

hedwards (940851) | about 2 years ago | (#37560364)

OK, then who precisely should have to pay for the cost of the exploits and who has the ability to actually influence the number of exploits in the software?

As long as the developers are the only ones with the ability to patch those bugs, they're going to have to shoulder some responsibility for the vulnerabilities that exist in the software. I'm not sure who else has that level of responsibility for the software package.

Re:Nope (1)

maxume (22995) | about 2 years ago | (#37560564)

You are really beating that drum.

The problem is most people probably don't really want to pay the prices that would be charged if vendors faced legal liability for every issue with their software.

(And currently they don't actually try to deny liability, they just claim that their software shouldn't be used for anything that might incur liability...)

no thanks (1)

AmiMoJo (196126) | about 2 years ago | (#37560246)

All that would happen is vendors lock down the system totally and only allow signed, vetted code. Approved websites only. Pre-scanned emails only.

I'll take my chances.

Treat software as an Engineering process (1)

Platinumrat (1166135) | about 2 years ago | (#37560252)

In effect we are building machines, albeit virtual ones. You don't get to drive cars on the road, that haven't gone through an engineering design and approval process.

Unfortunately, that costs both time and money. It requires that you have a formal systems engineering approach; Independent Verification & Validation; Testing and first of all; Formal Requirements that are traced to the implementation.

You can't get away with doing it "On the cheap". I don't know many countries that allow Rail Traffic Control system to run their railways, without formal process. Most of those that don't, are 3rd World countries and only pay lip service to the principle.

Re:Treat software as an Engineering process (1)

mandelbr0t (1015855) | about 2 years ago | (#37560342)

Spoken like a true engineer. Measure a thousand times, have a thousand meetings, and still screw up anyway. Somehow I don't think that your average corporate intranet application needs anywhere near this much effort, nor the software engineering team that you think you need to throw at it. I guess when you're an engineer everything looks like an engineering problem.

Re:Treat software as an Engineering process (0)

Anonymous Coward | about 2 years ago | (#37560456)

Software is very unlike houses, cars, or anything like that.
No amount of time and money will change that.

The value of software is in its ability to easily _change_.
This malleability is why so much functionality has moved from the hardware to the software.

Many attempts have been made and are being attempted today to apply rigid processes to software development, in order to make it predictable and "bug-free".

On one hand, this fails completely and only exacerbates the problem. I don't want to digress about why this is, since there's another angle that might be more interesting (at least for those readers who know that this is the case): since abstracting hardware to make it achieve more, different goals with trivial changes in code and data is the whole point of software, no one would want to use software which instead re-implements the rigidness of hardware in software.

All we need is Love (3, Interesting)

migla (1099771) | about 2 years ago | (#37560300)

... All we need is love and Free Software. And even the love is not strictly a requisite.

Let's say everyone owns Free software, so nobody (i.e. everybody) is liable for faulty Free software. Everybody (i.e. nobody) pays.

In other words, sure, let the proprietors of proprietary software pay for software behaving badly.

If the software is free it's everybody's and nobody's responsibility. It's like culture and language in general. We do it together.

Who's with me?

Standing on shoulders (2)

Sez Zero (586611) | about 2 years ago | (#37560314)

The solution seems a little too simplistic. Just look at any very large software project, like an operating system. Even a simple operating system like an iPod has a huge set of sub-licenses (go check out the Legal menu item, at least twenty on my nano). Large commercial projects often have code contributed from other sources; some open source, some not. If the problem comes from one of those contributions or sub-licenses, what happens?

I could definitely see Microsoft set up a fully owned subsidiary that gives free code to only Microsoft under Clause 1 (limited to refund) while the main shop sells it as a full operating system. "Oh, your computer is part of a bot-net? Sorry, that was a bug in the browser code. But since they gave that to us free, you get a refund of $0."

And people resort to writing trade secrets down on paper? Who knew there were so many luddites at ACM?!

Outlining a World Where No One Writes Software (2)

greg1104 (461138) | about 2 years ago | (#37560328)

There are already far too many lawyers sucking overhead out of software development companies. Increasing liability for code will drive up how much it costs; software is only cheap because it's relatively low risk to release.

I make my living working on open-source projects. Given how many imperfect components I work with, in a world with liability issues my full time job would become contract paranoia instead. It's already extremely dangerous to try and make a living from open-source work due to the huge patent minefields you're exposed to. If something like this happened, the only companies who would still be able to afford the risk of coding would be corporations with large legal departments. I'd have to move to a country that doesn't have these laws instead, which is exactly where all the software jobs will migrate to (even faster than they are already migrating now).

What would be SANE (1)

RobertLTux (260313) | about 2 years ago | (#37560622)

Have things set so that REASONABLE EFFORTS are required. Now the lawyers can sort out the meaning of the term, but if you have done everything possible (input checking and not using known unsafe code, etc.) then you should be safe from being sued.

Also, if something is later found to be "unsafe" then the required patch/update should be given out free to existing customers (no fair bundling an error fix with a program feature update just to be able to sell the update). Now yes, this should have a reasonable limit (you should not have to provide patches for a 12-year-old program just because you have customers that have yet to upgrade to a current version), but trying to force updating just to get a bug fix should be forbidden.

Don't trust applications, ever (3, Interesting)

ka9dgx (72702) | about 2 years ago | (#37560366)

The responsibility for preventing security problems with PCs should strictly fall into 2 places, the User, and the OS.... however... not the way 99.99% of you are thinking about it.

The user should decide what resources a program NEEDS in order to do a task, such as which folder it can access, what network connections, etc. This allows the user to decide ahead of time what they are willing to risk. Once that determination is made, the user then would give that list, along with a pointer to the program, to the operating system.

The OS should then enforce the user's choices.... if it's not in the list, the application shouldn't even be able to find it, let alone access it. If the OS fails to enforce the user's will, then the OS is at fault.... if the User gave away the store, well... they gave away the store.

This requires a simple change to the base design of operating systems, instead of permitting everything, and limiting actions of a running program to that of the user's account... the OS should limit the actions of the program to a short list of resources supplied by the user... and nothing else. Of course, the refactoring of everything to add this additional layer of logic is a massive undertaking.

  There would still be the traditional user rights, access control lists, etc.... but there would also be a level of control where the user decides which of the resources they have should be given to the application. This is called "capability based security", or cabsec for short.

It's going to take somewhere between 10 and 15 years before people are fed up enough to make the switch.... but it will happen eventually.

Security isn't an application issue... it never was, and never will be.
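An added illustration of the lookup rule described in the comment above (not part of the original post, and not code from any operating system): a user-supplied grant list is enforced by a hypothetical `Broker`, and names outside the list are reported as nonexistent rather than forbidden. The class, function and folder names are assumptions, and a Python object cannot confine a real process; this only models the decision the OS would make.

```python
import os
import tempfile
from pathlib import Path

class GrantError(PermissionError):
    """Inside a grant, but the requested access mode was not granted."""

class Broker:
    """Hypothetical stand-in for the OS layer; grants = {folder: "r" | "rw"}."""
    def __init__(self, grants):
        self._grants = {os.path.realpath(p): m for p, m in grants.items()}

    def open(self, path, mode="r"):
        # Resolve ".." and symlinks first so the check applies to the object
        # actually opened (a real kernel would resolve and open atomically).
        real = os.path.realpath(path)
        for root, allowed in self._grants.items():
            if real == root or real.startswith(root + os.sep):
                if any(c in mode for c in "wax+") and allowed != "rw":
                    raise GrantError(f"{path}: granted read-only")
                return open(real, mode)
        # Outside every grant: answer as if the name did not exist.
        raise FileNotFoundError(path)

def untrusted_program(broker, docs, scratch, secret_key):
    """Constructed 'application' that probes the edges of its grants."""
    attempts = {
        "read granted file": (os.path.join(docs, "notes.txt"), "r"),
        "write to scratch": (os.path.join(scratch, "out.txt"), "w"),
        "write into read-only grant": (os.path.join(docs, "notes.txt"), "w"),
        "dot-dot escape": (os.path.join(docs, "..", "secret", "key.txt"), "r"),
        "symlink escape": (os.path.join(docs, "link"), "r"),
        "direct path": (secret_key, "r"),
    }
    results = {}
    for label, (path, mode) in attempts.items():
        try:
            broker.open(path, mode).close()
            results[label] = "ok"
        except GrantError:
            results[label] = "denied"
        except FileNotFoundError:
            results[label] = "not found"
    return results

def demo():
    # Constructed sample layout: two granted folders and one that is not.
    with tempfile.TemporaryDirectory() as base:
        docs, scratch, secret = (
            os.path.join(base, d) for d in ("docs", "scratch", "secret"))
        for d in (docs, scratch, secret):
            os.mkdir(d)
        key = os.path.join(secret, "key.txt")
        Path(docs, "notes.txt").write_text("meeting notes")
        Path(key).write_text("constructed secret")
        os.symlink(key, os.path.join(docs, "link"))  # link out of the grant
        broker = Broker({docs: "r", scratch: "rw"})
        return untrusted_program(broker, docs, scratch, key)

if __name__ == "__main__":
    print(demo())
```
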

Re:Don't trust applications, ever (1)

h4rr4r (612664) | about 2 years ago | (#37560400)

This is called SElinux. It already exists and is in wide use.

Re:Don't trust applications, ever (1)

ka9dgx (72702) | about 2 years ago | (#37560440)

No... it's not... SELinux and AppArmor enforce static rules.... not dynamic ones decided by users. However... it is a step in the right direction.

Re:Don't trust applications, ever (1)

h4rr4r (612664) | about 2 years ago | (#37560510)

You can make your own SELinux policy all you want. I fail to see how that does not fulfill this.

Re:Don't trust applications, ever (1)

0123456 (636235) | about 2 years ago | (#37560610)

You can make your own SELinux policy all you want.

Good luck with that.

AppArmor is hard enough for a typical user to configure, SELinux seems to be pretty much impossible unless you're an expert.

Are lawyers liable for flaws in laws? (0)

Anonymous Coward | about 2 years ago | (#37560368)

I've been told by a lawyer that some laws actually contain the equivalent of "memory leaks". In other words, a law will refer to another law that's been repealed. None of these legislators ever eat their own dogfood of course...

If this comes to pass... (0)

Anonymous Coward | about 2 years ago | (#37560394)

I will quit writing code and find another profession. Maybe Italian underwear modeling, who knows.

Users are the biggest problem anyway (1)

Tridus (79566) | about 2 years ago | (#37560410)

So who is held libel when the user gets an email that says they've won millions of dollars if they click this link, ignore the security warning telling them they probably shouldn't click the link, and proceed to install some malware from god knows where?

If you're telling me that I am... well that's fine, because you're no longer allowed to click links. Or install stuff. Or do anything other than what I've whitelisted. Congratulations, you no longer have a PC.

Re:Users are the biggest problem anyway (0)

Anonymous Coward | about 2 years ago | (#37560626)

liable

why not take some responsibility? (0)

Anonymous Coward | about 2 years ago | (#37560412)

Doctors don't have to be perfect to escape a law suit. They just can't be grossly negligent. In other words, if they make a mistake that someone of their training and qualifications should have foreseen or avoided then they have a problem.

As a software developer, a law against bugs scares me a little but looking at our 'profession' I could see some value in forcing us to take responsibility for ourselves.

Not a week goes by that I don't read about some site, business or service that gets taken down or broken into because of simple sloppy programming. Is it really asking too much to protect a website against SQL injection attacks? Is that beyond our skill set?

What if we were liable if we were grossly negligent as software developers? Let's say we used the "SANS TOP 25 Most Dangerous Software Errors" (http://www.sans.org/top25-software-errors/) as a starting point. If your software causes harm and a panel of software developers examine your source and see that you didn't take the most basic of precautions against these extremely well understood risks, you have to pay up.

Nothing wrong with paper (1)

gweihir (88907) | about 2 years ago | (#37560418)

The advantage for paper is that you need physical access to break its security. Paper in a safe is even better. And every educated person understands the characteristics of pen and paper, while understanding IT security requires an expert (I am one). I personally have some things on paper that I would not put on my computer.

So, yes, this is an indication of failure on the part of rolled-out IT security, but it is not a problem. At least I do not see one here.

More laws? (0)

Anonymous Coward | about 2 years ago | (#37560482)

Why are more laws always the first answer? If a company is concerned about losses due to software defects then I'm sure some private insurance company would be happy to sell them a policy. With that policy would come audits of software installed, browsers used, plugins used, etc. to determine the cost. You don't need to pass laws to make these sorts of agreements possible. In fact, some Playboy model just insured her boobs for $1 million, no laws required.

"used normally" (1)

DaveGod (703167) | about 2 years ago | (#37560496)

If you do not want to accept the information sharing in Clause 1, you would fall under Clause 2 and have to live with normal product liability, just as manufacturers of cars, blenders, chainsaws, and hot coffee do. How dire the consequences and what constitutes "used normally" are for the legislature and courts to decide.

An example: A salesperson from one of your longtime vendors visits and delivers new product documentation on a USB key. You plug the USB key into your computer and copy the files onto the computer. This is "used normally" and should never cause your computer to become part of a botnet, transmit your credit card number to Elbonia, or send all your design documents to the vendor.

I was under the impression that manufacturers generally are not held responsible for the consequences of a third person cutting through the brake cable of a parked car, soldering out the safety catches or adding arsenic to a hot coffee on a desk.

The author fobs off the real meat of the topic - what constitutes "used normally" - to the legislature and courts, but my understanding is they already do that. If a product ships with code that itself will do damage surely they're liable. Whether there is liability resulting from the actions of others is rather a difficult subject. Even the maker of a safety helmet may only be liable for an injury the helmet could reasonably be expected to protect from; something highly unlikely to include scenarios that involve a third person intentionally trying to injure the person.

Makes sense in some cases ... (1)

MacTO (1161105) | about 2 years ago | (#37560538)

If the consequences of the poorly written code are negligible, who cares.

If the user can take well known preventative measures to avoid damages, and don't, then they are liable.

If a software fault causes damage to life or property, then the liability of the developer is a serious consideration.

A lot of research has been done to improve software engineering practices to make software more reliable. A lot of research has been done in computer science to prove algorithms. If you're writing mission critical software and ignore that research then you are doing something wrong and perhaps you should be paying the price.

why "back to"? (1)

holophrastic (221104) | about 2 years ago | (#37560540)

There's nothing wrong with pen and paper. Computers don't "replace" pen and paper, they "add" to pen and paper. That's always been the case. Just look at data storage. Pen and paper, subject to fire and flood, but otherwise reliable for ages. Computer storage can die for any number of reasons, but you can duplicate it thousands of times easily. That's the safety net.

Today, welcome to the internet, your computer is accessible -- by the way, you didn't need to plug it in -- so it's accessible to all. Blaming software flaws is like blaming your locksmith because someone chiselled out your front door.

It's easy to build software without holes. About as easy as it is to build a lock for a bank. And it'll cost about the same.

But you never needed a perfect lock. Ethan Hunt can always get in. You wanted to deter, detect, and determine.

My home has a camera at each entrance. Not because they're anywhere near good enough to identify the person who stole the family jewels, nor to assist the police in catching the criminal. They are there to prove that the house was robbed -- to the insurance company. They decrease insurance fraud.

People forget the original intent.

Have you purchased windshield wipers for your car? Why? You can just take them off of any parked car you ever see.

Re:why "back to"? (1)

rkfig (1016920) | about 2 years ago | (#37560642)

Thank you. Exactly what I was thinking. What is so wrong with keeping company "secrets" on paper only? Not everything needs to be, nor should be, emailed, blogged, and tweeted about. Technology can be good, but is not implicitly better just because it's newer. For example, I will never prefer an e-reader to a good old fashioned book. Oh well. An obligatory get off my lawn!

bad idea (0)

Anonymous Coward | about 2 years ago | (#37560546)

Such a law would cripple open source / free programs while increasing cost of paid programs as well as killing off most software based companies. Security issues are a natural part of software. It's not the fact that they exist that worries us, it's the fact that companies don't proactively try to protect against them. Mozilla Firefox is a good example of dealing with security issues yet they still have them due to the complexity and nature of the code.

Laws dealing with intentions are also hard to prove so are useless as well. Rather than laws, certification bodies would be a much better and more "capitalistic" solution. Something we already do for more security conscious places. And as shown, it's expensive to audit code as it takes a lot of human effort.

Just does not make sense (0)

Anonymous Coward | about 2 years ago | (#37560554)

Can you sue your lawyer if you go to jail and you are later found to be innocent? And the judge?
Can you sue every car driver out there for global warming?
Can you sue the president if he did not perform all that you think is best for the country?

Already done in Contracts (1)

prefec2 (875483) | about 2 years ago | (#37560562)

In contracts for software projects, rules to guarantee certain safety and security levels are already present. In embedded systems and trading platforms, there are even laws in place which define how safe something has to be. For example the Safety Integrity Levels are used to define how many failures may occur before violating the law. Similar stuff exists for security. The real problem is that no one in low risk areas is willing to pay for higher safety and security levels. Present end user software is too complex and too badly written to verify or validate them. They are not even using unit tests. And when they use them, they do not test the right thing.

You will have to rewrite most software and use verification and test methods alongside to ensure higher standards. If you establish SIL 2 or higher and similar security levels for software by law today, most software can no longer be sold or used, as none of it will comply with these standards.

However, helping people to start using such methods might be a step in the right direction. And how can we apply such methods in OSS projects?
