Cure For Bad Software? Legal Liability

timothy posted more than 12 years ago | from the sue-the-bastards dept.

The Courts 456

satch89450 writes: "SecurityFocus had a column that I missed when it was first published a few days ago, titled 'Responsible Disclosure' Draft Could Have Legal Muscle, but I discovered it when researching an answer to a comment on the CYBERIA mailing list. In this article, Mark Rasch discusses how the Draft would set the rules for reporting security vulnerabilities, and in particular define the boundaries of liability assumed by bug-disclosers. By adopting a "Best Practices" RFC, the IETF could help the reporters of security-related bugs do their job, and put the onus of fixing the bugs on the vendors who make the mistakes, where it belongs. (The RFC draft described in the article, 'Responsible Vulnerability Disclosure Process,' is here at the ISI repository.) This is, of course, in direct opposition to the process that Microsoft's Scott Culp, Manager of the Microsoft Security Response Center, would like to see. As Microsoft is more part of the problem than part of the solution, I believe that the path to a formal process would better serve the entire community - and that community includes Microsoft's customers. I'm taking this seriously because the mainstream press is talking about the issue, and what it's going to take to fix it. Here is an example from BusinessWeek that scares me silly. I'm glad I'm looking to change careers from software development to something safe, like law."

As if programmers jobs aren't hard enough! (-1, Flamebait)

ringbarer (545020) | more than 12 years ago | (#3158443)

Yet more legal recourse to screwing the little guy. Well done, anti-Microsoft dickheads.

Fist Sport.

Re:As if programmers jobs aren't hard enough! (1)

prizzznecious (551920) | more than 12 years ago | (#3158544)

As it's first etc, this will probably get written off as a troll, but its insight is keen. We've seen it ALL before. Microsoft has more than enough money to fend off any possible lawsuits (believe me, a little security liability case is peanuts compared to a multistate anti-trust case--I don't care that they technically lost that one, it's a testament to their legal fortitude that we haven't actually seen any results from that loss).

However, smaller companies and Open Source companies will be easily trampled by larger companies if this sort of crap were in place. Small companies don't have huge legal budgets. They can't afford to pay a settlement to make someone go away. They can't afford to litigate for a long time. So they'll be deathly afraid to develop anything risky.

Why don't we stop hating Microsoft for a second and realize that if Linux were the dominant platform then we would have scores of security holes being exploited in that system instead of Windows. It has to do with marketshare and the people who write the exploits, not the people who write the software.

The Get Out of Jail Free Card (3, Funny)

ackthpt (218170) | more than 12 years ago | (#3158659)

Campaign Donor [×]

Non-Donor []

A check in the Campaign Donor box guarantees the
holder insulation from legislation which may find
the card holder liable for any damages, further, the
card holder may be eligible for assistance from the
Department of Justice in legal matters.

baha (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3158444)


Open Source Software As Well (5, Insightful)

BWS (104239) | more than 12 years ago | (#3158457)

if we have software liabilities then we also open "Open Source" software to liabilities....

It would be crazy to say that "Open Source" have no liability while "Closed Source" do...

Re:Open Source Software As Well (2, Funny)

Anonymous Coward | more than 12 years ago | (#3158481)

So is OSDN legally responsible for not fixing page widening?

There's a lawsuit I'd follow!!

Re:Open Source Software As Well (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3158511)

What are you talking about? There hasn't been any page widening for weeks, and I know this because I browse every story at -1. I think your browser must be broken.

Re:Open Source Software As Well (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3158583)

Can you point me to the Web Standard that decrees why there is no page-widening problem on some browsers but there is on others? A specific citation would be helpful.

Otherwise, you're talking about 'proprietary extensions', and we all know how bad THOSE are viewed here at Slashdot.

Re:Open Source Software As Well (3, Interesting)

SuperDuperMan (257229) | more than 12 years ago | (#3158507)

I agree. I would never consider contributing to the OSS movement if I knew I could be held liable and there is no reason I shouldn't be because I did it for free vs being paid. Linux will not be held to be above this process.

I'd hate to be responsible for ZLib.

Re:Open Source Software As Well (1)

albat0r (526414) | more than 12 years ago | (#3158510)

No, it would be crazy since when you have access to the source, you can look by yourself if there's any bug in the software, and fix them if you find one. So you wouldn't be able to sue those who open their source.

Also, when it's open source, everyone can change what they want in it... so if there is a bug, who is the fault? Anybody who have seen the code can have been able to see/fix the bug... so are you going to bring everybody that used that software into court for not fixing the bug?

Re:Open Source Software As Well (0)

Anonymous Coward | more than 12 years ago | (#3158578)

Similarly, everyone who owns a Ford Explorer should be held liable for the rollovers for not looking at the design and fixing the instabilities.

Re:Open Source Software As Well (0)

Anonymous Coward | more than 12 years ago | (#3158698)

Nah, everybody who owns a Ford Explorer should be held liable for blocking my view on the highway. GoodMichelin (god of driving) sees no difference between SUV drivers and minivan drivers.

Re:Open Source Software As Well (3, Interesting)

aridhol (112307) | more than 12 years ago | (#3158589)

so if there is a bug, who is the fault?

For every active open-source project, there is a maintainer. It is the job of this maintainer to ensure that released software is bug-free.

I think that, if we're going to have penalties for insecure open-source software, we should:

hold the maintainer liable

Only have penalties for release-level software. No alphas, betas, or cvs nightly builds.

I also believe that a vendor or maintainer should be given a reasonable amount of time to fix a bug. There shouldn't be a penalty for a security hole that exhibits itself at one second after midnight on a full moon if the year is divisible by 7 when an attacker uses the root password as a user name. However, if this combination is discovered, and isn't fixed, then hold the maintainer/vendor liable.

OTOH, a crash that's caused by pressing the backspace key too many times should be fixable immediately or subject to penalties.

IMHO, of course.

Re:Open Source Software As Well (0)

Anonymous Coward | more than 12 years ago | (#3158662)

You're going to see a lot of open source software in perpetual beta, then.

Re:Open Source Software As Well (2)

aridhol (112307) | more than 12 years ago | (#3158702)

Most of it is. However, I wouldn't trust beta software for my business, so they lose liability and users at the same time.

Re:Open Source Software As Well (0)

Anonymous Coward | more than 12 years ago | (#3158705)

For every active open-source project, there is a maintainer.

Well, there won't be one if he could potentially be liable.

It is the job of this maintainer

Job !?! That implies a whole bunch of things that don't exist, like pay, and benefits, and liability insurance ...

Re:Open Source Software As Well (0)

Anonymous Coward | more than 12 years ago | (#3158609)

Bwaa haa haa.

Yes. And those people with the exploding Firestone tires could have hopped out of the car and fixed the tires. There's nothing 'closed' about the process used to make the tires.

Please engage in your Open Source handwaving in private, it just makes you look silly when you do it here in public.

Re:Open Source Software As Well (1)

saarbruck (314638) | more than 12 years ago | (#3158536)

With open source, I can go look at the code, satisfy myself that it's secure, and assume responsibility for running it.

With closed-source, I have no access to the code, and I have to take someone else's word for it that the software is secure. In that case, they should be liable since they've left me no way to assume the responsibility myself.

Re:Open Source Software As Well (1)

TulioSerpio (125657) | more than 12 years ago | (#3158549)

I think the Open Source Software made YOU responsible of the soft since you can modify the code, if you want.

Re:Open Source Software As Well (0)

Anonymous Coward | more than 12 years ago | (#3158551)

This is moronic. You've paid nothing to the open source contributor. He, therefore, has no duty to you. There is no contract, no quid pro quo and hence no legal grounds for liability. It's free.

OTOH, you've PAID for commercial software. The company that sells the software has a legal responsibility because it *sold* you the product.

Try taking an elementary class in business law. You might learn something.


Re:Open Source Software As Well (0)

Anonymous Coward | more than 12 years ago | (#3158714)

This is moronic. You've paid nothing to the open source contributor. He, therefore, has no duty to you. There is no contract, no quid pro quo and hence no legal grounds for liability. It's free.

look up 'merchantability'.

Re:Open Source Software As Well (0)

Anonymous Coward | more than 12 years ago | (#3158552)

The problem is that you can't fix closed source software. If you find out about a security hole in open source software, you have the source and thus the ability to fix it. With closed source software, you don't have that option. If a company won't give you the option to fix it yourself, then they should be held liable.

Re:Open Source Software As Well (3, Informative)

bay43270 (267213) | more than 12 years ago | (#3158556)

This would create a huge barrier to entry for the entire software industry. Joe Blow could no longer write software 'just cause the world needed it'. If you aren't hiding behind a corporate shield, you simply couldn't write software.

IMHO, even as buggy as Microsoft's software is, they are the best suited to defend themselves. In a liable industry, they might stand the best chance of surviving.

Re:Open Source Software As Well (0)

Anonymous Coward | more than 12 years ago | (#3158634)

IANAL, but ISTR that many jurisdictions will not consider a contract made (and there would need to be a contract for there to be a liability) unless a thing of value is exchanged, even a dollar.

There is no such exchange with GPLd software, so the writers of the code have no liability given they've received nothing of value in return.

This proposal is a little like "software patents" (4, Insightful)

tkrotchko (124118) | more than 12 years ago | (#3158671)

In theory, this should help the little guy and open source because they could be more responsible for their customer.

But in fact, it will have the opposite effect. It means that software will have to be "certified" before it could be released.

Little developers (guys in their basement) could never afford this. Big guys (Microsoft) could. Again, this favors big, established companies over upstarts.

But more seriously, let's look at the worst issue with having liability for unsecure software:

If I have a Firestone tire (as mentioned in one of the links), I expect that it will be safe to put on my car and drive up to the speed rating on the side. But if I used the tire as a swing in my backyard and I fell off and broke my arm, should Firestone be liable? After all, a lot of people use tires for swings, and they didn't do anything to make them safer for this purpose.

Silly? Maybe. But now apply to something like a computer operating system. What is its intended purpose? Basically its purpose is infinite. It will allow a piece of hardware to begin to have infinite possibilities. So now I have to make sure my software is safe in any possible circumstance that I can't even foresee!

Mind you, I'm not excusing bad software, but I don't see how this proposal will do anything, because a new license will come out that people will simply have to accept something like:

"I accept that if I use this software it is completely insecure and will allow bad people to do bad things to me and my computer. I completely waive all rights to bring legal action against the makers of this software, even if they knew there is or was a problem."

This is a "good in theory, bad in practice" solution.

Re:Open Source Software As Well (2)

ChaosDiscordSimple (41155) | more than 12 years ago | (#3158699)

It would be crazy to say that "Open Source" have no liability while "Closed Source" do...

It's perfectly sane to hold Open Source software less liable than proprietary software.

Open Source software is more likely to be free (price) than proprietary software. If you get software for free (open or proprietary), lack of liability makes sense. Someone (or some company) gave you something for nothing, it seems a bit unfair to sue them when the free thing didn't meet your expectations.

Also, Open Source software is, well, open source. The software is guaranteed to behave as described in the source code (given a properly functioning compiler and computer). You're free to audit the software for fitness for your use, free to adjust it (or pay someone else to adjust it) to make it fit. With proprietary software, you're at the mercy of the supplier. If it doesn't work, well, tough luck.

Cure for page-widening (-1, Funny)

Klerck (213193) | more than 12 years ago | (#3158461)

There isn't one! I will forever widen your pages!

Disadvantage: Small Business (5, Insightful)

FortKnox (169099) | more than 12 years ago | (#3158464)

MS has bigtime lawyers.
So does Oracle.
So does Sun.

But your average startup? They don't have guaranteed paychecks, sometimes.

This only hurts the little guy.

Do you think this would even apply to MS? Sun? (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3158526)

Doubtful. Considering they were found guilty of Monopolistic practices and got to choose their own punishment essentially.

Remember 2 things. Republicans suck, and anyone who votes for a third party is lying to themselves. Perot fucked George H. Bush, Nader fucked Gore. All morons do by voting for third party candidates is screw themselves. If you don't like the direction of your party then YOU CAN RUN as a candidate for that party and change the direction to your vision. Nader was |quote| too much of a pussywimp |/quoting Thorten Mellon| to try to change the Democratic party focus.

Re:Disadvantage: Small Business (1)

hs81 (62329) | more than 12 years ago | (#3158529)

>> This only hurts the little guy.
Agree 100%. What we need is a business climate that encourages individuals and small start-ups to innovate and take risks. This is not the solution.

omg... (-1)

HBD (450014) | more than 12 years ago | (#3158466)

bout they start coding..see if they are capable of making bug-free code in time to meet production

Stop this wide shit (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3158471)

First REAL post, hold all the programmers responsible. And fix the wide shit here. Change your code choads!

All right!!! Who are these Einsteins? (-1)

bytes256 (519140) | more than 12 years ago | (#3158475)

Yes, that'll keep the economy moving...let's regulate the software industry like we did the railroads, and airways, and everything else that got too successful.

I mean Microsoft Word crashing is really serious...and of course a security flaw in Linux...that could be freakin' life threatening!

Gotta love American freedom to innovate!

Liability for bugs (4, Interesting)

Violet Null (452694) | more than 12 years ago | (#3158478)

Liability for a bug that's known for more than x amount of time and is not publicly disclosed is one thing; the company here is obviously being negligent in neither fixing the problem nor alerting its customers.

However, I shudder about the day where a company can be sued simply for a problem in the software. There's enough ways to sink a small company as it is, without the threat of "If your software isn't perfect[1], you're gonna pay".

1: And we know that no software is perfect.

Re:Liability for bugs (-1)

beee (98582) | more than 12 years ago | (#3158503)

listen, cunt, you obviously don't have any experience in software development or your 'opinion' would greatly differ.

please, in the future, keep your debate to subject areas that you aren't clueless in.


my cinnamon girlllllll

Re:Liability for bugs (1)

bob_clippy (562460) | more than 12 years ago | (#3158604)

Most of the complaints seem to be centered around security, and this is inherently more difficult for vendors to provide than general robustness (e.g. Y2K). Since you're not dealing with nature but the wily human hacker. Much as I admire Microsoft, I think we should go slow here in terms of new liability laws, etc.

Last post? (0, Offtopic)

s0l0m0n (224000) | more than 12 years ago | (#3158479)

I'm not sure, but that big ass banner really annoys the fuck outta me.

And, no, I don't wanna pay for something that's always been free (like beer).

If it weren't for the ranting OSS community here, and the occasional decent sci post, I'd have gone long ago.

However, with OSS in mind, How is this going to affect people like sourceforge?


Re:Last post? (0)

Anonymous Coward | more than 12 years ago | (#3158490)

I'll believe it when I see it, s0l0m0n

Re:Last post? (0)

Anonymous Coward | more than 12 years ago | (#3158515)

How is this going to affect people like sourceforge?

Did you see Deliverance? Think Ned Beatty.

There has to be some accountability (1, Insightful)

marian (127443) | more than 12 years ago | (#3158485)

Just consider that Microsoft is trying to get a version of Windows used by car companies for the computers that control various functions in the cars they sell. Regardless of what my opinion of Microsoft's business practices is in the marketplace, the thought of a Windows version controlling something like the fuel/air mixture in my vehicle terrifies me. Software vulnerabilities and bugs are moving into the realm of causing deaths. Is this what it takes to force accountability onto the companies who market buggy code?

Re:There has to be some accountability (2)

Graymalkin (13732) | more than 12 years ago | (#3158534)

Sigh. There are safety regulations in place that prevent software like Windows from controlling the fuel air mixture of your car's fuel. The reason for this is explicitly liability. No one would stick Windows on a system requiring real time control and processing. No one would stick Linux on them either. Go tilt at windmills someplace else.

Re:There has to be some accountability (0)

Anonymous Coward | more than 12 years ago | (#3158677)

There are companies embedding Windows NT and probably by now Windows XP into critical life care devices. I know because I recently left a company in the process of integrating embedded XP into their next generation system.

Don't wince and pee all over yourself: In an embedded application of that sort, there is one specific video driver, one specific group of applications, and it's all tested rigorously.

Windows becomes unstable mainly when a few hundred variable factors are introduced, leading to 100^2 combinations of potential bugs.

Linux becomes unstable under said conditions as well. Any competent admin knows if you have a critical server application you don't put extra crap on the machine.

There is accountability... (0)

Anonymous Coward | more than 12 years ago | (#3158559)

You can have a contract with a software developer or you can purchase a different product. This is where Linux has the best chance to succeed.

Re:There has to be some accountability (2)

SirSlud (67381) | more than 12 years ago | (#3158672)

Actually, since software bugs have not sufficiently been responsible for lots of deaths yet (unless you count the self-induced forehead traumas incurred by windows users), this would be a good thing.

It would finally level the 'expectations' playing field of software. Overpromising and unreasonable expectations is what is KILLING this industry right now. Kill a few people with it, and maybe the suits might start wondering if software really /can/ be what it's cracked up to be in the business world.

Last Post? (1)

NWT (540003) | more than 12 years ago | (#3158500)

I'm not sure, but that big ass banner really annoys the fuck outta me. And, no, I don't wanna pay for something that's always been free (like beer). If it weren't for the ranting OSS community here, and the occasional decent sci post, I'd have gone long ago. However, with OSS in mind, How is this going to affect people like sourceforge? tom Have you ever noticed that conversation is a fluid medium?

There are two kinds of code.... (3, Insightful)

tiltowait (306189) | more than 12 years ago | (#3158505)

Perfect, and finished.

[Insert your own Daikatana lawsuit joke here]

EP (0)

Anonymous Coward | more than 12 years ago | (#3158513)

i claim this early post in the name of carp flounderson

All within reason, of course! (1)

ondelette (253185) | more than 12 years ago | (#3158514)

Legal liability is a necessary evil actually.

Now, take open source... Should Linus be responsible if my machine crashes... No, because I didn't purchase anything from Linus... Now, RedHat on the other hand should be responsible.

This being said, if you buy RedHat Linux for 100$, it is not the same as buying a server for 10000$. The legal expectations should go hand in hand.

Re:All within reason, of course! (2)

danheskett (178529) | more than 12 years ago | (#3158599)

See, there will be a bad side effect if legal software liability comes to pass.

Companies like RH, who sell the fruits of individual coders' labours, will be in a tough spot.

For example, the latest Zlib bug - the people here at work spent about 2 hrs fixing our boxes because of this problem. Should RH have to pay out $125/hr fee for that time? I mean, we bought the software from them! It's broken! They should fix it! Just like a car or anything else!

And that will be the problem. Suddenly, companies like RH have to charge 10x or 100x the amount they charge now for boxed distros.


Re:All within reason, of course! (2)

Graymalkin (13732) | more than 12 years ago | (#3158624)

If you want RedHat or any other software vendor to go out of business then sure opt for the idea of software liability. If a relatively simple bug in a 100$ piece of software I have on 10,000 machines causes me millions of dollars in damage I can sue you for my damages. If you're found liable for the fault (forgetting to close a back door let's say) you're going to owe me millions of dollars. How many software companies do you think can survive after paying out a compensation of several million dollars? Do you want to see RH tank because there was a bug somewhere in their code?

Re:All within reason, of course! (0)

Anonymous Coward | more than 12 years ago | (#3158665)

Ah but do you really buy the software from RHL? You pay them to put together a disk with a billion dollars worth of bits on it. Sure they should be liable if the disk is busted or unreadable, but not the content of the bits since you didn't really buy it from them.

Seems to me the most reasonable approach is:

Liability_applicable = !(Source is freely available)

I.e. if you lock it down you gotta be responsible for the bugs. You set it free, you don't have to be responsible.

Of course the M$ of the world will complain that the great unwashed herds of users have accomplished something by getting their shoes tied in the morning and that it's unreasonable for them to have to audit code. Here's a counter, though: how about a new industry -- open source code vetting. You pay a company to make sure the code you are using meets some "standards and best practices" and they take responsibility/fix it when it breaks. It's just another form of insurance.

Good idea, but don't scapegoat the vendors (2)

Embedded Geek (532893) | more than 12 years ago | (#3158519)

We've all seen errors tied not only to products, but just as often to the people installing, maintaining, and using those products ("What do you mean I shouldn't use my anniversary date as a password?"). These would not just be vendors, but also middlemen and in house people. Any standards for legal culpability would have to take into account the role of every person who touched a faulty product, not just those who built it and shipped it. The communications & expectations between these folks must also be addressed, especially in the form of documentation (e.g. the User Manual dang well better spell out how to test a product for a correct installation and give corrective action, not simply assume it went OK).

On principle, I welcome the concept, but the implementation for this is likely going to be messy indeed.

no good (1)

Interfacer (560564) | more than 12 years ago | (#3158521)

this is not good. i am a software developer who works on project basis for creating proprietary software for internal use in companies. so if a company rushes me to a deadline, and i have not enough development time to fully debug a program, i would be held responsible for the errors, even if they were the result of their failure to properly create a time schedule. it is like a pedestrian being arrested for being run over.

Re:no good (2, Interesting)

Petersko (564140) | more than 12 years ago | (#3158582)

If you are a responsible employee, your situation doesn't change. Right now, if you can't deliver quality on time, you should:

1) Inform your supervisor that the demands cannot be met with quality.
2) If that is ignored, inform him in writing.
3) If the expectation still does not change, then let the deadline pass. "I'm sorry, it's not ready. Here's why" - and show him the letter from #2.

I work in a similar environment to you - I design internal software for an industrial company. Deadlines slip - it happens. Life goes on. I will not provide half-assed code just because the timeframe is running long.

Re:no good (2)

chill (34294) | more than 12 years ago | (#3158584)

Except that as a programmer for a company, you wouldn't be the one being sued -- your company would. First time that happens they will wake up and adjust the deadlines, or they will soon be out of business.

Simple fact of business is that most marketing types don't know how to say "no, we can't do that". Customers need to be conditioned to hearing "no, that timeframe isn't reasonable".

Realistic deadlines might actually stop being an oxymoron.

Re:no good (1)

Xaoswolf (524554) | more than 12 years ago | (#3158642)

If you are a developer for your company, then you will see your liability for the software every pay day. Write good stuff, get nice raises, write kinda ok code, you don't get the raise, write downright shitty code, then don't even pick up the check. If they force you to release something early, then you better have documentation and signed papers stating that they want it put into use right then, or, yes, you are responsible.

Fallout (5, Insightful)

Petersko (564140) | more than 12 years ago | (#3158525)

Should such a situation come to pass, the fallout would include:

1) Higher development costs
2) Far fewer small companies in consulting
3) Shrinking job market for new grad coders
4) Larger legal costs on both sides of the fence

On the brighter side, it would also include:

1) Lessening of age discrimination - experience outweighs youth
2) Alteration of programming education to focus on security
3) Higher standard of programming excellence
4) Self-policing. Companies who fail to adhere will run themselves right out of business in short order.

Finally, legal liability for Open Source projects is not a bad idea at all.

Re:Fallout (5, Insightful)

danheskett (178529) | more than 12 years ago | (#3158568)

Finally, legal liability for Open Source projects is not a bad idea at all.

Yes, it would be the end of Open Source. Who in their right mind would code for a project part time if it meant they were legally liable for anything that might go wrong with it?

What about 3rd party items? (2, Insightful)

Anonymous Coward | more than 12 years ago | (#3158533)

If I'm using a tool, component, or class library from a 3rd party, what happens if the vulnerability is in their code? As a contractor would I have to spend $10,000 in legal fees just to prove it's Borland or MS or Sun's fault? Besides, how can you guarantee 100% that anything is safe? With the lawsuit happy society we have today the smallest mistake could put even a medium sized company right out of business. And if you think this will help open source, it won't. Would you use "free" software that has no liability while commercial software does? Would you get a "free" operation from a doctor with no liability or pay for one from someone who does?

Open source and liability (5, Interesting)

jms (11418) | more than 12 years ago | (#3158555)

Any liability law should offer an exemption for software that is distributed along with buildable, commented source code.

The reason is simple. The end-users of open source software are in a position to verify the integrity and correctness of the software. Even if such an end-user is not a programmer, they could, if they were concerned, pay someone else to inspect the code. They have been provided with the ability to protect themselves, because the source code accurately describes the actual operation of the product.

The end-users of proprietary software are in no such position. They are absolutely dependent on the software vendor to verify the integrity and correctness of the software. They are powerless to protect themselves, and without the source code, they are only left with a representation of the operation of the product. This is far less information than the source code, which specifies the actual operation of the software.

Therefore, only proprietary software vendors should be held liable for bugs in their software.

Re:Open source and liability (2)

BWS (104239) | more than 12 years ago | (#3158628)

that logic is faulty...

let's say that if Ford starts to include a book that explains how cars work and what each part does? will that exempt them from liability?

Re:Open source and liability (1, Informative)

Anonymous Coward | more than 12 years ago | (#3158648)

More importantly, you've not paid for open source software. There is no contract, and therefore no obligation on the developer's part to fix anything that is wrong with it.

It is like somebody giving out free basketballs. If the free basketballs were made with defects, you have no basis for forcing the giver to fix your basketball. They have incurred no legal duty to you. There is no quid pro quo.

OTOH, if you paid for the basketball at a sporting goods store, the store and the manufacturer are liable for any defects in the product.


Re:Open source and liability (2)

BWS (104239) | more than 12 years ago | (#3158718)

Let's say that a company is giving away free sound cards. However, the sound card when used for more than 20 hours straight without rebooting will melt. Now let's say I had some MOBOs damaged by this... can I sue?

Re:Open source and liability (2, Insightful)

Petersko (564140) | more than 12 years ago | (#3158675)

Not reasonable. For a project of any complexity, verifying the integrity and correctness of the code is a financially gigantic undertaking. If you disagree, I have a favor to ask.

I'm kind of concerned about using this Apache product. Would you mind trundling off and verifying the integrity and correctness of all the source code please? Oh yeah - and if it includes standard libraries I need those verified as well.

Can you get that done before the weekend? I was hoping to install on Saturday.

Re:Open source and liability (4, Insightful)

danheskett (178529) | more than 12 years ago | (#3158700)

The end-users of proprietary software are in no such position. They are absolutely dependent on the software vendor to verify the integrity and correctness of the software. They are powerless to protect themselves, and without the source code, they are only left with a representation of the operation of the product. This is far less information than the source code, which specifies the actual operation of the software. Therefore, only proprietary software vendors should be held liable for bugs in their software.

Interesting, but this is all unnecessary.

See, it's all about what we need. For example, if I need a redundant system that never crashes, runs 24/7, and will power my mission critical applications I can certainly make that happen. I need the proper mix of software vendors, hardware vendors, support contracts and local personnel.

The bottom line is that I of course can procure that level of quality. It will however cost me lots and lots of money.

On the exact opposite side of the fence, if my little brother Jimmy wants to buy a video game with proceeds from his part-time job, he can certainly purchase that video game. He goes into the store and looks over the selection - there are games ranging in cost from $20 to $100. And he of course can choose the game which best suits him.

The point of it is, software security/reliability is a feature: look at Oracle for example and how they advertise their software ("Unbreakable").

The market has created clear categories of software that range from the rather unreliable (Windows, piddly silly games, etc) to the extremely reliable (commercial Unices, VxWorks, QNX, etc). Interjecting liability laws into this arena will only throw that balance off and eliminate the lower-cost alternatives (including maybe boxed Linux distros!).

The bottom line is that liability, for any vendor, will artificially move the well-defined lines around and alter the software industry.

Re:Open source and liability (1)

slugfro (533652) | more than 12 years ago | (#3158708)

It may also be possible to make a point that Open Source software is not a finished product. Anyone at anytime can download the software in its current working form and modify as they like. In that case nobody could be sued for distributing a faulty finished product.

Blame Trend (3, Insightful)

ksw2 (520093) | more than 12 years ago | (#3158571)

This topic matched with the previous story about USAF laying blame on Microsoft seems to indicate a new trend... blame the software company! Does this mean that small companies will get sued out of existence? Yet another advantage for big business?

What about considering alternatives and choosing wisely? If it's such a crucial point, why not take open source and audit it thoroughly, like the NSA?

I think a lot of people will probably see this as a good thing, forcing M$ to take responsibility... but I think it has the potential to lay a huge disadvantage on the competitors as well.

careful what you wish for (1)

Lucas Bergman (564091) | more than 12 years ago | (#3158580)

Voluntary security and bug-reporting standards are all well and good, but be careful when calling for actual laws that make given parties liable for software bugs.

In particular, I would rather not see one or more laws that make software look less like information (read: speech) and more like a product. It is harder to claim that software is (possibly creative) speech, as in the DeCSS and Bernstein crypto cases, protected in the US under the Bill of Rights, if it is governed by "lemon" laws like cars.

If I want to be able to recover damages from WhateverSoft when their program breaks, I'll draft a contract with them saying so. (In fact, I'd be surprised if some precedent for this doesn't already exist in, say, health care systems.)

Who's to blame? (2)

Darth RadaR (221648) | more than 12 years ago | (#3158586)

This is my experience, but YMMV.

I'm sure that if such a lawsuit were to happen, there's gonna be a huge arseload of blame-storming going about. I can't count how many times I've said, "It's there, but I've got a few things that need to be sorted out.", which have been replied to with, "Screw it! We need it now. Just send a patch later.". After that comes having to prove that said person did say that to you (usually a saved email. You did make sure that person sent you the go-ahead in email, right?). That person goes on to say that his/her higher up gave the go-ahead or set time restrictions, and so on, and so on...

OTOH, even if it is the programmer's fault, how are they going to prove an intentional oversight and what sort of testing standards will they have for software before it's unleashed?

Mea Culpa (0, Offtopic)

CrazyJoel (146417) | more than 12 years ago | (#3158596)

It's kinda funny that the guy opposed to this is named Culp.

RFC and Microsoft agree (1, Interesting)

delta407 (518868) | more than 12 years ago | (#3158600)

The RFC states that:

3) If another reporter has not properly followed the process and publicly announced the vulnerability, then the Reporter MAY announce that the Reporter was responsibly following the disclosure process with the Vendor and involved Coordinators.

...showing in a nutshell that the proper procedure is notifying the vendor and the vendor alone. Scott Culp says:

Most of the security community already follows common-sense rules that ensure that security vulnerabilities are handled appropriately. When they find a security vulnerability, they inform the vendor and work with it while the patch is being developed.

Please, if you would -- explain how these two are "in direct opposition" of each other. (Good luck.)

Wrong (4, Insightful)

The Cat (19816) | more than 12 years ago | (#3158603)

Software companies don't spend enough time on design and testing the product before it's made public

No. Managers at software companies don't spend enough time listening to their own #%*@$*)(#^& engineers who are ignored, ridiculed, shouted down, laid off, downsized, or outright fired when they point out repeatedly that the product is being developed WRONG.

Of course, it's always better to be a team player. Just sign up for the donut list, keep your mouth shut and wear a big smile, BIG SMILE at all the meetings. That's how the job is kept.

Competence, craftsmanship and professionalism are no longer of any value in the workplace, and until they are, it will be impossible to fix these problems.

Legislation is not the answer! (2, Funny)

BetaRelease (110550) | more than 12 years ago | (#3158614)

If this works, next thing you know, Congress will try to repeal the "Law of Supply and Demand" :)

Think software is expensive now.... (0)

Anonymous Coward | more than 12 years ago | (#3158618)

I can't tell you how much you will have to pay me to program when I can be sued for a bug. Just look at doctors in this country. The cost of insurance to protect against human mistakes will just be passed on to the consumer. So if you guys want accountability you're going to pay for it. Else no software. Not to mention good luck holding someone accountable that gave you the software for free.

More law is never the answer.


Proposals are not in opposition (2)

Krelnik (69751) | more than 12 years ago | (#3158620)

This is, of course, in direct opposition to the process that Microsoft's Scott Culp, Manager of the Microsoft Security Response Center, would like to see.

I openly dispute this statement. I'd like someone to carefully show me why the two proposals are in "direct opposition" to one another.

Culp merely says that we should not publish details on how to exploit vulnerabilities. I don't think the internet draft comes down explicitly one way or the other on this. Quoting from section 3.7.2:

"After the Grace Period, the Reporter MAY release additional details. The Reporter SHOULD carefully consider how much detail is needed by Customers and the Security Community.

"Note: in some cases, the nature of the vulnerability could make it difficult or impossible to release vulnerability details that do not allow someone to exploit the vulnerability."

Also, in its section 5.3 it references documents that come down on both sides of this long-running argument.

So back up what you are saying? How are these two proposals in opposition?

This is just a bad idea. (2)

NetJunkie (56134) | more than 12 years ago | (#3158621)

I'm not a developer, BUT, I can understand the amount of work that goes in to developing a large product. I would hate to think that you would be liable for some unforeseen circumstance or combination of things that could cause an exploit that you would get sued for. We'd quickly see development slow down to a crawl.

Also, what happens now when a company compares a commercial product to open source? Let's see, we pay Microsoft $800 for Win2K Server...but if it's broken we can sue them. We use Linux.... That means we can't sue them since we didn't pay for it and have no contract, but our customers can sue us. They'd go with the $800 of "insurance".

Bad bad bad idea. That's not even considering the admins incorrectly configuring software. At least companies might start checking out admins before hiring the lowest bidder.

Always Nice (2)

The Cat (19816) | more than 12 years ago | (#3158622)

Microsoft employees pointed the finger at users who didn't safeguard their systems... But they left that task to users and, more often than not, it was ignored. "People didn't spend the two clicks to do it," says Craig J. Mundie, Microsoft's senior vice-president.

Always nice when you can blame your own customers.

WinZip 11, UL certified! (1)

Smallest (26153) | more than 12 years ago | (#3158632)

Will we (software authors) have to meet some minimum standards, in order to certify that we did everything possible to ensure a correctly functioning product? Will we need a 3rd party agency to ensure that "yes, it does everything an app of this type should do, and doesn't do anything an app of this type shouldn't" - just like consumer electronics?

I hope not.


All that it will cause... (1)

Axe (11122) | more than 12 years ago | (#3158638)

three times more "documented due diligence" - means quality assurance process, ten more project managers per developer, daily "quality" meetings - so you can document it in court, that you were not negligent, and all the defects are the inevitable acts of God - which they are..

Or they will just cram more restrictive licenses down your throat. And they will - just look at C.A and the crap they manage to do with their customers. No f&cking choice for them, that's for sure..

Source protects itself (2, Insightful)

juliao (219156) | more than 12 years ago | (#3158644)

How far can you take liability?

If I give you a car, am I liable for the fact that it has no brakes? What if I sell you a car?

What if I give you a tool? Am I liable that it breaks and breaks whatever you were trying to fix with it, too? What if I sell you one? What if I sell you one and say that it's rated for the work you're trying to do, but it still breaks?

See the differences?

Now for software:

What if I give you a binary? Am I liable that it doesn't work? Am I liable that it has flaws?
What if I sell it to you? Am I liable then?

Now for something completely different: Source Code

What if I give you source code? It's available for your inspection... Can we say that source code documents itself? If you are worried about what the code does, you can read it, compile it, debug it, step-trace it. Source code is NOT a program, it's closer to an algorithm than to a program. Can I be sued for giving you instructions on how to tell your computer to do something?

If source code is just instructions, directions for a computer, then source code starts to look like something different, and precedent must come not from binary-software but from things like legal advice.

And you know how that goes... IANAL, so I can say anything, you take my word if you want to. So, if IANAP (not a programmer), can I give you whatever source code I want, and I won't be liable?

And who defines what a programmer is? The ACM?

Shift of Cost (2)

regen (124808) | more than 12 years ago | (#3158645)


IMNSHO, this would be a really good thing. One of the current problems with software (and a lot of other things) is that costs are shifted away from where they belong in order to make a product cheaper.

It is cheaper to write software that works most of the time, but has a few bugs than it is to have a proper design, implementation and testing process that prevents buggy software from being shipped too soon. In general the industry has the feeling that it is cheap and easy to release a patch for a bug later so the cost of not catching it early is small.

This is the exact opposite of hardware engineering, where companies go to extreme measures to try and debug the design before committing to Si since it is very expensive to do this.

Increasing the cost of bugs to the software developer will decrease the quantity of code and increase the quality of code, something that is sorely needed.


The other side of the issue (1)

p7 (245321) | more than 12 years ago | (#3158647)

If you make the software company liable, the businesses and citizens should also be liable for damages they cause due to not patching. I don't believe we need legislation to stop this. We need awareness, most of the major worms/viruses were at their worst when a patch was available to fix it.

Caveat Emptor? (0)

Anonymous Coward | more than 12 years ago | (#3158649)

Surely there's a reasonable expectation of liability when something goes wrong, but to point monetary blame back to the developer when it breaks seems to be anti-progress. This would definitely be the case when open source or small business development is the problem.

If I shell out $$$ for a program, I expect it to work without fail. If it does fail, I expect support and a bugfix, but I'm not going to go as far as say that they owe me money for my loss because I was down for a week waiting for the fix.

Upgrades (2)

chill (34294) | more than 12 years ago | (#3158651)

This could have a wonderful effect on upgrades. No more mixing fixes and feature adds -- too dangerous (aka Service Packs).

Can you imagine MicroSoft's position? New license agreements with WinXP require users to upgrade every two years. MS will be held legally liable for the stability of those upgrades. They better damn well get it right.

Remember that U.S. Navy ship that switched to NT and was dead in the harbor? Imagine the Navy sending a bill to Bill. :-)

Merchantability (4, Insightful)

mcrbids (148650) | more than 12 years ago | (#3158657)

At heart here, and often forgotten, is the issue of "merchantability". What is that? It's the assurance that something is saleable, that reasonable expectations of performance can be made, and that the product does, in fact, perform its intended function.

Because of this, it can be SOLD. If I sell you a keyboard for $20, you now have the expectation of merchantability. It is expected to work, and both reasonable business sense and many local and federal laws require that if it does not, I either provide something that works, or give you your money back, within a reasonable period of time. (14 days in California)

If we re-institute the concept of merchantability in software, all that would happen is that you could get your money back - thus little to no effect on OSS software.

Red Hat may be impacted, but since they are already selling services rather than products (you can download all their stuff for free) even they would be minimally affected.

So, as an advocate of open source and "free" software, I welcome the issues of product liability and the enforcement of merchantability. It would improve the industry, force it to get better, and would finally provide its customers what they've been promised all along - a better, easier life!

What should happen? A date set for a software "merchantability horizon". All products released before that date would be exempt, any products released/sold after that date would have to fit the definition of merchantability, products sold before that point can continue on their merry way.

Can you imagine how many people would upgrade their Windows if they knew that MS would be liable thereafter if it screwed up?

One model of liability for software (2)

guerby (49204) | more than 12 years ago | (#3158663)

I believe a good model for liability in the software field is to move to the service and practitioner of the field model.

A customer asks a practitioner of the software field to solve a particular problem. The practitioner then writes and/or reuses and/or adapts existing software to solve the customer's problem. Then the provider is liable for having provided a wrong solution according to current practices of the field.

For example delivering a closed source software with poor security track record as part of a contract specifying security as critical would rank as an obvious cause of liability, since the provider chose it amongst various solutions, he/she will have to justify its choice before a court.

I believe the regular mechanism to cover potential liability damage in other fields, insurance companies, will play its cleaning up role by not accepting to cover software solution providers with poor practices.

It will probably also make the free software code base the center of most of these service providers, since it is easy to customize, most of the code base has well known status, and there are no hairy licensing issues when you use them.

As for shrink wrap software, it should install on the designated system, but after that you probably have no recourse at all if this doesn't work that well.

I attended a lawyer conference on software licenses and liabilities, and there are vague texts and no case law, and most lawyers were quite sure that the standard warranty disclaimer was with high probability invalid (under French law). They talked about services and "open source", and some recognized that using that as scientific knowledge and having practitioners use it to deliver solutions was like architects building bridges vs people creating mathematical models of gravity: the scientist is not responsible if an architect uses his/her model (reviewed and published in good faith) to design a bridge and it falls down, it is obviously the architect's responsibility to choose a model that works, to the level of the accepted practice of the field of course. If the architect has a solid track record, if the phenomenon is beyond current knowledge, then it is up to insurance companies.

Since a piece of software shares a lot with a theorem applying to symbolic information I find this model of liability very pertinent to the software field.

Disclaimer: I am not a Lawyer

Cooool. (2)

El Camino SS (264212) | more than 12 years ago | (#3158664)

Does this mean we can get a class action against uncle George for making crappy Star Wars (TM) strategy games?

I think I'm going to get some money back for Force Commander!

More nitnoy lawsuits right around the corner. (0)

Tasty Beef Jerky (543576) | more than 12 years ago | (#3158668)

Hooray, all we need are more opportunities for lawsuits.

In my opinion, this is just going to be abused like every other law out there. It's just human nature. How long is it before Ed the plumber can't read his e-mail because Outlook crashed and he files a lawsuit?

No matter how good a job programmers do, software will always be buggy. It is impossible to test every single possible combination of inputs that a piece of software will have to handle. There will always be something unforeseen.

How about a thought exercise?

Joe installs Windows XP2, and is rather happy with its performance. Joe doesn't want that nasty auto-update stuff, he wants to know everything that goes on. Joe turns off auto-update, and ties a string around his finger so he remembers to check for updates every day.

Meanwhile, Osama bin Cracker is working diligently, and discovers a hole in XP2 that opens a web browser to unpleasant webpages. Osama's bug-exploiting virus makes it into the wild.

Microsoft releases a patch in a public easy to find place. People with auto-update have the bugs fixed. Joe is out of town.

Joe comes home, starts his computer, and is greeted with a man holding his rectum open. Joe sues Microsoft because there was a bug, and they are liable for their bugs.

Should Joe get the $1.5 million he asks for because Microsoft released a buggy piece of software, or is it Joe's fault for not downloading the patch?

In my opinion, it was Joe's responsibility to update, and he did not do so. No money for him.

Re:More nitnoy lawsuits right around the corner. (0)

stevenbee (227371) | more than 12 years ago | (#3158688)

I'm suing Europe for suing Microsoft.

/. has sold out (0)

Anonymous Coward | more than 12 years ago | (#3158676)

I got suspicious when I saw a banner ad for Microsoft .NET on /. imagine my surprise when I saw as the source. Cool! /. sold out!

Frivolous lawsuits (0)

Anonymous Coward | more than 12 years ago | (#3158678)

There are so many frivolous lawsuits these days (someone spills hot coffee and sues McDonalds, the threat of suing airlines for 9-11), that we don't need to open another floodgate for crooked attorneys to profit from software flaws. Fix the legal system, and then allow this.

I think it'd be nice, with a compromise. (0)

Anonymous Coward | more than 12 years ago | (#3158684)

Microsoft has a duty to take responsibility for their software. As does Sun, as does IBM, as do many 'open source' projects.

I think an idea of, "My system crashed - pay me $10k." won't fly. Microsoft can handle it. Sun and IBM can handle it. Many other commercial vendors can't, and most open source projects most assuredly can't.

What would be nice is legislation to force producers of software to alert users to bugs when they find out that they're there. Perhaps mandatory websites/etc. displaying known bugs (Most OSS projects do this already ;)).

This is dangerous ground, the idea that Microsoft could get sued into oblivion for flawed software is nice depending on your degree of zealotry - but you have to remember, open source software isn't exactly bug free. They've got the cash and legal shock troops to weather this sort of thing, we don't.

What is certain is that software vendors should have some sort of liability - again, disclosing known bugs would, I think, be enough. Users could see what's going on, and opt to wait for a patch, ditch an application, or not use an application.

No more GPL warranty clause (2)

heroine (1220) | more than 12 years ago | (#3158689)

Now if you want to give away software you'll really have to pay for it. Sooner or later a responsibility document was going to happen but the areas where it's going to hit hardest are not in mainstream press but in free software, where programmers won't have enough money to release anything in the first place.

Software liability vs 'real world' products (5, Insightful)

ip_vjl (410654) | more than 12 years ago | (#3158693)

Unlike the 'real world' example of the tire mentioned in the BW article ... software developers have a much harder time controlling the environment in which their software is used.

For example, if I buy a car tire from Firestone, but instead use it on some home-built dune-buggy that I use to drive over lava fields in Hawaii and the tire blows (flipping me into the lava) should Firestone pay? I wasn't using the tire according to the specs that they call for the tire.

Imposing liability on software will only force software manufacturers to list hardware/software configurations on which they are willing to accept liability. If you use the software outside of that configuration, then you're on your own. My guess is that this would disqualify just about everybody, as they'll only be able to certify a limited amount of equipment (as it will entail actually owning that equipment to test).

I mean, would you accept liability on a product that can be used on a multi-use computer that may have god-knows-what software/hardware config?

So this will lead to something like:
  • the back of the software box listing the exact system requirements that the software is good for (and liable on) and if you use it outside of that environment, you're no longer using the software as it was intended.

    Which then just gives software companies even more reason to offer less support, as they'll then only need to offer support on their specific hardware, or risk the liability of condoning the use of their software on unsafe/untested environments.
  • more incentive to legislate the demise of the multi-use computer in favor of locked computing appliances ... which is exactly what a number of people would like (think DRM)

Think about it.

Liabilities... (2)

Fizzlewhiff (256410) | more than 12 years ago | (#3158704)

I've said it once and I'll say it again. CowboyNeal should be held responsible for these vulnerabilities. *grin* Anyway, here's a very similar slashdot discussion and the related article at eWeek which I don't believe is referenced in this new incarnation.

It can work, but.... (2)

CharlieG (34950) | more than 12 years ago | (#3158707)

you won't like it.

It will lead to VERY VERY strict licensing terms for software, and software development tools - sort of like Civil Engineering.

Let's say I was Microsoft (or ANY other software vendor)

You buy a new motherboard - my answer is, "I do not approve of my software being installed on that hardware" - You will very quickly see things like "Approved Configuration Lists" - X Brand Motherboard, with Y brand Video Card, Z keyboard - ONLY. The "ONLY" other software I approve on the box at the same time is AAAA. Make any changes and you're on your own.

Heck, buy a car, change the suspension parts yourself to NON factory parts. Flip over due to your front wheel falling off - good luck suing the car mfg, you'll have to prove it was not YOUR changes

that depends on what "bad" means. (2)

trb (8509) | more than 12 years ago | (#3158709)

This article is talking about security problems. That's only one kind of bad. Other kinds of bad include unreliable (hangs, bsods, whatever), incompatible, obfuscatory, and so forth.

Microsoft might be able and interested to remove security bugs from their software, no downside for them there. But what if Microsoft would engage in some obvious "good software practices" to make their software less bad? Like what if they made their software simpler? More modular? Like if their OS could run whatever window system, window manager, file browser you wanted, a la UNIX. Or whatever web browser. Imagine.

What kind of idiotic system design is it that has all these user-mode applications inextricably woven into the fabric of the OS? What unfathomable nonsense. What person who ever studied software engineering buys this silly story?

How about if MS would use unobfuscated data formats, so that it would be easy to work with document data (let's grep through my .doc files!) or multimedia data (let's convert between .wma and .mp3!).

How about if they had a simple and stable API for writing software, so that it would be easy to port software between the MS OS and other OS's. Fat chance.

These are some of the things that make MS bad. Will they ever address them? Magic 8-ball says, "Outlook not so good."

How deep does the rabbit hole go? (3, Insightful)

gregfortune (313889) | more than 12 years ago | (#3158712)

Ok, so I'm currently working on an auction system that is in use by at least one company. They ask for a change in the software so the commission percentages that are charged to their consignors are handled in a slightly different way. I make the change and under certain conditions, it's now possible for the consignor to be charged half of what they should be. I can see there should possibly be some liability here especially if I were "selling" the product.

btw, none of the things I'm listing here ever happened, I'm just supposing...

Now, they ask for a change that resizes the storage size for the Notes for each customer. I make the change, but my code does not also make the change to their database schema. I provide a separate script that does that. The customer installs the upgrade, but does not upgrade the db. Who is liable? Can I be held liable for not making my upgrade *easy* enough if the client forgets to run the db upgrade script and loses data?

Let's go even further. I use MySQL for the db, python-mysql for the db module, python for the language and Qt for the interface. ReportLab is being used for pdf generation, lpr for printing, X-windows for launching the program, KDE for the desktop manager, and Acrobat Reader to parse the pdf files into ps for printing. Without these things, the program will not run.

Now, due to a bug in MySQL, the company finds that it is losing n*$50 where n is the number of items in the auction for every auction. Perhaps the 50 entry fee is not getting stored correctly and suppose that's a database problem. Who's liable? Me, for leveraging off an existing system without it being totally stable? The db? Maybe in this case it's clear the db maker would be held responsible.

Now let's lose some data because MySQL was not *configured* correctly. Whose fault now? Customer, me, or MySQL?

Lastly, let's lose some data due to a bug in the database that was caused by an ambiguity in the API of glibc that allows a function to be called in a way that was not intended and works as expected most of the time, but is clearly not a bug when it doesn't work the expected way. Who now? MySQL? The library they used? Me for using MySQL? The customer for being stupid enough to hire me when I'm not even competent enough to ensure the tools I use have absolutely no bugs in them? ARGH!

I'll tell you one thing... I'm never associating my name with a general library if this kind of thing goes through. Blame would very often be passed back down the chain as far as possible trying to find a scapegoat other than yourself.

liability a bad idea (1)

stu10 (566308) | more than 12 years ago | (#3158715)

A friend of mine is a civil engineer. When he signs the drawing for a building he is PERSONALLY liable as a professional engineer. He can have his license revoked and be fined if the thing falls down. Of course what they don't tell you is that the companies competing for the contract, which he is employed by, continually underbid one another which ends up leaving him insufficient funds to complete the job properly and safely. Now imagine the same scenario where you are writing code for a heart monitor and the thing fails and someone dies. Guaranteed your company will put you up on a pedestal as the guilty coder if they can, if you are liable, when the managers underbid the contract in the first case. BAD IDEA!!!

Effects (0)

Anonymous Coward | more than 12 years ago | (#3158717)

Microsoft may get a massive fine that it can afford, but RedHat will get a smaller fine that forces it to declare bankruptcy and die. Yes, liability, the fastest way to kill opensource. Thank you.