We have this issue in the automotive industry (as one example) right now. How many parts on your car do you think were actually made by the automaker corresponding to the badge on the lid?
On Tue, Apr 29, 2014 at 1:33 PM, Michael E. Locasto <loca...@ucalgary.ca> wrote:

> I am cautiously supportive of the idea of liability (it might make me
> look at each line of code I write twice as long, and in the long run,
> that's probably a good thing)...but let me play devil's advocate:
>
> If I'm a random developer, and I happen to write a line of code that,
> when run through a compiler (that I didn't write) with options (that I
> didn't specify), and then placed in the context of a running system
> (that I didn't write, in an executable format I didn't design), and then
> when that system is bought, moved, or composed with some other software
> or systems, a complex interaction creates a vulnerability, how much am I
> liable?
>
> Who is the independent authority that will inform such decisions to
> ascribe proportional blame? Is this really just a way to create work for
> expert witnesses?
>
> -Michael
>
> On 4/29/14, 11:09 AM, Nils Dagsson Moskopp wrote:
> > Jon Callas <j...@callas.org> writes:
> >
> >> On Apr 29, 2014, at 8:37 AM, Nils Dagsson Moskopp <n...@dieweltistgarnichtso.net> wrote:
> >>
> >>>> Do we cheer if a licensing exam or liability stipulations are based on
> >>>> compliance with LangSec-like principles?
> >>>
> >>> Liability, yes. Licensing exam, no. This is about software, not people.
> >>
> >> Is the effect on software licenses like BSD, etc., which claim no
> >> liability -- presumably this would make such a license illegal -- a
> >> bug or a feature?
> >
> > When you do sell a system (including software) for a particular purpose,
> > if that system does not fulfill that purpose, should you be liable?
> >
> > When you make available a system for free without giving any guarantee
> > of it working towards a particular purpose, should you be liable?
> >
> > I believe the answer is yes to the former and no to the latter.
> >
> > Why? Because currently vendors profit from insecure software, offloading
> > the costs to the customers or the public. Bad press and angry customers
> > are no big threat to companies. There are even companies known for their
> > insecure products that just go on and on. This is completely rational.
> >
> > Schneier wrote on liability: <https://www.schneier.com/essay-025.html>
> >
> >> costs of adding good security to software products are essentially the
> >> same ones incurred in increasing network security -- large expenses,
> >> reduced functionality, delayed product releases, annoyed users --
> >> while the costs of ignoring security are minor: occasional bad press,
> >> and maybe some users switching to competitors' products. Any smart
> >> software vendor will talk big about security, but do as little as
> >> possible, because that's what makes the most economic sense.
> >
> > Liability might also reduce software complexity. It is certainly
> > possible to write software that converges to a bug-free state.
> >
> > Just look at the mountain of evidence provided by TeX.
> >
> >> Currently, there is no reason for a software company not to offer more
> >> features, more complexity, more versions. Liability forces software
> >> companies to think twice before changing something. Liability forces
> >> companies to protect the data they're entrusted with.
> >
> > I think that those who do not profit from publishing insecure software
> > should not be punished, as this might achieve chilling effects at best.
> >
> > Note: Many established industries do work fine with liability, without
> > necessarily stifling research, hobbyist or do-it-yourself activity.
> >
> > _______________________________________________
> langsec-discuss mailing list
> langsec-discuss@mail.langsec.org
> https://mail.langsec.org/cgi-bin/mailman/listinfo/langsec-discuss