I was wondering about everyones opinion on this quote..... Do you think internet security will increase if companies like Microsoft, Cisco, and others are to be held responsible for the security flaws in their products? Will hackers still get around the increased security, and what do you think should happen to a company if a product is flawed?Quote:
Until software vendors become liable for security flaws in their products, hackers will always find a way to bypass existing security controls.
Yup, but it would take longer time, and would be less effective.
"There is no such thing as SECURITY"
- Noia
Umm, security might become someone better, but it will never be perfect. The minute that vendors become liable for security flaws, they will be going out of buisness. I have never seen a perfectly secure OS. I truly don't think it is possible. Yes, with proper patching and everything, security can be very good, but look at thinkgs like apache, and the chunking problem. Who would have thought that was going to happen? That just took out open BSD's statement of "no remote explotes in 6 years....." How many companies were affected by that one small thing? So far, only roxen web server (as far as I know) has never had a hole. Look at sendmail.... That company would have gone out of business a long time ago, but its now pretty much a standard. Both qmail (which is supposedly very secure) and postfix talk about how they are "sendmail compatable."
In other words, I don't think its a good idea, because it would cause way more problems, and it would definatly slow down all new forms of technology.....
I agree with souleman here - software developement would be brought to a stand-still. And how would one enforce this on the open-source community?
Since the software by M$ and Cisco (etc) is closed source, proprietary and often times very,very expensive for licensing and more often times than not EXTRA for support, companies like these should be wholly responsible for flaws including security. If it is closed source, then there is nobody to depend on other than them right? Most of the time, sadly, it's not true.
many people do not realize EULAs have the "Not responsible for the fitness of software and should not be used for mission critical apps" or something to that effect only in legal gibberish.
Take M$ EULA which states:
Is that an admission of sorts?Quote:
NO OTHER WARRANTIES. To the maximum extent permitted by applicable law, Microsoft and its suppliers disclaim all other warranties and conditions, either express or implied, including, but not limited to, implied warranties of merchantability, fitness for a particular purpose, title, and non-infringement, with regard to the SOFTWARE PRODUCT, and the provision of or failure to provide Support Services. This limited warranty gives you specific legal rights. You may have others, which vary from state/jurisdiction to state/jurisdiction.
LIMITATION OF LIABILITY. To the maximum extent permitted by applicable law, in no event shall Microsoft or its suppliers be liable for any special, incidental, indirect, or consequential damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or any other pecuniary loss) arising out of the use of or inability to use the SOFTWARE PRODUCT or the provision of or failure to provide Support Services, even if Microsoft has been advised of the possibility of such damages. In any case, Microsoft’s entire liability under any provision of this EULA shall be limited to the greater of the amount actually paid by you for the SOFTWARE PRODUCT or U.S.$5.00; provided, however, if you have entered into a Microsoft Support Services Agreement, Microsoft’s entire liability regarding Support Services shall be governed by the terms of that agreement. Because some states and jurisdictions do not allow the exclusion or limitation of liability, the above limitation may not apply to you.
And the Java statement:
Yikes. I would love to see them take the initiative to take all the reponsibility for security flaws and the like, but they are gonna do it in their own sweet time.Quote:
NOTE ON JAVA SUPPORT. THE SOFTWARE PRODUCT MAY CONTAIN SUPPORT FOR PROGRAMS WRITTEN IN JAVA. JAVA TECHNOLOGY IS NOT FAULT TOLERANT AND IS NOT DESIGNED, MANUFACTURED, OR INTENDED FOR USE OR RESALE AS ON-LINE CONTROL EQUIPMENT IN HAZARDOUS ENVIRONMENTS REQUIRING FAIL-SAFE PERFORMANCE, SUCH AS IN THE OPERATION OF NUCLEAR FACILITIES, AIRCRAFT NAVIGATION OR COMMUNICATION SYSTEMS, AIR TRAFFIC CONTROL, DIRECT LIFE SUPPORT MACHINES, OR WEAPONS SYSTEMS, IN WHICH THE FAILURE OF JAVA TECHNOLOGY COULD LEAD DIRECTLY TO DEATH, PERSONAL INJURY, OR SEVERE PHYSICAL OR ENVIRONMENTAL DAMAGE.
Just my 2 cents
Should companies be reponsible for security flaws.. That is a very good question, if a company comes out with a product with major security flaws, I personally think they should be held responsible. But you can't expect companies to go over every little detail to find flaws.. I mean, look at those chinese people that make most of our hardware, They don't know **** about security, they compile our products and ship them off.. I mean jeeze, they are smart enough to make high tech equipment, why can't they add in the security features? That is also a good quesion, Japanese shells are the easiest to crack next to the Australlian servers, you wonder why Osama and his little terrorist network attacked the wastedump next to that city in Australia? Thats and easy question, be cause they have little or no security, well, after that incident, they definately are working on security measures. Adding a security measure takes lots of time and money. The question isn't should companies be held responsible, it's do they want to spend their money to add a security measure for their product, simple answer, simple sollution, they need to be held responsible. Souleman has a very good point, they wouldn't be going out of buisness if they looked for security flaws beforehand when releasing their product, if your going to make a product, you should at least take responsibility for debugging the product, a security faw is a bug, don't release a product if you can't debug it..
I think there is a need for being responsible for ones product. Software is the only product that absolves the mfg of any and all liability and there are NO consumer protection laws for software products. If part of our critical National security is going to rely upon software product then security must be a main issue and accountability by the producers of software product. There should be a minimum security standard, not on like many things produced already, such as cars, produce, meats and poultry. Would accountability slow or stop the software industry I do not think so. It would reduce the sloppy, bloated code that are owned by but a few Corps, it also would reduce the update cycle where this is really cool but untested but we will issue patches later, M$ alone have what well over 200 last year to beyond 2 years. You make something believe it then stand behind the product be responsible for it and take the hits in the bank account if it is that sloppy. If it can be proven in a court of law the flaw could not have been known then nothing would happen, if it is a sloppy product then take the hits was your fault not mine if I bought the software.
i once heard someone say somewhere
"computers are the only things people EXPECT to come broken."
there are two very interesting sides to this argument.
on the one hand: if businesses are held accountable, technological advancement would slow, as the tech biz would allot most of its time to searching security flaws (great for hacker business, tho). also, there would be alot of money lost by the companies that have faulty programs now. which bring up another question: would existing software "grandfather" the law? and would shareware and freeware be up to the same scrutiny? if not, that would take open source out of the picture as well.
on the other hand: like i said earlier, those who know security the most would only profit. also, the industry would pay much closer attention to detail than they do now. so we would have to wait another two years to get WinXP… it wouldn't be as big as it is with all the patches (need another HD just for those).
there are many questions that will arrise in the creation of a law. i dont think i'm willing to leave it up to people qwho dont know the computer industry. i'd hate to see something bad happen.
sine que non.
Why are software companies not held responsible? Are not automakers, toaster makers and ship builders, etc? Another case of law not following quickly enough to new product types.
It's a very good question, but it won't happen any time soon. And, as long as there are determined hackers out there, there will always be security vulnerabilities. If someone is determined enough, they WILL get in--it's just a question of when. We always hear about the M$ products being compromised en-mass, but they are generally easy targets for the script-kiddies.
...aberration...
Notice that they recognize that the laws can , and often do supercedeQuote:
This limited warranty gives you specific legal rights. You may have others, which vary from state/jurisdiction to state/jurisdiction.
LIMITATION OF LIABILITY. To the maximum extent permitted by applicable law, in no event shall Microsoft or its suppliers be liable for
the language of the EULA.
These documents are nothing more than a "wish list", an opening gambit that
you can challenge in court, or ask your legislators to void by law.
I worked for years in the car repair business. On every repair order there is fine print
that says that the mechanic has permission to test drive your car, and if he crashes
it, the shop is not liable. But everyone knows that by law they are liable,
regardless of what the form says.
:cool:
I think it's important to differentiate between a company being liable for a flaw in their product and gross negligence on the part of the company. The recent quirk that allowed a script to be run when a user used WMP and a browser in close succesion isn't very obvious, and thus should probably be considered just a bug. I know we all hate bugs, but they are always going to exist, no matter what legislation gets passed. On the other hand, how often has Microsoft shoved a product out the door knowing that large security flaws existed, but figuring that they could fix it in a subsequent patch. And how many thousands of systems are compromised because they didn't wait that extra month to fix the obvious flaws? In my opinion, that's gross negligence and that's when a company should be punished.