RE: [ISN] Security expert: Make vendors liable for bad code
From: InfoSec News (alerts at infosecnews.org)
Date: Tue Feb 20 2007 - 01:15:06 CST
Forwarded from: Frank Knobbe <frank (at) knobbe.us>
On Mon, 2007-02-19 at 03:28 -0600, Andrew Kalat wrote:
> [...]
>
> Much like a car maker is not liable if you crash into a huge brick
> wall, the vendor cannot be held responsible if you mismanage your IT
> infrastructure.
But if the crash into the brick wall is caused by a steering wheel that
fails to perform as advertised (and required to safely operate the
vehicle), then the vendor is responsible.
Mr. Schneier's argument is based on the fact that consumers are
waiving their rights by accepting the EULAs. If automakers were able
to sell cars with a disclaimer that any malfunction is not their
problem, I'm sure a lot of people would still buy cars from them, until
the number of fatal crashes starts a flood of lawsuits and in the end
causes a change in the law. That is the "next step" we, the consumers,
need to take in regards to software security. As you said, the free
market will determine the outcome.
But, although we live in a litigious society, the current environment
just doesn't appear conducive for consumers to start litigation against
software makers. For one, there is a knowledge barrier on the consumer
side. There is also a far smaller pool of lawyers willing or able to
take on these cases, probably because it is not well-charted and
well-litigated territory (compared to, say, medical malpractice). Your
argument about finger-pointing in court is correct, but it's just par
for the course. What we need is a mechanism that allows the consumer to
demonstrate in court that the software, as bought and as configured as
recommended, failed to perform the advertised function. Slashing through
the legal jungle and points of configurability of software is tricky,
but I believe we can still show that certain core parts of the software
are faulty and thus do not perform as advertised, regardless of the
configuration by the user.
But in the end, does the cause warrant all of this? The death of a human
in a car accident may well change the law. But a partial loss of
business in an enterprise? Probably not, as such losses are expected and
covered through insurance. So what possible cause might warrant a change
of law? Disclosure of your social security number? Hardly, as anyone can
buy that information for $20 from a PI or other information broker. Loss
of function of your home computer? Perhaps that can be covered with
homeowners' insurance. Loss of life due to medical software malfunction? That
might just be cause enough.
So, I partly agree with you. Capitalism will solve the problem through
consumers using their buying power (by choosing software that doesn't
produce a lot of loss). But I also agree with Mr. Schneier in that
changes in the legal framework are required if any of the larger losses
are to be tried in a court of law. Completely dismissing the need for a
change in liability is certainly not the correct response. We don't need
to start a fire outright, but we should allow for the opportunity of a
spark.
Regards,
Frank
--
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
______________________________________
Subscribe to the InfoSec News RSS Feed
http://www.infosecnews.org/isn.rss