[LINK] Identity theft virus infects 10,000 computers

Rick Welykochy pirkeepie at yahoo.com.au
Wed Aug 16 15:20:57 AEST 2006


--- Craig Sanders <cas at taz.net.au> wrote:

> On Wed, Aug 16, 2006 at 02:51:34AM +1000, Rick Welykochy wrote:
> > If you think that producing free (as in beer) software would exempt
> > the copyright holder from liability under such a law, think again.
> 
> i don't think it should be entirely exempt (particularly in the case of
> deliberately malicious intent) - but, the development of free software
> is an iterative process of "release early, release often" with feedback
> and patches from users being used to find and fix bugs and suggest new
> features. this is quite distinct from proprietary software which is
> released as (allegedly) finished, working product.

I doubt the law would care which development model is used. If a law
prohibits shoddy insecure software, that's the law. And that's what I
am debating here. And that's what I am proposing here.


> also, the fact that source code is available to be examined and fixed
> by the user (or their agent) is (or should be) a significant mitigating
> factor in any liability claim.

Why so? It is very impractical for every single user of every single
piece of FOSS to download the source, examine it for bugs, test it
for security and then make a supposedly informed decision as to its
security and safety. Far better to legislate the reliability and
enforce that the testing and validation be done ONCE, at the source,
with the software writer. After all, the development team (which includes
the testers) are in the best position to test the final product 
against the initial requirements, don't you think?

I don't know if you develop software, Craig. I can tell you that a read
of the source code cannot possibly uncover all the potential problems
that exist in software. The problem of software testing and validation
is very complex and very unsolved. Peer reviews and code walkthroughs
can uncover nasty programming habits and dud programmers, but will
never uncover all the bugs, security or otherwise.

Let's take an example: race conditions and the security holes they can
create. These are almost always detected in the wild, under conditions
of realistic stress and resource usage. I doubt examining source code
would uncover these errors. Or somewhat related: the problems of concurrent
programming and multiple access. These are not even visible in the source
code - the errors only emerge through concurrent usage.

Another concrete example for you personally. Do you really think even
with your skills and talents that you could possibly have detected the
security holes in SSL that were discovered in the wild back in
2001? I was using SSL on production systems at the time and certainly
(a) had no time to read the source code which had been available for
perhaps a year or two and (b) doubt I would have picked up the two
or three lines of code out of thousands that contained the compromise.

> strict liability for free software developers would effectively kill
> free software - it would be too great a risk (with no benefit at all)
> to release any free software. by contrast, proprietary/commercial
> developers can balance the risk against the financial reward (and,
> accordingly, incur obligations *because* they accept money for their
> product).

Have a read of Schneier. He doesn't make idle claims about software
liabilities without backing them up. This industry needs more responsibility,
respectability and liability for the software it produces. The way to
mitigate risks associated with the legal responsibility is the same as
is done in any field of endeavour: insurance. Commercial developers
can balance the risk, as you say, how? By purchasing liability insurance.
If they are good at their job, the software they produce will be low
in security bugs and safety issues, and their premiums low. OTOH if their
software is insecure garbage, they will pay the piper.

Yes, software liability legislation will have a chilling effect on
FOSS. It will also have a chilling effect on proprietary software. So
what? The goal is more reliable, secure and safe software. The outcome
depends on the ability to deliver the same. I have complete faith in the
FOSS community to deliver same. I DO NOT have faith in some of the
more prominent proprietary software producers to deliver same. And I certainly
have little time or interest in FOSS or proprietary software (crapware?)
that does not meet stringent standards in security, safety and merchantability.
 
It may mean that certain creators and distributors of FOSS may have to
take out a bit of liability insurance, brush up on their development
and testing SKILZ and even enter the realm of responsible software
development. Is that such a bad thing? I am of the opinion that the
development teams of the more successful FOSS projects are already
there, often miles ahead of their proprietary cousins. The latter are
driven by market forces that demand far different things than quality,
reliability and security (unfortunately).

> > No contract, no consideration. I am sure some of the legal eagles
> > on Link could come up with many more examples of where safety and
> > security are legal issues that fall far beyond the area of contract
> > law.
> 
> OTOH, for an example closer to software distribution, look at the
> liability of a financial counsellor (or lawyer or other professional
> advisor) providing generic opinions on a radio or TV show vs the
> liability for the same counsellor providing specific detailed advice
> to a client. there is far greater responsibility and liability for the
> latter.

I'll ignore the weak analogy of "free" as in beer vs. paid-for software,
as I don't think it applies. Software creation and distribution is not
a profession and until it is, no analogies like the above can be realistically
drawn. Besides, attempting to prove a point by analogy is dead-end illogic.

To address your analogy directly, I suppose the same would apply if I were
to offer free consults and advice on the radio in the area of IT and security,
vs. paid consults to clients. I suppose.

cheers
rickw
