[LINK] Identity theft virus infects 10,000 computers

Marghanita da Cruz marghanita at ramin.com.au
Wed Aug 16 16:10:41 AEST 2006


Rick Welykochy wrote:
> --- Craig Sanders <cas at taz.net.au> wrote:
> 
> 
>>On Wed, Aug 16, 2006 at 02:51:34AM +1000, Rick Welykochy wrote:
>>
>>>If you think that producing free (as in beer) software would exempt
>>>the copyright holder from liability under such a law, think again.
>>
>>i don't think it should be entirely exempt (particularly in the case of
>>deliberately malicious intent) - but, the development of free software
>>is an iterative process of "release early, release often" with feedback
>>and patches from users being used to find and fix bugs and suggest new
>>features. this is quite distinct from proprietary software which is
>>released as (allegedly) finished, working product.
> 
> 
> I doubt the law would care which development model is used. If a law
> prohibits shoddy insecure software, that's the law. And that's what I
> am debating here. And that's what I am proposing here.
> 
...reliability and minimising the threats from viruses, and analysing 
the offerings, was the main reason I made the decision to switch from 
the MSWindows upgrade path to Linux. However, we could debate whether the 
threat of viruses is related to poor software or market share (more bang 
for your buck in attacking more popular software).

Note, I downloaded and used free closed source software for my dial up, 
so I am assuming my system is compromised!

Both open source and proprietary licenses have disclaimers. However, the 
advertisements say otherwise.

I don't think you can legislate or insure away risk management and in 
fact you are probably doing more damage in providing false senses of 
security.

...the real problem lies in the sales pitch and disclosure, but even in 
money where you would think the issues simpler, people have made bad 
decisions. The government mandated Superannuation, "tightened" the rules 
and we still have super investments going down the gurgler with Westpoint.

Marghanita

> 
> 
>>also, the fact that source code is available to be examined and fixed
>>by the user (or their agent) is (or should be) a significant mitigating
>>factor in any liability claim.
> 
> 
> Why so? It is very impractical for every single user of every single
> piece of FOSS to download the source, examine it for bugs, test it
> for security and then make a supposedly informed decision as to its
> security and safety. Far better to legislate the reliability and
> enforce that the testing and validation be done ONCE, at the source,
> with the software writer. After all, the development team (which includes
> the testers) are in the best position to test the final product 
> against the initial requirements, don't you think?
> 
> I don't know if you develop software, craig. I can tell you that a read
> of the source code cannot possibly uncover all the potential problems
> that exist in software. The problem of software testing and validation
> is very complex and very unsolved. Peer reviews and code walkthroughs
> can uncover nasty programming habits and dud programmers, but will
> never uncover all the bugs, security or otherwise.
> 
> Let's take an example: race conditions and the security holes they can
> create. These are almost always detected in the wild, under conditions
> of realistic stress and resource usage. I doubt examining source code
> would uncover these errors. Or somewhat related: the problems of concurrent
> programming and multiple access. These are not even visible in the source
> code - the errors only emerge through concurrent usage.
> 
> Another concrete example for you personally. Do you really think even
> with your skills and talents that you could possibly have detected the
> security holes in SSL that were discovered in the wild back in
> 2001? I was using SSL on production systems at the time and certainly
> (a) had no time to read the source code which had been available for
> perhaps a year or two and (b) doubt I would have picked up the two
> or three lines of code out of thousands that contained the compromise.
> 
> 
>>strict liability for free software developers would effectively kill
>>free software - it would be too great a risk (with no benefit at all)
>>to release any free software. by contrast, proprietary/commercial
>>developers can balance the risk against the financial reward (and,
>>accordingly, incur obligations *because* they accept money for their
>>product).
> 
> 
> Have a read of Schneier. He doesn't make idle claims about software
> liabilities without backing them up. This industry needs more responsibility,
> respectability and liability for the software it produces. The way to
> mitigate risks associated with the legal responsibility is the same as
> is done in any field of endeavour: insurance. Commercial developers
> can balance the risk, as you say, how? By purchasing liability insurance.
> If they are good at their job, the software they produce will be low
> in security bugs and safety issues, and their premiums low. OTOH if their
> software is insecure garbage, they will pay the piper.
> 
> Yes, software liability legislation will have a chilling effect on
> FOSS. It will also have a chilling effect on proprietary software. So
> what? The goal is more reliable, secure and safe software. The outcome
> depends on the ability to deliver the same. I have complete faith in the
> FOSS community to deliver same. I DO NOT have faith in some of the
> more prominent proprietary software producers to deliver same. And I certainly
> have little time or interest in FOSS or proprietary software (crapware?)
> that does not meet stringent standards in security, safety and merchantability.
>  
> It may mean that certain creators and distributors of FOSS may have to
> take out a bit of liability insurance, brush up on their development
> and testing SKILZ and even enter the realm of responsible software
> development. Is that such a bad thing? I am of the opinion that the
> development teams of the more successful FOSS projects are already
> there, often miles ahead of their proprietary cousins. The latter are
> driven by market forces that demand far different things than quality,
> reliability and security (unfortunately).
> 
> 
>>>No contract, no consideration. I am sure some of the legal eagles
>>>on Link could come up with many more examples of where safety and
>>>security are legal issues that fall far beyond the area of contract
>>>law.
>>
>>OTOH, for an example closer to software distribution, look at the
>>liability of a financial counsellor (or lawyer or other professional
>>advisor) providing generic opinions on a radio or TV show vs the
>>liability for the same counsellor providing specific detailed advice
>>to a client. there is far greater responsibility and liability for the
>>latter.
> 
> 
> I'll ignore the weak analogy of "free" as in beer vs. paid-for software,
> as I don't think it applies. Software creation and distribution is not
> a profession and until it is, no analogies like the above can be realistically
> drawn. Besides, attempting to prove a point by analogy is dead-end illogic.
> 
> To address your analogy directly, I suppose the same would apply if I were
> to offer free consults and advice on the radio in the area of IT and security,
> vs. paid consults to clients. I suppose.
> 
> cheers
> rickw
> 
> 
> 
> _______________________________________________
> Link mailing list
> Link at mailman.anu.edu.au
> http://mailman.anu.edu.au/mailman/listinfo/link
> 


-- 
Marghanita da Cruz
Ramin Communications
http://www.ramin.com.au
Phone: 0414-869202
Email: marghanita at ramin.com.au