No care factor on liability and no pressure to change……

June 14th, 2008 Drazen Drazic Posted in Applications, Bad Developers, Bad Stuff, Dumb Security, Research, Risk Management, Vulnerability Management, WTF, Web Application Security, cyber crime |

A lot of recent posts here and in the forum talk about responsible and true representation of the services and products being marketed. The focus, though, has been on security products and vendors, but why restrict it to just them? The whole software industry thrives in a no-liability market that few, if any, other industries enjoy. There is something wrong with that!

They’ve been in that lucky position pretty much since day 1. Produce flaky products (but with a heap of features to sell, and keep selling) and carry no liability should your product cause problems for the people who buy it! If problems occur, there is NO LIABILITY AND NO LEGAL REPERCUSSIONS FOR THE PEOPLE WHO CREATED THE PROBLEM!

The problem always sits with those who purchased and use that software!

Does a government regulator, or a business “regulator” like the PCI, even talk about attacking the problem at its source? NO! They go after the people who used the software, not the producer of the software! (NB: I know that in many cases the software itself is not the sole problem, but….) If company X is breached due to a vulnerability in a software product it uses, the company is at fault; no one goes after the developers. Why? Because at present they are immune to anything that goes wrong with their product. We all agree to the one-sided contract they give us (with no negotiation available), and there is no law that assists the consumer of the product!

David Rice talks about this in Geekonomics, but even in this great book the proposed way forward still seems a long way off. Are we onto something here [in recent BorB discussion] in terms of approaching some form of progress through a different means, i.e. attacking the marketing and sales approaches of these companies and using bodies like the ACCC in Australia?

Through responses here and emails I have received, and even readers sending questionable “marketing” techniques to Media Watch, I think we are starting a movement. Small and slow, but progress nonetheless, and with the likes of books like David’s we can start to chip away and make some progress.

The solution is not another reactive product to make squillions for a big “security” vendor, but rather getting back to the core of the problem: better, quality-produced software. There will always be a place for both, but the balance at present is skewed amazingly to one side, ridiculously so. It makes no sense when viewed against other industries, particularly given our reliance on software and how much it affects our lives! (And by lives, I mean it literally affects people’s lives!)

8 Responses to “No care factor on liability and no pressure to change……”

  1. Now, IANAL, obviously, but just because we ‘agreed’ to the license doesn’t mean it will be held up in court (http://www.law.com/jsp/legaltechnology/pubArticleLT.jsp?id=1192439008771 is an example), maybe we need someone to get 0wned, then try to sue the vendor?

  2. Hey Kuza, good post and link. Precedent is key right now in our industry and we need some legal dudes to create that! As mentioned by DD, we have nothing at the moment. You are right in your last point to a degree. A big corp, rooted so to speak, with a bad-time breach and with money to spend is key. Something like that will get judges here to start to learn. When they do that and make a call, we’ll get precedent and then “law”. That is our only starting point, but once there, that is enough!…..hopefully…

  3. Add me to the list DD! Kick arse!

  4. Hey Kuza,

    Good to have you posting here. Interesting case. I couldn’t remember that one. I agree, and I can see some of these “contracts” being tested more and more in the future. Things have to change, and they will if history is anything to go by, looking at other industries that have emerged over time - but it’s slow happening for the software industry.

    Trying to change the big guys’ position on contracts is going to be tough and take more than just negotiation between them and the clients (us). The “power” generally sits with them. There are either few alternatives (e.g. to the likes of an MS - you need it), or similar software producers will align to what the others do, so why add additional costs to what they are doing?

    Organisations though can negotiate hard on software being developed for them specifically by third-parties. Many don’t do that, and end up in a similar position to what they have with the likes of the bigger guys. That needn’t be the case.

    Awareness is growing, and the pressure needs to be directed to where the initial root-cause faults lie.

    ZmAN makes a valid point, but I also think, for things to change, pressures will need to come from a few areas. (Some as discussed here).

    DD

  5. Declan Ingram Says:

    It happens because we allow it. It is that simple.

    If we choose not to buy software that is crap, it will go away. If we choose not to buy from companies that are crap, they go away. If we choose not to support open source projects that are crap - they too eventually go away!

    But while we all keep clicking ‘accept’ on crappy licenses we will be stuck with them. Yes, RMS - I’m looking at you too !

  6. “If you don’t like crap, don’t buy crap.
    If you do buy crap, don’t complain that it smells.
    If you hold your money in your hand and say what you want loudly enough, someone will come along and try to earn it.”

    http://www.ranum.com/security/computer_security/editorials/lawyers/index.html

  7. Declan Ingram Says:

    @ D2

    I’d love to say “the storms are coming” and “things are going to change”, but I just can’t convince myself that it is true.

  8. @Declan Ingram, agreed. The problem is sheep, and complexity begetting complexity. Monkey magic my friend, old guard of IT.. we need to breed them out and hope the *rate* of change doesn’t continue to outstrip the generational divide. I *really* hate to say it, but humans need a cyber 9/11 / Pearl Harbor to wake the fcuk up!

    To quote my fav infosec peep once more:

    “Will the future be more secure? It’ll be just as insecure as it possibly can, while still continuing to function. Just like it is today.” http://www.ranum.com/security/computer_security/editorials/point-counterpoint/homeusers.htm

    Sometimes I feel like we need Fremen like IT warriors to bring about a new age :)
