Friday's post about security blogs apparently contained a bit of unintended controversy.
When describing Bruce Schneier's blog, I said "I don't agree with a lot of what he says". Apparently this is heresy in some parts, although I don't understand why. Bruce is unquestionably a very, very smart man (and an excellent writer, I simply loved Applied Cryptography), but he's no Chuck Norris :)
On most topics - security architecture, crypto design, threat analysis, etc, Bruce is remarkable. I find most of what he writes to be insightful.
But Bruce seems to have a complete blind eye when it comes to Microsoft. To my knowledge, even though essentially every other serious security analyst has acknowledged that Microsoft has done a staggering amount of work to improve the security of its products, Bruce still maintains that Microsoft has no clue when it comes to security. That stings.
The #2 hit in a search for Bruce Schneier Microsoft is: http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1011474,00.html which includes: " Microsoft is certainly taking it more seriously than three years ago, when they ignored it completely. But they're still not taking security seriously enough for me. They've made some superficial changes in the way they approach security, but they still treat it more like a PR problem than a technical problem". This couldn't be farther from the truth (the #1 hit is Schneier's FAQ about the PPTP analysis he did where he neglected to acknowledge the work that Microsoft did to rectify the issues he found after his analysis).
And then there was this gem (from February of this year): http://www.schneier.com/blog/archives/2007/02/drm_in_windows.html. He took Peter Gutmann's article and accepted it as the gospel truth, even though Gutmann had absolutely no factual basis for his speculation - Gutmann hadn't verified a single one of his claims, heck he hadn't even installed Vista at the time he wrote his paper.
On the basis of one paper from someone who had never even RUN Vista, Schneier leapt to the conclusion that Microsoft had embedded DRM into all levels of the operating system and that was a reason to avoid Vista.
For the following 5 paragraphs, please note: I AM NOT A LAWYER. I AM NOT GIVING A LEGAL OPINION, THESE ARE JUST MY THOUGHTS.
I also believe that he hasn't fully thought out his position on holding companies financially liable for the security holes in his product. At first blush his idea is attractive, but I firmly believe that the consequences of his idea would totally destroy the Internet as we know it today.
It's also entirely possible that it would kill the open source movement (talk about unintended consequences). Let's say that there's a security vulnerability found. If the vulnerability is found in a closed source product (or in proprietary code), then the corporation would be the only one that could be held liable for the damages - the individual developer would be protected by the corporate liability shield.
But for open source projects, often there is no such corporate liability shield (I could imagine scenarios where a corporate liability shield might apply, but I don't think they apply in general). So who pays up if a vulnerability is found in an open source project? The only likely target is the individual developer (or developers) who introduced the defect (I suspect that those involved in the distribution that contained the vulnerable code would also be targeted).
This means that it's highly likely that the individual contributors to open source projects would be held personally financially liable for security vulnerabilities they introduce. So to contribute to open source projects, you'd have to have many millions of dollars of personal liability insurance (or run the risk of financial ruin if a mistake is found in your code). That is highly likely to result in a stifling of the open source movement, and there's no easy way to work around it.
It's also likely to decrease the likelihood that a corporation would adopt an OSS solution. Consider the situation where a bank (or major retailer) is worried about having its customer records hacked. Since the bank/retailer is going to be held responsible for its security breaches, the bank/retailer has to factor in that risk when it chooses a vendor for its database solution. If the bank/retailer thinks it can sue the software developer who developed the database solution in the event of a breach, and it has two choices for a database vendor, one of them developed by a bunch of people who don't have any real assets and the other from a company with insurance and assets, it would be crazy to choose the one where you have no one to sue.
Those are a couple of reasons why I disagree with Bruce Schneier on occasion.
Thanks Larry – I was getting pretty fed up with Bruce’s baseless remarks about Windows and Microsoft. Sure he knows his crypto and I like his book as much as the next guy but he is just plain ignorant when it comes to Microsoft security and technology.
Pretty good reasons for me. I work in a division where the mere mention of Microsoft can get people on their soap box.
"This means that it's highly likely that the individual contributors to open source projects would be held personally financially liable for security vulnerabilities they introduce."
I would dispute this point. The source code is there for all to see. Any group that wishes to use the code can either do their own security review or trust the contributors, based on their group's level of trust and paranoia. It's their choice, nothing is being hidden from them. In the case of closed source, I have no choice but to trust the company's assertions about its security and the steps they've taken to review it for vulnerabilities.
However, I think I see where you are coming from with the argument. A doctor who happens upon an accident and offers medical help has to be protected by Good Samaritan laws nowadays. It's just common sense, but it still needs to be legislated.
I decided not to even go into the volunteer help issue - apparently the law gets really complicated there.
The availability of source code doesn't change the liability issue (there have been numerous studies that have shown that open source code has roughly the same number of defects as closed source code). This is a product liability issue, not a code quality or trust issue.
The question is: to whom does liability attach? In the case of closed source code, liability clearly attaches to the corporation and only to the corporation (in fact, that's the entire purpose of the corporate liability shield). In the case of FOSS code, it's not clear where liability attaches, my belief is that it attaches to the developer who introduced the defect in the first place (because there's no corporation to sue).
I'll second Kenny's remarks.
I have similar mixed feelings about Schneier's blog. But I still syndicate his feed.
So I take 1 part Schneier, 1 part Microsoft blogs, and mix. :)
"my belief is that it attaches to the developer who introduced the defect in the first place (because there's no corporation to sue)."
I believe that may be true in law, but will never be carried out in reality. As Steve Dallas once said in a Bloom County comic strip, "Never sue poor people". Any lawsuit would most likely find its way back to a corporation. For Windows OS software, somehow Microsoft would be pulled in. For Linux, probably IBM, maybe Red Hat or some other distributor.
Scott, if that's the case, then see my penultimate paragraph. No corporation in its right mind would ever adopt a FOSS solution if it didn't have anyone to sue in the case of a breach; it would stick only with closed source systems. It might go with a major commercial distribution, but that has its own set of issues - in that case, the corporation that owns the distribution would bear the lion's share of the liability for any vulnerabilities. That in turn means that the corporation would be MUCH more careful about what packages are included in a distribution - most of the packages currently included in most *nix distributions would be dropped on the floor as being too much risk to include.
You gotta give him credit for being one sane voice in a sea of madness after 9/11. He also certainly makes his opinions of Microsoft quite clear (and it does seem to be a rather dated opinion these days) but he's not *too* bad. You can't take anything anyone says as gospel, though.
I don't get his obsession with squids, either :-)
I haven't researched this, but I always thought the issue wasn't that software developers have liability *now* for security issues in their software, but that some future law ought to be crafted such that they *should* be.
In that case, since the law is hypothetical in the first place, to assume that liability *would* attach to individual developers is to argue against a straw man: the law could be crafted either way.
It's reasonable to argue that any law which made individual developers liable for defects in open source code would be ridiculous; I'd agree with that argument myself. But that isn't the only way such a liability law could be crafted. Personally, I'm tentatively in favor of a law which says that if you sell someone software or sell them support for software, then you become liable at the point that money changes hands.
It becomes a little more complicated if you want to cover things like individuals being sponsored to work on open source software, but it seems like it should be possible to craft a law to cover that situation too - some provision allowing software developed under contract to an organization to have the liability waived as part of the initial contract before development began, for example.
I'm not saying there aren't any valid arguments against making software developers liable for security flaws, I just don't think *that* argument holds up.
Dean: I 100% agree with you on the sane voice in a sea of madness. As I said: I agree with Bruce most of the time.
And I don't get the Friday squid blogging thingy, but I know that there are other bloggers that do it. I figure it's sorta like my boss's "Hawaiian Shirt Friday".
Stuart: Why should open source development get a pass from liability laws when closed source doesn't? I'm having a hard time understanding such a broad exception to product liability laws.
Schneier's opinion: "[...] holding companies financially liable for the security holes in his [their?] product."
You ask: "So who pays up if a vulnerability is found in an open source project?"
You answer: "[...] highly likely that the individual contributors to open source projects would be held personally financially liable for security vulnerabilities they introduce."
The open source projects you're talking about are not run by companies. Schneier's opinion as you state it here therefore does not suggest such an answer. It's a straw man.
"It's also likely to decrease the likelihood that a corporation would adopt an OSS solution."
Shouldn't Microsofties like it then?
Hey, I never said open source development gets a pass.
I said that it should apply when money changes hands.
If you download open source software for free from Joe Random, caveat downloador, you bear the responsibility for the choice you made to do that.
If you purchase Red Hat Enterprise Linux or whatever SUSE's enterprise edition is called from Novell, or purchase Ubuntu with support from Canonical, or get an enterprise Linux solution installed and supported by IBM, then that's no different than if you're buying Windows from Microsoft, and liability attaches.
Your position perhaps would be that Red Hat etc would never accept such a law, they couldn't possibly accept the liability of code from random contributors for the same reason that Microsoft constantly argues it can't possibly bundle Paint.Net with the OS instead of Paint. I'd argue that the mere fact that these vendors DO ship open source code and DO accept the risk of all the potential liability that Microsoft considers so unacceptable, tells you that in fact they don't feel that way.
(And yes, I'm implying that if Microsoft made Windows a free and unrestricted download, then they'd also get a pass on liability for it)
A: I have no idea if Microsofties should like it or not. Personally I think it's a horrible idea on many levels (do you have any idea how much ANY software would cost if the potential liability for any security defects were included in the price?)
If there's no company, liability attaches to the individual. It's one of the big reasons that corporations exist.
Stuart: If liability only attaches when money changes hand, then no corporation will ever adopt a FOSS project that's not associated with another corporation. Otherwise the liability for that corporation will be too high.