« Metricon 2.0 | Main | Real ID? No, Say DHS's Advisors »

May 08, 2007

Comments

Pete

Does this make you a proponent and believer in vulnerability-free software?

Pete

jsqrisk

Did the lawsuits about the Corvair make the automobile industry vulnerability-free?

Why is "vulnerability-free" a relevant question, anyway?

-jsq

Pete

Well, my post was about whether there was such a thing as being "naturally secure". With software, I believe naturally secure means vulnerability-free. Do you have a different definition?

Pete

"Did the lawsuits about the Corvair make the automobile industry vulnerability-free?"

No, it didn't. So liability didn't work there either.

Iang

Credit card vendors used to send out live cards in the paper mail that you'd have to decline. Crooks stole them out of the mail and used them. Eventually Congress passed a law saying that was illegal. Now credit card companies are liable if they do that. They don't do it anymore. I think Hal Varian has been on about this point since around the year 2000.

Why didn't people sue their banks for fraud? Why did congress need to write a law about behaviour that is already covered by contract law and fraud?

Iang

The idea that an injured party can sue the responsible parties for their share in the liability is starting to emerge. TJX are being sued by the banks. Bank of America was sued for online banking by Lopez, claiming that BofA should have known that the PC was insecure.

Class action suits are probably the way forward. A law will bungle it.

PS: we still have a way to go when blogs discriminate against secure URLs!

Iang

So liability didn't work there either.

Pete, that's a strawman. We all know that security is a risk question, not an absolute metric. Liability helps the risk approach, and of course it doesn't help that which we already know to be impossible.

Pete

@iang -

I think the idea of "naturally secure" is naive in exactly this way - as if security is absolute - so you make my point well.

Whether liability helps or hurts the risk question is dependent on an individual's starting point for risk. There is plenty of evidence to suggest that it really is only a vocal minority whose risk posture is such that liability is of interest. To the extent that this hurts everyone else through the reduction of future benefits, it needs to be carefully understood.

In any case, there is no such thing as "naturally secure."

jsqrisk

I don't really see what fixation on certain phrases does to help anything.

The basic point seems pretty straightforward to me: Microsoft (and other vendors) produces software with known design flaws (IE seems the most obvious example) that cause or exacerbate security problems, just like automobile manufacturors used to produce cars with shift patterns that had reverse where second had traditionally been; didn't have seat belts or air bags; would catch fire easily in wrecks; etc. Laws weren't the only things that helped with making cars safer, and of course no car is completely safe. Liability laws would help with software, too.

New laws aren't the only way to establish liability, and if plaintiffs can establish liability using existing laws, more power to them. However, so far that hasn't worked. And history indicates, e.g., in the live credit card scenario, that sometimes a law is a good idea.

So, Pete, tell us about the "plenty of evidence" of which you speak. Also why you think liability reduces future benefits. Help us to carefully understand.

-jsq

The comments to this entry are closed.

My Photo

Risk Reading

Blog powered by Typepad