WebApp Sec mailing list archives

Software liability


From: Andrew van der Stock <vanderaj () greebo net>
Date: Thu, 17 Nov 2005 22:56:46 +1100

On an average day, I get about 20-30 spam to webappsec, which of course I reject. Today, I received about 80, including many which managed to get around Mail.app's usually excellent spam filtering. Typically, I only see such massive spikes in spam when a new piece of malware is out there.

I can't say for sure that the Sony DRM rootkits caused this immense jump, but it has to be related; I know of no other major exploit out there which is as easy to exploit as the rootkit, and the subsequent vulnerable removal ActiveX script which is even easier to exploit. I'm not going to get into an anti-Sony bash here (although they richly deserve their rewards for their inexplicable hostile activities against paying customers - pirates and copyright infringers will never see the rootkit and thus not need to terminate it with extreme prejudice. Way to go Sony.)

Instead, I'd like to discuss the issue of damages when you just shove software out the door. With any other consumer good, most countries have reasonable trade practices laws which require the goods to be merchantable and fit for purpose, which includes "safe". Imagine if baby clothes and cot manufacturers could "license" flammable and dangerous goods which decry all liability in case your first born is burnt to a cinder at the first sign of a hot day?

My personal view is that companies cannot simply pump vulnerable software out there without any possibility of recovering damages (as per EULA fairy tale land). I think that there has to be a reasonable effort taken at securing software prior to its release, and if not, damages and liability have to be assumed. Even for open source software; otherwise, vendors have an out.

What do you think? What should constitute "reasonable efforts"? If you stick a big engine in your car, you need an engineer's report and the engineer has to be an actual engineer. Is the world hostage to our field being a nascent industry with nascent tools and standards?

thanks,
Andrew
