OT: Australia may allow punitive damages for security vulns

mark hellewell
http://www.news.com.au/technology/no-anti-virus-software-no-internet-connection/story-e6frfro0-1225882656490

"Companies who release IT products with security vulnerabilities
should be open to claims for compensation by consumers", apparently.

Illegal to run without antivirus ... disconnection of vulnerable
computers.  A much needed kick up the arse for software makers or just
bat-shit insane?  Coming soon...

Mark


Re: OT: Australia may allow punitive damages for security vulns

Adam M. Dutko
> Illegal to run without antivirus ... disconnection of vulnerable
> computers.  A much needed kick up the arse for software makers or just
> bat-shit insane?  Coming soon...


I tend to agree with your last comment.

<begin article summary>
Idiotic politicians with no business setting arbitrary rules on something
they don't understand...
<end article summary>


Re: OT: Australia may allow punitive damages for security vulns

Rod Whitworth-3
In reply to this post by mark hellewell
On Tue, 22 Jun 2010 14:52:30 +1000, mark hellewell wrote:

>http://www.news.com.au/technology/no-anti-virus-software-no-internet-connection/story-e6frfro0-1225882656490
>
>"Companies who release IT products with security vulnerabilities
>should be open to claims for compensation by consumers", apparently.
>
>Illegal to run without antivirus ... disconnection of vulnerable
>computers.  A much needed kick up the arse for software makers or just
>bat-shit insane?  Coming soon...
>
>Mark
>

Never mind anything else - nobody can prove a negative. There goes the
claim for damages.

Nobody at OpenBSD would claim that they could guarantee that there is
no exploit waiting to be found in the OS.

They just make better efforts than anybody else to reduce the chances.

The errata page shows that they are forever responding to possible
problems publicly rather than sneakily (or not at all) like some
bigger outfits we could name.

MNSHO,


Re: OT: Australia may allow punitive damages for security vulns

Martin Schröder
In reply to this post by mark hellewell
2010/6/22 mark hellewell <[hidden email]>:
> "Companies who release IT products with security vulnerabilities
> should be open to claims for compensation by consumers", apparently.

<shrug/>Doesn't seem like Apple cares.

Best
   Martin


Re: OT: Australia may allow punitive damages for security vulns

Manuel Ravasio-2
In reply to this post by Rod Whitworth-3
> Nobody at OpenBSD would claim that they could guarantee
> that there is no exploit waiting to be found in the OS.

> They just make better efforts than anybody else to reduce
> the chances.

> The errata page shows that they are forever responding to
> possible problems publicly rather than sneakily (or not at
> all) like some bigger outfits we could name.

Yep.
Unfortunately intellectual honesty is not the way things go in the
cold, real world out there :-(


Manuel


Re: OT: Australia may allow punitive damages for security vulns

Jacob Yocom-Piatt-2
In reply to this post by mark hellewell
mark hellewell wrote:

> http://www.news.com.au/technology/no-anti-virus-software-no-internet-connection/story-e6frfro0-1225882656490
>
> "Companies who release IT products with security vulnerabilities
> should be open to claims for compensation by consumers", apparently.
>
> Illegal to run without antivirus ... disconnection of vulnerable
> computers.  A much needed kick up the arse for software makers or just
> bat-shit insane?  Coming soon...
>  


is it really that unreasonable when you compare this treatment to any
other physical product e.g. a car? it is only the lack of physicality
that makes software differ from other products.

when ford sold the pinto with the 'exploding' gas tank, it just paid
money out to settle claims after many people were burned to death.
although i don't believe there is a precedent for it, possibly until
now, many software companies have been doing the same thing: selling
crap products that in essence 'explode' and hemorrhage valuable personal
data to script kiddies, etc.

perhaps the threat of a lawsuit will encourage software development
houses to turn out less shite products, in which case the consumer wins.
one way to look at the explosion of software development in the past
30-40 years is that it is an industry lacking sufficient regulation and
thus a very lucrative area to do business. because there is no
regulation you can get some random idiot in whatever country to write
your code and there are no repercussions if the code blows up after you
sell it to someone else, you cannot be held liable for using second-rate
labor to build your product.


Re: OT: Australia may allow punitive damages for security vulns

Adam M. Dutko
> when ford sold the pinto with the 'exploding' gas tank, it just paid money
> out to settle claims after many people were burned to death. although i
> don't believe there is a precedent for it, possibly until now, many software
> companies have been doing the same thing: selling crap products that in
> essence 'explode' and hemorrhage valuable personal data to script kiddies,
> etc.


If we are to compare the nature of software to a physical product, we need
to remember a few things...

1) Proving software to be 100% correct is nearly impossible and in some
cases completely impossible.  (think halting problem and state space
explosion)
2) Physical products often have a calculable degradation curve whereas given
consistent conditions, software does not "deteriorate" in a way that is
easily quantifiable.  It does "degrade" under different conditions but see
point #1 for another problem.
3) Even the best tested and mathematically proven software (think IBM space
shuttle code) has bugs.  I forget the exact cost because I don't have the
paper nearby but the per line cost of the shuttle code was astronomical!  If
all software cost as much per line, no one would own a computer, except
maybe governments and multi-billionaires.

There are other points but I'm sure you get the gist...  I'm glad I have a
job, even if it means being a "high-priced" janitor.


Re: OT: Australia may allow punitive damages for security vulns

CPB
Adam M. Dutko wrote:

>> when ford sold the pinto with the 'exploding' gas tank, it just paid money
>> out to settle claims after many people were burned to death. although i
>> don't believe there is a precedent for it, possibly until now, many software
>> companies have been doing the same thing: selling crap products that in
>> essence 'explode' and hemorrhage valuable personal data to script kiddies,
>> etc.
>>    
>
>
> If we are to compare the nature of software to a physical product, we need
> to remember a few things...
>
> 1) Proving software to be 100% correct is nearly impossible and in some
> cases completely impossible.  (think halting problem and state space
> explosion)
>  
I disagree with this. How many times a year are motor vehicles recalled?
They don't replace the car, they fix it.
Why can't defective software get a recall or a hefty fine if they refuse
to fix it? This is a major reason I walked away from the paid software
world, impossible to pay for quality.

> 2) Physical products often have a calculable degradation curve whereas given
> consistent conditions, software does not "deteriorate" in a way that is
> easily quantifiable.  It does "degrade" under different conditions but see
> point #1 for another problem.
> 3) Even the best tested and mathematically proven software (think IBM space
> shuttle code) has bugs.  I forget the exact cost because I don't have the
> paper nearby but the per line cost of the shuttle code was astronomical!  If
> all software cost as much per line, no one would own a computer, except
> maybe governments and multi-billionaires.
>  
Almost all physical devices come in models, and the next one usually
fixes the defects. Software is very easy to fix within the same model. So I see
software as much simpler to improve on.
> There are other points but I'm sure you get the gist...  I'm glad I have a
> job, even if it means being a "high-priced" janitor.


Re: OT: Australia may allow punitive damages for security vulns

Jan Stary
In reply to this post by Jacob Yocom-Piatt-2
> one way to look at the explosion of software development in the past
> 30-40 years is that it is an industry lacking sufficient regulation and
> thus a very lucrative area to do business. because there is no
> regulation you can get some random idiot in whatever country to write
> your code and there are no repercussions if the code blows up after you
> sell it to someone else, you cannot be held liable for using second-rate
> labor to build your product.

> 3) Even the best tested and mathematically proven software (think IBM space
> shuttle code) has bugs.  I forget the exact cost because I don't have the
> paper nearby but the per line cost of the shuttle code was astronomical!  If
> all software cost as much per line, no one would own a computer, except
> maybe governments and multi-billionaires.

http://www.jstor.org/pss/1879431


Re: OT: Australia may allow punitive damages for security vulns

Stefan Wollny
>> one way to look at the explosion of software development in the past
>> 30-40 years is that it is an industry lacking sufficient regulation and
>> thus a very lucrative area to do business. because there is no
>> regulation you can get some random idiot in whatever country to write
>> your code and there are no repercussions if the code blows up after you
>> sell it to someone else, you cannot be held liable for using second-rate
>> labor to build your product.
>
>> 3) Even the best tested and mathematically proven software (think IBM space
>> shuttle code) has bugs.  I forget the exact cost because I don't have the
>> paper nearby but the per line cost of the shuttle code was astronomical!  If
>> all software cost as much per line, no one would own a computer, except
>> maybe governments and multi-billionaires.
>
>http://www.jstor.org/pss/1879431
>
http://en.wikipedia.org/wiki/The_Market_for_Lemons


Re: OT: Australia may allow punitive damages for security vulns

Adam M. Dutko
In reply to this post by CPB
> I disagree with this. How many times a year are motor vehicles recalled?
> They don't replace the car, they fix it.
> Why can't defective software get a recall or a hefty fine if they refuse to
> fix it? This is a major reason I walked away from the paid software world,
> impossible to pay for quality.


Hrm...seems you disagree with your own point.  It is nearly impossible to
pay for "true" 100% quality.


> Almost all physical devices come in models, and the next one usually
> fixes the defects. Software is very easy to fix within the same model. So I see
> software as much simpler to improve on.


That's why there are patches.  But, just like physical products, patches can
introduce new bugs because they too introduce new execution paths/"change
behavior."  I believe one good approach to improving quality (whether it be
real or not) is to reduce functionality.  Such a move should reduce code
complexity and execution paths.  But, afaik code quality and code size are
not strongly associated.

I'm not making excuses for software.  Software is hard which imho is what
makes it appealing.

I do love the paper Jan mentioned because it highlights the importance of
standards bodies.  It also highlights the potential use of government
organizations to regulate markets, which is what the original article
mentions.  I won't say which I prefer because you can probably determine
that on your own.  Good discussion.


Re: OT: Australia may allow punitive damages for security vulns

Marco Peereboom
In reply to this post by Adam M. Dutko
On Tue, Jun 22, 2010 at 08:44:45AM -0400, Adam M. Dutko wrote:

> > when ford sold the pinto with the 'exploding' gas tank, it just paid money
> > out to settle claims after many people were burned to death. although i
> > don't believe there is a precedent for it, possibly until now, many software
> > companies have been doing the same thing: selling crap products that in
> > essence 'explode' and hemorrhage valuable personal data to script kiddies,
> > etc.
>
>
> If we are to compare the nature of software to a physical product, we need
> to remember a few things...
>
> 1) Proving software to be 100% correct is nearly impossible and in some
> cases completely impossible.  (think halting problem and state space
> explosion)

This is obviously not the intent.  The intent is to have software that
is reasonably crafted by software engineers.  Not some slapped together
turd with peanuts from different development teams.

> 2) Physical products often have a calculable degradation curve whereas given
> consistent conditions, software does not "deteriorate" in a way that is
> easily quantifiable.  It does "degrade" under different conditions but see
> point #1 for another problem.

Not interesting and not even true.  Anyone who coded in the old world
with, let's say, threads knew that going to a newer better faster machine
would always result in nice new racing bugs.  I won't get into why this
happened though.

> 3) Even the best tested and mathematically proven software (think IBM space
> shuttle code) has bugs.  I forget the exact cost because I don't have the
> paper nearby but the per line cost of the shuttle code was astronomical!  If
> all software cost as much per line, no one would own a computer, except
> maybe governments and multi-billionaires.

Reasonable quality control is something people shouldn't hope for; it
should be something people demand.  The reason why we have Windows the
way it is today is that in the early days people didn't put their foot
down and say "ENOUGH".  The rest is history.

The reason why Apple is making such big strides with OSX is because they
are capitalizing on this general feeling.  OSX, unlike Windows, isn't
naturally chaotic and Apple does a fine job pretending they are secure.
All in all a pretty smart marketing campaign that seems to be paying the
bills just fine.

Your car runs hundreds of thousands (if not millions) of lines of code.
Does it crash all the time?  Microsoft spends more money on R&D than
NASA has to develop a rocket.  Are you sure that they should not have
been capable of any standard of quality?

> There are other points but I'm sure you get the gist...  I'm glad I have a
> job, even if it means being a "high-priced" janitor.


Re: OT: Australia may allow punitive damages for security vulns

Adam M. Dutko
> This is obviously not the intent.  The intent is to have software that
> is reasonably crafted by software engineers.  Not some slapped together
> turd with peanuts from different development teams.


I agree it shouldn't be slapped together but you strike upon an interesting
debate...  Should developers have to be software engineers and be certified?
Or are we OK with the "hacker" model?  I hope you realize I'm not
insinuating "hacker" means crap coder!  I tend to think it's a superior
model but it's also an evolutionary one, something most people don't "have
time for."


> Not interesting and not even true.  Anyone who coded in the old world
> with, let's say, threads knew that going to a newer better faster machine
> would always result in nice new racing bugs.  I won't get into why this
> happened though.
>

Sure, doing things faster doesn't mean it'll be better.  Often it just means
you'll hit a lock problem quicker than if you went slower.  Can you
elaborate on what you mean though...what's the equivalent to code rust?  API
breakage? Windows seems to have maintained crazy backwards compatibility.
Not that I'm applauding it, because it also means malicious code can still run
unless other means are leveraged to block it.


> Reasonable quality control is something people shouldn't hope for; it
> should be something people demand.  The reason why we have Windows the
> way it is today is that in the early days people didn't put their foot
> down and say "ENOUGH".  The rest is history.
>

I agree that's part of the reason.


> The reason why Apple is making such big strides with OSX is because they
> are capitalizing on this general feeling.  OSX, unlike Windows, isn't
> naturally chaotic and Apple does a fine job pretending they are secure.
> All in all a pretty smart marketing campaign that seems to be paying the
> bills just fine.


Yes, until the other shoe drops.


> Your car runs hundreds of thousands (if not millions) of lines of code.
> Does it crash all the time?  Microsoft spends more money on R&D than
> NASA has to develop a rocket.  Are you sure that they should not have
> been capable of any standard of quality?


Not all the time, but there are many documented cases, not the least of
which being the current "popular hybrid car maker" debacle.

I've looked up a couple of reports on money spent specifically to improve
quality for Microsoft and for NASA.  NASA gives us a number at
http://www.nasa.gov/pdf/420990main_FY_201_%20Budget_Overview_1_Feb_2010.pdf but
the number I found was specific to a group within NASA, not as a whole.
If you also count the Air Force space program, which is much bigger but is
also "involved" with NASA, the number becomes much larger:
http://www.saffm.hq.af.mil/shared/media/document/AFD-100201-050.pdf.  Most
of the information I found in Microsoft's filing and various news media
articles doesn't talk about specific research for "quality improvements."
They talk about "vague" concepts.

I do believe they're all capable of better quality software, it's just hard
and expensive.  Each is avoided like the plague in most corporate
environments.


Re: OT: Australia may allow punitive damages for security vulns

Marco Peereboom
On Tue, Jun 22, 2010 at 01:23:14PM -0400, Adam M. Dutko wrote:

> > This is obviously not the intent.  The intent is to have software that
> > is reasonably crafted by software engineers.  Not some slapped together
> > turd with peanuts from different development teams.
>
>
> I agree it shouldn't be slapped together but you strike upon an interesting
> debate...  Should developers have to be software engineers and be certified?
> Or are we OK with the "hacker" model?  I hope you realize I'm not
> insinuating "hacker" means crap coder!  I tend to think it's a superior
> model but it's also an evolutionary one, something most people don't "have
> time for."

I don't really believe in tying people down to a certain methodology or
process.  I am a huge fan of doing things "the right way".  This
obviously means different things for different organizations.  There
really is no silver bullet for this.

That said there are a couple of issues in any development organization
that need to be dealt with.  What it ultimately comes down to is how
well respected quality control is.  Quality control is not just
verification; it is code style, best practices, unit test etc etc.
If it is an afterthought and not taken seriously then your code will
suck.

You can add process, ISO certification and other BS all day which
usually results in disaster because staff doesn't buy into it.

And I'll tell you the true success to software development.  Good
engineers that know their stuff and are willing to work within a
framework.  This means hiring people and paying them what they are
worth.  Getting a bunch of kids from college with some degree or another
or outsourcing code is a recipe for disaster.  If the developers have no
vested interest in the success of the code a project will nearly always
fail.  I have seen some colossal failures over time and they usually
start when people become resources.

Anyway I can ramble about this for days.

>
>
> > Not interesting and not even true.  Anyone who coded in the old world
> > with, let's say, threads knew that going to a newer better faster machine
> > would always result in nice new racing bugs.  I won't get into why this
> > happened though.
> >
>
> Sure, doing things faster doesn't mean it'll be better.  Often it just means
> you'll hit a lock problem quicker than if you went slower.  Can you
> elaborate on what you mean though...what's the equivalent to code rust?  API
> breakage? Windows seems to have maintained crazy backwards compatibility.
> Not that I'm applauding it, because it also means malicious code can still run
> unless other means are leveraged to block it.

You misunderstood me.  I meant in the old days running old code on new
machines nearly always meant breakage because it was poorly written at
most levels (OS, API, apps, etc.).

>
>
> > Reasonable quality control is something people shouldn't hope for; it
> > should be something people demand.  The reason why we have Windows the
> > way it is today is that in the early days people didn't put their foot
> > down and say "ENOUGH".  The rest is history.
> >
>
> I agree that's part of the reason.
>
>
> > The reason why Apple is making such big strides with OSX is because they
> > are capitalizing on this general feeling.  OSX, unlike Windows, isn't
> > naturally chaotic and Apple does a fine job pretending they are secure.
> > All in all a pretty smart marketing campaign that seems to be paying the
> > bills just fine.
>
>
> Yes, until the other shoe drops.
>
>
> > Your car runs hundreds of thousands (if not millions) of lines of code.
> > Does it crash all the time?  Microsoft spends more money on R&D than
> > NASA has to develop a rocket.  Are you sure that they should not have
> > been capable of any standard of quality?
>
>
> Not all the time, but there are many documented cases, not the least of
> which being the current "popular hybrid car maker" debacle.
>
> I've looked up a couple of reports on money spent specifically to improve
> quality for Microsoft and for NASA.  NASA gives us a number at
> http://www.nasa.gov/pdf/420990main_FY_201_%20Budget_Overview_1_Feb_2010.pdf but
> the number I found was specific to a group within NASA, not as a whole.
> If you also count the Air Force space program, which is much bigger but is
> also "involved" with NASA, the number becomes much larger:
> http://www.saffm.hq.af.mil/shared/media/document/AFD-100201-050.pdf.  Most
> of the information I found in Microsoft's filing and various news media
> articles doesn't talk about specific research for "quality improvements."
> They talk about "vague" concepts.
>
> I do believe they're all capable of better quality software, it's just hard
> and expensive.  Each is avoided like the plague in most corporate
> environments.

Microsoft spends $10B on R&D.  That is nearly the ENTIRE budget of NASA.
They are the classic example of organizations that are completely out of
control and rely entirely on some process that is "good enough".  Anyone
who has written code that directly interacts with their APIs knows how
completely disjoint their development teams are. They don't even adhere
to the same damn style for function calls.

If you really want to have some fun with that number go figure out where
they make their money.  Then figure out how much each line of code cost.
Pretty baffling stuff.


Re: OT: Australia may allow punitive damages for security vulns

VICTOR TARABOLA CORTIANO
In reply to this post by mark hellewell
> http://www.news.com.au/technology/no-anti-virus-software-no-internet-connecti
> on/story-e6frfro0-1225882656490
>
> "Companies who release IT products with security vulnerabilities
> should be open to claims for compensation by consumers", apparently.
>
> Illegal to run without antivirus ... disconnection of vulnerable
> computers.  A much needed kick up the arse for software makers or just
> bat-shit insane?  Coming soon...
>

australian laws => censorship

Imagine if those crazy anti-freedom lawmakers force OpenBSD users to
install antiviruses...


Re: OT: Australia may allow punitive damages for security vulns

CPB
In reply to this post by Marco Peereboom
Marco Peereboom wrote:

>
>
> Microsoft spends $10B on R&D.  That is nearly the ENTIRE budget of NASA.
> They are the classic example of organizations that are completely out of
> control and rely entirely on some process that is "good enough".  Anyone
> who has written code that directly interacts with their APIs knows how
> completely disjoint their development teams are. They don't even adhere
> to the same damn style for function calls.
>
> If you really want to have some fun with that number go figure out where
> they make their money.  Then figure out how much each line of code cost.
> Pretty baffling stuff.
>
>
>  

Hmm, a $10B R&D donation for OpenBSD.

I wonder what could be accomplished with what was left over after the
beer was accounted for? :)


Re: OT: Australia may allow punitive damages for security vulns

E.T-3
One hangover :)


On Tue, 22 Jun 2010 13:24:43 -0500, Chris Bennett
<[hidden email]> wrote:
> Marco Peereboom wrote:
>>
>>
>> Microsoft spends $10B on R&D.  That is nearly the ENTIRE budget of NASA.
>> They are the classic example of organizations that are completely out of
>> control and rely entirely on some process that is "good enough".  Anyone
>> who has written code that directly interacts with their APIs knows how
>> completely disjoint their development teams are. They don't even adhere
>> to the same damn style for function calls.
>>
>> If you really want to have some fun with that number go figure out where
>> they make their money.  Then figure out how much each line of code cost.
>> Pretty baffling stuff.
>>
>
> Hmm, a $10B R&D donation for OpenBSD.
>
> I wonder what could be accomplished with what was left over after the
> beer was accounted for? :)

--
@plus


Re: OT: Australia may allow punitive damages for security vulns

Kevin Chadwick-2
In reply to this post by Marco Peereboom
On Tue, 22 Jun 2010 12:55:10 -0500
Marco Peereboom <[hidden email]> wrote:

> Getting a bunch of kids from college with some degree or another
> or outsourcing code is a recipe for disaster.  If the developers have no
> vested interest in the success of the code a project will nearly always
> fail.

And ironically some UK government investment projects are only
attainable if you work with these "experts" and expensive
resource-hogging "managers" a.k.a. leeches. Of course, some of them are
experts but they're not usually the ones they want you to work with.

How come the university acting as proxy got so much of OpenBSD's DARPA
grant? What was the justification?


Re: OT: Australia may allow punitive damages for security vulns

Theo de Raadt
> How come the university acting as proxy got so much of OpenBSD's DARPA
> grant? What was the justification?

Graft, influence trading, and patronage are institutionalized in the
relationship between universities, research grants, and the government
in the US to roughly the same level as anywhere else in the world.
The finances just aren't talked about as much in the US because the
people who benefit from it know to keep their mouths shut.  Upon the
remainder of the population, the other side of the coin is a very fast growing
but hidden inflation.  But your media is playing the same game with your
government.  The word "propaganda" has fallen out of vogue.

Anyways, in that instance a few University people got around 50%
because of their connections, and did nothing except a few bits of
paperwork -- except for one grad student (who worked very hard, but
was already doing so beforehand).  Oh, but the university staff sure
worked hard in the last few days trying to steal payments back from
OpenBSD people who were on contract, when the Department of Defence
got upset.


Re: OT: Australia may allow punitive damages for security vulns

Sunnz
In reply to this post by mark hellewell
2010/6/22 mark hellewell <[hidden email]>:

> http://www.news.com.au/technology/no-anti-virus-software-no-internet-connection/story-e6frfro0-1225882656490
>
> Illegal to run without antivirus ... disconnection of vulnerable
> computers.  A much needed kick up the arse for software makers or just
> bat-shit insane?  Coming soon...
>
> Mark
>
>

Well, clamav is available in ports, right? So I guess when needed, just
show them `man clam` or something like that to say that you do have
antivirus installed.

--
IMPORTANT: DO NOT send me Microsoft Office/Apple iWork documents.