Sunday, June 04, 2006

Bruce gets it wrong again

Bruce argues that we should Make Vendors Liable for Bugs

This is a common argument, make vendors responisble for bugs, they get their act together, hey presto no bugs.

Only one little problem: Vendors are already liable for negligence.

Negligence has an unusual status in common law, it is inalienable. A contract term that excludes negligence is unenforceable. This is the case even in a negotiated contract where both sides have equal bargaining power. Terms in shrinkwrap EULAs are much harder to enforce.

So why don't we see the law courts clogged up with neligence suits?

There are two reasons, first the 'fit for purpose' clause that vendors insert that attempts to make the user responsible for checking to see if the software will work in the intended application. If I buy a $1000 spreadsheet package, use it to design a nuclear power station and make no attempt to independely check the results it does not make much sense to hold the spreadsheet vendor liable for the melt down.

There are very few cases where a single software bug is the sole cause of an incident. If a virus gets onto your computer and eats all the files it was your decision not to back them up properly.

The second reason there are few negligence cases is that it is unlikely the legal standard for negligence is met in most cases. The legal definition of negligence is now determined by the Judge Hands test which states that negligence has occurred if it was forseable which is defined as being so if the cost of the damage multiplied by the probability of the damage is greater than the cost of preventing it.

The last part, the cost of prevention is where the whole argument breaks down. Microsoft has two testers for every developer and developers are responsible for performing component level tests on the modules they produce. All told five sixths of all the software development resources go into testing. The same ratio is true for pretty much every major vendor.

When a vendor is spending billions on software testing it is pretty difficult to see how a claim for negligence is likely to succeed. The cost of prevention is much gtreater than the foreseable damages.

So if software vendors are to be made liable for bugs we are not talking about negligence, we are inventing some new type of tort with different rules. I don't think that is a good idea.

Before we start trying to transfer liability we need to look for technical measures that are cheap to implement but have a big effect on reducing vulnerability. Using a language like C# or Java that supports managed code and eliminates the possibility of buffer overuns rather than C or C++ for example. The trouble is that converting a program like Word or Sendmail to use managed code is itself a vast expense.

There are some measures that can be taken that do have low cost but deliver a high degree of protection, for example:

  • Software firewalls
  • Least privilege
  • Trustworthy hardware to prevent O/S compromise and protect cryptographic keys
  • Egress filtering of spoofed source address IP packets
  • Reverse firewalls to limit the value of an owned machine as a bot
  • Stripping out executable code from email attachments

The thing is that the software vendors are already implementing the first three measures as aggresively as can be expected. The last three measures are the ones we are not seeing progress on and those are in the power of ISPs rather than the software vendors.

No comments: