Dan Geer Touts Liability Policies For Software Vulnerabilities

Published: 22/11/2024   Category: security




Vendor beware. At Black Hat, Dan Geer suggests legislation to change product liability and abandonment rules for vulnerable and unsupported software.



BLACK HAT USA -- Las Vegas -- Software vendors will probably not rejoice in some of the security policy proposals put forth by Dan Geer during his keynote Wednesday morning at the Black Hat USA conference in Las Vegas.
Some of Geer's suggestions -- all reasoned and responsibly sprinkled with caveats -- are for legal measures that would push much of the onus of security onto those who develop vulnerable software, particularly those concerning source code liability, abandonment of software code bases, and vulnerability discovery.
One trouble, Geer says, is that users have no legal recourse if shoddy coding exposes them to undue danger -- making it wholly unlike other product defects. He quoted the Code of Hammurabi, written over 3,700 years ago: "If a builder builds a house for someone, and does not construct it properly, and the house which he built falls in and kills its owner, then the builder shall be put to death."
Today the relevant legal concept is product liability, said Geer, and the fundamental formula is "If you make money selling something, then you better do it well, or you will be held responsible for the trouble it causes." "For better or poorer, the only two products not covered by product liability today are religion and software, and software should not escape for much longer."
Geer suggests that software vendors be given two choices. They could allay liability by giving the user the option to say no to whatever software components they don't want to trust, allowing the user to disable those components. Or, said Geer, if the software vendors do not wish to provide such capability, then they must accept liability for damage done, just like manufacturers of cars or purveyors of hot coffee.
"The software houses will yell bloody murder the minute legislation like this is introduced," said Geer, "and any pundit and lobbyist they can afford will spew their dire predictions that 'This law will mean the end of computing as we know it!' To which our considered answer will be, 'Yes, please! That was exactly the idea.'"
There is also the matter of accelerating the discovery and disclosure of vulnerabilities. Geer says that the U.S. can capitalize on the fact that vulnerability discovery is now a real job, not just a hobby, and get its hands on vulnerabilities by outspending the rest of the world.
"There is no doubt that the U.S. Government could openly corner the world vulnerability market," said Geer, "that is, we buy them all and we make them all public. Simply announce 'Show us a competing bid, and we'll give you [10 times more].' Sure, there are some who will say 'I hate Americans; I sell only to Ukrainians,' but because vulnerability finding is increasingly automation-assisted, the seller who won't sell to the Americans knows that his vulns can be rediscovered in due course by someone who will sell to the Americans who will tell everybody, thus his need to sell his product before it outdates is irresistible."
As for software that is no longer supported by its vendor, Geer suggested that code bases be subject to the same abandonment rules that apply to other possessions. If someone abandons their car, their children, their home, or other possessions, there are policies in place to transfer ownership to someone else. Geer proposes that, at the point a vendor decides it will no longer provide security updates, the code base should become open source -- in other words, ownership of the abandoned code passes to the public.
Geer presents this with the caveat that it is "the worst option, except for all others."
Geer also offered thoughts on policies regarding the right to strike back at attackers (not just defend against them), fallbacks and resiliency, the right to be forgotten, Internet voting, mandatory reporting of security incidents, Net neutrality, and the convergence of cyberspace and meatspace. Those topics will be addressed in forthcoming posts on DarkReading.
