On Wed, 2010-06-09 at 12:08 -0500, Joe Greco wrote:
> That's not going to happen (but I'll be happy to be proven wrong).
Oh, there are so many things that are "not going to happen", aren't there? And because of that we shouldn't even bother suggesting regulation as a solution to anything because "the big companies" won't let it happen?

It took a few decades, but eventually people figured out that tobacco killed people, and some of the biggest financial interests in the world ended up being legislated against. That process is not finished, the rearguard action is not played out, but the setup is not the cosy little "we'll do whatever we want and you can't stop us" that we had in the fifties. The Mafia in Italy seemed indomitable a few decades ago. It had the whole country (and large chunks of the US and other countries) in its grip, apparently unchallengeable. But the Mafia in Italy is now dying under the weight of courageous police and judges and a legal system that in spite of itself tries to do the will of the people. Little by little the changes were made, little by little the structures the Mafia depended upon were taken away. Including, most importantly, the belief amongst Italians that the Mafia was untouchable.

Your argument seems to be "if we do X, it won't work". This is true for almost any X, because our field, like many other specialist fields, is a kind of ecosystem. Many factors have reached a kind of equilibrium, and it's really hard to look at any one factor and say "fix that" without seeing how so many other factors would work against the change. Try thinking about what *could* happen rather than what *can't* happen.
> What legislator is going to vote for software liability reforms that will ruin major software companies? When their own staff and experts will be willing to state that outcome, in no uncertain terms?
Why do you assume these laws will ruin anyone? No one is seeking to destroy software companies, any more than the people who demanded accountability from auto manufacturers or pharmaceutical companies wanted to put them out of business. People want cars and medicine, and are prepared to pay for them. But if the car is defective or the medicine proves harmful, people want recourse in law. Same for software. When the company screws up, people should be able to take them to court and have a realistic chance of success if their grievance is real. It is that simple.

Yet when we read of yet another buffer overflow exploit in a Microsoft product we just sigh and update our virus checkers, because Microsoft has *zero* obligation in law to produce software that has no such flaws. There is no other product group I know of where a known *class* of defect would be permitted to continue to exist without very serious liability issues arising.
> What are the outcomes here? We pass such legislation, it doesn't magically fix things. It just means that companies like Adobe and Microsoft are suddenly on the hook for huge liabilities if they continue to sell their current products. Do we expect them to *stop* selling Windows, etc.?
You assume it all happens at once. You assume the change will be large. You assume there is no grace period. You assume a lot, then act as if it must be so.
> That's the problem, isn't it. If we were serious about it, we could approach the problem differently: rather than trying to tackle it from a marketplace point of view, perhaps we could instead tackle it from a regulatory point of view. Could we mandate that the next generation of browsers must have certain qualities? It's an interesting discussion, and in some way parallels the car safety examples I provided earlier.
Mandating specific qualities in that sense leads to legislation that is out of date before the ink is dry. No - you mandate only that products must be fit for their intended purpose, and you declare void any attempts to contract away this requirement. Just like with other products! And then you let the system and the market work out the rest.
> I certainly agree, but it isn't going to be wished away in a minute. To do so would effectively destroy some major technology companies.
You do a great line in straw men. Who said it would take a minute? Not I. Not anyone. People are just trying to point out that while it may be difficult, it's not impossible. We are also trying to point out the places where effective positive change could be made.
> in a way) That's one of the reasons I had predicted more appliance-like computers, and now they seem to be appearing in the form of app-running devices like the iPad. From a network operator's point of view, that's just great, because the chance of a user being able to do something bad to the device is greatly reduced.
There is no reduction in the chance that the manufacturer will screw up, making their product vulnerable to attack. But even if all iPads turn out to be totally crackable, Apple will still have no obligation at all to fix it. Appliance computers do not address the real problem, which is lack of accountability.
> Right, but rewriting the product liability laws to hold software vendors accountable, by proxying through the end user, is kind of a crazy solution, and one that would appear not to be workable. Was there another solution being framed that I missed?
No, it's not crazy. Regulation that empowers consumers is one of the fastest ways to better, safer products. Did you ever see a toy with a two-page shrink wrap contract making you the consumer absolutely liable for any fault the toy might have or any damage it might cause? No? What about kitchen appliances? The list of areas where consumer law has generated better, safer products is long. You say it "appears not to be workable" but have offered not a single argument as to why not.

Remember, by the way, that in the context of computing, I'm not suggesting consumer empowerment should be a one-way street. I'm saying that the consumer gets the power to demand that software and hardware be fit for purpose. In return, the consumer too must become accountable.
> That's nice. How much accountability should one have for having visited a web site that was broken into by Russian script kiddies, though? And we're not talking about driving a PC through a field of pedestrians, as someone else so colorfully put it. Who is going to "insure" me against the possibility that Russian script kiddies sent me a virus via Flash on some web site, and even now are trying to break into British intel via my computer, so one fine day the FBI comes a'knockin'? How do I even find out what happened, when I'm in jail for a year for "hacking the Brits"? That's got to be one hell of an insurance plan.
Once again you demand that everything be fixed in one fell swoop. How did visiting the web site cause me to get a virus? Did I download it? My bad. Did the browser have a vulnerability? Browser manufacturer's bad. Flash vulnerability? Adobe's bad. FBI - can they prove intent? Why are you so set against people having to face the consequences of their actions (or inactions)? What is so wrong with Adobe having to produce software that DOES NOT expose users to attack?
> So feel free to convince me of why Microsoft, Apple, Adobe, etc., are all going to just sit idly by while their EULA protections are legislated away.
Microsoft et al do not actually own your country. You do. I don't expect them to sit idly by. Like all corporate citizens, they will attempt to protect their own interests above all other considerations. But because they do not own the country, and because their position is ethically and practically untenable, they will ultimately fail.
> Go tell every webmaster who is hosting Flash on your network that it's now prohibited, as a security risk, due to the bulletin issued last week, and that any website hosting Flash on your network a week from now will be null routed. And then follow through.
Have you done that? If not, why not?
> It's great to say "end users should be responsible" and "end users need to be security-conscious."
Except that's NOT what I am saying. I am saying they need to be *accountable*. As do network operators, software vendors, hardware vendors and so on.
> However, are we, as network operators, willing to be equally responsible and security-conscious?
Dunno. As long as it's voluntary there will be little substantive change. Make network operators accountable, and the change will come.

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@biplane.com.au)                   +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/                  +61-428-957160 (mob)

GPG fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
Old fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF