Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <E1XcJF9-0007dc-DU@rmm6prod02.runbox.com>
Date: Thu, 09 Oct 2014 15:19:19 -0400 (EDT)
From: "David A. Wheeler" <dwheeler@...eeler.com>
To: "oss-security" <oss-security@...ts.openwall.com>
Subject: Re: Thoughts on Shellshock and beyond

On Thu, 9 Oct 2014 08:28:23 -0700, Tim <tim-security@...tinelchicken.org> wrote:
> Seriously though, I agree with you that some form of liability ought
> to be introduced in order to create the business incentive to change
> development practices.  However, the devil is in the details, and as
> Michal pointed out, you don't want to squash open source innovation.

I am more skeptical, because unless you get the details right for liability,
the cure is worse than the disease.  One problem is that there needs to
be broad agreement on "what is not acceptable and thus is okay to sue for".
Without that, liability is just a system for enriching lawyers.

This has been challenging to do in software; process standards typically fail to keep up,
and we don't know how to ensure that product standards are met ahead-of-time.

Those interested in software liability should read
"Cybersecurity as Realpolitik" by Dan Geer (Black Hat USA 2014) at
http://geer.tinho.net/geer.blackhat.6viii14.txt
https://www.youtube.com/watch?v=nT-TGvYOBpI
He proposes:
0. Consult criminal code to see if damage caused was due to intent
   or willfulness.
1. If you deliver your software with complete and buildable source
   code and a license that allows disabling any functionality or
   code the licensee decides, your liability is limited to a refund.
2. In any other case, you are liable for whatever damage your
   software causes when it is used normally.

I'm skeptical of this specific list, to be honest.  It's very difficult to
identify a liability scheme that would make sense.  On the other hand,
clearly the current system could stand improvement :-).

--- David A. Wheeler

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.