Just pay more...

by Anton Chuvakin

Related link: http://www.computerworld.com/printthis/2004/0,4814,96948,00.html

This is a pretty insightful piece from Bruce Schneier. It can be summarized as: "We're not paying to improve the security [...] We're paying to deal with the problem rather than to fix it."

Basically, the idea is that security will be much improved if vendors are liable for their software insecurities (unlike now). However, some say that it will break the open-source movement. Thoughts?


2004-10-30 01:07:54
Maybe not so bad...
I think it wouldn't be so bad if it's vendors, not developers, who are liable. There have been attempts to make people liable for things they give away, and that would be very damaging.

OTOH, it would make it difficult to resell open-source-based services, because you'd instantly take on all the liability without any ability to recoup losses from an upstream provider.

Lastly, the whole thing is hard to figure out. Many security problems cannot be fixed by the vendor; they are system problems and can only be fixed by system implementors. In other cases, security is blamed for other mysterious problems; more than once I've seen people blame hackers for problems that were simply bugs.