Vulnerabilities / Threats // Advanced Threats
07:48 PM
Connect Directly

Dan Geer Touts Liability Policies For Software Vulnerabilities

Vendor beware. At Black Hat, Dan Geer suggests legislation to change product liability and abandonment rules for vulnerable and unsupported software.

BLACK HAT USA  -- Las Vegas -- Software vendors will probably not rejoice in some of the security policy proposals put forth by Dan Geer during his keynote Wednesday morning at the Black Hat USA conference in Las Vegas.

Some of Geer's suggestions -- all reasoned and responsibly sprinkled with caveats -- are for legal measures that would push much of the onus of security onto those who develop vulnerable software; particularly those about source code liability, "abandonment" of software code bases, and vulnerability discovery.

One trouble, Geer says, is that users have no legal recourse if shoddy coding exposes them to undue danger -- making it wholly unlike other product defects. He quoted the Code of Hammurabi, written over 3,700 years ago: "If a builder builds a house for someone, and does not construct it properly, and the house which he built falls in and kills its owner, then the builder shall be put to death."

"Today the relevant legal concept is 'product liability,'" said Geer, "and the fundamental formula is 'If you make money selling something, then you better do it well, or you will be held responsible for the trouble it causes.' For better or poorer, the only two products not covered by product liability today are religion and software, and software should not escape for much longer."

Geer suggests that software vendors be given two choices. They could allay liability by giving the user the option to say "no" to whatever software components they don't want to trust, allowing the user to disable those components. Or, said Geer, if the software vendors do not wish to provide such capability, then they must accept liability for damage done, just like manufacturers of cars or purveyors of hot coffee.

"The software houses will yell bloody murder the minute legislation like this is introduced," said Geer, "and any pundit and lobbyist they can afford will spew their dire predictions that 'This law will mean the end of computing as we know it!' To which our considered answer will be, 'Yes, please! That was exactly the idea.'"

There is also the matter of accelerating the discovery and disclosure of vulnerabilities. Geer says that the U.S. can capitalize on the fact that vulnerability discovery is now a real "job," not just a hobby, and get their hands on vulnerabilities by outspending the rest of the world.

"There is no doubt that the U.S. Government could openly corner the world vulnerability market," said Geer, "that is, we buy them all and we make them all public. Simply announce 'Show us a competing bid, and we'll give you [10 times more].' Sure, there are some who will say 'I hate Americans; I sell only to Ukrainians,' but because vulnerability finding is increasingly automation-assisted, the seller who won't sell to the Americans knows that his vulns can be rediscovered in due course by someone who will sell to the Americans who will tell everybody, thus his need to sell his product before it outdates is irresistible."

As for software that is no longer supported by the vendors, Geer suggested that code bases be subject to the same abandonment rules that apply to other possessions. If someone abandons their car, their children, their home, or other possessions, there are policies in place to transfer ownership to someone else. Geer proposes that perhaps at the point that a vendor decides that it will no longer provide security updates, that the code base should become open-source -- in other words, passing ownership of the abandoned code over to the public.

Geer presents this with the caveat that it is "the worst option, except for all others."

Geer also issued thoughts about policies regarding the right to strike back at attackers (not just defend against them), fall backs and resiliency, the right to be forgotten, Internet voting, mandatory reporting of security incidents, Net neutrality, and the convergence of cyberspace and "meatspace." Those topics will be addressed in forthcoming posts on DarkReading.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Sara Peters
Sara Peters,
User Rank: Author
8/12/2014 | 11:27:51 AM
Re: Secure coding
@Dr. T.  Thanks! Question for you. Do you think insecure applications are just due to a lack of time and budget? Or can we also blame a lack of training in secure coding or a lack of commitment from the people at the top of the organization?
User Rank: Ninja
8/11/2014 | 11:21:57 AM
The timing of this talking point could not be more... perfect?
On Thursday, Roger Capriotti posted in the IE blog that Microsoft support policy for Internet Explorer will change.


Looks like Microsoft is reading the same tea leaves.  The question is if they will have the willpower to fight off pressure to provide security support for older IE versions.
User Rank: Ninja
8/9/2014 | 8:14:52 AM
Re: good topic
your first reply hit the nail on the head,,,,, "no one has enough time.... no one has the budget for.... security"

or for zero defects

for zero defects you have to conduct all-branch testing rather than regression testing.    this means: if you have time to write an instruction you must make time to insure that it executes properly

it's a cost issue though-- as Schneier noted -- as long as there is no liability software builders will find no business reasons to attend to security.    the consequence is pervasive hacking. at some point from a business standpoint controllers will take the stance that insecure software is unacceptable.   this may only occur when there are viable alternatives.   without product liability law to change the cost balances the tipping point is only found when it costs more to use software than to not use it.   1401 anyone?
User Rank: Ninja
8/7/2014 | 9:34:52 PM
Re: good topic
I agree in general, although there is no such things zero-defects or error-free based on my experience. No testing process catches everything they are supposed to catch.
User Rank: Ninja
8/7/2014 | 9:31:21 PM
Secure coding
Good article, thanks for sharing it. Nobody generally writes applications to be not secure on purpose, it is just not having enough time to go proper vulnerability test or they do not have enough budget to cover security measures.
User Rank: Ninja
8/7/2014 | 8:43:01 AM
good topic
Bruce Schneier has commented on this as well, noting that softare builders will continue to gloss over security until it costs less to make the software secure than it does to minimalize or skip work on security

Phil Zimmerman noted in his original work on PGP that where the operating software is compromised there can be no meaningful discussion of PGP -- (or any other app based security either)

liability has to apply to those who have control,-- each of us needs to look after the security in the code we control....

this has to start in the os.    the os must be made such that it cannot be updated with un-authorized code and this has to be the responsibility of the os oem

applications then do the same but with the additional note that a zero-defects process has to be applied to incorporated software libraries.   If I use a software library I am responsible for having checked the MD5, SHA-1, SHA-256, or PGP signature on the distribution before I install or use it.

remember: zero defects is something you DO -- not something you get.   before i ship my code I will have to sign it, certifying that (a) I have checked the signature on incorporated libraries and (b) that I have not inclued anything maliscious in my code.   and I take responsibility for the above.

audit processes -- SAP possibly -- could help me check my work.
Register for Dark Reading Newsletters
White Papers
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.