Vulnerabilities / Threats // Advanced Threats
8/6/2014
07:48 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Dan Geer Touts Liability Policies For Software Vulnerabilities

Vendor beware. At Black Hat, Dan Geer suggests legislation to change product liability and abandonment rules for vulnerable and unsupported software.

BLACK HAT USA  -- Las Vegas -- Software vendors will probably not rejoice in some of the security policy proposals put forth by Dan Geer during his keynote Wednesday morning at the Black Hat USA conference in Las Vegas.

Some of Geer's suggestions -- all reasoned and responsibly sprinkled with caveats -- are for legal measures that would push much of the onus of security onto those who develop vulnerable software; particularly those about source code liability, "abandonment" of software code bases, and vulnerability discovery.

One trouble, Geer says, is that users have no legal recourse if shoddy coding exposes them to undue danger -- making it wholly unlike other product defects. He quoted the Code of Hammurabi, written over 3,700 years ago: "If a builder builds a house for someone, and does not construct it properly, and the house which he built falls in and kills its owner, then the builder shall be put to death."

"Today the relevant legal concept is 'product liability,'" said Geer, "and the fundamental formula is 'If you make money selling something, then you better do it well, or you will be held responsible for the trouble it causes.' For better or poorer, the only two products not covered by product liability today are religion and software, and software should not escape for much longer."

Geer suggests that software vendors be given two choices. They could allay liability by giving the user the option to say "no" to whatever software components they don't want to trust, allowing the user to disable those components. Or, said Geer, if the software vendors do not wish to provide such capability, then they must accept liability for damage done, just like manufacturers of cars or purveyors of hot coffee.

"The software houses will yell bloody murder the minute legislation like this is introduced," said Geer, "and any pundit and lobbyist they can afford will spew their dire predictions that 'This law will mean the end of computing as we know it!' To which our considered answer will be, 'Yes, please! That was exactly the idea.'"

There is also the matter of accelerating the discovery and disclosure of vulnerabilities. Geer says that the U.S. can capitalize on the fact that vulnerability discovery is now a real "job," not just a hobby, and get their hands on vulnerabilities by outspending the rest of the world.

"There is no doubt that the U.S. Government could openly corner the world vulnerability market," said Geer, "that is, we buy them all and we make them all public. Simply announce 'Show us a competing bid, and we'll give you [10 times more].' Sure, there are some who will say 'I hate Americans; I sell only to Ukrainians,' but because vulnerability finding is increasingly automation-assisted, the seller who won't sell to the Americans knows that his vulns can be rediscovered in due course by someone who will sell to the Americans who will tell everybody, thus his need to sell his product before it outdates is irresistible."

As for software that is no longer supported by the vendors, Geer suggested that code bases be subject to the same abandonment rules that apply to other possessions. If someone abandons their car, their children, their home, or other possessions, there are policies in place to transfer ownership to someone else. Geer proposes that perhaps at the point that a vendor decides that it will no longer provide security updates, that the code base should become open-source -- in other words, passing ownership of the abandoned code over to the public.

Geer presents this with the caveat that it is "the worst option, except for all others."

Geer also issued thoughts about policies regarding the right to strike back at attackers (not just defend against them), fall backs and resiliency, the right to be forgotten, Internet voting, mandatory reporting of security incidents, Net neutrality, and the convergence of cyberspace and "meatspace." Those topics will be addressed in forthcoming posts on DarkReading.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
8/12/2014 | 11:27:51 AM
Re: Secure coding
@Dr. T.  Thanks! Question for you. Do you think insecure applications are just due to a lack of time and budget? Or can we also blame a lack of training in secure coding or a lack of commitment from the people at the top of the organization?
aws0513
50%
50%
aws0513,
User Rank: Ninja
8/11/2014 | 11:21:57 AM
The timing of this talking point could not be more... perfect?
On Thursday, Roger Capriotti posted in the IE blog that Microsoft support policy for Internet Explorer will change.

Link: http://blogs.msdn.com/b/ie/archive/2014/08/07/stay-up-to-date-with-internet-explorer.aspx

Looks like Microsoft is reading the same tea leaves.  The question is if they will have the willpower to fight off pressure to provide security support for older IE versions.
macker490
50%
50%
macker490,
User Rank: Ninja
8/9/2014 | 8:14:52 AM
Re: good topic
your first reply hit the nail on the head,,,,, "no one has enough time.... no one has the budget for.... security"

or for zero defects

for zero defects you have to conduct all-branch testing rather than regression testing.    this means: if you have time to write an instruction you must make time to insure that it executes properly

it's a cost issue though-- as Schneier noted -- as long as there is no liability software builders will find no business reasons to attend to security.    the consequence is pervasive hacking. at some point from a business standpoint controllers will take the stance that insecure software is unacceptable.   this may only occur when there are viable alternatives.   without product liability law to change the cost balances the tipping point is only found when it costs more to use software than to not use it.   1401 anyone?
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/7/2014 | 9:34:52 PM
Re: good topic
I agree in general, although there is no such things zero-defects or error-free based on my experience. No testing process catches everything they are supposed to catch.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/7/2014 | 9:31:21 PM
Secure coding
Good article, thanks for sharing it. Nobody generally writes applications to be not secure on purpose, it is just not having enough time to go proper vulnerability test or they do not have enough budget to cover security measures.
macker490
50%
50%
macker490,
User Rank: Ninja
8/7/2014 | 8:43:01 AM
good topic
Bruce Schneier has commented on this as well, noting that softare builders will continue to gloss over security until it costs less to make the software secure than it does to minimalize or skip work on security

Phil Zimmerman noted in his original work on PGP that where the operating software is compromised there can be no meaningful discussion of PGP -- (or any other app based security either)

liability has to apply to those who have control,-- each of us needs to look after the security in the code we control....

this has to start in the os.    the os must be made such that it cannot be updated with un-authorized code and this has to be the responsibility of the os oem

applications then do the same but with the additional note that a zero-defects process has to be applied to incorporated software libraries.   If I use a software library I am responsible for having checked the MD5, SHA-1, SHA-256, or PGP signature on the distribution before I install or use it.

remember: zero defects is something you DO -- not something you get.   before i ship my code I will have to sign it, certifying that (a) I have checked the signature on incorporated libraries and (b) that I have not inclued anything maliscious in my code.   and I take responsibility for the above.

audit processes -- SAP possibly -- could help me check my work.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5437
Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

CVE-2014-5438
Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

CVE-2014-7285
Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

CVE-2014-7880
Published: 2014-12-17
Multiple unspecified vulnerabilities in the POP implementation in HP OpenVMS TCP/IP 5.7 before ECO5 allow remote attackers to cause a denial of service via unspecified vectors.

CVE-2014-8133
Published: 2014-12-17
arch/x86/kernel/tls.c in the Thread Local Storage (TLS) implementation in the Linux kernel through 3.18.1 allows local users to bypass the espfix protection mechanism, and consequently makes it easier for local users to bypass the ASLR protection mechanism, via a crafted application that makes a set...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.