8/6/2014
07:48 PM

Dan Geer Touts Liability Policies For Software Vulnerabilities

Vendor beware. At Black Hat, Dan Geer suggests legislation to change product liability and abandonment rules for vulnerable and unsupported software.

BLACK HAT USA  -- Las Vegas -- Software vendors will probably not rejoice in some of the security policy proposals put forth by Dan Geer during his keynote Wednesday morning at the Black Hat USA conference in Las Vegas.

Some of Geer's suggestions -- all reasoned and responsibly sprinkled with caveats -- are for legal measures that would push much of the onus of security onto those who develop vulnerable software; particularly those about source code liability, "abandonment" of software code bases, and vulnerability discovery.

One trouble, Geer says, is that users have no legal recourse if shoddy coding exposes them to undue danger -- making it wholly unlike other product defects. He quoted the Code of Hammurabi, written over 3,700 years ago: "If a builder builds a house for someone, and does not construct it properly, and the house which he built falls in and kills its owner, then the builder shall be put to death."

"Today the relevant legal concept is 'product liability,'" said Geer, "and the fundamental formula is 'If you make money selling something, then you better do it well, or you will be held responsible for the trouble it causes.' For better or poorer, the only two products not covered by product liability today are religion and software, and software should not escape for much longer."

Geer suggests that software vendors be given two choices. They could allay liability by giving the user the option to say "no" to whatever software components they don't want to trust, allowing the user to disable those components. Or, said Geer, if the software vendors do not wish to provide such capability, then they must accept liability for damage done, just like manufacturers of cars or purveyors of hot coffee.

"The software houses will yell bloody murder the minute legislation like this is introduced," said Geer, "and any pundit and lobbyist they can afford will spew their dire predictions that 'This law will mean the end of computing as we know it!' To which our considered answer will be, 'Yes, please! That was exactly the idea.'"

There is also the matter of accelerating the discovery and disclosure of vulnerabilities. Geer says that the U.S. can capitalize on the fact that vulnerability discovery is now a real "job," not just a hobby, and get its hands on vulnerabilities by outspending the rest of the world.

"There is no doubt that the U.S. Government could openly corner the world vulnerability market," said Geer, "that is, we buy them all and we make them all public. Simply announce 'Show us a competing bid, and we'll give you [10 times more].' Sure, there are some who will say 'I hate Americans; I sell only to Ukrainians,' but because vulnerability finding is increasingly automation-assisted, the seller who won't sell to the Americans knows that his vulns can be rediscovered in due course by someone who will sell to the Americans who will tell everybody, thus his need to sell his product before it outdates is irresistible."

As for software that is no longer supported by the vendors, Geer suggested that code bases be subject to the same abandonment rules that apply to other possessions. If someone abandons their car, their children, their home, or other possessions, there are policies in place to transfer ownership to someone else. Geer proposes that, at the point a vendor decides it will no longer provide security updates, the code base should become open source -- in other words, ownership of the abandoned code passes to the public.

Geer presents this with the caveat that it is "the worst option, except for all others."

Geer also offered thoughts on policies regarding the right to strike back at attackers (not just defend against them), fallbacks and resiliency, the right to be forgotten, Internet voting, mandatory reporting of security incidents, Net neutrality, and the convergence of cyberspace and "meatspace." Those topics will be addressed in forthcoming posts on Dark Reading.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
Sara Peters,
User Rank: Author
8/12/2014 | 11:27:51 AM
Re: Secure coding
@Dr. T.  Thanks! Question for you. Do you think insecure applications are just due to a lack of time and budget? Or can we also blame a lack of training in secure coding or a lack of commitment from the people at the top of the organization?
aws0513,
User Rank: Ninja
8/11/2014 | 11:21:57 AM
The timing of this talking point could not be more... perfect?
On Thursday, Roger Capriotti posted in the IE blog that Microsoft's support policy for Internet Explorer will change.

Link: http://blogs.msdn.com/b/ie/archive/2014/08/07/stay-up-to-date-with-internet-explorer.aspx

Looks like Microsoft is reading the same tea leaves. The question is whether they will have the willpower to fight off pressure to provide security support for older IE versions.
macker490,
User Rank: Ninja
8/9/2014 | 8:14:52 AM
Re: good topic
Your first reply hit the nail on the head: "no one has enough time ... no one has the budget for ... security"

or for zero defects.

For zero defects you have to conduct all-branch testing rather than regression testing. This means: if you have time to write an instruction, you must make time to ensure that it executes properly.

It's a cost issue though -- as Schneier noted -- as long as there is no liability, software builders will find no business reason to attend to security. The consequence is pervasive hacking. At some point, from a business standpoint, controllers will take the stance that insecure software is unacceptable. This may only occur when there are viable alternatives. Without product liability law to change the cost balances, the tipping point is only found when it costs more to use software than to not use it. 1401 anyone?
Dr.T,
User Rank: Ninja
8/7/2014 | 9:34:52 PM
Re: good topic
I agree in general, although there is no such thing as zero-defects or error-free, based on my experience. No testing process catches everything it is supposed to catch.
Dr.T,
User Rank: Ninja
8/7/2014 | 9:31:21 PM
Secure coding
Good article, thanks for sharing it. Nobody generally writes applications to be insecure on purpose; it is just not having enough time to do proper vulnerability testing, or not having enough budget to cover security measures.
macker490,
User Rank: Ninja
8/7/2014 | 8:43:01 AM
good topic
Bruce Schneier has commented on this as well, noting that software builders will continue to gloss over security until it costs less to make the software secure than it does to minimize or skip work on security.

Phil Zimmermann noted in his original work on PGP that where the operating software is compromised there can be no meaningful discussion of PGP (or any other app-based security either).

Liability has to apply to those who have control -- each of us needs to look after the security in the code we control.

This has to start in the OS. The OS must be made such that it cannot be updated with unauthorized code, and this has to be the responsibility of the OS OEM.

Applications then do the same, but with the additional note that a zero-defects process has to be applied to incorporated software libraries. If I use a software library I am responsible for having checked the MD5, SHA-1, SHA-256, or PGP signature on the distribution before I install or use it.

Remember: zero defects is something you DO -- not something you get. Before I ship my code I will have to sign it, certifying that (a) I have checked the signature on incorporated libraries and (b) that I have not included anything malicious in my code. And I take responsibility for the above.

Audit processes -- SAP possibly -- could help me check my work.
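The "check the checksum on the distribution before you use it" step macker490 describes above, as an added example written for this page (it is not part of the thread and not anyone's project code): a small Python routine that parses a sha256sum-style manifest (the usual "<hex>  <filename>" layout, with the optional "*" binary-mode marker), recomputes SHA-256 over the downloaded bytes, and compares in constant time. The archive bytes and the manifest are constructed samples; the good digest is computed from the sample so it verifies, the second entry is a deliberately wrong digest standing in for a tampered download. Two caveats a practitioner would want: the routine refuses 32- and 40-character digests, because MD5 and SHA-1 are both collision-broken and an md5sum or sha1sum file has the same layout; and a checksum file only helps if it arrives over a channel the attacker cannot also replace, which in practice means a detached OpenPGP signature on the manifest (what `gpg --verify SHA256SUMS.asc` checks) or a pinned digest in your own build configuration. That signature check is not reimplemented here.

```python
import hashlib
import hmac
from typing import Dict

# Constructed sample: stands in for a downloaded library archive.
ARTIFACT = b"example-lib-1.0.0 archive contents (constructed sample)\n"

# Constructed SHA256SUMS-style manifest in sha256sum's "<hex>  <filename>" layout.
# The first digest is computed from ARTIFACT so the sample verifies; the second is
# a wrong digest standing in for a tampered download.
MANIFEST = (
    f"{hashlib.sha256(ARTIFACT).hexdigest()}  example-lib-1.0.0.tar.gz\n"
    f"{'00' * 32}  example-lib-1.0.0-tampered.tar.gz\n"
)

SHA256_HEX_LEN = 64  # MD5 digests are 32 hex chars and SHA-1 digests 40; both are rejected.
HEX_DIGITS = set("0123456789abcdef")


def sha256_hex(data: bytes) -> str:
    """Lowercase hex SHA-256 of `data`; the same value sha256sum would print."""
    return hashlib.sha256(data).hexdigest()


def parse_sums(text: str) -> Dict[str, str]:
    """Parse a sha256sum-format manifest into {filename: lowercase hex digest}.

    Raises ValueError for malformed lines and for any digest whose length is not
    SHA-256, so an md5sum or sha1sum manifest cannot be accepted by mistake.
    """
    entries: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<digest>  <filename>'")
        digest = parts[0].lower()
        name = parts[1].lstrip("*")  # sha256sum prefixes binary-mode entries with '*'
        if len(digest) != SHA256_HEX_LEN or not set(digest) <= HEX_DIGITS:
            raise ValueError(f"line {lineno}: not a SHA-256 hex digest")
        entries[name] = digest
    return entries


def is_sha256_manifest(text: str) -> bool:
    """True if every entry in the manifest parses as a SHA-256 digest."""
    try:
        parse_sums(text)
        return True
    except ValueError:
        return False


def verify_artifact(data: bytes, name: str, manifest: Dict[str, str]) -> bool:
    """Return True only if `name` is listed in the manifest and its digest matches `data`.

    An unlisted file fails closed rather than being treated as "nothing to check".
    hmac.compare_digest is used so the comparison time does not depend on how many
    leading characters of the digest happen to match.
    """
    expected = manifest.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


if __name__ == "__main__":
    sums = parse_sums(MANIFEST)
    print("good archive:    ", verify_artifact(ARTIFACT, "example-lib-1.0.0.tar.gz", sums))
    print("modified archive:", verify_artifact(ARTIFACT + b"\x00", "example-lib-1.0.0.tar.gz", sums))
    print("tampered entry:  ", verify_artifact(ARTIFACT, "example-lib-1.0.0-tampered.tar.gz", sums))
    print("unlisted file:   ", verify_artifact(ARTIFACT, "not-listed.tar.gz", sums))
```

Run it as a script and the first line prints True and the other three False. In a real pipeline the manifest text would be read from the file that shipped beside the archive, and only after its signature had been verified; the function signatures above take plain bytes and strings so the same check can be dropped into a fetch step without any network access.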