Related link: http://www.computerworld.com/printthis/2004/0,4814,96948,00.html
This is a pretty insightful piece from Bruce Schneier. It can be summarized as: “We’re not paying to improve the security […] We’re paying to deal with the problem rather than to fix it.”
Basically, the idea is that security will be much improved if vendors are liable for their software insecurities (unlike now). However, some say that it will break the open-source movement. Thoughts?
Contact Us | Advertise with Us | Privacy Policy | Press Center | Jobs
Weblog authors are solely responsible for the content and accuracy of their weblogs, including opinions they express,
and O’Reilly Media, Inc., disclaims any and all liability for that content, its accuracy, and opinions it may contain.
This work is licensed under a Creative Commons License.
For problems or assistance with this site, email help@oreillynet.com | (707) 827-7000 / (800) 998-9938
Maybe not so bad...
I think it wouldn't be so bad if it's vendors, not developers, who are liable. There have been attempts to make people liable for things they give away, and that would be very damaging.
OTOH, it would make it difficult to resell open-source-based services, because you'd instantly take on all the liability without any ability to recoup losses from an upstream provider.
Lastly, the whole thing is hard to figure out. Many security problems cannot be fixed by the vendor, they are system problems and can only be fixed by system implementors. In other cases, security is blamed for other mysterious problems; more than once I've seen people blame hackers for problems that were simply bugs.