Liability and Secure Software

iang over at Financial Cryptography has a thought-provoking discussion of liability (ht @alexhutton) and its corresponding risks. I think I added a comment (but can’t be sure) that said this:

Culture and consciousness are all a distraction and very malleable. What really matters at the end of the day is the relative number of vulns in the software.

Also, worth noting that “secure software” is a derivative goal of less risk – that is, fewer incidents. We often opt for the former in the face of the latter, which is counterproductive.

Liability is a horrible idea. Here are some reasons why:

  1. It’s unenforceable.
  2. It will destroy innovation.
  3. It will destroy open-source.
  4. It will create an Xbox Internet.
  5. It will double prices.
  6. It will force lock-in.
  7. And, finally — it won’t work.

Those come circa 2005 from my commentary here: To Sue is Human; To Err Denied


Software Liability = Our Worst Nightmare

The Death of Open Source and Xboxes for Everyone

Software Liability Redux

Who Should be Liable?