… I am going to remind folks what a bad idea it is.
So, it came up. It’s a bad idea.
I think Mr. Schneier’s foray into psychology and security theater (which I would normally applaud) is taking its toll. His idea would certainly be great theater and be great for perception while it killed the software industry.
But is his argument correct in economic terms? Would such a thing put the onus on vendors to release cleaner code?
We have our own Linux distribution (Snaplinux) that features production-level code, cleaner than RH or Novell. It is maintained and tested single-handedly through automation. If we can do it, why can’t everyone else?
The whole economic question can be pointed at the industry as a whole, though, and is done by people like Marcus Ranum. Why is there so much emphasis on patching instead of finding ways to prevent threat enablement due to vulnerabilities?
@Rob -
Well, it’s correct to the extent that he says we will pay more, if that is what you mean. You will pay more for insurance, of course, or will be forced out of the market because nobody will buy uninsured products.
It is interesting to me that you suggest nobody else is doing what you are doing… because they are and your code isn’t as good as you think it is (unless it is a trivially simple program). Btw, who is out there trying to purposely write bad code?
This is the big problem with liability – we are never done and nobody can prove that anyone else is “better” or “worse” and so everyone pays, starting with the big guys and then trickling down to the little guys. Since the big guys can afford it, they weather the storm. You die along with all the other little guys. (By the way, you will also be forced out of any sort of integration attempts with other software.)