Schneier on Security

Shane • July 24, 2008 1:08 PM

Bruce, I think this is a terrible idea, and actually am quite surprised that you’ve brought it up so often. Not to mention the horridly irrelevant analogies you seem to be sticking to.

“If an automobile manufacturer has a problem with a car and issues a recall notice, it’s a rare occurrence and a big deal – and you can take you car in and get it fixed for free. […] The reason automobiles are so well designed is that manufacturers face liabilities if they screw up.”

This has nearly no connotation, as stated, with anything regarding software. It really doesn’t, and you should know this. First of all, many reasons cars are recalled, as well as many of these flaws that the companies are held liable for, directly cause bodily harm, or death, of one or more people in the vicinity of the car under certain circumstances. Find me one piece of software that was *directly responsible for the death of a user (directly). Secondly, I don’t see one car manufacturer being sued over the fact that someone was able to plant a car bomb and kill the driver, cut the brake lines, steal the stereo, et al. Do you? Doubtful, but I’m open. Why? Because while the car manufacturer could absolutely armor the living flack out of the automobile, to prevent all kinds of common acts of malice to it or its payload, it’s absolutely ludicrous in terms of expense, usability, and convenience. Not to mention statistical relevance… (ever had your brake lines cut? neither have I, although it’s definitely a real ‘security hole’).

“This sounds a lot like blaming the victim: “He should have known not to walk down that deserted street; it’s his own fault he was mugged.” Of course the victim could have – and quite possibly should have – taken further precautions, but the real blame lies elsewhere.”

Here, my first question is “Where does the blame lie?”. Well, if you said the mugger, you’re probably right, although being that mugging is generally a crime of opportunity, I’d say it’s about 70/30 in favor of the victim’s 30% here. Either way, another terrible analogy. How would this be prevented by holding someone liable? Obviously the software vendor isn’t the ‘mugger’ in this scenario, nor is the victim. So who is it? The government? The alley-way? So, do we sue the businesses on the street face for not keeping the ‘riff-raff’ out of the alley? Or do we sue the government for not preventing all possible crime? How about the wallet manufacturer for making such an easy-to-steal wallet? Any of the options are ludicrous and you don’t need a point by point to know why.

So why the terrible analogies?

Frankly, I think the answer is simply that there is no good analogy for this issue. It is a fresh field of human interaction that we are only just getting comfortable with, and likening its legislative governance to that of anything comtemporary or historical is not really suitable.

You cannot hold the world at fault for being a victim of a crime, unless the world allows the crime to happen unpunished, free of interference upon awareness of the act. You cannot hold the venue of a crime at fault, unless its owner(s) beared witness to the crime during its occurrence and failed to attempt to stop it, or alert the appropriate authorities. You cannot hold the manufacturer of the weapon used (be it a Grenade, Desert Eagle, or Bic™ fucking pen) unless the manufacturer sold the weapon in question directly to the malicious people knowing full-well their intent.

It takes three to dance to this music, and frankly I really don’t think the software vendors should be held responsible for all (or nearly any) forms of malicious actions performed with, on, or against their products.

I think what you propose is a very impatient, messy, and poorly thought out attempt at roping in a wild bull. The end of the next few generations will see a boom in overall end-user awareness, an increase in quality and security of software / networks, as well as increased competency of law enforcement and government agencies to track down and deal with more and more types of ‘cyber’ crime (or they damn well better, now, since we can’t browse anything without being stored in some DB in a bunker somewhere).

Increased transparency of software design, as well as community (and/or consumer) commentary and awareness, is what is needed here. Hold the software vendors liable in terms of competing with better, faster, more secure versions of what it offers (which, at this rate, will generally be the open source versions, free of charge minus the learning curve of some). And yes, we’ve all heard about your lovely grandmother not being able to keep up with the times. Bleeding hearts aside, you’re right of course, but they still have the power and choice to educate themselves, somehow, on the products they use to help secure them without much knowledge / hassle. I don’t know shit about how cars acheive better gas mileage from an engineering standpoint, but I sure can do a little footwork on which cars have historically (both from a manufacturer’s and driver’s perspective) acheived great gas mileage, and choose my purchase from there… no ‘inside knowledge’ required, other than an acronym (MPG). And I damn sure wouldn’t by a car without door locks… You know, to keep on with the terrible car analogy.

I think this country needs a real big effing wake up call if all of its problems need to be solved by allowing the ‘victims’ to sue ‘those at fault’. Because in the end of that model, the only real victims are the middle-to-lower class citizens who have to pay higher taxes (could they get any higher?), and pay through the asshole for products / services (esp. insurance, jesus FCK!) just to cover the costs of lawyers, legislation, increased vigilance and quality control, et al..

This is a criminal problem. Perhaps if they pulled their head out of the non-violent-drug-users’ asses, they’d figure a simpler way to lower the incentive for the criminals… which, has, historically, helped lower the rate of the crime in question altogether, but nothing will ever stop all cyber crime, or any other form of crime for that matter. In fact, I think cyber crime will prevail over most other forms in the end because it helps to dissociate the crime from the victim, since you’re not facing the victim, just the idea of the victim.

I know how to break in to some types of systems with some types of configurations, I know how to exploit poor programming in many bits of software, hell, I write it for a living, I ought to, like an architect knows the weak portions of his buildings, I also know how to rob a bank, kill someone, blackmail someone, et al..

Do I? No. Never. Honestly, and neither do most (if not all) of you. We all *know how to commit crime, what separates us from doing it is our consciences, our decisions, and our relatively hostile-free environments and comfort levels.

Do I believe that the government should be held responsible in some ways for disciplining and preventing malicious acts and intents? YES!! But that also goes hand in hand with not putting a dollar sign on everything, because dollar signs are generally the root of most, if not the vast oceanic majority of all malicious intent, and let’s face it kids, poverty is the number one fueling factor in most petty crimes… and this 99% / 1% economy isn’t helping to lower the poverty rates.

Do I believe that the government should be held financially *liable for crime that is committed?!? Hell no… how could society operate in such a way? If every time a criminal succeeded, the ‘good’ guys, or the justice system always got punished for it? They would wreck the streets, and the lives, of every citizen in this country until we were so under their control that nothing even remotely suspicious happened without 6 gubmt agents being en route to or on the scene, one way or another. Who is the criminal then?

This, to me, is a terrible idea… not to mention the inevitable outcome for (arguably) the most secure software out there (with many exceptions, obviously): open source. What then Bruce? How do we hold them liable?

It takes three to dance to this music, again, and the music shouldn’t be punished because it enticed one of the two dancers to get a little fresh with the other one, without permission. I will say that I agree that software needs to be more secure, obviously, and I will also grant that your idea would seriously increase the security of software products out there. However, your idea should be cast away for many of the same types of reasons that the 1st Amendment should never be compromised because of some asshole named Reverend Phelps, or Johnny Nazi using it to their twisted advantage. It’s much deeper than a security issue, or a financial issue, it’s about the rights of the citizens of this country, and the lessening of power / oversight granted to our government. I truly do think, that in many ways, this country needs to take more effing responsibility for their actions. Educating yourself about anything is always a good thing, being a victim because you’re an idiot is how we learn. If you burn your hand on the stove, you know it’s gonna get burned there. Either build a new stove that doesn’t burn hands, ask someone else to build it for you, or keep your fucking hand off of the stove. The stove company is not at fault, and it’s especially not at fault if someone breaks into the person’s home, cuts the gas line, and fills the room with gas awaiting for ignition. (You know, that ‘security flaw’ in most gas stoves that allow for explosions and death?) Seriously.

Now, if the software companies created security flaws with the direct intention of exploiting them themselves, or using a third party to gain from the exploitation, THEN they should be held liable. Burn em’ down. Anything other than that simply needs a warning label… or does it? Don’t tell me you’re all for someone suing the coffee vendor because they burned themselves on the hot coffee? Give me a break. No one ever needed a goddamn warning label to know that “hot things burn”, and according to your own statement:

“There’s no other industry where shoddy products are sold to a public that expects regular problems”

See? Right there… you said it yourself. The public ‘expects regular problems’. Just like I expect the stove to burn my hand if I touch it. Just like I expect hot effing coffee to burn me should I pour it on myself, or it gets jostled in such a way. As long as the manufacturer / vendor gives me a stove that doesn’t explode during normal operations (sans third party tampering), and a coffee cup that doesn’t have an intentionally placed hole in the bottom, or is known to disintegrate quickly in-hand, I’m TOTALLY fine with knowing the risks / limitations / pros / cons of the products I use, and choosing accordingly. I’m not suing Starbucks® cause some ass flipped the lid off of my cup and seared me with the contents… it’s not their fault that human interaction can create havoc, it’s kind of a given.

Give it up already. Let the lawyers go hungry for once.

I’ll just say this: using the Internet is not a friggin’ right. We’re a pretty privileged country, but everyone being able to drive a car, and ‘surf’ the internet is not a requirement. Life went on fine without either of those things. That being said, using a car has (a TON of risks), as does the using the internet, as does WALKING DOWN THE STREET. You make a clear choice to perform these actions knowing some of the risks, and experiencing real-world manifestions of others… you learn. You live, you learn, you adapt, you move on. If I sued a driver or the city every time some asshole cut me off, or rolled through a four-way stop, ran a red light, etc… nothing would ever get done, and no one would drive anywhere. Likewise, if I whined about every shady character I ran into on the street to the police, or the government, and sued them for not ‘cleaning it up out there’, the world would seriously just crumble into idiocy.

Take some responsibility for hell’s sake, trust the Market to create the rest, or if you think it’s so important, take a bite out of that American dream and do it your damn self. Pointing fingers and sueing when the only true fault lies in human nature, is simply idiotic, and incredibly daft. If you think Mrs. 90-something with no idea what is going on should be able to safely use an electronic world community without risk, or education, create some little Playskool ‘Grandma’s First Internet’ and market it as the most secure, sweet, cutesy, user-friendly, featureless crap tool there is and make a billion dollars. Don’t ask the government to force every software creator in the world who sells a product to assume all risks the user takes when launching out into the big scary world.

I still don’t see one product on the market that you can buy that says you are 100% immune from all malicious human intent when walking down the street (or surfing through the internet) while using it, and if they do, we all know it’s bullshit. You said it yourself. We know the world isn’t safe, we know the internet isn’t safe. We also ought to know where in each we can be relatively safe, and how best to balance that safety with our preferred level of convenience. The government has very little business whatsoever making those decisions or tradeoffs for us, and you know it… because you preach about it nearly every day. Punish the guilty, lower the incentive for crime, try to save the impoverished, all the while maintaining the privacy and freedoms essential to our lives.

Shane • July 24, 2008 2:57 PM

@SecureApps

“The next user finds my credit card information and bank account information and I’m wiped clean in 2 days before I can react. Shouldn’t the software manufacture be held liable to a degree for something?”

No. Why? Because just like I check that my door is in fact locked and secured to my taste before leaving the vehicle or house, after locking it, it falls on you to check that whatever software YOU purchased after research, performs what YOU want it to perform, before blindly trusting that it does so.

If it fails to do so on a number of occasions, the incentive will be there to make sure it doesn’t fail, lest they go out of business.

Do I believe that my lock will prevent all access to my home or vehicle? F#@$ no. If anyone REALLY wants to get into my house or car, they will find a way. What matters is my level of comfort regarding the ease of operation, convenience, and the statistical feeling of safety I have in the area in which I live, and the relative effort it would take to get in. If someone manages to get into my house, I’m going to blame the fates or myself, not the Master™ lock on my door which was supposed to ‘secure unauthorized entry by using a unique key’. And, to keep in tempo with your example, if it was later found that the lock itself was actually just a trick lock, that opened for anyone (going against it’s advertised security) then curse me twice for trusting what a corporation tells me to get me to buy their product.

Shit, if we believed every single corp. tagline as blindly as you’d have to had trust your disk-cleaning software to screw up like that, we’d have a lot more problems than trojans, ID theft, and password sniffers to worry about I’m afraid.

Wake up. You have a brain. Try to use it. Christ, this country has gotten so lazy that now, no one even wants to have to THINK anymore… just DO DO DO, or more like SIT SIT SIT, ZING ZING ZING, NOW NOW NOW, ME ME ME.

Wake up. Read something. Test things. Be skeptical. Question everything. And for hell’s sake stop pointing fingers and looking for a payday every time you get screwed. Even if some jack-a-muffin ‘wiped you clean’ in 2 days, you’ve still got it better than most of the world, due simply to geography.

So suck it up, and next time sell your computer to a kindergarten class or a trusted person instead of some shady guy named IcePick0666 on craigslist. Better yet, smash your hard drive and melt down the magnetic platters first, since you should know, as a user, that that is just about the only proven way to ‘clear your hard drive’.

There’s always a window to break, or a wall to smash, and there are too many ‘victims’ out there as it is, if you want someone to coddle you throughout your life, move into a retirement home. I, for one, don’t need the government hassling me, or escorting me in my daily life or online commerce for my ‘own good’.

Just take our current trampling of privacy and freedom due to the ‘liability’ which the public opinion has placed on our government for 9/11.

Sorry to say, bleeding hearts, that laziness and/or incompetency aside, the government is not responsible or liable for what happened on 9/11. Terrorists are. But we want some kind of guarantee from that very same, incompetent government that it won’t happen again (fucking laughable, we want a guarantee that religious zealots will not succeed in performing acts of violence, something that has gone on since the dawn of humanity)… so what happened? WHAT HAPPENED? We lost a shit-ton of privacy rights, went to a useless money-pit of a war, screwed our economy, lost citizen moral, trust in our president, trust in ‘foreigners’, and just reverted back into a modern-day mini-dark-ages, well on our way to police state funny farms… and have we even caught the terrorists behind the attack???? I don’t even have to answer that…

Real good. Liability. Blame. Seems to work… just blame the middle man, or the venue, and everything is right as rain.

Wake up.