One of our more popular columns of late discussed the idea that authors of software should be found liable for actions performed by those who use it.
We're still waiting for the formation of a new government body to combat this menace (call it the SFT -- Bureau of Software, Firearms, and Tobacco); but until that glorious day, we have another bone for the tort bar to gnaw on:
Let's sue all the vendors of popular software packages simply because they're popular.
You may think this proposal is nowhere near as enticing as suing gun manufacturers or big tobacco, but hear us out first. Popular software is clearly dangerous, as demonstrated by the summary of statistics in the chart at right. These totals, taken from the Bugtraq Vulnerability Database (www.securityfocus.com/vdb/stats.html), indicate the total number of security vulnerabilities reported for each operating system for the years 1997 through 2000.
Just look at the numbers: 667 holes in popular operating systems and 11 in NetWare and Mac OS combined. Based on this, what CIO in his right mind wouldn't run his Web farm on NetWare or the Mac?
Here's where the windfall for the nation's lawyers comes in: If wildly popular software can be associated with a high risk of security breaches, then shouldn't vendors who sell popular software be held liable for the security problems they create? After all, these vendors put too many features in their products, making it too easy for the world's hackers to find security holes.
All these features contribute to the problem in another way, too: Anyone who finds a hole in such widely distributed code is surely going to end up in the headlines if they go public with the bug, because the bug affects everybody.
Statistics don't lie, so we really think software vendors should make a conscious effort to build rotten products with extremely limited functionality so that these types of security problems can finally be abolished. And if they don't, well, they should pay, by golly. Ahem. Do we get a small finders' fee for this?
We've no doubt that we've stirred up a lot of partisanship by this point (all in good fun, of course). But we hope there's a lesson in here somewhere. Does anyone really select technology based on security alone? How many variables go into decisions such as what operating system will support our business in the next millennium? Should the number of security holes found during unsystematic public research efforts weigh in the decision?
Despite the incomplete record Bugtraq's database provides, we think security should be part of the decision. Bugtraq is a wonderful open forum for discussing security vulnerabilities. But as with any open forum, random snippets of the various conversations on Bugtraq can lead to an incomplete picture of what is really happening in the world, and random snippets are exactly what the Bugtraq database contains. We're committed to the value of the open discussion of information security even if such discussion can be used to prop up obvious falsehoods.
How many of you would welcome a serious effort to track product-specific security vulnerabilities? Post to the mailing list at www.securemac.com or (seriously) send e-mail to email@example.com.
Stuart McClure is president and CTO and Joel Scambray is managing principal at security consultant Foundstone Inc. (www.foundstone.com).