[Dailydave] The monetization of information insecurity

Michal Zalewski lcamtuf at coredump.cx
Wed Sep 10 11:10:52 EDT 2014


> You want to know what would work? Holding software producers legally liable
> for their software bugs, because only if they have consequences for their
> actions will they ever start taking things seriously!

It's a fairly persistent argument, but there is also a range of
counterpoints. Perhaps most importantly, liability for damages puts
the open source community and small, emerging companies at a distinct
disadvantage, whereas large businesses would be likely to just factor
it in as a cost of doing business.

In that context, it may also be informative to look at the credit card
& banking industry; liability for fraudulent charges hasn't really
pushed them toward developing particularly safe payment technologies -
instead, the cost is just factored in and ultimately passed on to the
customer in the form of higher payment processing fees.

I abhor physical-world analogies, but if we're going down that path,
it's also worth noting that we seldom hold people accountable for not
doing absolutely everything within their power to stop abuse. The
builders of your home or the designers of your car are usually not on
the hook if somebody breaks in, even though they could have built more
of a fortress. The company that makes your cereal is not on the hook
if somebody poisons your food down the supply chain, even though they
could have used tamper-resistant packaging.

/mz