November 16, 2005

Time to sue Bruce?

Remember the other day when I was talking about why assigning liability for buggy code was a bad idea? Bruce had argued that we should sue companies for buggy software - which I argued was not a good idea, because smaller companies that make freeware tools (e.g. Counterpane) wouldn't release such a tool given the risk. Well, as if to prove my point, the folks over at Elcomsoft (remember them?) pointed out what is arguably a security flaw in PasswordSafe. I say "arguably" because it's a "how to make a dictionary attack viable" kind of flaw; Microsoft argued this wasn't a flaw per se when the same thing happened to them (with L0phtcrack), so maybe it's not a flaw here either.

If we all followed the "company liability" model, now would be the time to start getting our class action together against Counterpane; if we followed the "developer liability" model, I suppose we would need to sue Bruce himself. In my opinion, both are obviously foolish - nobody cares more about security than Bruce Schneier... Why sue him for someone else's creativity?

Posted by Ed at November 16, 2005 02:14 PM