I feel like I’m taking crazy pills

Posted by in Analysis on Nov 3, 2005

Is it just me or does anyone else feel like we’re trapped in a skit from “Mondo Bizarro”? Everyone is in a hubbub about who to sue for software bugs: Howard Schmidt says sue the developers, Bruce Schneier says sue the vendors, and Pete Lindstrom says not to sue anybody, but to send vulnerability researchers to jail. It’s a veritable “who’s who” of information security, and they’re all saying the answer to software security is in the courtroom.

I, for one, wholeheartedly object to the trend. As a former developer, and a former vulnerability researcher, I can’t even believe we’re discussing the matter.

First and foremost, let’s get prison terms and chain-gangs off the table. Now, to be fair to Pete, he says in his blog that he was kidding about actually making bug research a crime, but the part about it being good-natured tomfoolery was in his blog – not in the published article. Some folks might read the article and not know that he was kidding – they might seriously consider his recommendation that bug research be “off limits”. And why not? Isn’t telling people about breaking copy protection illegal nowadays? Why not telling people how to “circumvent protection mechanisms” in software?

As to who to sue, clearly it’s not (as Howard Schmidt argues) the developers. I can honestly say that I would never have written a lick of software if I knew that I could be held personally liable for bugs. After all, none of the developers I’ve ever met get to control their own schedule – they are told the deadline they have to meet (which is always too short) and they have to choose what corners to cut to make the timeframe happen. Not to mention the fact that no matter how careful you are, some bugs always happen. I don’t think I know anybody who would write software – or scripts, or batch files, or web pages, or Flash, or Word documents with macros in them, or anything else that could potentially be considered “code” – if a bug means they (and not the company) would be held liable. Oh, and don’t forget microcode – so no fancy new video card for you. I don’t think anyone would be left in the business to turn it into anything more than a lump of silicon and plastic – between microcode, ASICs, and drivers – there’s just too much software (shudder) to take the risk.

I also don’t think that we want to go with the Bruce approach. We already have a model for how this would go down – malpractice (and malpractice insurance) in the medical industry (which, may I remind you, isn’t working so well nowadays). Of all the proposals, his is the most innocuous – at least if companies are liable, some people would still be around to write some software. Although, they would all be working for companies that could afford the “bug insurance” – like Microsoft, Oracle and Sun. Smaller companies would likely find that the costs were too high. Forget small companies giving away free software – companies that give away free tools like Counterpane’s PasswordSafe or Tenable’s Nessus would likely not take out an expensive liability policy when there’s no commercial upside other than marketing.

I don’t want to live in that world.
