Liability for Software Vulnerabilities Richard Warner Chicago-Kent College of Law [email_address]
My Conclusions <ul><li>Flaws in software (“vulnerabilities”) facilitate unauthorized access to computers and networks. </li></ul><ul><li>The law’s ability to decrease vulnerabilities in software is limited. </li></ul><ul><li>We have to rely on market solutions. </li></ul>
Vulnerability Defined <ul><li>A vulnerability is a feature one can exploit to gain unauthorized access. </li></ul><ul><li>Organization for Internet Safety: “A security vulnerability is a flaw within a software system that can cause it to work contrary to its documented design and could be exploited to cause the system to violate its documented security policy.” </li></ul><ul><ul><ul><li>www.osisafety.org </li></ul></ul></ul>
The Difficulty of Defense <ul><li>If the software has 100 vulnerabilities, you need to find all, or at least most, of them to be secure against unauthorized access. </li></ul><ul><li>The hacker just needs to find one that you have not yet found. </li></ul><ul><li>In the race with the hacker, the hacker will almost certainly win. </li></ul>
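The asymmetry on this slide can be put in numbers. The following is an added illustrative model, not part of the original slides: it assumes the software has n vulnerabilities, that the defender finds each one independently with probability p_def, that the attacker finds each one independently with probability p_att, and that the attacker succeeds if any vulnerability is found by the attacker but missed by the defender. The function names and the parameter values are assumptions introduced for the example.

```python
"""Added illustrative model of the attacker/defender asymmetry (not from the
slides). Assumptions: n independent vulnerabilities; the defender finds each
with probability p_def; the attacker finds each with probability p_att; the
attacker succeeds if at least one vulnerability is found by the attacker and
missed by the defender."""
import random


def p_attacker_wins(n: int, p_def: float, p_att: float) -> float:
    """Closed form. A single vulnerability is missed by the defender and found
    by the attacker with probability (1 - p_def) * p_att; the attacker fails
    only if that happens for none of the n vulnerabilities."""
    per_vuln = (1.0 - p_def) * p_att
    return 1.0 - (1.0 - per_vuln) ** n


def simulate_attacker_wins(n: int, p_def: float, p_att: float,
                           trials: int = 20000, seed: int = 1) -> float:
    """Monte Carlo estimate of the same probability, as a check on the
    closed form. Each trial draws, per vulnerability, whether the defender
    found it and whether the attacker found it."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        for _ in range(n):
            defender_found = rng.random() < p_def
            attacker_found = rng.random() < p_att
            if attacker_found and not defender_found:
                wins += 1
                break
    return wins / trials


def defender_coverage_needed(n: int, p_att: float, max_win_prob: float) -> float:
    """Smallest p_def that keeps the attacker's win probability at or below
    max_win_prob. Solves (1 - (1 - p_def) * p_att) ** n >= 1 - max_win_prob
    for p_def."""
    missed_and_found = 1.0 - (1.0 - max_win_prob) ** (1.0 / n)
    return max(0.0, 1.0 - missed_and_found / p_att)


if __name__ == "__main__":
    # 100 vulnerabilities, defender finds 90% of them, attacker finds 50%:
    print(f"{p_attacker_wins(100, 0.9, 0.5):.3f}")          # about 0.994
    print(f"{simulate_attacker_wins(100, 0.9, 0.5):.3f}")
    # Coverage the defender needs to hold the attacker to a 5% chance:
    print(f"{defender_coverage_needed(100, 0.5, 0.05):.4f}")  # about 0.9990
```

With 100 vulnerabilities, a defender who finds 90% of them and an attacker who finds only half still leaves the attacker a better than 99% chance of success; to hold the attacker to 5% the defender has to find about 99.9% of them. "Most" is not enough, which is the slide's point.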
A Snapshot of the Problem <ul><li>2006 IBM Internet Security Systems report. </li></ul><ul><ul><li>Detected vulnerabilities increased 39% in 2006. </li></ul></ul><ul><ul><ul><li>Because of better detection tools. </li></ul></ul></ul><ul><ul><ul><li>The top 10: Microsoft, Oracle, Apple, Mozilla, IBM, Linux Kernel Organization, Sun, Cisco, HP, Adobe Systems. </li></ul></ul></ul><ul><li>SANS Institute 2006 list of the top 20 security attack targets. </li></ul><ul><ul><ul><li>http://www.sans.org/top20 </li></ul></ul></ul>
Operating Systems <ul><li>Internet Explorer </li></ul><ul><li>Windows Libraries </li></ul><ul><li>Microsoft Office </li></ul><ul><li>Windows Services </li></ul><ul><li>Windows Configuration Weaknesses </li></ul><ul><li>Mac OS X </li></ul><ul><li>UNIX Configuration Weaknesses </li></ul>
Cross-Platform Applications <ul><li>Web Applications </li></ul><ul><li>Database Software </li></ul><ul><li>P2P File Sharing Applications </li></ul><ul><li>Instant Messaging </li></ul><ul><li>Media Players </li></ul><ul><li>DNS Servers </li></ul><ul><li>Backup Software </li></ul><ul><li>Security, Enterprise, and Directory Management Servers </li></ul>
Network Devices <ul><li>VoIP Servers and Phones </li></ul><ul><li>Network and Other Devices: Common Configuration Weaknesses </li></ul>
The Question <ul><li>Why is software so buggy? </li></ul><ul><li>There are at least six reasons that apply to all software. </li></ul><ul><li>In addition, there are special concerns about </li></ul><ul><ul><li>Operating systems </li></ul></ul><ul><ul><li>Applications </li></ul></ul><ul><ul><li>Security software </li></ul></ul>
1. Complexity <ul><li>It is impossible to write complex software without creating vulnerabilities. </li></ul><ul><ul><li>Compare: </li></ul></ul><ul><ul><ul><li>Prescription drugs. </li></ul></ul></ul><ul><ul><ul><ul><li>It is often impossible to achieve therapeutic effects without the risk of undesirable side effects. </li></ul></ul></ul></ul><ul><ul><ul><li>Inherently dangerous but useful activities, such as the use of explosives. </li></ul></ul></ul>
2. Lack of Skill <ul><li>As in any other profession, programmers differ in skill. </li></ul><ul><li>A grandmaster chess player may easily find a vulnerability in a defense that a master overlooks. </li></ul><ul><li>Demand for programmers means that many unskilled programmers still get jobs. </li></ul>
3. Group Programming <ul><li>Complex software cannot be built by a single person. It is programmed by a group. </li></ul><ul><li>The programming process suffers from the communication and coordination problems inherent in groups. </li></ul>
4. Programming Languages <ul><li>Some programming languages are more secure than others. That is, in some languages it is easier than in others to make mistakes that create vulnerabilities. </li></ul>
5. Discrete Versus Continuous <ul><li>Bridge building: an engineer discovers that the value of an important variable differs by a small amount ε from the correct value. </li></ul><ul><ul><ul><li>Typically, a small error in one value produces only small errors in other values. </li></ul></ul></ul><ul><ul><ul><li>The resulting error will be δ(ε), where δ is some well-behaved function that is small when ε is small. </li></ul></ul></ul><ul><li>Software </li></ul><ul><ul><ul><li>A small error can produce catastrophic results. </li></ul></ul></ul><ul><ul><ul><li>Errors, and their correction, are discrete: a “0” replaces a “1” or vice versa, and there is no notion of being “close” to correct. </li></ul></ul></ul>
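The contrast can be shown directly in code. The example below is added here and is not from the slides: it compares a smooth function (standing in for the bridge engineer's continuous quantity, where an input perturbation ε produces an output error of order ε) with a digital computation, using SHA-256 as the stand-in, where flipping a single input bit changes roughly half of the 256 output bits. The sample input and the function names are constructed for the example.

```python
"""Added example (not from the slides): continuous versus discrete error
propagation. A smooth function passes a small input error through as a small
output error; a digital computation (SHA-256 here, as a stand-in) turns a
one-bit input change into a completely different output."""
import hashlib
import math


def smooth_example(x: float) -> float:
    """A smooth, bridge-like quantity: sqrt(1 + x^2), derivative x / sqrt(1 + x^2)."""
    return math.sqrt(1.0 + x * x)


def continuous_error(f, x: float, eps: float) -> float:
    """Output error |f(x + eps) - f(x)| for a smooth function f. For small eps
    this is about |f'(x)| * eps: the engineer's delta(epsilon)."""
    return abs(f(x + eps) - f(x))


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Copy of data with one bit flipped; bit 0 is the least significant bit
    of byte 0."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length byte strings differ."""
    assert len(a) == len(b)
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def hash_bits_changed(data: bytes, bit_index: int) -> int:
    """How many of SHA-256's 256 output bits change when one input bit flips.
    For a good hash the answer is close to 128 whichever bit is flipped."""
    before = hashlib.sha256(data).digest()
    after = hashlib.sha256(flip_bit(data, bit_index)).digest()
    return hamming_distance(before, after)


if __name__ == "__main__":
    # Continuous: the output error shrinks with the perturbation.
    for eps in (1e-2, 1e-4, 1e-6):
        err = continuous_error(smooth_example, 1.0, eps)
        print(f"eps={eps:g}  output error={err:.2e}")
    # Discrete: one input bit changes, about half the output bits change.
    sample = b"constructed sample input for the example"   # 40 bytes = 320 bits
    for bit in (0, 77, 200):
        print(f"flip input bit {bit}: {hash_bits_changed(sample, bit)} of 256 output bits change")
```

The continuous side halves its output error every time the input error halves; the discrete side has no "small" change at all, which is why a single wrong bit in a bounds check or a permission flag can be as damaging as a gross design error.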
6. Market Pressures <ul><li>Network effects </li></ul><ul><ul><li>It is critical to be first to market where network effects are strong, as in software. </li></ul></ul><ul><li>Buyers’ insistence on usability </li></ul><ul><ul><li>Buyers insist on usability. </li></ul></ul><ul><ul><li>Security often reduces usability, but </li></ul></ul><ul><ul><li>buyers (irrationally?) undervalue security. </li></ul></ul><ul><ul><ul><li>It is difficult for buyers to evaluate security features. </li></ul></ul></ul>
Operating Systems <ul><li>Operating systems raise special concerns because of the lack of competition. </li></ul><ul><ul><li>Compare the Windows family to Unix (Linux and Mac OS X). </li></ul></ul><ul><ul><li>Microsoft’s dominant position allows it to persist in marketing an insecure operating system along with other insecure bundled products. </li></ul></ul>
Applications <ul><li>Applications raise special issues when they are deployed on Internet-accessible systems. </li></ul><ul><li>Software that seems secure when tested in a stand-alone environment may contain or create vulnerabilities in the environment in which it is actually used. </li></ul><ul><li>It can be extraordinarily difficult to predict what software will do when it is embedded in a complex network. </li></ul><ul><ul><li>The following diagram (a very small part of one corporate network) illustrates the degree of complexity involved. </li></ul></ul>
Applications: Legacy Systems <ul><li>Old systems can be difficult or expensive to update. </li></ul><ul><li>Many systems run outdated, insecure software, as Ross Anderson notes. </li></ul>
Applications: Inadequate Documentation <ul><li>Most products do not clearly document </li></ul><ul><ul><li>their out-of-the-box security configuration, </li></ul></ul><ul><ul><li>security assumptions, </li></ul></ul><ul><ul><li>security capabilities, or </li></ul></ul><ul><ul><li>recommended practices. </li></ul></ul><ul><li>The tech support issue: </li></ul><ul><ul><li>“Vendors are naturally inclined to hold out until users pay for support and to provide minimal documentation so as to increase the number of paid support calls. Vendors claim that they have to pay their support costs, but making effective user interfaces and completely documenting software can nearly eliminate support calls.” </li></ul></ul><ul><ul><ul><ul><li>Strebe and Perkins, Network Address Translation </li></ul></ul></ul></ul><ul><ul><ul><li>There are price discrimination efficiencies from this approach. </li></ul></ul></ul>
Security Software: Lemons Market <ul><li>In a lemons market, bad drives out good. </li></ul><ul><ul><li>Consumers cannot, before purchase, tell the difference between a good product and a lemon; so </li></ul></ul><ul><ul><li>the price drops (the expected value of the purchase is reduced by the expected value of getting a lemon); and </li></ul></ul><ul><ul><li>good products disappear from the market. </li></ul></ul><ul><li>Bruce Schneier claims this happens in the computer security market. </li></ul><ul><ul><li>You may not be aware of failures in your security. </li></ul></ul>
What Costs Do Vulnerabilities Impose? <ul><li>There are no reliable estimates of the total loss, although there is a lot of guesswork. </li></ul><ul><li>The guesswork puts the losses in the several billions. </li></ul><ul><li>Some statistics follow from the 2005 FBI Computer Crime Report. </li></ul><ul><ul><li>Compiled by surveying businesses with a yearly revenue of $1,000,000 or over. </li></ul></ul><ul><ul><li>Losses discussed are losses to the business, not to third parties. </li></ul></ul>
Business’s Losses Per Intrusion (2005 FBI Computer Crime Report)
Losses In Order of Magnitude (2005 FBI Computer Crime Report) <ul><li>Viruses, worms, Trojans </li></ul><ul><li>Spyware </li></ul><ul><li>Port scans </li></ul><ul><li>Sabotage of data </li></ul><ul><li>Laptop/PDA theft </li></ul><ul><li>Insider abuse </li></ul><ul><li>Denial of service attack </li></ul><ul><li>Network intrusion </li></ul><ul><li>Financial fraud </li></ul>
Assumption <ul><li>The current level of software vulnerabilities is inefficient. </li></ul><ul><ul><li>Inefficient in the sense that, if software manufacturers invested more in preventing vulnerabilities than they currently do, we (all of us affected by software vulnerabilities) would save more than the total they spent. </li></ul></ul><ul><ul><li>Software would cost more and be less usable, but those costs would be more than offset by the savings. </li></ul></ul>
Possible Solutions <ul><li>Legal </li></ul><ul><ul><li>FDA-like approval </li></ul></ul><ul><ul><li>Negligence </li></ul></ul><ul><ul><li>Products liability </li></ul></ul><ul><ul><li>Certification of manufacturers </li></ul></ul><ul><ul><li>Licensing of software engineers </li></ul></ul><ul><li>Market </li></ul><ul><ul><li>Open source software </li></ul></ul><ul><ul><li>Market for software vulnerability disclosure </li></ul></ul><ul><ul><li>Prediction markets </li></ul></ul>
A Point To Remember <ul><li>Innovation is critical. </li></ul><ul><li>It drives economic development. </li></ul><ul><li>It drives it most effectively when considerable flexibility is allowed in business models, research, and design. </li></ul><ul><li>A question to bear in mind: which of the approaches to software vulnerabilities allows the most flexibility? </li></ul>
An FDA-Like System? <ul><li>Software is similar to prescription drugs in that both are essential and both have unavoidable “side effects.” </li></ul><ul><li>We regulate drugs through a complex system of FDA approvals, licensing requirements, and legal liability. </li></ul><ul><li>FDA-like approval will not work for software. The approval process is very slow, and we need to develop software much more quickly than it would allow. </li></ul>
An Initial Hurdle to Tort Liability <ul><li>The economic loss rule: without a physical impact, there is no tort recovery for purely economic loss. </li></ul><ul><li>Rationale: to limit losses to a bearable amount. </li></ul>
Tort <ul><li>(Diagram: tort liability plotted against “Extent of physical impact” and “Economic impact”.) </li></ul>
Drop the Economic Loss Rule? <ul><li>To apply tort liability to software, we would have to drop the economic loss rule in those cases. </li></ul><ul><li>Would the resulting liability be excessive? </li></ul>
Negligence <ul><li>Standard of reasonableness </li></ul><ul><ul><li>Industry norms </li></ul></ul><ul><ul><li>A spectrum: reasonable / unclear / unreasonable </li></ul></ul><ul><ul><li>Efficiency </li></ul></ul>
Negligence <ul><li>Unclarity in the standard could </li></ul><ul><ul><li>fail to deal adequately with market pressures, </li></ul></ul><ul><ul><li>inhibit innovation, </li></ul></ul><ul><ul><li>be too lenient in regard to legacy systems, or </li></ul></ul><ul><ul><li>inhibit price discrimination in selling tech support. </li></ul></ul><ul><li>Causation problems </li></ul><ul><ul><li>“It wasn’t my software; it was your implementation.” </li></ul></ul>
Products Liability <ul><li>The manufacturer is liable for the foreseeable damage caused by a defect in a product. </li></ul><ul><ul><li>No requirement of negligence. </li></ul></ul><ul><li>A defect is a tendency to cause physical harm beyond that </li></ul><ul><ul><li>contemplated by an ordinary user </li></ul></ul><ul><ul><li>whose knowledge of the product’s characteristics consists of what is </li></ul></ul><ul><ul><li>commonly known by foreseeable users of the product. </li></ul></ul>
Problems <ul><li>Small losses for any one plaintiff. </li></ul><ul><li>Slowness of the process to bring about change. </li></ul><ul><li>Difficulties in defining what counts as defective. </li></ul><ul><li>Unclarity could </li></ul><ul><ul><li>fail to deal adequately with market pressures, </li></ul></ul><ul><ul><li>inhibit innovation, </li></ul></ul><ul><ul><li>be too lenient in regard to legacy systems, or </li></ul></ul><ul><ul><li>inhibit price discrimination in selling tech support. </li></ul></ul><ul><li>Causation problems </li></ul><ul><ul><li>“It wasn’t my software; it was your implementation.” </li></ul></ul>
Certification As A Solution <ul><li>The National Security Telecommunications Advisory Committee, Internet Security/Architecture Task Force Report calls for certification. </li></ul><ul><li>Create by statute an organization that </li></ul><ul><ul><li>promulgates manufacturing standards and certifies that manufacturers follow them, where </li></ul></ul><ul><ul><li>violators are fined (liability for actual or foreseeable damage would be excessive). </li></ul></ul>
Is Certification Feasible? <ul><li>Problem: the software industry changes so fast that substantive standards are difficult to formulate. </li></ul><ul><li>Solution: require security testing and documentation of security features and risks. </li></ul><ul><li>Problem: what counts as adequate security testing and documentation? </li></ul><ul><li>Overall: certification lacks a convincing record of success. </li></ul>
Licensing Requirements <ul><li>We license many professionals. </li></ul><ul><li>Why not network administrators? And, perhaps, programmers? </li></ul><ul><li>Licensing requirements impose professional duties that constrain the exercise of professional judgment. </li></ul>
Assessment of Negligence and Products Liability <ul><li>Negligence and products liability may work in “egregious” cases: </li></ul><ul><ul><ul><li>Lack of reasonableness, or existence of a defect, is clear. </li></ul></ul></ul><ul><ul><ul><ul><li>AOL 5.0 and Sony. </li></ul></ul></ul></ul><ul><ul><ul><li>Causation is clear. </li></ul></ul></ul><ul><ul><ul><li>Monetary loss to others is foreseeable, and a reasonable person who was aware of the risk would take steps to avoid imposing that loss on others. </li></ul></ul></ul><ul><ul><ul><ul><li>Creates an exception to the economic loss rule. </li></ul></ul></ul></ul><ul><li>Generally, however, these approaches will be ineffective. </li></ul>
Assessment of Certification and Licensing <ul><li>Evidence from other areas suggests that these approaches have limited value. </li></ul><ul><ul><li>Ross Anderson on the Common Criteria. </li></ul></ul><ul><li>We may want to pursue these options, but we cannot rely on them as a complete solution. </li></ul>
Market Solutions <ul><li>A market solution relies primarily on monetary, non-legal incentives to achieve a desired result. </li></ul><ul><li>There are three market solutions. </li></ul>
Open Source Software <ul><li>Software is “open source” if its source code is publicly available. </li></ul><ul><li>Open source software may be the product of many programmers, scattered all over the world, who contribute to the source code. </li></ul><ul><li>Open source software has advantages. </li></ul><ul><ul><li>Fewer defects </li></ul></ul><ul><ul><li>No proprietary problems </li></ul></ul><ul><li>Legal issues: </li></ul><ul><ul><li>Liability for intellectual property violations </li></ul></ul><ul><ul><ul><li>SCO Group v. IBM </li></ul></ul></ul>
Open Source Economics <ul><li>Open source software works best when it is </li></ul><ul><ul><li>based on non-proprietary techniques, </li></ul></ul><ul><ul><li>sensitive to failure, </li></ul></ul><ul><ul><li>such that verification requires peer review, </li></ul></ul><ul><ul><li>sufficiently important (business critical) that people will cooperate to find bugs, and </li></ul></ul><ul><ul><li>subject to network effects. </li></ul></ul><ul><ul><ul><ul><li>Eric Raymond, The Magic Cauldron </li></ul></ul></ul></ul><ul><ul><ul><li>Security has all the above features (Anderson). </li></ul></ul></ul><ul><li>Many software vendors pursue an anti-interoperability strategy incompatible with open source software. </li></ul>
Vulnerability Disclosure Markets <ul><li>A vulnerability disclosure market provides a mechanism for those who discover vulnerabilities to communicate them to software manufacturers/vendors. </li></ul><ul><li>There are four possibilities. </li></ul>
Market Based <ul><li>A business (like iDefense) pays for information about the existence of vulnerabilities and communicates this information to its clients. </li></ul><ul><ul><li>Markets are generally very successful in aggregating dispersed information. </li></ul></ul><ul><ul><ul><li>They are accurate and efficient. </li></ul></ul></ul><ul><ul><ul><li>Unless precautions are taken, clients could be hackers. This is also true of all the following mechanisms. </li></ul></ul></ul>
iDefense Vulnerability Challenge <ul><li>“This challenge sets the bar quite high, focusing on core Internet technologies likely to be in use in corporate enterprises. Because of this, we are merging Q2 and Q3 challenges into one, effectively extending the research time. The following technologies are the focus of this challenge:” </li></ul><ul><ul><ul><ul><li>Apache httpd </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Berkeley Internet Name Domain (BIND) daemon </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Sendmail SMTP daemon </li></ul></ul></ul></ul><ul><ul><ul><ul><li>OpenSSH sshd </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Microsoft Internet Information (IIS) Server </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Microsoft Exchange Server </li></ul></ul></ul></ul><ul><li>iDefense will pay $16,000 for each submitted vulnerability that demonstrates the execution of arbitrary code. </li></ul>
CERT-type Organizations <ul><li>No money is paid to those who discover vulnerabilities. </li></ul><ul><li>No money is charged for the disclosure of the vulnerability. </li></ul><ul><ul><li>One would expect this not to perform as well as a market mechanism. </li></ul></ul><ul><ul><li>Kannan, Telang, and Xu, Economic Analysis of the Market for Software Vulnerability Disclosure, contend that CERT-type organizations sometimes outperform market mechanisms, but they assume that relevant information is costlessly available. This ignores precisely what markets excel at. </li></ul></ul><ul><ul><ul><ul><li>Available on SSRN. </li></ul></ul></ul></ul>
Consortium Mechanism <ul><li>Those concerned to gain information about vulnerabilities form a consortium. </li></ul><ul><ul><li>The consortium pays for information about vulnerabilities. </li></ul></ul><ul><ul><li>Members may share information for free. </li></ul></ul><ul><li>Examples </li></ul><ul><ul><li>Information Sharing and Analysis Centers (ISACs) </li></ul></ul><ul><ul><ul><li>Governmental. </li></ul></ul></ul><ul><ul><ul><li>Do not yet deal with vulnerabilities in the above way. </li></ul></ul></ul><ul><ul><li>Industry consortia. </li></ul></ul><ul><li>Similar to CERT-type organizations, with the added complexity of conflicting business motives. </li></ul>
Federally Funded Centers <ul><li>This does not exist. </li></ul><ul><li>The center would pay for the discovery of vulnerabilities, but </li></ul><ul><li>would not charge for the disclosure of the information. </li></ul><ul><li>Kannan, Telang, and Xu, Economic Analysis of the Market for Software Vulnerability Disclosure, contend that this type of approach performs best, but again they assume that relevant information is costlessly available. </li></ul>
Lemon Markets and Their Solution <ul><li>Nothing we have said so far addresses the lemon markets problem. </li></ul><ul><li>The basic lemon markets mechanism: </li></ul><ul><ul><li>Consumers cannot, before purchase, tell the difference between a good product and a lemon; so </li></ul></ul><ul><ul><li>the price drops (the expected value of the purchase is reduced by the expected value of getting a lemon); and </li></ul></ul><ul><ul><li>good products disappear from the market. </li></ul></ul><ul><li>Solution: get information to buyers before they purchase. </li></ul>
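The three-step mechanism (buyers cannot tell good from bad, the price falls to the expected value, good products exit) that this slide and the earlier "Security software: Lemons market" slide describe, and the proposed cure (information before purchase), can both be run as a small model. The Akerlof-style simulation below is an added example, not part of the slides, and its numbers are constructed: each seller knows its product's quality q (between 0 and 1) and will not sell below q; a buyer values quality q at markup × q; uninformed buyers pay only the average value of what is still on offer, while informed buyers pay each product's own value. The function names are introduced for the example.

```python
"""Added Akerlof-style lemons-market model (not from the slides; numbers are
constructed). Each seller knows its product's quality q in (0, 1] and will not
sell below price q (its cost). A buyer values quality q at markup * q, so every
sale would be mutually beneficial if quality were known. Uninformed buyers
cannot tell products apart before purchase and pay only the average value of
what is still offered; sellers whose cost exceeds that price leave, the
average falls, and the process repeats."""


def uninformed_market(qualities, markup, max_rounds=50):
    """Iterate the lemons mechanism. Returns (sellers still in the market,
    list of the price offered in each round)."""
    supply = sorted(qualities)
    prices = []
    for _ in range(max_rounds):
        if not supply:
            break
        # Buyers pay the expected value of a random product on offer.
        price = markup * sum(supply) / len(supply)
        prices.append(price)
        # A seller stays only if the price covers its cost (its quality q).
        still_selling = [q for q in supply if q <= price]
        if still_selling == supply:      # stable: nobody else leaves
            break
        supply = still_selling
    return supply, prices


def informed_market(qualities, markup):
    """Buyers learn quality before purchase (the slide's solution), so each
    product is priced at its own value markup * q and every seller whose
    value to the buyer covers its cost trades."""
    return [q for q in sorted(qualities) if markup * q >= q]


def lost_surplus(qualities, markup):
    """Gains from trade destroyed by the information problem: each seller
    driven out would have created (markup - 1) * q of value."""
    remaining, _ = uninformed_market(qualities, markup)
    driven_out = set(qualities) - set(remaining)
    return sum((markup - 1.0) * q for q in driven_out)


# Constructed sample: ten sellers with qualities 0.1, 0.2, ..., 1.0.
SAMPLE_QUALITIES = [i / 10 for i in range(1, 11)]

if __name__ == "__main__":
    left, prices = uninformed_market(SAMPLE_QUALITIES, markup=1.5)
    print("uninformed buyers, markup 1.5:")
    print("  price by round:", [round(p, 3) for p in prices])
    print("  sellers left:", left)   # only the three lowest-quality sellers
    print("informed buyers, markup 1.5:", informed_market(SAMPLE_QUALITIES, markup=1.5))
    print("value lost to the lemons problem:",
          round(lost_surplus(SAMPLE_QUALITIES, markup=1.5), 3))
```

With a 1.5× markup the offered price falls round by round (0.825, 0.675, 0.525, ...) and the seven best products leave; only the three worst remain, even though every one of the ten sales would have been worth making. Informed buyers trade with all ten. Raising the markup to 2.5× removes the problem in this model, which is the slide's point that the outcome depends on how much buyers can learn before they pay.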
Prediction Markets <ul><li>A prediction market would accomplish this purpose. </li></ul><ul><li>In the market (set up on the Internet), investors buy futures in which they speculate on which products will have this or that type of vulnerability. </li></ul><ul><li>Such markets have proven remarkably accurate in predicting a wide variety of events. </li></ul><ul><ul><ul><li>http://www.consensuspoint.com/index.php </li></ul></ul></ul><ul><li>Prediction markets would work well where there are active disclosure markets that reveal the existence of vulnerabilities. </li></ul>
An Example <ul><li>Why not set up a prediction market in which investors buy futures on when vulnerabilities will be discovered in the iDefense challenge with regard to: </li></ul><ul><ul><ul><ul><li>Apache httpd </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Berkeley Internet Name Domain (BIND) daemon </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Sendmail SMTP daemon </li></ul></ul></ul></ul><ul><ul><ul><ul><li>OpenSSH sshd </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Microsoft Internet Information (IIS) Server </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Microsoft Exchange Server </li></ul></ul></ul></ul><ul><li>Investors could speculate on the time, number, and rank order in the list. </li></ul><ul><li>The activity in the market could guide purchase decisions prior to discovery of the vulnerability. </li></ul>
Contractual Protections for Vendors <ul><li>We are now in a position to evaluate a legal issue I have so far suppressed: </li></ul><ul><ul><li>contractual disclaimers of liability. </li></ul></ul><ul><li>A typical example follows. </li></ul>
In re America Online Inc. Version 5.0 Software Litigation <ul><li>In In re America Online Inc. Version 5.0 Software Litigation, 168 F.Supp.2d 1359, America Online (AOL) distributed software that cut off non-AOL Internet access, disrupted local area networks, and interfered with other applications, thereby causing computers to crash. AOL distributed the software accompanied by a clickwrap Terms of Service (TOS) agreement. </li></ul>
The Disclaimer <ul><li>The court noted that the TOS Agreement stated: </li></ul><ul><ul><li>[M]ember expressly agrees that the use of AOL, AOL software, and the Internet is at member's sole risk.&quot; . . . With respect to disputes relating to the software, the TOS Agreement provides, &quot;AOL's entire liability and your exclusive remedy ... shall be the replacement of any AOL software found to be defective.&quot; . . . If the consumers have any other dispute, the TOS Agreement states, &quot;[Y]our sole and exclusive remedy ... is the cancellation of your account as detailed below in Section 7.&quot; . . . The TOS Agreement also purports to limit AOL's liability for consequential damages. . . . According to AOL, . . . these provisions prevent the consumers from seeking punitive damages, compensatory damages, disgorgement, injunctive relief, and attorneys' fees. </li></ul></ul><ul><ul><ul><ul><li>168 F.Supp.2d 1359, 1361 (S.D. Fla. 2001). </li></ul></ul></ul></ul>
The Law’s Attitude <ul><li>The law generally enforces such disclaimers in the defective product context, where the vendor is unaware, and should not have been aware, of the defect. </li></ul><ul><li>The risk of loss from the defect shifts to the buyer. </li></ul><ul><li>Is this fair? </li></ul>
In Favor of the Shift <ul><li>Assume that the vendor has a sufficient market incentive to produce a non-defective product. </li></ul><ul><ul><li>As software vendors might have if there were disclosure and prediction markets. </li></ul></ul><ul><li>What happens if we do not allow the vendor to shift the risk of loss onto the buyer? </li></ul><ul><ul><li>The cost of the product rises. </li></ul></ul><ul><ul><li>Defects are inevitable, and the seller will be liable. </li></ul></ul><ul><ul><li>So the seller takes the expected legal loss into account in setting the price. </li></ul></ul><ul><ul><li>Low-risk buyers subsidize high-risk buyers. </li></ul></ul>
In Favor of the Shift <ul><li>What happens if we allow the vendor to shift the risk? </li></ul><ul><ul><li>The cost of the product does not rise. </li></ul></ul><ul><ul><li>Buyers who wish to insure against the risk of loss can do so on their own account. </li></ul></ul><ul><ul><li>Low-risk buyers do not subsidize high-risk buyers. </li></ul></ul><ul><ul><li>This is most likely fairer and more efficient than making vendors bear the risk. </li></ul></ul>
