I got into an interesting conversation today. Here's the question: if a vendor rolls out a net-enabled product that features a crypto- secured interface, what kind of liability do they face if the interface security is breached? In particular, we were discussing machine controls and the recent incident where it was discovered that one manufacturer was fielding a GPIB control card with TCP/IP Ethernet and no security at all. If a net-connected and secured machine were hacked and death or personal injury resulted, does that make the manufacturer an accessory to manslaughter? Would having a provably good (or provably bad) security layer mitigate this? -- Roy M. Silvernail Proprietor, scytale.com roy@scytale.com
On Thu, Feb 15, 2001 at 03:49:14PM -0600, Roy M. Silvernail wrote:
I got into an interesting conversation today. Here's the question: if a vendor rolls out a net-enabled product that features a crypto- secured interface, what kind of liability do they face if the interface security is breached? In particular, we were discussing machine controls and the recent incident where it was discovered that one manufacturer was fielding a GPIB control card with TCP/IP Ethernet and no security at all.
If a net-connected and secured machine were hacked and death or personal injury resulted, does that make the manufacturer an accessory to manslaughter? Would having a provably good (or provably bad) security layer mitigate this?
See, generally, Cem Kaner's _Bad Software_ or <http://www.badsoftware.com>. The short answer is that liability is very unlikely, especially in a consumer device scenario - both because of the traditional lack of warranties for software, and because of the unlikelihood of the injury. Generally, products don't need to be designed with criminal activity of third parties in mind - and products which are safety- essential are probably sold plastered with warnings about verifying proper operation before critical use, which are intended to shift the legal (and moral) burden from the manufacturer to the end user. If I were the plaintiff's attorney, I'd try really hard to use advertising/marketing statements about the security of the products to create an express warranty (other than the weak one that the company's lawyers will have written) .. dunno if that would work or not, but it would be fun to try. On the other hand, look at what product liability suits did to the amateur aircraft industry - for some time, I understand that Cessna simply stopped making new planes, because it just wasn't economical to stay in business. If software didn't have an "as-is" warranty - or if software publishers were forced to stand behind their products in a meaningful fashion, with support and/or service, recalls, and all of that, buying a computer would look more like buying a car and less like buying a gun. (where pretty much the entire enterprise involves some amount of danger, though the product liability people have sure given it a good try.) The money which would be paid to plaintiffs, or provided in services to them, has got to come from somewhere - either shareholders or customers, corporations are just leaky money pipes shipping the stuff between those two endpoints. -- Greg Broiles gbroiles@netbox.com PO Box 897 Oakland CA 94604
participants (2)
-
Greg Broiles -
Roy M. Silvernail