Revision 13 as of 2012-09-19 13:05:05 (previous: revision 12 as of 2012-07-31 17:21:53). Editor: JussiEronen

Publications and Discussions on Liability for Bad Software

ABSTRACT

The rarely discussed issue of vendor liability for causing security problems gets lost behind the everyday media attention on the malicious parties exploiting the vulnerabilities. Sources that collect the arguments for vendor liability are scarce. This document acts as a placeholder for the related contributions that we are aware of. Papers, articles and more informal documents are grouped by type of publication. We hope that these links are useful to anyone familiarising themselves with the issue or planning further contributions.

Academic publications

Conference papers, etc.

Journal articles, etc.

  • 2001: "Liability for Computer Glitches and Online Security Lapses" by Alan Charles Raul, Frank R. Volpe and Gabriel S. Meyer. [1]

  • 2001: "Security, Rights, and Liabilities in E-Commerce" by Jeffrey H. Matsuura. [2]

Conference speeches

  • 1994: "Liability and Computer Security - Nine Principles" by Ross Anderson. [3]

White papers (or other online publications)

  • 2000: "War on 'Love' Prevention Must Target Real Culprit" by Donna Ladd, AlterNet. [4]

  • 2001: "Computer Crime" by Jari Råman. [5]

  • 2001: "National Security and Individual Freedoms: How the Digital Millennium Copyright Act (DMCA) Threatens Both" by Richard Forno. [6]

  • 2001: "Distributed Denial of Service Attacks: Who Pays?" by Margaret Jane Radin. [7]

  • 2004: "U.S. info-sharing program draws fire" by Kevin Poulsen [8]

Vendor policies and guidelines

News articles

  • 2000: "The Other Side Of The Story" by Lewis Z. Koch, interviews Mudge from @Stake. [9]

  • 2000: "Software Companies Work to Kill `Love Bug' Virus (Update3)" by Greg Chang. [10]

  • 2001: "Wanted: Loveable hero for copyright battle" by Lisa M. Bowman. [11]

  • 2001: "Three Minutes With Security Expert Bruce Schneier", Bruce Schneier interviewed by Kim Zetter. [12]

  • 2002: "Software security law call" by BBC News. [13]

  • 2002: "Con: Trust, but verify, Microsoft's pledge" by Bruce Schneier. [14]

  • 2002: "What Billg's new security effort will cost" by Thomas C Greene. [15]

  • 2002: "Software Licensing: The Hidden Threat to Information Security" by Richard Forno. [16]

  • 2002: "Network Associates is Sued Over Review Ban" by Dick Kelsey. [17]

  • 2002: "Check the fine print" by Ed Foster. [18]

  • 2002: "Clarke presses private sector to protect against cyber attacks" by Bara Vaida. [19]

  • 2002: "Security Quandary: Who's Liable?" by Dennis Fisher and Chris Gonsalves. [20]

  • 2002: "Court Decision Could Gag French Security Site Kitetoa" by Brian McWilliams. [21]

  • 2002: "'Responsible Disclosure' Draft Could Have Legal Muscle" by Mark Rasch. [22]

  • 2002: "Commentary: The Best Way to Make Software Secure: Liability" by Ira Sager and Jay Greene. [23]

  • 2002: "Contracts Getting Tough on Security" by Dennis Fisher. [24]

  • 2002: "Security is poor because vendors are not held responsible" by Bruce Schneier. [25]

  • 2002: "Penalizing vendors brings consequences" by Harris Miller. [26]

  • 2002: "Tinkerers' champion" by unknown. [27]

  • 2002: "Security warning draws DMCA threat" by Declan McCullagh. [28]

  • 2002: "Security czar points finger of blame" by Robert Lemos. [29]

  • 2002: "Software vendors are obliged to find vulnerabilities, says US govt". [30]

  • 2002: "Post to Bugtraq -- Go to Jail" by Mark Rasch. [31]

  • 2002: "As Threat of Cyber Attacks Grows, Security Specialists Blame Faulty Software" by Jim Landers. [32]

  • 2002: "Clarke Solicits Cyber-Security Input at MIT" by Dennis Fisher. [33]

  • 2002: "Perspective: Home isn't where security is" by Robert Lemos. [34]

  • 2003: "Firms' hacking-related insurance costs soar" by Jon Swartz [35]

  • 2010: New group calls for holding vendors liable for buggy software. Published 17 February 2010. Homeland Security Newswire.

  • 2012: Vendors should not be liable for their security flaws by Roger A. Grimes. Published 24 July 2012. InfoWorld.

  • 2012: Suing software vendors is no security fix by Roger A. Grimes. Published 31 July 2012. InfoWorld.

  • 2012: http://www.techrepublic.com/blog/european-technology/should-developers-be-sued-for-security-holes/1109 by Nick Heath. Published 23 August 2012. TechRepublic.

  • 1991: "Step-Saver Data Sys., Inc. v. Wyse Tech., 939 F.2d 91 (3d Cir. 1991)", Before SLOVITER, Chief Judge, and COWEN and WISDOM, Circuit Judges. [36]

  • 2000: "M. A. Mortenson Company, Inc. v. Timberline Software Corp. & Softworks Data Systems", in Supreme Court of the State of Washington. [37]

  • 2001: "State of Oregon vs Randal Schwartz computer security case" collected by Steve Pacenka. [38]

  • 2002: "Critique of the Proposed UK Implementation of the EU Copyright Directive" by Julian T. J. Midgley. [39]

  • 2003: "Corporate coverup exposed divers to grave risk Company kept computer defect secret for 7 years, according to Oakland lawsuit" by Reynolds Holding [40]

Selected messages from discussion lists

  • "Re: [NTBUGTRAQ] Call to arms - INFORMATION ANARCHY" by Jim. [41]

  • "Re: [ISN] South Korean Group Sues Microsoft Over Slammer" by Kurt Seifried [42]

  • "Trend Week 34/3 - Microsoft Makes, The World Quakes = Product Recall & Liability - Slammer, Blaster..." by Information Security This Week. http://securitynews.weburb.org/show.php3?item=Newsboard&p[messageId]=3106 [43]

Selected threads from newsgroup discussions

Selected threads from bulletinboards

  • 2000: "Should Microsoft Be Responsible For Poor Software?", discussion on Kuro5hin.org. [44]

  • 2000: "Washington Supreme Court Upholds Shrinkwrap Licensing", discussion on Slashdot. [45]

  • 2000: "Intel FDIV bug vs ILUVYOU", discussion on Slashdot. [46]

  • 2001: "Felten vs. RIAA Hearing", summary and discussion on Slashdot. [47]

  • 2002: "An Open Letter to Borland/Inprise Concerning Licensing", an editorial and discussion on Freshmeat. [48]

  • 2002: "Laws to Punish Insecure Software Vendors?", discussion on Slashdot. [49]

  • 2002: "High Tech (Ir)Responsibility", an editorial and discussion on Freshmeat. [50]

  • 2002: "Who Is Liable For Software With Security Holes?", discussion on Slashdot. [51]

  • 2002: "Cure For Bad Software? Legal Liability", discussion on Slashdot. [52]

  • 2002: "Liability and Computer Security", discussion on Slashdot. [53]

  • 2002: "What's (Still) Wrong With UCITA", discussion on Slashdot. [54]

  • 2006: "Would Vendor Liability for Bugs Kill OSS?", discussion on Slashdot code-clean dept. Posted by Zonk on Friday June 02, 2006, @14:44 (Security). http://ask.slashdot.org/article.pl?sid=06/06/02/1636212

Multimedia

Other resources

  • 2000: "Bad Software: What To Do When Software Fails - List of Articles" at badsoftware.com, maintained by Cem Kaner and David Pels. [55]

  • 2001: "frontline: hackers: who's responsible for improving security?" at FRONTLINE. [56]

  • 2001: "Welcome to the Anti-DMCA Website". [57]

  • 2010: Application Development Security Procurement Language. February 2010. State of New York.

References

[1]

[2]

[3]

  • Ross Anderson. "Liability and Computer Security - Nine Principles". In proceedings of the ESORICS 1994 Conference. Brisbane, 1999. FIRST1999-process.

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

[20]

[21]

[22]

[23]

[24]

[25]

[26]

[27]

[28]

[29]

[30]

[31]

[32]

[33]

[34]

[35]

[36]

[37]

[38]

[39]

[40]

[41]

[42]

[43]

[44]

[45]

[46]

[47]

[48]

[49]

[50]

[51]

[52]

[53]

[54]

[55]

[56]

[57]
