85 comments

[ 5.0 ms ] story [ 149 ms ] thread
> The German government wants to ensure that manufacturers are liable in future for damage caused negligently by software vulnerabilities in their products. [DeepL]
Sounds sensible to me. Similar laws exist for negligence with physical products that cause damages.
This makes the work of independent contractors more or less impossible. Only big software houses will be able to afford the insurance needed to deploy software in general.
While that's absolutely correct, fortunately it's only true for Germany, which will further cripple itself in the tech world. The Germans are already decades behind the US in that space, this will just keep things as they are, which I appreciate. Were the Germans acting rationally, applying their potential fully, they'd be a global tech juggernaut, including in software. The more they trip themselves up, the longer the US can easily keep its crown and the trillions of dollars that go with it.

And it's kind of cute how SAP now fits in Microsoft's pocket.

> While that's absolutely correct, fortunately it's only true for Germany, which will further cripple itself in the tech world.

Sooner or later this will be an EU proposal anyway like the GDPR.

> The more they trip themselves up, the longer the US can easily keep its crown and the trillions of dollars that go with it.

A lot of the success of the US tech giants is built upon the cost of people suffering in a myriad of ways, from the cost of following up with data thefts to literal death from exploitative working conditions. European countries - while not perfect - tend to value their citizens a bit more than the US... and if the US continues on its current path, it may very well see the consequences of dissatisfied citizens. The election of the 45th President was only the beginning of what may happen.

I'm not so sure about that. Most likely, there will be a burden of proof on whoever makes a claim of this type. Just think about how many various lib's are involved in one application. If the problem lies in one of the libs, they'll hunt down whoever made it.

I have mixed feelings about a law like this but I can't say I don't agree with something like this as a principle for paid software. Maybe liability will reduce the number of backdoors in software that we pay for. As for FOSS projects on github and such, there is no contractual obigation of any kind as long as you don't see lic's or stuff like that. That being said... I've heard some horror stories that defy common sense so wouldn't be surprised by anything.

According to the top HN comment right now, the new risk only applies to closed source software which has known/disclosed vulns before the software’s declared lifespan ends.

This is not draconian to reasonable software firms and is analogous to structural/civil engineering.

Which seems like a great incentive for companies to:

a) not look for vulnerabilities

b) if they are found anyway, to not classify them as vulnerabilities (but regular bugs)

Then what? Relying on unpaid people to find and disclose vulnerabilities?

And what about all the people who think that they found a vulnerability but didn't? Consider that there are US senators and governors that think reading HTML code is hacking.

What bureaucracy will we have to build to decide what is and isn't a vulnerability?

After having typed out a response, your comment just looks like bad faith foot dragging.

This is Germany. Lots of software companies already do this type of work with SOC2 or FedRamp contracts.

A vuln is typically reported to NIST and assigned a CVE record. That 3rd party system allows for embargo, publish, dispute, etc. If a manufacturer denies that is is a vuln, the researcher can release their work and malicious actors could prove the manufacturer wrong. I work in cybersecurity, so this isn’t new to me. Maybe it is new to you… ?

These companies already have reasons not to look for vulns. IMHo they need more incentives (eg. Regulator/economic pressure) to look for them.

My guess is that this rule is being pushed in the aftermath of Log4j, which is a publicly identified CVE/vuln, but which is compiled/linked into other products. Any proprietary product which uses a known vuln in their software supply chain should have to either fix it (by releasing a patch) or make a public statement that the upstream vuln does not create a software vuln downstream or suffer liability. This already happens with companies/products that do this with large contracts.

The Missouri Governor is a political stooge, but his Department of Justice is prosecuting what the journalist did after he took the PII that was embedded in the page. We will have to wait to see if that was legal. I suspect he took a SSN that was in the page and used it to fill in a web form, which could be prosecuted as fraud. That would be an example where good faith efforts by security researchers should be exempted from prosecution, but has no relevance to this German proposal.

Your complaints seem to be extremely defensive/reticent. I think such posture is only useful if you also consider the value

Same applies to small food places that need to comply with food regulations.
From what I understand Germany already is not very start-up friendly it seems like this further exactrebates it. I put together a weekend project to see how it goes, I have a bug somewhere I didn't think of now BAM I'm on the hook for millions of dollars in "damages."

Another much more chilling question is what happens to FOSS projects? Is Germany going to start going against every software developer that uploads an MIT licensed package on Github? What about the Log4j vulnerability who is on the hook for that?

I agree security needs to be taken more seriously and we need to step up our game, but I grow concerned when the government starts making broad laws like this.

You seem to misunderstand the original request _and_ the proposal. We so far only have the CCC's request, no further details are known.

If you go by the proposal, FOSS and Open Source is out of scope. In the case of Log4j, companies knowingly selling software that contains in insecure version of Log4j now need to own that defect.

What if they claim that they don't know? You know... haven't got the memo.
Not sure if you’re already trying to make a joke, but there’s a word for that, isn’t there? Negligence.

Doesn’t help your local restaurant if they didn’t get the memo about the poisonous scallops, particularly if there existed a regular scallop-poison-level newsletter they could check.

that could still be considered negligent, if it has a CVE and you're using it, you gotta know about it
I agree with the concern for several related reasons, but the pendulum had to swing eventually. We are at a point, where too much critical infrastructure relies on software. If those building blocks crumble each time someone sneezes at them, some remedy is necessary.

Regarding the start-up argument, the amusing upshot ( for Germany ) of this is that they get software that has been already beta tested in US ( think Tesla autopilot ).

> it seems like this further exactrebates it. I put together a weekend project to see how it goes, I have a bug somewhere I didn't think of now BAM I'm on the hook for millions of dollars in "damages."

Judging by the CCC statement, this is more intended for cases of negligence in face of known security problems. It specifically says "unkorrigierten oder gehäuften IT-Sicherheitsproblemen" (uncorrected or accumulating/amassed it security problems).

Who do you consider responsible for the code in products we ship?

Is it users? It can’t be. They aren’t engineers, and even the users who are don’t have access to our source code.

Is it the government? No.

Is it … nobody? That sounds like a terrible idea.

The only people left are us. The company or team who ships a product.

This is the same as everything else in civilisation. I’m responsible for food I sell. If I sell you poisoned food, you can sue me for the harm my food caused. If you hire me to build a house, I’m responsible for making the house safe. If the house falls down and injures you, you can sue me for damages. The general principle is that we are responsible to our neighbours insofar as our actions could foreseeably hurt one another. Lawyers call it Tort Law and frankly it makes sense.

Why should software be exempt?

As for opensource - if you pull in a random (free) MIT licenced piece of code on GitHub, one of the license conditions is that you take all responsibility for the software. The opensource dev isn’t responsible and (I am not a lawyer) almost certainly wouldn’t be held liable for bugs.

Users. They shouldn't use software that they haven't wetted as secure.

No amount of regulation will save users from installing a hundred of toolbars if they want to do that.

But it will hinder legitimate programmers from publishing useful software (especially free and open source software).

That only makes sense for FOSS, where part of the deal is that the software is provided for free, but with no guarantees about fitness for purpose.

Would you except restaurant-goers to be liable if they get poisoned? Now compare that to picking your own mushrooms, or dumpster diving. Part of the deal when you start charging for something, has to be that the customer can expect the product to… work.

How is this different from saying "We shouldn't cross bridges that we haven't vetted as structurally sound."? I don't expect everyone to have an architectural degree, as well as the time and resources to verify everything without access to the building plans.
Huh? How??

How are users supposed to vet all the software we run? How are you supposed to know that a compiled binary from Wacom snoops on your computer? That gmail - or, worse, some random startup has no security vulnerabilities?

Users don’t have time to read the source code for every product. Even if they did, we don’t have the source code for most software on our devices. And even if we could get that, we don’t have access to any of the code running on someone’s web server.

Saying users are responsible is the same as saying nobody is responsible.

The only way a user can take responsibility is to refuse to use products and services from startups & young companies who don’t have a reputation yet. And if people feel the need to start doing that, it’s bad for everyone.

responsible is not the same thing as "liable for damages"

Obviously the companies are responsible for the stuff they make.

If companies make crappy software or groceries stock rotten vegetables the invisible hand of the market will take care of it and put them out of business.

This law, while well meaning, has obvious side effects that might make things worse than they are today.

Most importantly it creates an incentive for companies to create a culture of not looking for vulnerabilities. If they have a vulnerability they don't know about, they are fine. If they do know about it, they are potentially liable.

Then there's the issue of who decides what is a vulnerability. And if you think that's obvious just read "The Old New Things" blog for many examples of "vulnerability" reports that boil down to "If I can run program with admin privilege's, I can do bad stuff". Or look at US senators and governors who think that looking at HTML is hacking.

Finally, not of that is free. Government doesn't make money, it takes it from you. So when we create new regulation that require more government employees, you're paying for it, indirectly.

> the invisible hand

The FDA has 18,000 employees. The USDA has around 100,000.

> If companies make crappy software or groceries stock rotten vegetables the invisible hand of the market will take care of it and put them out of business.

The problem with IOT, routers, etc with unpatched vulnerabilities are much more akin to dumping toxic waste or spewing smog than a grocery equipment supplier making poor-quality goods. A grocer would naturally choose equipment that didn't fail and cost them inventory, but unpatched devices affect all of us, even the ones who didn't choose to purchase that equipment. And far from the invisible hand of the free market shutting them out, it actually tends to encourage this behavior (absent regulation) because it's cheaper to dump the waste in the river (not patch your known-vulnerable commercial software) than to pay to have it handled properly, and the market generally favors cheap above all else. It's a classic tragedy of the commons situation, and that's where regulations are important.

> Then there's the issue of who decides what is a vulnerability. And if you think that's obvious just read "The Old New Things" blog for many examples of "vulnerability" reports that boil down to "If I can run program with admin privilege's, I can do bad stuff". Or look at US senators and governors who think that looking at HTML is hacking.

Uh, MITRE already does that. The CVE list is a thing that exists, it works well and isn't filled with a bunch of nonsense. Some blog being bad doesn't mean there's no way to systematically track vulnerabilities and their severity.

This is nonsense throwing up your hands "who can, truly, know anything!?". We can, and we already do.

> Finally, not of that is free. Government doesn't make money, it takes it from you. So when we create new regulation that require more government employees

The beautiful thing is, this isn't about the government enforcing these regulations - this is about creating a civil claim by the customers of the business. The business will provide a support window for critical security vulnerabilities, and if they fail to meet it, they're liable just like any other support contract. It's a free market solution, in fact!

> not very start-up friendl

I'm not sure about that. The startup culture is different but not necessary worse.

The main pain point would be that you must get taxes right

and maybe that the system favors more substainable startups then moonshots which mainly hope to be bought for absurd prices by monopolistic companies.

> FOSS

Isn't sold (normally) so shouldn't be affected (in the common case).

Instead the company using it is responsible. Like using open source without vetting or potentially fixing it, is like using a building blueprint you found on the internet without vetting or fixing it.

This should favor companies using open source more responsible and payed support contacts.

That's is if any law resulting from this is properly done.

I feel this is an important step in turning software programming into an actual engineering discipline.

Engineers that design bridges and buildings are liable when these structures fail and cause damage or loss of life. Lessons-learned are critical to ensuring corrective actions are taken to ensure similar failures don't happen in the future.

Software development has almost none of that. The lessons of the past are relearned on an apparent two to four year cycle.

This is a great lesson on bridge building and software engineering.

http://thecodelesscode.com/case/154

Jon Bentley's The Back of the Envelope[0] has a much better lesson about bridge building and software design.

"Most of you," says Vyssotsky, "probably recall pictures of 'Galloping Gertie,' the Tacoma Narrows bridge which tore itself apart in a windstorm in 1940. Well, suspension bridges had been ripping themselves apart that way for 80 years or so before Galloping Gertie. It's an aerodynamic lift phenomenon, and to do a proper engineering calculation of the forces, which involve drastic nonlinearities, you have to use the mathematics and concepts of Kolmogorov to model the eddy spectrum. Nobody really knew how to do this correctly in detail until the 1950s or thereabouts. So, why hasn't the Brooklyn Bridge torn itself apart, like Galloping Gertie?

"It's because John Roebling had sense enough to know what he didn't know. His notes and letters on the design of the Brooklyn Bridge still exist, and they are a fascinating example of a good engineer recognizing the limits of his knowledge. He knew about aerodynamic lift on suspension bridges; he had watched it. And he knew he didn't know enough to model it. So he designed the stiffness of the truss on the Brooklyn Bridge roadway to be six times what a normal calculation based on known static and dynamic loads would have called for. And, he specified a network of diagonal stays running down to the roadway, to stiffen the entire bridge structure. Go look at those sometime; they're almost unique.

"When Roebling was asked whether his proposed bridge wouldn't collapse like so many others, he said, 'No, because I designed it six times as strong as it needs to be, to prevent that from happening.'

"Roebling was a good engineer, and he built a good bridge, by employing a huge safety factor to compensate for his ignorance. Do we do that? I submit to you that in calculating performance of our real-time software systems we ought to derate them by a factor of two, or four, or six, to compensate for our ignorance. In making reliability/availability commitments, we ought to stay back from the objectives we think we can meet by a factor of ten, to compensate for our ignorance. In estimating size and cost and schedule, we should be conservative by a factor of two or four to compensate for our ignorance. We should design the way John Roebling did, and not the way his contemporaries did-- so far as I know, none of the suspension bridges built by Roebling's contemporaries in the United States still stands, and a quarter of all the bridges of any type built in the U.S. in the 1870s collapsed within ten years of construction.

"Are we engineers, like John Roebling? I wonder."

[0] https://www.seltzer.com/margo/teaching/CS508.19/background/p...

I feel this is an important step in turning software programming into an actual engineering discipline.

Yes.

More than that, anything that has a backdoor or a "default password" should be viewed as being at least criminally negligent or outright criminal.

Haha, the German government is pushing for lawfully required backdoors at the same time.
On countries where it is a professional title, software engineers that sign off projects are liable.
> Engineers that design bridges and buildings are liable when these structures fail and cause damage or loss of life.

I'm pretty sure that's not true, at least not in practice.

Not even once have I read about an engineer being liable for a failed bridge.

But I'm open to being educated.

Can you point to a single case, in US, of an engineer being liable for a failed bridge?

Who found them liable (federal government? state government?) and what happened after they were found liable (a fine? jailtime)?

The construction/architecture company is liable, and the same will happen with the software regulation. Not saying that it's a good (or bad) idea, only that the comparison is reasonably apt.
(comment deleted)
I would think that unless criminal negligence can be shown (e.g. an engineer signed off on plans that he knew or should have known were unsafe) then civil liability would maybe apply to the construction contractor (again, depending on why the bridge failed), for which they should be insured.
Before you pick up pitchforks, it's important to understand that this has been requested by the reputable Chaos Computer Club for years.

It's targeted at commercial proprietary software with disclosed and unfixed vulnerabilities. In other words, if you're knowingly selling software that materially harms your users, you're on the hook.

As an example: You're buying "Foo Professional" from MegaCorp. It contains an insecure version of Log4j. You're paying MegaCorp $500,000 per year for license fees. MegaCorp refuses to patch the used version of Log4j. With this proposal, you now have a legal basis for arguing that you _deserve_ a fixed version of "Foo Professional" unless MegaCorp told you clearly by which date "Foo Professional" expired.

I think that's a sensible way to think about it.

All software has bugs, some of those bugs will necessarily lead to security issues. The German government can't investigate every product out there, so this will either be a reactionary only measure, that does nothing but cause organizations to simply try and hide what they are doing from the German government, or more chillingly it becomes selectively enforced to punish the politically unpopular and reward the politically favored.
That's exactly the same what was said for the GDPR... and no one will deny that the GDPR was effective in forcing the industry to adhere to at least some common sense standards.

And yes, part of both the GDPR and the CCC proposal is effectively weeding out those whose business model is solely to undercut legitimate competition by putting their customers at risk of losing control of their data or of wasting money on products that are effectively a danger to their data sometimes not even a year after they were bought (looking at you here, cheap-ass Android phones).

> and no one will deny that the GDPR was not effective in forcing the industry to adhere to at least some common sense standards.

I suspect that this is intended to be a single rather than double negative, or did you mean to assert that GDPR was universally recognized as a complete failure at limiting bad behavior?

Same thing applies to surprise visits from regulation authorities to all kind of business, nothing special about software shops.
Note that this is only about known and disclosed security vulnerabilities.

It will not be enforced by an overworked regularly body, but by customers suing software companies.

No reason for the government to investigate proactively (as long as the government was not affected).

Or, software sold in Germany will cost $X more where X is the actuarial cost needed to offset the liability risk.
Yes the CCC also mentions router hardware quite a lot. You buy a 20€ wifi router from Mediamarkt or something and the CCC says it should come with a label until which date the router will get updates because the consumer has no idea they buy stuff that'll never see another update because the manufacturer already build two newer units.

In one podcast I heard t hem compare it to software in cars where if there is for example an encoding error so all bluetooth connections are reduced to a low bitrate they won't fix it until the next version of the car is released

Fully behind it, even a little corner shop is liable for what they produce, why should software companies be special snowflakes.

If this kind of regulation is the only way to make security part of the development process and chosen tooling and not am afterthought, so be it.

Because you aren't paying for that level of software. NASA paid $1,000 per line of code for the shuttle's avionics software[1] to get it as bug free as possible. If you want that level of perfection, then you won't be getting current commercial software prices.

1) https://history.nasa.gov/sts1/pages/computer.html

This doesn't seem to cover novel attacks, just applying basic security patches for a stated lifetime. If that lifetime is "six months" then you have to state that.

If that means we can't buy insecure IoT lightbulbs with no tls, no authentication and no sha checking for under $10, I guess we'll just have to live with it.

Lack of incentive contributes a great deal to lack of quality. If the company knows they are going to lose money if they are careless, they'll be less careless. Way too many bugs and security vulnerabilities are consequences of nothing but carelessness and companies thinking they can't be held accountable of anything.
This proposal doesn't demand preemptively bug-free software, it demands that commercial software fix identified security issues within a reasonable timeframe, and establish a defined support window in which it will be expected to do so.

This is exactly the proposal that comes up every time HN discusses things like routers and IOT, which are frequently abandoned without updates despite critical known security issues. Well, now you know when you buy it that "updates will be provided through 2024". If the vendor fails to provide support through that date, the customers will have a claim against the vendor (i.e. it's not a situation of government enforcement, it's between you the customer and the vendor).

And again, the problem is, this is a tragedy of the commons situation. Bad actors who don't provide security updates provide fodder for botnets to attack the rest of us. At some point it becomes necessary to address that, and the way you do that is a measure like this one, to transfer liability to corporations who are "dumping waste" to avoid the cost of proper "software handling".

(also, the easy answer is - open source your software and it won't be an issue! that hypothetical router that a company now has to provide with security updates? just release your router with official DD-WRT/OpenWrt/Tomato support and 95% of your workload goes away.)

The CCC is in favor, and they're not exactly computer-illiterate nobodies, or against innovation in software. Something really has to be done about software quality, or the Internet Of Shit is going to ruin the internet for good.

Plain FUD, every kind of business is subject to liability doesn't matter the size, and they manage to keep the doors open, including the junk food joint down the street corner.
Seems like the way to handle that is through the civil court systemt tho?
Oh, seems like the companies may finally get some motivation to use memory-safe languages, formal proofs, etc.
Are there any software firms, or individuals, who volunteer to accept liability, as a competitive advantage?
Those are called insurance agencies.
Every company developing medical and automotive software for production use (ISO 262652 etc).
Not volunteer, but seeing it as advantage of required widely.

Yes such which are dependent on their party software components they pay for.

Like companies using payment system plugins.

Or smaller laptop/computer/smartphone manufacturers.

I expect in my lifetime insurance policy will get to dictate software practices and only certified software engineers will be allowed to program software. I also think anyone who believes this won't be applied to free / open source is fooling themselves.

Other profession had hundreds of years to mature, but software will not be allowed time to grow.

Yes. Free OSS is like “I build bridges for free as an architect” or “I dig wells for free in Africa.” It may be free but we still need to ensure its security.

And this is how, I believe, AWS will become kind of required, as it will be the only way to get a certified-up-to-date version of a Linux, of a database, of a library, etc. And programmers will only be responsible for the glue code between those services.

It's more like "I build a bridge blue print for free as an hobby project".

Which is ok. (As long as you don't claim that it's something it's not.)

And it's also ok for a company to actually use your blueprint (ignore copyright for a moment).

The problem is if a company uses the hobbist blue print without verifying that it fulfills necessary requirements, like being safe in case of an earth quake.

You're saying this as if you're very convinced it's a bad thing. Why? I'm not so sure it's a bad thing.
Programming ceases to be a hobby for anyone and you can kiss the make community goodbye. There will be no more masterpieces out of left field and all programmers are factory workers.
That's really absurd. People make food for friends and build everything from furniture to vehicles for fun in their garages without complying with any professional standards or laws all the time. How many people on Hackaday or any DIY site have ISO compliant or OSHA inspected labs? Existing regulations are not stopping the maker space scene.
You can play car mechanics as self taught builder, the moment the car needs to hit the road, it must certificy road regulations.

Not being a Mechanical Engineers doesn't prevent building the car and putting it on the road, provided the regulations are met.

And if something happens to someone else with that car, the one building it is also liabiable, provided it was caused by a construction error.

However not having an Engineering license doesn't forbid it to being built.

Many programmers are factory workers, plugging software libraries, that is why open spaces are organized like the mills from industrial age, or the offshoring sweet shops exist.

I wish they did the same for governments and lawmakers
Finally it is happening, great news.
Why not let market figure this out? Companies that do not provide support are bound to be eaten by the others.
If you had asked the same question about airlines 100 years ago... [0]

"At the urging of the aviation industry, that believed the airplane could not reach its full commercial potential without federal action to improve and maintain safety standards,[citation needed] President Calvin Coolidge appointed a board to investigate the issue. The board's report favored federal safety regulation.[10] To that end, the Air Commerce Act became law on May 20, 1926.[11]"

[0] https://en.wikipedia.org/wiki/United_States_government_role_...

Market incumbents quite often welcome the new regulation. It helps them to avoid competition by creating entry barriers.
OK, here's an even older instance of the same thing, probably not advocated for by the industry incumbents...

229 If a builder builds a house for someone, and does not construct it properly, and the house which he built falls in and kills its owner, then that builder shall be put to death.

- Code of Hammurabi, ~ 1700 BC [0]

[0] https://avalon.law.yale.edu/ancient/hamframe.asp

Something tells me you're from USA. Americans let the market figure out public health service and prison systems. We can all see what that did to that country and its people.

Free market without any regulation whatsoever can absolutely work to the detriment of society.

This is not so much 'against bugs', but to force companies to update their software and firmware against known problems. And the companies have to explicitly set a date when no more (security) updates are going to be made - for devices like WIFI router firmware.

The german text:

    Der CCC fordert dort eine "Haftung bei unkorrigierten oder gehäuften 
    IT-Sicherheitsproblemen inklusive einer Versicherungspflicht, 
    zwingender Angabe eines Verfallsdatums [...]
To everyone saying my weekend project is going to be on the hook for millions:

The keyword here is "fahrlässig" (translates to negligent). Whoever is damaged must be able to prove that a bug caused through your program was negligent. I myself have tons of weekend project that have no stakes at all (most are libraries that are used by essentially no one and I make $0 from all of them combined) and even there I spend a little bit of time keeping dependencies up to that. With the few bug reports I get I at least look into them. It will be very hard to extort any money out of me under this law.

If you are running a startup and making money you will need to allocate resources to maintenance, stability and bug fixing.

"Move slower and build stuff that lasts"
As a manufacturer, you're already liable for damages caused by negligence, similar to Common Law jurisdictions I guess. So how does this proposed law go beyond that? Is merely using unpatched software negligent, and is a bill of materials or something required to make claims practical? Maybe the law also wants to target the bad practice of eg. Android phone manufacturers stopping to provide updates 2-3 years after purchase if at all?
I don't know. This is the kind of decision where the upside is very visible and easy to argue for, and the downside is much less visible, very spread out, and usually a couple of orders of magnitude larger than you'd first guess.

Dev doing a successful OOS project in his spare time is something that fortunately still happens. Dev doing a successful OOS project _and_ accepting liability for potential mistakes is something I really expect to see less of.

Plus don't forget the death by a thousand papercuts. If you have this regulation, and that liability, and who knows what else - this is a very time-tested pattern: it raises barriers to entry in an industry and favors large, incumbent companies. Paying a lawyer is a small price to be sure that you can't have competitors smaller than that.

Dev doing a FOSS project is specifically out of scope of the proposal, so this is FUD.