Members of the House of Lords Science and Technology Committee will this Friday call on ministers to do more to battle security threats online. The House will debate the government's response to the well-regarded personal internet security recommendations produced by the Committee last year. Lords and security experts have …
If they are going to make developers responsible for security breaches are they also going to make builders responsible when a house is broken into?
"In our initial report we raised concerns that public confidence in the internet could be undermined if more was not done to prevent and prosecute e-crime."
Or more is not done to prevent ISPs selling our internet communications to highly dubious companies like Phorm.
Or more is not done to prevent the government spending £12billon of our own money on storing our internet communications for highly dubious reasons.
Software Developer Liability?
Every application is as imperfect as the imperfect technology/framework that the imperfect developer implements them with.
are they also going to make builders responsible when a house is broken into?
Well, if the builder presented a house with no architect's drawings, no wiring diagrams or even proof of a certified electrician signing off on it, and stated that he'd done it himself with no prior experience and a bunch of lads he knows that have done a little DIY in their bathroom before, no alarm, no windows and no door, then yes, I'd say make the builder responsible in that case.
What it may get rid of is the whole idea of "It'll be alright if we rush it, and use people who we have no idea if they're capable of doing the job apart from a quick certificate they managed to cram into two weeks on holiday in Phuket, but they're cheap.". This is pretty much how half the software world works these days.
add car makers responsible for any and all car crashes....
I for one welcome our house of Lords overlords
If the builder left a door-sized hole in the wall covered by a tarpaulin and didn't tell the buyer about it, then a burglar wandered in and made off with their new plasma TV, I would expect that there would be a pretty strong case to be answer there.
I think it's pretty much a question of degree. I wouldn't hold a builder responsible if the front door was fitted with a cheap lock that could be easily forced - I wouldn't expect anything expensive unless it had been explicitly stated.
The same goes for software - glaringingly obvious security holes suggest negligence on the part of the developer, but there will always be bugs and unforeseen circumstances where software can break down. The reality is that real-world software is not perfect because developers have to work to deadlines and within budgetary constraints.
The danger is that the government will pass some ill-considered law that holds software developers responsible for fixing every flaw, no matter how minor, that is ever discovered in a piece of software. That would put people out of business, as it would increase the cost of software by an order of magnitude.
Who'd pay a dev who'd intentionally (liably) leave a security vulnerability in a piece of software? Surely security vulns are merely bugs, which you often don't spot until someone else "points it out" while it's being used?
Oh wait, we're talking uk.gov. Disregard.
We felt that the Government, the police and the software developers were failing to meet their responsibilities and were quite unreasonably leaving individual users to fend for themselves.
= Slippery slope down which we have already fallen quite a way. Why should individual users not have to take responsibility? If I go to buy a car from Honest John's Quality Used Cars I wouldn't expect the government to spend my taxes to provide a free of charge quality check service. Spend money on more important things.
Having said that, net based businesses do need to improve their security but it should be something privately not publicly (sp?) funded.
Re: Developers Responsibility
I'm sure if the builders made a wall out of cardboard that just looked like bricks then that would be justifyable.
Developers often just deliver the minimum required, flashyness over function, they don't do field validation anymore, assuming that the user 'should know better' also thinking that not knowing about the importance of secure cookies, buffer overflows, cross site scripting isn't relevant to them, this is why this needs addressing, people who wrote code used to be programmers, now they are developers, this should imply a wider responsibility than just cutting code.
Give enough developers enough typewriters............. (just in case you don't get it, I was kind of implying monkeys, that kind of where I was going with that)
Educate not legislate
"But others, such as software developers' liability for damage caused by security flaws and enabling people to report online fraud directly to the police rather than their bank, have either been ignored or are awaiting action."
It is usually the implementation of software systems that are vulnerable, not necessarily the software itself. And as most software systems are installed and maintained by people trained to pass exams as opposed to being trained in the subject matter, it is going to get worse.
As most e-crime, online fraud, phishing scams etc. are committed by those outside of UK jurisdiction, what are the UK police going to do with the wealth of information passed to them regarding e-crime? Pass the information on to those who do have jurisdiction then close the case? ffs they cannot even deal with UK crime unless an ANPR system prompts them into action.
The Internet cannot be trusted anymore than our government can be trusted. Education of those that use the internet for anything more than posing on my-u-face-space-book-tube or exercising their grip whilst viewing porn should be a priority. TV and media advertising stating that the internet is inherently insecure and cannot be trusted. Advertising that shows that the login page for your bank, may not actually belong to your bank and how the user can spot fraud. Adverts that tell the consumer that there is no such thing as a free lunch and that free vary rarely means free. Inform users that business conducted via the post and telephone is much more secure.
E-crime is not going to go away, and it is so easy to set up a phishing site or make empty promises in order to capture user information to sell on. I get around a dozen emails a week from "banks" I do not do business with asking me for account details. These phishing sites are very well made and easily fool the unwary. Public awareness is what is required not tighter controls and invasive monitoring implemented under the guise of protecting users. I don't expect the Internet to be safe or secure any time in the near future, just as I don't expect government to get honest and truthful anytime soon.
Why will the government not educate the user? Because a knowledgeable populace is a dangerous one. Teaching the populace to recognise a scam when they see one may well put the government at a disadvantage.
hahahah @ developers responsible
I hope they start with the master of all Windows
Since if it was not for windows most of the flaws would not exist
It seems this is all a tad of old rubbish and will be only applied if its a British tax payer writing the code
since tax payers are the biggest crooks of all
"Educate not legislate "?
This suggestion is contrary to NuLabouria's standardised policy of "Legislation not Education"
As you have identified yourself, you are ordered to repost to the National Official Bureau of Happiness and Exemplary Attitude Development (N.O.B.H.E.A.D.) where the staff will re-align your perception of the world to conform with the NuLabourian ideals.
Could be a blessing in disguise
If they are going to make developers responsible for security breaches...
Assuming we allow developers some leeway to correct flaws "within a reasonable time" (as an example, I'm thinking of the time usually given by security researchers from "we found a flaw" to "we're going to publish it"), it still means
* Microsoft can't afford to operate in the UK
* No £12billion surveillance databases
* No (universal) ID cards
* No RFID
* Chip & PIN is dead in the water
* Free tube journeys
etc etc etc (WooHoo!)
Mine's the one with copies of "Beyond Fear" and "Security Engineering" in the pockets.
Wasn't me, my Register login details must have been phished. Prove it was me.
"Government access to Phorm spy system reports it was your IP address."
Well my wifi must of been hacked, prove it was me. What's that, you don't need proof, I should prove I am innocent? What kind of justice is that?
"No justice here, only law and you're nicked."
@ Chris re builders responsible for home break-ins
Sometimes they are.
I once had an exterior door installed which had to swing outward because of interior space limitations. The carpenters used special hinges with set screws that prevented withdrawal of the hinge pins when the door was closed; otherwise they would have been liable had someone broken in by pulling the pins out.
Just what the legal foundations of that are, I do not know, but for some kinds of mistakes leading to break ins, the builder has indeed been liable at some times and places.
Mutatis mutandis, one has to wonder why Microsoft has gotten away with their forked-tongue yap so long: Windows is oh so wonderful and does all these many things and by the way we don't claim it's fit for any purpose at all and take no responsibility for its flaws and misbehaviors. Or is their advertising actually content-free?
I think my comment was probably a bit too general, yes I agree if theres a wide gaping whole then the development company should be responsible. However if the company has taken appropriate procaution given the sensitivity of the data stored then they shouldn't be prosecuted just because a rather persistent criminal managed to gain access.
I think the big problem here is that if a house has big flaws its pretty obvious early on (if its missing windows, doors etc) however with software its not obvious to the users how risky it might be to use.
All developers should quit and start shelf stacking/farming anything but computers
and we then need to assign the role of development to the house of lords and UK GOV
once it goes wrong we need to charge them with their own stoopidness
Anyone wanna run s/w written by brown and co hehehehehehehehehheeh
Banks are ignoring to exploit better system to combat fraud crimes
Fraud crimes will get worse until banks make signature and PIN systems reliable as proposed on website www.xwave.co.uk
Why would anyone get tempted to do identity fraud when they know that their signature personalised with their ID sticker will expose their identity? Current signature system does not even expose person's gender and so boosts identity fraud. Only this system will deter use of fake documents.
Why would anyone get tempted to use stolen or skimmed cards when they know that they will not be able to activate the transaction without new security code which will change to a new value after every transaction?
This system will also eliminate the need for us to protect our personal an card details since fraudsters will not be tempted to misuse these stolen details.
Organisations would make their customers personalise signatures by letting them use mobile phone size device which will capture image and activate printer to print their ID sticker virtually instantly.
Proposed system will deter virtually all fraud crimes including those Chip and PIN, data protection and even biometric ID cards will not deter.
This KEY and PIN system could be treated like international ID card since it will personalise signature and PIN to the right individual in any country in the world.
To protect the public and entire business industry from becoming victims of fraud government and banks should act now and exploit proposed system before it is too late to stop a fraud crunch which will be far worse than credit crunch.
Let them do the development
I like that approach, good idea.
But instead of just doing anything else, use your development skills to build your own systems in a business you have an interest in.
You should be able to out perform any other business, most of business is full of slackers, and sub job's worths.
If we all did it, then the country would be development lead and owned in perhaps only a few years. We could band together and block off shoring, but frankly the drivel that lot produce is probably more detrimental in usage then it is of benefit.
House of Turds?
Oh, sorry, my mistake.
What the hell?
Half the comments on an article on internet security are mindless Windows bashing. How about holding Apple responsible for taking way longer than everyone else to patch their DNS flaws? Or ignoring researchers who point out flaws with the iPhone's security model?
- Boffins attempt to prove the UNIVERSE IS JUST A HOLOGRAM
- Review Reg man looks through a Glass, darkly: Google's toy ploy or killer tech specs?
- MEN WANTED to satisfy town full of yearning BRAZILIAN HOTNESS
- +Comment 'Stop dissing Google or quit': OK, I quit, says Code Club co-founder
- Apple tried to get a ban on Galaxy, judge said: NO, NO, NO