SoylentNews is people

posted by mrpg on Sunday March 25 2018, @03:37AM
from the conversation++ dept.

Bunnie Huang, hardware hacker, wrote a brief article about transparency versus liability in the context of open hardware. He covers some of the tradeoffs without going into depth.

[...] Should a buggy library you develop be used in a home automation appliance that later causes a house to catch fire, you get to walk away scot-free, thanks to the expansive limited-liability clauses that are baked into every open source software licence.

Unfortunately, hardware makers don't get to enjoy that same luxury. Beyond guaranteeing a product free from workmanship or material defects, consumer protection law often requires an implied or express 'fitness for purpose' guarantee – that a piece of hardware is capable of doing what it's advertised to do. The latest controversy over Spectre/Meltdown indicates that more people than not feel CPU makers like Intel should be liable for these bugs, under the 'fitness for purpose' theory.

Open hardware makers should be deeply concerned. [...]

At BlackHat 2014, Dan was more specific regarding software and raised, with Poul-Henning Kamp, the idea that normal liability laws should also apply to software. But with that liability in place, exemptions should be available if vendors supply complete and buildable source code along with a license that allows disabling any functionality or code that the licensee decides against. Poul-Henning has called for a long time for changes to liability laws for software.


This discussion has been archived. No new comments can be posted.
  • (Score: 2) by captain normal on Sunday March 25 2018, @05:40AM (12 children)

    by captain normal (2205) on Sunday March 25 2018, @05:40AM (#657804)

    Are Bunnie Huang and Dan Geer in bed with the insurance mob? What happened to "caveat emptor"? If you are gullible enough to let someone install untested hardware with software only proven in a lab environment, a big life lesson is inevitable.

    --
    "Everyone is entitled to his own opinion, but not to his own facts" --Daniel Patrick Moynihan--
  • (Score: 5, Interesting) by canopic jug on Sunday March 25 2018, @06:29AM (1 child)

    by canopic jug (3949) on Sunday March 25 2018, @06:29AM (#657812)

    > If you are gullible enough to let someone install untested hardware with software only proven in a lab environment, a big life lesson is inevitable.

    Or your choices have been limited to only what is commercially available on the market nowadays. Look at the sad state of phones. Nearly all electronic devices these days, from cars to televisions to implanted medical devices, fall into the category of barely tested or severely undertested. Of the three links shown in the summary, the one that answers your questions best would be the third one from Poul-Henning Kamp since it is the one that Dan Geer is citing.

    Yes, opening the source code for all hardware devices would upend the industry as we know it, but that is badly needed and long overdue as we've seen with the ancient, but recently announced, x86 CPU bugs. The same benefits, with similar initial disruption, would apply to opening hardware and microcode as to system code. The cycles are slower and things are less flexible but the cat is out of the bag. The world is looking for and exploiting hardware bugs. Currently about the only ones outside of the manufacturers themselves to have access to the hardware details are criminals.

    Simply put, current rules and laws are steering industry in a direction that produces more and more danger and harm. It is necessary to change course and that is done by changing the rules and laws.

    --
    Money is not free speech. Elections should not be auctions.
    • (Score: 2) by c0lo on Sunday March 25 2018, @11:00AM

      by c0lo (156) on Sunday March 25 2018, @11:00AM (#657852)

      > Simply put, current rules and laws are steering industry in a direction that produces more and more danger and harm.

      But... they have criminalized hacking already, you should be safe from harm now. No?

      (grin)

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
  • (Score: 3, Insightful) by Runaway1956 on Sunday March 25 2018, @06:31AM (8 children)

    by Runaway1956 (2926) on Sunday March 25 2018, @06:31AM (#657813)

    Alright, so, what do you consider to be "tested", or proven code? Do you consider Windows 10 to be proven? That means Windows is "safe", for all purposes, right? It can't crash, can't just freeze up, can't do unexpected crap in even the craziest situations.

    I'm not real sure that I agree with all of what Huang and Geer want, but they are on the right track. Software writers should have some liability. That liability should be greater, when the software is closed source, and no one outside of the writer can examine the code for bugs. Opening the source up, and thereby inviting outsiders to examine the code for bugs, should lessen that liability. The basic idea sounds great - but the implementation can easily be made to suck.

    • (Score: 0) by Anonymous Coward on Sunday March 25 2018, @08:48AM (6 children)

      by Anonymous Coward on Sunday March 25 2018, @08:48AM (#657839)

      > I'm not real sure that I agree with all of what Huang and Geer want, but they are on the right track. Software writers should have some liability.

      Say bye-bye to your free Linux distro of choice after a lawsuit or two.

      • (Score: 2) by pkrasimirov on Sunday March 25 2018, @09:26AM (1 child)

        by pkrasimirov (3358) on Sunday March 25 2018, @09:26AM (#657842)

        And that's the thing: the existing Linux distros will be replaced with better tested ones and fit for specific purposes. Same for Windows and MacOS except there will be nobody to rejuvenate them because they are proprietary code, nobody will have it.

        • (Score: 1, Informative) by Anonymous Coward on Sunday March 25 2018, @11:46AM

          by Anonymous Coward on Sunday March 25 2018, @11:46AM (#657865)

          >And that's the thing: the existing Linux distros will be replaced with better tested ones and fit for specific purposes.

          No, stupid. The existing free stuff will be replaced by whatever the rich megacorps with throngs of lawyers deign to offer, and at whatever prices the now-monopolized market will bear. While as for all "liability", they have their forced arbitration clauses for that, and resources to drag you through courts till you bankrupt yourself.

      • (Score: 3, Informative) by Runaway1956 on Sunday March 25 2018, @10:04AM (3 children)

        by Runaway1956 (2926) on Sunday March 25 2018, @10:04AM (#657845)

        You may have missed the bit in TFS and TFA about an exemption for open source. But, even if open source doesn't get an exemption, open source is still in a much better position than your closed source proprietary code. See, with many or most open source projects, any responsibility is shared among many different people, companies, and organizations. With closed source, only one entity has access to the code - therefore, that one entity MUST bear all responsibility.

        This can all be summed up as, "If you want all the rewards, then you bear all responsibility." And, the obverse, "If you don't want the responsibility, then share the rewards."

        Assuming, for a moment, that the ultimate objective of technology, research, science, capitalism, or any other aspect of our civilization, is to improve mankind's existence, then our current "intellectual property" law is well and truly fucked up.

        We need to get back to the basics of our original copyright and patent laws. "If there is a profit to be made with an idea, then the author should get some of that profit." Key word is "IF". Maybe ideas are worthy of zero profit. IF that idea is worthy of being profitable, then the author gets some of that profit. That profitability must be time limited, to the tune of fifteen or twenty years.

        IP should simply NOT be what the corporations want it to be.

        • (Score: 2) by choose another one on Sunday March 25 2018, @04:32PM (2 children)

          by choose another one (515) on Sunday March 25 2018, @04:32PM (#657968)

          > With closed source, only one entity has access to the code - therefore, that one entity MUST bear all responsibility.

          I have worked on closed source projects (in fact, probably the vast majority of those I have worked on) where part or all of the code (in source form, binary component sharing is even more common) was shared between entities, sometimes many entities. Access to the code, and control, is controlled by contracts which often have strict conditions and penalties for breach, just as the performance of the code may also have to meet conditions. Access may be for regulatory approval, security audit in addition to use in other products by other parties, multiple parties may have modification rights.

          Just because _you_ don't have access to the code, or have limited or no rights, does not mean that others (even many others) don't have access.

          > This can all be summed up as, "If you want all the rewards, then you bear all responsibility." And, the obverse, "If you don't want the responsibility, then share the rewards."

          That would be a major change from the way liability laws currently work, certainly where I am.

          Companies would not be liable if there was no profit (reward) in a product? That can be arranged, and hence liability avoided, at will.

          You aren't responsible for the consequences of work you do for free? Nope, you "fix" your neighbour's gas for free you better do it right, you absolutely are liable if you screw up and blow their house up.

          Responsibility generally goes with _control_ not with reward - or more correctly you cannot usually be held responsible for things you do not control. There is natural justice in that too. Unfortunately that is also where major problems arise, as in many places consumer protection laws (because the average consumer is an idiot, and half of them are stupider than that) prevent you passing liability on to end users, and contractually you may be bound not to do that as well. This means you _cannot_ use some forms of open source as they require control to be passed to the end user as a condition of using the code, something you are legally and/or contractually bound not to do - the GPL does this since rms had his Vader moment. So extending liability so it's like hardware isn't all good news for open source, exemptions or not.

          • (Score: 2) by Runaway1956 on Sunday March 25 2018, @05:02PM

            by Runaway1956 (2926) on Sunday March 25 2018, @05:02PM (#657977)

            You seem to have missed the bottom line here, which is, the bottom line. When you write code, it is for profit. Someone is going to put money in the bank when that closed source code is tested and released. Investors are expecting return on their investment - profit.

            And, all of us commoners are excluded from sharing either the code or the profit.

            Control does infer responsibility, but the expectation of profit also infers responsibility. Have you ever noticed that you can drive your personal car, legally, with just several thousands of dollars worth of insurance, or "financial responsibility", but commercial vehicles carry a minimum of a million dollars worth of insurance? Profit.

            As for the neighbor with a gas leak - you're partly right. If I'm "helping" him, he retains responsibility for his gas lines. If, however, I volunteer to fix his problems, then I've assumed some part of his responsibility. And, finally, if I accept pay for fixing his problems, I've assumed all the responsibility for those problems.

            Do you get paid for the code you write? Does your employer get paid for the use of that code? Professionals and amateurs live in entirely different worlds, despite your attempt to blur that fact.

          • (Score: 0) by Anonymous Coward on Monday March 26 2018, @05:36PM

            by Anonymous Coward on Monday March 26 2018, @05:36PM (#658549)

            > I have worked on closed source projects

            dirty skank.

            > This means you _cannot_ use some forms of open source as they require control to be passed to the end user as a condition of using the code, something you are legally and/or contractually bound not to do - the GPL does this

            oh, you poor, poor sell out!

            > since rms had his Vader moment

            what a bastard! Thinking he can provide an alternative future where humans keep/gain their freedom from slavetraders like you.

    • (Score: 0) by Anonymous Coward on Monday March 26 2018, @07:14AM

      by Anonymous Coward on Monday March 26 2018, @07:14AM (#658269)

      I've seen lots of articles about how Microsoft got rid of their testing teams when they developed Windows 10. That's why the whole telemetry disaster came to be in the first place. All Windows 10 users are beta testers, and telemetry automatically uploads test results to Microsoft servers.

      As such, Windows 10 should be viewed as less tested than previous Microsoft products such as Vista and Windows ME.

  • (Score: 2) by urza9814 on Tuesday March 27 2018, @01:50AM

    by urza9814 (3954) on Tuesday March 27 2018, @01:50AM (#658746)

    > Are Bunnie Huang and Dan Geer in bed with the insurance mob? What happened to "caveat emptor"? If you are gullible enough to let someone install untested hardware with software only proven in a lab environment, a big life lesson is inevitable.

    Well, in general I'd agree with you, with the corollary that this means open source software should be deployed much more widely. But that's not the way most people do business these days.

    If it's not open source, it's hard to even test it. Does this function call do something if it detects it is running on a Monday? I can't tell, so I'd have to test that. Does it do something different if it is run with a timestamp ending in "2" (I know of commercial software that does) -- I can't tell, gotta test that. Does it do something different if the serial number of the processor on the system where it is running changes? Gotta test that too. If you don't have the source code, there's a million ways to hide bugs or malware that no sane amount of testing would uncover. You cannot test every possible case. Decompiling or other sorts of analysis might be able to detect syscalls that would trigger some of these...but that may also violate your license, and they could probably sneak something past that kind of analysis anyway.

    But if you've got the source, you can actually check the code and see if it's checking the date at all, and if not you can exclude that whole class of tests. If you read the code, you can know what you actually need to test. And if everyone can read the code, then you gain additional confidence from other people checking the code and making sure that it actually does make some logical sense, and therefore your test cases should as well.

    If you can't view the code, you cannot possibly test everything, so you have to get your guarantees by contract. And if you let the vendor write a contract that says they aren't liable for any damages (or if you just buy a copy/license and accept the default terms with such a clause) then you can't give any guarantees for your software either. And in some cases, you are legally required to give such a guarantee. Unfortunately, those are rarely enforced, especially in cases where another vendor is at fault.

    Unfortunately, the IT industry as a whole is infected with a nasty little virus that I see spreading all over the damn place -- the idea that a company is not responsible for the actions of their contractors. And unfortunately, most of the general public seems to accept that line without challenge. So some company screws up, you complain, they tell you that they can't do anything because that particular part of their business is handled by a contractor. So, you contact the contractor, and they don't give a damn because you aren't the one paying them. Assuming you can find their contact info at all -- usually it's pretty well hidden. And usually they don't reply at all. And most people get bounced around a few times and give up. Only way to win that one is with legal action, and you can't do that unless you can prove a certain threshold of monetary damages...and possibly pay for an attorney.