Last Wednesday I attended Professor Eben Moglen’s lecture in Edinburgh, he is presenting here for the second time in two years. Here are some notes. (Full lecture here).
Defining the problem: Software is everywhere, it’s in cars, hospitals, in buildings, and in all other sort of devices. “There is software in the things that power people’s hearts”, there are no requirements on the type of software that goes into those devices. Software powers airplanes, and software fails. All of these software solutions sometimes fail because the software has been acquired from providers with indemnities, or acquire it unlawfully. Providers do not have requirements to disclose the provenance of a piece of software.
If software has clashes in the system in an airplane, it is difficult to determine how it was acquired, or what incompatibility may have caused the failure. We allocate more resources to areas that are less important than software-related activities, which may create some liability nightmares. Moglen said “Liability nightmares may be good things for some people in the audience”. However, these are serious subjects where software security may be a matter of life and death, so why the lack of oversight?
Another example are potential issues with software that powers financial markets. In financial markets there have been all sorts of strange goings-ons with software, yet manufacturers do not have the ability of declaring the software provenance, and potential incompatibilities.
Linus’ Law “with enough eyeballs all bugs become shallow”. This is one of the most important aspects that make free software secure. Peer review and peer examnation of code produce more resilient software. We need civil society to stop failures the likes proprietary software may be causing. “We need inspectable and examinable materials in the building blocks of our architectures”
Europe does not allow free software in medical devices. Violating GPL is bad form from practical and moral reasons. There is controversy with regards to the security differences between Free Software and proprietary software in the same way that there is controversy about the way that supposedly some people mistakenly press accelerators when they want to press the break.
Questions: Person asks why open licences are not more open to discussion, she clearly does not know the drafting process of the GPL v3.
My take: Professor Moglen was clear that this is a topic in its earliest stages of development, and it shows that it is a work in progress. I agree that free software is more secure, and that we should perhaps encourage it more in situations where lives matter.
1 Comment
Lilian Edwards · July 4, 2010 at 1:12 pm
Hmm. You see this is all terribly familiar (cf "back in the 80s", passim) – when I was building expert systems in the mid 80s there was a similar concern that the extent of liability for complicated software that interacted with other software producing unpredictable bugs and controlled lots of "stuff" was unquantified (your "liability nightmare"), or alternately, that there was not enough control to incentivise security in such products – in fact you can find a fine discussion of tye law on it in the Susskind text on the Latent Damage System c 1987? .. but the reality is, in UK/EC at least, there seem to have been very few major lawsuits about it or even notoriously expensive settled cases. It would in fact be really interesting in fact to go round actually software vendors of various sizes asking them how they feel about this, but the reality seems to be they do succesfully rely on, or think they can rely on, having those exclusion clauses, even if we know a court could declare them null at least in B2C environment. No reason why "provenance" or "incompatibility " should make any difference to this basic analysis from all other types of software bugs, whether you think about contract or tort (the more difficult area) (altho it does make me wonder what exclusions from liability you're allowed to put into a CC license? pretty big disincentive to use em (as creator/writer) if the answer is none..)
My other question is for a ref to the assertion that "Europe (EC?) won't use free software in medical devices". It just strikes me as terribly unlikely EC would have been clued up or motivated enough to have got around to banning them!