by felixrieseberg 1596 days ago
Before you pick up pitchforks, it's important to understand that this has been requested by the reputable Chaos Computer Club for years.

It's targeted at commercial proprietary software with disclosed and unfixed vulnerabilities. In other words, if you're knowingly selling software that materially harms your users, you're on the hook.

As an example: You're buying "Foo Professional" from MegaCorp. It contains an insecure version of Log4j. You're paying MegaCorp $500,000 per year for license fees. MegaCorp refuses to patch the used version of Log4j. With this proposal, you now have a legal basis for arguing that you _deserve_ a fixed version of "Foo Professional" unless MegaCorp told you clearly by which date "Foo Professional" expired.

I think that's a sensible way to think about it.


Yes, the CCC also mentions router hardware quite a lot. You buy a 20€ wifi router from Mediamarkt or something, and the CCC says it should come with a label stating until which date the router will get updates, because the consumer has no idea they're buying stuff that'll never see another update because the manufacturer has already built two newer units.

In one podcast I heard them compare it to software in cars, where if there is, for example, an encoding error so all Bluetooth connections are reduced to a low bitrate, they won't fix it until the next version of the car is released.

Fully behind it. Even a little corner shop is liable for what they produce; why should software companies be special snowflakes?

If this kind of regulation is the only way to make security part of the development process and chosen tooling and not an afterthought, so be it.

Because you aren't paying for that level of software. NASA paid $1,000 per line of code for the shuttle's avionics software[1] to get it as bug-free as possible. If you want that level of perfection, then you won't be getting current commercial software prices.

1) https://history.nasa.gov/sts1/pages/computer.html

This proposal doesn't demand preemptively bug-free software, it demands that commercial software fix identified security issues within a reasonable timeframe, and establish a defined support window in which it will be expected to do so.

This is exactly the proposal that comes up every time HN discusses things like routers and IoT, which are frequently abandoned without updates despite critical known security issues. Well, now you know when you buy it that "updates will be provided through 2024". If the vendor fails to provide support through that date, the customers will have a claim against the vendor (i.e. it's not a situation of government enforcement, it's between you the customer and the vendor).

And again, the problem is, this is a tragedy of the commons situation. Bad actors who don't provide security updates provide fodder for botnets to attack the rest of us. At some point it becomes necessary to address that, and the way you do that is a measure like this one, to transfer liability to corporations who are "dumping waste" to avoid the cost of proper "software handling".

(also, the easy answer is - open source your software and it won't be an issue! that hypothetical router that a company now has to provide with security updates? just release your router with official DD-WRT/OpenWrt/Tomato support and 95% of your workload goes away.)

The CCC is in favor, and they're not exactly computer-illiterate nobodies, or against innovation in software. Something really has to be done about software quality, or the Internet Of Shit is going to ruin the internet for good.

This doesn't seem to cover novel attacks, just applying basic security patches for a stated lifetime. If that lifetime is "six months" then you have to state that.

If that means we can't buy insecure IoT lightbulbs with no TLS, no authentication and no SHA checking for under $10, I guess we'll just have to live with it.

Plain FUD. Every kind of business is subject to liability, no matter the size, and they manage to keep the doors open, including the junk food joint down the street corner.

Lack of incentive contributes a great deal to lack of quality. If the company knows they are going to lose money if they are careless, they'll be less careless. Way too many bugs and security vulnerabilities are consequences of nothing but carelessness and companies thinking they can't be held accountable for anything.

All software has bugs, and some of those bugs will necessarily lead to security issues. The German government can't investigate every product out there, so this will either be a reactionary-only measure that does nothing but cause organizations to simply try and hide what they are doing from the German government, or, more chillingly, it becomes selectively enforced to punish the politically unpopular and reward the politically favored.
Note that this is only about known and disclosed security vulnerabilities.

It will not be enforced by an overworked regulatory body, but by customers suing software companies.

No reason for the government to investigate proactively (as long as the government was not affected).

The same thing applies to surprise visits from regulatory authorities to all kinds of business; nothing special about software shops.

That's exactly what was said about the GDPR... and no one will deny that the GDPR was effective in forcing the industry to adhere to at least some common sense standards.

And yes, part of both the GDPR and the CCC proposal is effectively weeding out those whose business model is solely to undercut legitimate competition by putting their customers at risk of losing control of their data, or of wasting money on products that are effectively a danger to their data, sometimes not even a year after they were bought (looking at you here, cheap-ass Android phones).

> and no one will deny that the GDPR was not effective in forcing the industry to adhere to at least some common sense standards.

I suspect that this is intended to be a single rather than double negative, or did you mean to assert that GDPR was universally recognized as a complete failure at limiting bad behavior?

Or, software sold in Germany will cost $X more, where X is the actuarial cost needed to offset the liability risk.

Seems like the way to handle that is through the civil court system though?