Hacker News new | ask | show | jobs
by sunshine-o 396 days ago
Yes so the problem is this is not about random f-up, the CRA is full of buzzwords concepts like "Cyber security by design", "Cyber security by default" "according to risks" which will be evaluated by the courts if you end up there.

Every software you provide have to be secure and if not you are liable for damage. So this is not just a random f-up, and we know how hard security really is in practice.

I also know that when you are a provider of a software most vulnerabilities and risks are usually requested/created by the client who usually exercise pressure on you (especially if you are a small actor). It is often done in a sneaky manner, putting the provider in an impossible situation. You will need to document this the best you can because now you are liable big time.

EDIT: What I mean is I understand they did that to force big manufacturers of IoT device to care more about security. But if you are now a small provider setting up some customized software you fall under the same rules.
2 comments
immibis 396 days ago
So in other words if you provide someone software and it sets their business on fire, you're liable to repay the value of the business you set on fire. Yes, this is how all business relations work. If I sell someone a mango that sets their business on fire I'm liable for that too. Not unique to software. No difference if it's a mango full of genetically modified bacteria that spontaneously combust after a certain time passes, or a server that sends network signals to turn the heating up to 1000 degrees. And in both cases the solution is don't do that.

So I want to know what specific risks you're worried about that are not present in literally 100% of business interactions. Or do you expect software to be exempt from the general principles of liability?

link
sunshine-o 395 days ago
> Or do you expect software to be exempt from the general principles of liability?

Yes.

Have you read the EULA of most of the software you use ?

Any of the open source licenses ?

And this is why the computer world is almost the only thing that really progressed in the last decades.

Because we could take that risk because in most cases nobody was gonna die (medical devices or the ABS in your car are a separate category with other rules).

You do not realize how free from regulations computers have been and this is why you are on HN and probably work in this industry.

We ended up with a fairly acceptable ecosystem where you can either keep your ISP provided router, buy a very suspicious one on Aliexpress, or Nitrokey, Turris (both EU companies) or one with OpenBSD.

Bad regulations will make the last 3 options disappear. That is the sad reality.

link
immibis 395 days ago
> > Or do you expect software to be exempt from the general principles of liability? Yes.

> Have you read the EULA of most of the software you use ?

> Any of the open source licenses ?

Yeah, copyright licenses don't override the law. They only provide permission under copyright law. Nothing to do with liability. Liability disclaimers are put there because it's somewhere you're supposed to have read, but they're not actually do to with copyright and they only work because the law says it's okay to provide products without liability.

Now the law says it's NOT okay to provide products without any liability unless they're free. You may or may not still be able to negotiate liability individually as part of your contract negotiations, not sure.

If I sell a mango full of giant flesh eating fly larvae I'm liable. Even if I put a warning on the box saying I'm not liable for anything. Now, if I wrote on the box in big letters that there's a chance this mango could be full of giant flesh eating fly larvae, that has some chance of holding up in court. (let's ignore that fruits aren't sold in boxes)

If I sell you some software that's easily remotely hacked and I say on the box: not liable for anything, it won't stand. If I say prominently: warning: this software is known to be highly insecure and should never be connected to the internet, and you connect it to the Internet and get hacked, I'm pretty likely to avoid liability for that. You know these cases are judged individually on their merits, right? The judge will ask you in full seriousness: why didn't you obey the bright red warning on the front of the box? Are you completely illiterate?

> We ended up with a fairly acceptable ecosystem where you can either keep your ISP provided router, buy a very suspicious one on Aliexpress, or Nitrokey, Turris (both EU companies) or one with OpenBSD.

If you import a foreign good you're liable for any consequences of it not following regulations - obviously the exporter doesn't have to because they're in a foreign country, so the buck stops with you. You'll still have that option.

Same with open source thanks to the carve out. If you use OpenBSD, they're exempted from the regulation because they're volunteers. Buck stops with you.

Are you telling me that Nitrokey and Turris can't make secure products?

---

I also have to wonder if you actually know what liability is. Liability means that when there's an accident, like a building collapses, or Facebook is offline for three hours, the case may go to a judge (and/or jury) who has to decide who pays the resulting financial losses. Which is basically the same as asking whose fault it was or whose problem it is to clean up.

There are general purpose rules for this which are not exclusive to software. I am not a lawyer and this is not legal advice but here are some examples: if a dam collapses because the concrete was of poor quality, it's the concrete company's fault. If the concrete was of the requested quality but it needed to be better, it's the engineer's fault for choosing the wrong concrete. If it collapses because they bought screws from the hardware store and they were a little weaker than specified, it may be the maker's fault but the liability is probably going to be on the builders or engineers for relying on a cheap part without testing it. If they paid the screw maker a lot of money to make screws specifically for the dam with specific characteristics, then the screw maker can be liable.

If Facebook is down for three hours because they used MongoDB open source for free, it's Facebook's fault, period, because of the carve out. If MongoDB worked as expected but it was the wrong choice for Facebook, it's Facebook's fault for choosing it. If Facebook is down because of a Cisco router crashed, it depends: some failure rate is normal in computer equipment (unlike concrete) but if it's excessive than Cisco may be held partially liable (Facebook still should've had redundancy). If Facebook is down because they made their entire company dependent on a single fritz!box home router, and that crashed, even if the crash is the router maker's fault, Facebook is still liable because they should have tested it and because they should have had redundancy in place. If they pay Cisco for a specific order that Cisco knows is going to be in a critical position at Facebook without redundancy, Cisco might be liable (this should be specified in their individually negotiated contract).

And the cyber security one: If Cloudflare gets taken offline by a botnet of Cisco routers, Cisco is almost certainly liable, and has to pay for all of Cloudflare's business losses, maybe unless security warnings weren't followed (e.g. management interface shouldn't be connected to the internet) or unless Cloudflare should have been able to handle the amount of traffic. If it's by fritz!boxes (home routers) the bar will be even higher for fritz - these must be secure in their default configuration when installed by an inexperienced user, though expert features behind a warning should have the same standard as Cisco.

And if your commercial software takes down Cloudflare, yes, you have to pay for Cloudflare's lost money - probably making you bankrupt - and rightfully so. Why do you think someone who shoots a gun in the air and hits an unmanned plane and crashes it should have to pay for the plane, but someone who does the equivalent on the Internet shouldn't? Which is why you shouldn't shoot guns randomly at planes and you shouldn't make software that takes down Cloudflare. You still haven't told me if this is a specific risk you're concerned about.

link
jart 395 days ago
What if I'm Mikrotik, a tiny company in Eastern Europe, and I sell a switch to mighty Google that causes google.com to go down. Am I liable for Google's losses? What about Google's users losses?
link
immibis 395 days ago
It's the same question as "What if I'm Sun Orchard Apples and I accidentally sell a rotten one to Elon Musk and he eats it and dies?"
link
jart 393 days ago
You become responsible for billions of lost wealth and go bankrupt? It sounds like the lesson here is to never sell anything to anyone bigger than you.
link
jart 395 days ago
Open source software is unsecure. It's neither secure or insecure. Securing something means implementing policies like SSO and ACLs. That's not open source's job. Open source gives you a tool and it's your responsibility to secure the thing. It's not the responsibility of open source developers. It can't be. What they strive to do is to not ship something that's known to be insecure.
link