Velocity Reviews - Computer Hardware Reviews

Re: Truecrypt 4.1

 
 
Borked Pseudo Mailed
Guest
Posts: n/a
 
      11-27-2005
nemo_outis wrote:

> Borked Pseudo Mailed <(E-Mail Removed)> wrote in
> news:(E-Mail Removed) d.net:
>
> ...
>>> You seem to have a strange sense of entitlement. The authors of a free
>>> program have exactly ZERO duty or responsibility - least of all to you,
>>> a whining parasite!

>>
>> The price one charges for a product and their liability and
>> responsibility for that product are NOT synonymous nemo. Sorry. If it
>> doesn't work as advertised they're liable for any damages it might
>> cause, and that has nothing at all to do with how much money they make
>> off it.
>>
>> In the case of TrueCrypt they're offering software that allegedly
>> secures data. If there's some flaw that makes this software insecure and
>> they DON'T make an acceptable effort to fix that flaw they're negligent.
>> Again, no matter what they're charging for the product.
>>
>> This is the cross ALL software authors must bear. If you don't want to
>> play the game, stay home.
>>
>>

>
> Nope, not so. If you're interested in legal folderol you might wish to
> read the Truecrypt Licence, and, more particularly, Section IV, Disclaimer
> of Warranties and Liabilities.


No disclaimer in the world will cover your tail if you're negligent.
You're simply wrong. I know you like the software and the people who write
it, I do too, but don't let that cloud your judgment. If TrueCrypt had not
addressed their problems in a reasonable way and someone lost data or had
something compromised because of the KNOWN flaw in their software they
could and maybe WOULD have been legally responsible.

This is very basic business law. You can not disclaim away the
responsibilities normal people would have. Disclaimers do not relieve you
of those responsibilities.

>
> As a more practical matter, the authors are unknown, and this would make
> pursuing a claim more than a little difficult. (I speculate that they're
> also likely impecunious, too


John Doe warrants are pretty common these days. Ask anyone who works for
RIAA or around the DMCA. Someone somewhere knows who they are, or has an
account of theirs with a credit card or bank number. Damages might be
collected even without knowing exactly who you're collecting from. At the
very least the software could have been removed from reputable download
sites.

>
> As for maintaining that the authors of a freeware program have a duty to
> update it - that is so preposterous as not to deserve further comment.


Fixing basic, functional errors in your programs isn't updating nemo, it's
being responsible. The authors have a right at any time to quit
developing, but they're offering a product that's advertised to do a
certain thing. If it fails because of their negligence they're
responsible. That's just the way the real world works.

>
> Caveat emptor. And all the more so when the "emptor" has paid nothing.
> No, I stand by my statement: no duty and no responsibility. And I say so,
> not just regarding reasonable jurisdictions, but even for the litigious
> lawyer-infested USA.


The entire WORLD is infested with money grubbing lawyers. I don't like it
any more than you. But what we like or dislike is irrelevant. We must deal
with what IS. The current state of "is" means that if you offer a product
no matter what the cost, you are responsible for that product.

Do you think that Ford wouldn't be held responsible for flaws in their
automobiles if for some reason they decided to give them away with a "take
it or leave it" offer? If they did something that caused the brakes to
lock up and someone skidded over a cliff and died?

Sure they would nemo, because that's what normal people are responsible
for. There's a difference between innocent mistakes and just saying
screwit. The TrueCrypt CBC thing was borderline, but since they ARE
maintaining it they have a responsibility to do it properly. The "I don't
owe you anything because I give stuff away" theory is real Utopian and
everything, but it just doesn't hold water in the real world.

 
 
 
 
 
nemo_outis
Guest
Posts: n/a
 
      11-27-2005
Borked Pseudo Mailed <(E-Mail Removed)> wrote in
news:(E-Mail Removed) d.net:



Utopian? Me? Believe me, I'm no dewy-eyed ingenu; I am as worldly-wise
and cynical as they come.


>> Nope, not so. If you're interested in legal folderol you might wish
>> to read the Truecrypt Licence, and, more particularly, Section IV,
>> Disclaimer of Warranties and Liabilities.

>
> No disclaimer in the world will cover your tail if you're negligent.



You're already guilty of begging the question (petitio principii). There
can be no negligence where there is no duty of care - and that remains to
be established.

If you are merely saying that anyone can sue anyone else for any reason -
or, indeed, for no reason - then, yes, you are correct. So conceded and
stipulated. In fact, that is altogether too commonly the case in the US;
in other, less supine, jurisdictions, such lawsuits are summarily
dismissed as "frivolous and vexatious" (which is legalese for "a ****ing
waste of the court's and everybody else's time").

Yes, in most jurisdictions the common law doctrine of "caveat emptor" has
been widely supplanted by statutory provisions, including those for
consumer protection. And the scope of product liability has been
broadened, sometimes to strict or even absolute liability (usually
confined to specific products or industries!). But let's look a little
deeper.

Speaking broadly, there are two bases for which a product liability suit
might be brought against Truecrypt (I say broadly because there are
differences in the law between jurisdictions). Those bases are contract
and tort.

Now here's the crux: there is no basis for a suit in contract since an
essential element of contract, consideration, was absent - the software
was free! With that, whole great chunks of the law, including most
consumer protection laws, become inapplicable. (Not to say a lawyer
might not argue otherwise, but he would find it very hard uphill
sledding.)

So only tort remains.

I'll continue below.


> You're simply wrong. I know you like the software and the people who
> write it, I do too, but don't let that cloud your judgment. If
> TrueCrypt had not addressed their problems in a reasonable way and
> someone lost data or had something compromised because of the KNOWN
> flaw in their software they could and maybe WOULD have been legally
> responsible.
>
> This is very basic business law. You can not disclaim away the
> responsibilities normal people would have. Disclaimers do not relieve
> you of those responsibilities.



While an ingenious lawyer might try any of a number of tacks, a suit in
tort would hinge on "reckless or fraudulent misrepresentation" on which
the user relied. That is going to be astoundingly difficult given the
disclaimers and limitations of liability printed prominently in caps in
the licence.

And further, it is **universally** established that "commercial usage"
for software (unlike, say, automobiles) is that it comes with a
disclaimer, not a warranty. Not even a software user from Pluto could
claim to be unaware of this; the user cannot reasonably claim otherwise.

(Incidentally, Truecrypt has an additional defence layer going for it: it
can claim to be specialized software for sophisticated users, who can
reasonably be expected to use far greater levels of due diligence to
ensure such specialized software is suitable for their purposes. But I
digress...)


>> As a more practical matter, the authors are unknown, and this would
>> make pursuing a claim more than a little difficult. (I speculate
>> that they're also likely impecunious, too

>
> John Doe warrants are pretty common these days. Ask anyone who works
> for RIAA or around the DMCA. Someone somewhere knows who they are, or
> has an account of theirs with a credit card or bank number. Damages
> might be collected even without knowing exactly who you're collecting
> from. At the very least the software could have been removed from
> reputable download sites.



Even if I squint and stand on one leg, I can conceive of nothing stronger
than a civil suit being brought for any alleged deficiencies in
Truecrypt. Accordingly, all talk of warrants and such is bullshit. No,
we are talking ordinary civil service for an ordinary civil suit. And no
litigation lawyer worth his salt - even the bottom-feeding ones who work
on a contingency basis - will do much unless there is a clear path to a
defendant with deep pockets. That absent, the case (especially such a
weak and tenuous one) would wither on the vine.

As for suppressing the software's availability? Gimme a break! The RIAA
and such, despite their massive lobbying efforts to buy legislators and
laws, have been tilting at windmills trying to suppress software. Don't
say such silly things - it undermines your credibility. You can't really
think that a user could get such an injunction. At worst Truecrypt would
relocate from sourceforge. (Even if Truecrypt lost a suit - which itself
strains credulity - it is most unlikely it would have to do anything
other than modify its representations and licence.)


>> As for maintaining that the authors of a freeware program have a duty
>> to update it - that is so preposterous as not to deserve further
>> comment.

>
> Fixing basic, functional errors in your programs isn't updating nemo,
> it's being responsible. The authors have a right at any time to quit
> developing, but they're offering a product that's advertised to do a
> certain thing. If it fails because of their negligence they're
> responsible. That's just the way the real world works.



Responsible? Responsible to whom for what? Using what theory of law?

You continue to beg the question. The standard of care required in the
circumstances of free software is not much higher than not constituting
deliberate malfeasance - a standard easily met by anything other than an
outright virus or trojan.

No, all responsibility for suitability of software to meet the user's
needs falls on the user. That is the universal situation for software,
including software sold commercially. The standard for free software is
many notches lower yet.



>> Caveat emptor. And all the more so when the "emptor" has paid
>> nothing. No, I stand by my statement: no duty and no responsibility.
>> And I say so, not just regarding reasonable jurisdictions, but even
>> for the litigious lawyer-infested USA.

>
> The entire WORLD is infested with money grubbing lawyers. I don't like
> it any more than you. But what we like or dislike is irrelevant. We
> must deal with what IS. The current state of "is" means that if you
> offer a product no matter what the cost, you are responsible for that
> product.



Of course the world is filled with money-grubbing lawyers. And sometimes
even I use them! But suing Truecrypt for failing to update their
product? I'd rather sue the sun for shining too brightly - the chances
are better!

But, hey, I'm willing to be educated. Cite me some instances of
successful suits against free software.


Regards,

 
 
 
 
 
Winged
Guest
Posts: n/a
 
      11-28-2005
Borked Pseudo Mailed wrote:
> nemo_outis wrote:
>
>
>>Borked Pseudo Mailed <(E-Mail Removed)> wrote in
>>news:(E-Mail Removed) ked.net:
>>
>>...
>>
>>>>You seem to have a strange sense of entitlement. The authors of a free
>>>>program have exactly ZERO duty or responsibility - least of all to you,
>>>>a whining parasite!
>>>
>>>The price one charges for a product and their liability and
>>>responsibility for that product are NOT synonymous nemo. Sorry. If it
>>>doesn't work as advertised they're liable for any damages it might
>>>cause, and that has nothing at all to do with how much money they make
>>>off it.
>>>
>>>In the case of TrueCrypt they're offering software that allegedly
>>>secures data. If there's some flaw that makes this software insecure and
>>>they DON'T make an acceptable effort to fix that flaw they're negligent.
>>>Again, no matter what they're charging for the product.
>>>
>>>This is the cross ALL software authors must bear. If you don't want to
>>>play the game, stay home.
>>>
>>>

>>
>>Nope, not so. If you're interested in legal folderol you might wish to
>>read the Truecrypt Licence, and, more particularly, Section IV, Disclaimer
>>of Warranties and Liabilities.

>
>
> No disclaimer in the world will cover your tail if you're negligent.
> You're simply wrong. I know you like the software and the people who write
> it, I do too, but don't let that cloud your judgment. If TrueCrypt had not
> addressed their problems in a reasonable way and someone lost data or had
> something compromised because of the KNOWN flaw in their software they
> could and maybe WOULD have been legally responsible.
>
> This is very basic business law. You can not disclaim away the
> responsibilities normal people would have. Disclaimers do not relieve you
> of those responsibilities.
>
>
>>As a more practical matter, the authors are unknown, and this would make
>>pursuing a claim more than a little difficult. (I speculate that they're
>>also likely impecunious, too

>
>
> John Doe warrants are pretty common these days. Ask anyone who works for
> RIAA or around the DMCA. Someone somewhere knows who they are, or has an
> account of theirs with a credit card or bank number. Damages might be
> collected even without knowing exactly who you're collecting from. At the
> very least the software could have been removed from reputable download
> sites.
>
>
>>As for maintaining that the authors of a freeware program have a duty to
>>update it - that is so preposterous as not to deserve further comment.

>
>
> Fixing basic, functional errors in your programs isn't updating nemo, it's
> being responsible. The authors have a right at any time to quit
> developing, but they're offering a product that's advertised to do a
> certain thing. If it fails because of their negligence they're
> responsible. That's just the way the real world works.
>
>
>>Caveat emptor. And all the more so when the "emptor" has paid nothing.
>>No, I stand by my statement: no duty and no responsibility. And I say so,
>>not just regarding reasonable jurisdictions, but even for the litigious
>>lawyer-infested USA.

>
>
> The entire WORLD is infested with money grubbing lawyers. I don't like it
> any more than you. But what we like or dislike is irrelevant. We must deal
> with what IS. The current state of "is" means that if you offer a product
> no matter what the cost, you are responsible for that product.
>
> Do you think that Ford wouldn't be held responsible for flaws in their
> automobiles if for some reason they decided to give them away with a "take
> it or leave it" offer? If they did something that caused the brakes to
> lock up and someone skidded over a cliff and died?
>
> Sure they would nemo, because that's what normal people are responsible
> for. There's a difference between innocent mistakes and just saying
> screwit. The TrueCrypt CBC thing was borderline, but since they ARE
> maintaining it they have a responsibility to do it properly. The "I don't
> owe you anything because I give stuff away" theory is real Utopian and
> everything, but it just doesn't hold water in the real world.
>

Ford would not be responsible if you took the car and they told you they did
not warrant the vehicle from defects and that defects were possible.

Perhaps the laws on freeware software differ somewhere. If you will
notice the Microsoft license (big commercial company with a lot of
money, nice fat target) and they too put in a disclaimer...sue away...
No doubt you can make a case to its insecurity, and you even paid for
that software....

Winged
 
 
nemo_outis
Guest
Posts: n/a
 
      11-28-2005
Winged <(E-Mail Removed)> wrote in
news:7253$438aa3c3$45493f2f$(E-Mail Removed):

.....
> Ford would not be responsible if you took the car and they told you they
> did not warrant the vehicle from defects and that defects were
> possible.
>
> Perhaps the laws on freeware software differ somewhere. If you will
> notice the Microsoft license (big commercial company with a lot of
> money, nice fat target) and they too put in a disclaimer...sue away...
> No doubt you can make a case to its insecurity, and you even paid for
> that software....
>
> Winged



Actually it's considerably more complicated. Let me point out just a few
aspects.

Strict product liability only applies where there is "blood" involved
(i.e., personal injury) - economic loss still falls (in the US) under the
UCC (Uniform Commercial Code). The standard then drops (in tort) to
negligence.

One other key aspect, a very tricky one, is that "product liability" only
applies, reasonably enough, to "products." While there have been moves
in some jurisdictions to try to extend the definition of product to
include software, there are serious legal obstacles, such as that
"products" are tangible goods, and it is highly questionable that
software is tangible. This is particularly true, for instance, in the
case of Truecrypt, where the only mode of distribution is downloading
over the internet. No tangibility ==> no product ==> no product
liability! One whole legal tower then collapses! Even if it doesn't
quite collapse, it is seriously undermined.

Also, for open-source software such as Truecrypt, a number of other legal
principles come to bear. For instance one of the questions in product
liability is the capability of the user to examine the product in detail.
The rationale, for instance, for strict product liability, is based on
there being an unfair burden placed on the consumer to do the technical
analysis of, say, GM's proprietary closed engineering and production
processes. But with Truecrypt, an open-source program, the user can see
all that the developer sees. Even if a particular user does not have the
technical competence to analyze the program, it is still open to broad
public scrutiny and comment. This goes a very long way to shifting the
burden of assessing suitability for purpose to the consumer, and makes it
much harder to complain about hidden defects. Also, because the program
is free, the consumer can evaluate it in a low-risk situation as long and
as intensely as he wishes - without financial commitment - while he makes
up his own mind on suitability for purpose. If a user rashly and
imprudently does otherwise, it's his ass.

Another legal standard that bears on the split of responsibility between
producer and consumer is the degree of professionalism and commercial
commitment of the producer. To the extent that the producers can assert
they are producing the software as a hobby or public-benefit pursuit and
not as a commercial venture, they further deflect any claim of negligence
on their part. The consumer has constructive notice that the standard of
production and support for the program may well be expected to fall
considerably below commercial standards (pitiful though those are!).

There's lots more, but that gives some idea of how shaky any claim for
product liability against failure to update a free open-source product
would be.

Regards,

PS Now, aside from all the legal mumbo-jumbo, the practical fact, as
things now stand, is that bringing a suit for even grossly buggy
commercial software is very likely to be unsuccessful. At best, maybe,
if you have the tenacity of a bulldog and mountains of money to spend on
lawyers, you might get your purchase price refunded. Whoopee do! To move
beyond this to pushing some claim against free open-source software
hasn't a hope in hell.

 
 
Winged
Guest
Posts: n/a
 
      11-28-2005
nemo_outis wrote:
> Winged <(E-Mail Removed)> wrote in
> news:7253$438aa3c3$45493f2f$(E-Mail Removed):
>
> .....
>
>>Ford would not be responsible if you took the car and they told you they
>>did not warrant the vehicle from defects and that defects were
>>possible.
>>
>>Perhaps the laws on freeware software differ somewhere. If you will
>>notice the Microsoft license (big commercial company with a lot of
>>money, nice fat target) and they too put in a disclaimer...sue away...
>>No doubt you can make a case to its insecurity, and you even paid for
>>that software....
>>
>>Winged

>
>
>
> Actually it's considerably more complicated. Let me point out just a few
> aspects.
>
> Strict product liability only applies where there is "blood" involved
> (i.e., personal injury) - economic loss still falls (in the US) under the
> UCC (Uniform Commercial Code). The standard then drops (in tort) to
> negligence.
>
> One other key aspect, a very tricky one, is that "product liability" only
> applies, reasonably enough, to "products." While there have been moves
> in some jurisdictions to try to extend the definition of product to
> include software, there are serious legal obstacles, such as that
> "products" are tangible goods, and it is highly questionable that
> software is tangible. This is particularly true, for instance, in the
> case of Truecrypt, where the only mode of distribution is downloading
> over the internet. No tangibility ==> no product ==> no product
> liability! One whole legal tower then collapses! Even if it doesn't
> quite collapse, it is seriously undermined.
>
> Also, for open-source software such as Truecrypt, a number of other legal
> principles come to bear. For instance one of the questions in product
> liability is the capability of the user to examine the product in detail.
> The rationale, for instance, for strict product liability, is based on
> there being an unfair burden placed on the consumer to do the technical
> analysis of, say, GM's proprietary closed engineering and production
> processes. But with Truecrypt, an open-source program, the user can see
> all that the developer sees. Even if a particular user does not have the
> technical competence to analyze the program, it is still open to broad
> public scrutiny and comment. This goes a very long way to shifting the
> burden of assessing suitability for purpose to the consumer, and makes it
> much harder to complain about hidden defects. Also, because the program
> is free, the consumer can evaluate it in a low-risk situation as long and
> as intensely as he wishes - without financial commitment - while he makes
> up his own mind on suitability for purpose. If a user rashly and
> imprudently does otherwise, it's his ass.
>
> Another legal standard that bears on the split of responsibility between
> producer and consumer is the degree of professionalism and commercial
> commitment of the producer. To the extent that the producers can assert
> they are producing the software as a hobby or public-benefit pursuit and
> not as a commercial venture, they further deflect any claim of negligence
> on their part. The consumer has constructive notice that the standard of
> production and support for the program may well be expected to fall
> considerably below commercial standards (pitiful though those are!).
>
> There's lots more, but that gives some idea of how shaky any claim for
> product liability against failure to update a free open-source product
> would be.
>
> Regards,
>
> PS Now, aside from all the legal mumbo-jumbo, the practical fact, as
> things now stand, is that bringing a suit for even grossly buggy
> commercial software is very likely to be unsuccessful. At best, maybe,
> if you have the tenacity of a bulldog and mountains of money to spend on
> lawyers, you might get your purchase price refunded. Whoopee do! To move
> beyond this to pushing some claim against free open-source software
> hasn't a hope in hell.
>


You are not getting any argument from me. Success of an ice cube in a
very warm place is higher. I was trying to write to user proposed situ,
and failed. Further, this is one of the few places where the law is
correct.

Winged
 
 
Jeremy
Guest
Posts: n/a
 
      11-28-2005
"nemo_outis" <(E-Mail Removed)> wrote in message



> But suing Truecrypt for failing to update their
> product? I'd rather sue the sun for shining too brightly - the chances
> are better!
>


That remark made my day! Thanks.


 
 
Jeremy
Guest
Posts: n/a
 
      11-28-2005
"Winged" <(E-Mail Removed)> wrote in message news:7253$438aa3c3
>
> Perhaps the laws on freeware software differ somewhere. If you will
> notice the Microsoft license (big commercial company with a lot of money,
> nice fat target) and they too put in a disclaimer...sue away... No doubt
> you can make a case to its insecurity, and you even paid for that
> software....
>


One defense that is often used is to assert that the service provider (in
this case, the authors of TrueCrypt) could not, for the price charged, be
expected to provide a product that is fool-proof.

I once sat on a jury where a woman was suing Ford because her transmission
slipped out of "Park" while she left the engine running and dashed into a
bakery. She came out, found her car slowly rolling backwards toward a wall,
she got in back of her car and tried to "push" it so as to keep it from
hitting the wall, and she sustained injuries when she found that the car was
more powerful than were her efforts to heroically stop it!

When the judge instructed us in the law he made it clear that NO product was
expected to be free of all problems, and that there was a clear distinction
between gross negligence and an occasional malfunction. Also, the
plaintiff's attorney argued that the vehicle's operating manual did not
specifically warn against leaving the vehicle unattended with the engine
running!

We found Ford not to be at fault. The deliberations took no more than 15
minutes.


 
 
Ari Silverstein
Guest
Posts: n/a
 
      11-29-2005
On 27 Nov 2005 22:42:46 GMT, nemo_outis wrote:

>> No disclaimer in the world will cover your tail if you're negligent.

>
>
> You're already guilty of begging the question (petitio principii). There
> can be no negligence where there is no duty of care - and that remains to
> be established.


Perhaps where you live but in the USA, gross negligence is most often
interpreted as unwaivable.
--
Drop the alphabet for email
 
 
Juergen Nieveler
Guest
Posts: n/a
 
      11-29-2005
"nemo_outis" <(E-Mail Removed)> wrote:

> I'd rather sue the sun for shining too brightly - the chances
> are better!


Or sue all the established churches and monotheistic religions on this
planet for damages classed as "Acts of god"...

Juergen Nieveler
--
Man who scratch ass should not bite fingernails.
 
 
nemo_outis
Guest
Posts: n/a
 
      11-29-2005
Ari Silverstein <(E-Mail Removed)> wrote in
news:ik6mn1ly7j72.irdy228yldfu$(E-Mail Removed):

> On 27 Nov 2005 22:42:46 GMT, nemo_outis wrote:
>
>>> No disclaimer in the world will cover your tail if you're negligent.

>>
>>
>> You're already guilty of begging the question (petitio principii).
>> There can be no negligence where there is no duty of care - and that
>> remains to be established.

>
> Perhaps where you live but in the USA, gross negligence is most often
> interpreted as unwaivable.




Gross negligence? We've now leapt from Borky's merely silly negligence to
the patent absurdity of gross negligence, have we?

And my point remains, trenchant as ever, despite you leapfrogging over it:
until you establish a duty of care (and the required standard) it is more
than a little premature to speak of negligence - any form of negligence.

Regards,


 