Welcome to BSidesLV 2016, our 8th annual BSides in beautiful Las Vegas, Nevada!
Tuesday, August 2 • 14:30 - 15:00
Security Vulnerabilities, the Current State of Consumer Protection Law, & how IOT Might Change It

If a consumer purchases software (like, perhaps, a word processor or note-taking software) and that leads to some harm (perhaps the software allows malware to run on their computer, locking all their data for ransom, or their private data is stolen), do they have any recourse?

In the area of private lawsuits, a consumer would likely first look to products liability. Products liability law acts as a form of insurance to protect users: if a product is built in an unsafe way, and it injures you, you may sue the retailer or manufacturer of the product.

There are three general theories a consumer can recover under:

  1. Design defect: the product was designed in an unsafe way
  2. Manufacturing defect: the specific instance of a product was assembled incorrectly and had a one-off manufacturing flaw
  3. Failure to warn: the product had non-obvious ways it could harm the consumer that the consumer should have been told about

Although these suits are common for defective products such as lawn mowers, coffee makers, and other consumer goods, they are not used by purchasers or users of software. The primary reason so far is that products liability is focused on physical harms (it covers serious injuries like losing your finger to a bagel cutter, for instance), and until somewhat recently most software couldn’t physically harm you. (Alternatively, some users can recover if they had a contract with the software creator or provider, as in the Trustwave Incident Response suit.)

The rise of the Internet of Things is about to change a lot of that. There have already been a small number of cases where liability was found where buggy software caused physical harm to some consumers. Returning to the fridge, what if someone could connect remotely to your fridge, and adjust the temperature to be a little too warm, leading you to get food poisoning? What if they could do so without the temperature display in the fridge changing, so it looked like it was still cold enough?

This talk will explore the background of product liability law, and discuss how and why IOT might bring about a change in expanding coverage of software flaws.

Chris Eng

VP Research, Veracode
Chris Eng is vice president of research at Veracode. In this role, he leads the team responsible for integrating security expertise into Veracode’s technology. Throughout his career, he has led projects breaking, building, and defending web applications and commercial software for some of the world’s largest companies.

Chris is a frequent speaker at premier industry conferences, such as BlackHat, RSA, OWASP, and CanSecWest, where...

Wendy Everette

George Mason Law School, George Mason University
@wendyck worked as a software developer at Amazon.com, Google, and Meetup before deciding to do something really dumb and go to law school. She has spoken at BSides Charm 2016 on Vulnerability Disclosure and Consumer Protection Law, and won the 2016 ShmooCon Firetalks. She graduated from George Mason Law School in May 2016 and will be doing a fellowship in computer security law in Washington D.C. this year.

Come tell me about your...

Tuesday August 2, 2016 14:30 - 15:00
Proving Ground Florentine E