How does liability work in these cases? If you had a security breach due to this security incident, would it be Docker’s liability or yours? It’s probably in the terms and conditions, but I would think it’s your liability since you can host your own registries and it’s your responsibility to act on Docker’s warnings (and I would think users expect and demand abundance of caution). But what happens if Docker mischecked and sent you a false negative on being compromised? And what happens if a full post-mortem is released detailing gaps in security best practices between what’s Docker does and what you could do yourself?
This may well be a moot point; I think if you really wanted to be sure of what you were including in your code you would pull down tarballs and validate checksums for all dependencies before building on a secure network.
This also does not seem to have affected "Docker Official Images"[1]:
> Q: Were any of the Docker Official Images impacted by this incident?
> No Official Images have been compromised. We have additional security measures in place for our Official Images including GPG signatures on git commits as well as Notary signing to ensure the integrity of each image.
Typically Docker would only be held liable if misconduct can be proven. Incompetence is typically not enough (which is why e.g. Equifax is not liable for the damages following their hack).
I do think these laws need to tighten up for security-related incidents, but right now, it is what it is.
> ...the judge noted that Equifax had a duty to safeguard information, failed to heed warnings from the Department of Homeland Security, and “willfully” violated the Fair Credit Reporting Act and state regulations.
IMO, ignoring government warnings and violating regulations is much different than failing to stand up to an attack.
I would be very resistant to making "being hacked" a crime - in almost all cases, the hackee is the victim of an attack. If you feel the need for legal action, we should increase our "anti-hacker" laws and enforcement.
We don't fine banks for being robbed. It's the robbers fault something bad happened, not the bank's.
> We don't fine banks for being robbed. It's the robbers fault something bad happened, not the bank's.
No, we don't fine banks for being robbed. However, if the bank had clearly insufficient security on their vault, was notified of this being a problem, and made zero efforts to fix the problem then yes they should be held liable.
This may well be a moot point; I think if you really wanted to be sure of what you were including in your code you would pull down tarballs and validate checksums for all dependencies before building on a secure network.