Slashdot Mirror


Increased Software Vulnerability, Gov't Regulation

PogieMT writes "An article in the New York Times (registration required) suggests that the rash of security flaws, viruses and worms is leading a push towards greater regulation by the government, which, according to the piece, has largely relied on the efforts of individual companies."

291 comments

  1. they forgot to mention by Tirel · · Score: 0, Flamebait

    How most of the vulns are in Microsoft software. I think this should be better emphasized.

    1. Re:they forgot to mention by digitalunity · · Score: 2, Interesting

      It's not just Microsoft, they are just really prevalent. With new laws coming like UCITA, software makers can disclaim all liability while making false advertisements about the software's ability to perform a certain function. Notice how every software maker has advertised that their product is the very best, most secure product on the market? How can everyone be the best all at once? It would also allow for far more draconian licensing clauses.

      A little regulation would be nice. Obviously, the free market isn't going to regulate itself when the consumer and even the government has decided that this is normal and that they will just 'put up with it'. Well, some of us have had enough.

      --
      You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
    2. Re:they forgot to mention by mOoZik · · Score: 1

      This is because Microsoft has a greater number of users. Given this, it should be expected that bugs would come out more frequently than in low-circulation operating systems/software, say Linux.

    3. Re:they forgot to mention by Eric+Ass+Raymond · · Score: 4, Interesting

      most of the vulns are in microsoft software

      It only appears so because Microsoft's is found on practically every desktop and on the majority of server computers too.

      If Linux were as popular as Windows, you can bet we'd be in the same situation. Why? Because the problem is only partially software. The main problem is the clueless user and to a lesser extent the feature bloat required by the users.

      Let's imagine that the open source zealots got their wish and Microsoft was broken down or, even better, stopped selling software altogether and Linux would suddenly be the mainstay operating system both for desktops and servers. Linux would suddenly be truly big business. Corporations would develop their own distributions and make them as feature rich and easy to use as Windows was. In other words the (alleged) superior security of Linux distributions would be broken down in a day: The systems would enable logging in as root and would run all the conceivable daemons by default to avoid problems with third-party software.

      But getting back to the article. If operating systems were to become a government supervised commodity with stiff penalties for those who produce insecure software, would you be prepared to accept that open source companies (or the copyright owner, FSF) would get fined for every security breach - just like the manufacturers of proprietary software?

    4. Re:they forgot to mention by Rosco+P.+Coltrane · · Score: 3, Funny

      Notice how every software maker has advertised that their product is the very best, most secure product on the market? How can everyone be the best all at once?

      Err.. on what planet do you live? This isn't new and it's not limited to the computer industry. What has that got to do with UCITA? Have you ever seen a company say anything else but "leader in abc", "best product of xyz", ...? I'm still waiting for the Pepsi bottle that says "great taste, second only to Coke".

      --
      "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    5. Re:they forgot to mention by turgid · · Score: 2, Insightful

      The BBC was making similar mistakes in reporting viruses, worms and security flaws until very recently. I emailed their editors and showed them the error of their ways. They now carefully mention which platform the vulnerabilities apply to when they report them...

    6. Re:they forgot to mention by pesc · · Score: 3, Insightful

      Corporations would develop their own distributions and make them as feature rich and easy to use as the Windows was. In other words the (alleged) superior security of linux distributions would be broken down in a day: The systems would enable logging in as root and would run all the conceivable daemons by default to avoid problems with third-party software.

      You may have a point. But if there were several corporations creating Linux distros, they would probably have different features, default daemons, etc. Viruses would not spread as easily as they do now.

      Also, with Linux an interested user can decide by himself what stuff he wants to install. If I don't want to use IE, Outlook express, Mediaplayer, etc, because I think they are full of spyware and insecure, it is quite difficult to choose something else under Windows. Not so on Linux.

      Monopolies are bad. They make viruses spread more easily.

      --
      )9TSS
    7. Re:they forgot to mention by turgid · · Score: 2, Funny

      Dude, don't you have a job to do? Haven't you caught them pesky Duke boys yet?

    8. Re:they forgot to mention by Anonymous Coward · · Score: 0

      I for one would like some sensible regulation from government, by building open-source authorities that would have some teeth in enforcing internet protocols. Certain companies would not be able to steal commonly-accepted protocols and file formats and put them in a proprietary closed box. Software developers would register their file formats with these semi-governmental, independent bodies, and they would necessarily become public domain. A developer could sell a proprietary application, but he couldn't patent its file format. That is my suggestion, and I know it would be good for security, not bad.

      What I'm worried about is that government intervention, and particularly this government, would mean that "the nameless monopoly" would be able to impose its own proprietary formats on the internet as a whole, and be able to sell dumb people on the notion that, if it's secret and proprietary, it's secure. It is nothing of the sort.

    9. Re:they forgot to mention by michaeltoe · · Score: 2, Interesting

      The free market does a fine job regulating itself, assuming users are willing to actually inform themselves. What's going on here, is the general populace is stupid about computers, and is opting for the government to do the thinking for them.

    10. Re:they forgot to mention by geek2003 · · Score: 1

      You said ...it is quite difficult to choose something else under Windows... I disagree. E.g., I just tried an evaluation copy of TextMaker today and it opens Word files almost as well as ..er Word itself. Has somebody used TextMaker on Linux yet? It's available at http://www.softmaker.de/tml_en.htm . I bet the Linux version is better than OpenOffice Writer.

    11. Re:they forgot to mention by Anonymous Coward · · Score: 0

      Pepsi is much better than Coke. Coke is syrupy and nasty.

    12. Re:they forgot to mention by edbarrett · · Score: 1

      Also, with Linux an interested user can decide by himself what stuff he wants to install.

      Not on any network I administer, you don't. What makes you think you'll have that opportunity with a Linux-based desktop?

    13. Re:they forgot to mention by Anonymous Coward · · Score: 2, Informative

      It only appears so because Microsoft's is found on practically every desktop and on the majority of server computer too.

      Microsurfs repeat this myth a lot. Is it true? Does WinXX have more viruses and stability problems because it is on "practically every desktop and server"?

      Obviously not. OpenSource software runs 67% of the Internet, and Linux is underneath a large part of those applications, yet it is only those Internet servers running Microsoft products that are targets of the malware. It is a fact that Script Kiddies and Crackers target WinXX and its applications because they are easy to break into. As far as reliability goes, Bill Gates himself said that 50% of all WinXX platforms crash at least once a day. I have no doubts that the remaining 50% crash more than once a day. He also said that half of the stability problems were caused by drivers from 3rd party software houses, but that leaves four fingers pointing back at MS. He knows full well that if his platforms were more stable 3rd party software would be more stable. http://www.bugtoaster.com/dw15/Reports/OperatingSy stems.asp

      Linux now runs about 25% of corporate America's servers and is probably sitting on 10% of their desktops. In other countries the percentages are higher. One would think that 25% of the viruses and trojans would be targeted at Linux, if susceptibility were merely a function of percentages. Not so. The fact is that unlike Windows, Linux stability is legendary, and so is the security. The properties were designed into Linux and the OpenSource paradigm is the major reason. "All bugs are shallow to a thousand eyeballs." Proprietary code can't match it. Another reason for Linux's security is that users don't run as root. Script kiddies running root kits have a much harder time breaking into a Linux box. That is why, when a Linux box is cracked, it becomes front page news, while the news about Microsoft cracks is how many millions of machines got compromised. Microsurfs failing to "patch" their boxes isn't the reason. The patches themselves can cause more holes than the ones they supposedly fix. The number of holes is so great it is becoming impossible for WinXX users to protect their machines. Anti-virus software can't work until the virus is trapped, analyzed and a fix created. By then many machines have been compromised. It amazed me at work how much effort was required to clean up Nachi and SoBig, even though 6 MCSEs labored furiously to secure our network before the infections were discovered.

      Your comment reveals your ignorance about how Linux works but I'm not going to take the space here to explain it to you.

    14. Re:they forgot to mention by Anonymous Coward · · Score: 0

      Funny, I feel the same way about Pepsi.

    15. Re:they forgot to mention by Anonymous Coward · · Score: 0

      Mark this shit down as -3 troll

    16. Re:they forgot to mention by Anonymous Coward · · Score: 0

      Funny, I feel the same way about sugary, carbonated drinks, especially cola...

    17. Re:they forgot to mention by archen · · Score: 2, Insightful

      If Linux were as popular as Windows, you can bet we'd be in the same situation. Why? Because the problem is only partially software.

      I can download any Linux virus I want, and I can click on it as much as I want but guess what? It still won't run unless I mark it to execute. That practically eliminates email viruses that require people to run them. Not to mention that hiding file extensions by default is really not user friendly in any way, and when your OS depends on the file extension to determine its action, HIDING the file extension is the last thing you want to do.

    18. Re:they forgot to mention by Anonymous Coward · · Score: 0

      In advertising, it is not considered deceptive to call your product the best, if it is just as good as another product. It doesn't actually have to be better.

    19. Re:they forgot to mention by Anonymous Coward · · Score: 0

      I know you probably believe this stuff and it has all been said over and over, but to let total fud continue is just plain wrong, particularly when it is modded up.

      It only appears so because Microsoft's is found on practically every desktop and on the majority of server computer too.

      No. This was disproved long ago. Even simple logic tells you that this is not true. Virus writers do not write to what is the most populous. It is always to what is the easiest. A good example is Apache vs. IIS. IIS occupies < 25% of the http space, ~1/3 of the https space and yet accounts for not only the majority of problems, but nearly 100% of all stolen credit cards.

      What's more, to say that MS accounts for the majority of servers is just plain wrong. Until this last quarter, IDC has always shown that the server space was dominated by Unix (note that it does not include Linux in Unix calculations). Only in this last quarter did the Intel world beat out the Unix servers and that includes Windows combined with Linux.

      Why? Because the problem is only partially software. The main problem is the clueless user and to a lesser extent the feature bloat required by the users.

      How funny that you call it bloat. In the server space, we are loaded with tons of software that runs. For example, all major databases have been ported to Linux except for sqlserver (Interestingly enough, it is normally sqlserver from which credit cards are so easily lifted, so MS does the OSS world a favor by not porting). Likewise, almost all of the major web, mail, ftp, and dhcp servers run in the *nix/OSS world rather than MS.

      In other words the (alleged) superior security of linux distributions would be broken down in a day: The systems would enable logging in as root and would run all the conceivable daemons by default to avoid problems with third-party software.

      The majority of servers on the Internet is *nix and Linux today. Yet the vast majority of cracks are on Windows, not the other systems. The fact that business processes get ported to Linux does not necessarily increase the risk. In point of fact, it is almost 100% MS's applications that are the openings, not others. IIS, sqlserver, Outlook, and Exchange are where the vast majority of openings are. That is not to say that *nix does not have any (sendmail and wu-ftpd come to mind as being almost as insecure as these prior products; statistically over their life they are, but in recent history, it is not even close).

    20. Re:they forgot to mention by Eric+Ass+Raymond · · Score: 1

      It is a fact that Script Kiddies and Crackers target WinXX and its applications because they are easy to break into.

      Script Kiddies most likely use Windows on their computers. They are not the best and the brightest of the inet crowd and find the Windows environment easiest to use (like most people in the world). Furthermore, they can test their kits at home and that's why they also prefer to target Windows and why Linux computers seem apparently harder to crack. In short, it only makes sense to attack Windows computers: you can test your method at home and Windows computers are the most prevalent, that is easiest to find, on the net.

      I cannot verify your statistics as the link (even with the "OperatingSy stems" fixed) gives me a connection refused error.

      Attacking the alleged 67% open source servers that make the internet does not make sense to a script kiddie or even a pro cracker. You'll end up against pros that way. You don't want to attack the best defended line, but you go for the soft spots and try to get around and behind the main line. Attack the soft home user computers en masse and use them as zombies for later attacks. And guess again which OS is used on most home computers?

    21. Re:they forgot to mention by frovingslosh · · Score: 2, Insightful

      There's a reason they forgot to mention that. The effect of regulation like this will be to keep many individuals and small shops from producing software. It might be a major step towards destroying Linux and other Open Source projects. Microsoft, big and rich enough to deal with any red tape and above the law when they do illegal things, will be unaffected. They will embrace it, may even be the force behind getting it started to smash those that dared to make better products.

      --
      I'm an American. I love this country and the freedoms that we used to have.
    22. Re:they forgot to mention by sniggly · · Score: 1

      A lot if not most users on winxp/2k run as administrator or as a user with equivalent powers. Any worm or virus running as that user will have total command over the system.

      *nix based multi user systems often run few processes as root and those are usually the most audited pieces of software on the planet (like bind, sendmail, etc). Very few people run as root user.

      If there was a virus spreading through Evolution mail it would only have the rights of the Evolution user. It wouldn't be able to open services on ports below 1024, wouldn't be allowed to delete or modify system binaries...

      Windows is (very) slowly moving in the right direction but Microsoft has had so much time to fix this and still vulnerabilities pop up because of poor systems design.

      Also in Linux and other open source OSes the source is open so vulnerabilities can be spotted easily and fixes can be written and distributed in no time.

      We'll probably be moving towards a much greater linux install base over the next decades, we'll probably see much more secure systems because of it.

      --
      Of those to whom much is given, much is required.
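Added example, not code from any commenter: a small Python script that demonstrates on Linux the two properties archen (comment 17) and sniggly (comment 22) describe. A file saved the way a mail client saves an attachment has no execute bit, so the kernel refuses to execute it until the user explicitly marks it; once it does run, it runs with the invoking user's uid and nothing more. The attachment name and contents are constructed for the demo.

```python
"""Execute-bit and least-privilege demo for a saved e-mail attachment (Linux).

Constructed example: the "attachment" is a harmless shell script that only
reports the uid it runs as. Nothing here touches the network or the system.
"""
import os
import stat
import subprocess
import tempfile

# Constructed attachment body: prints a marker and the effective uid it runs as.
ATTACHMENT_BODY = '#!/bin/sh\necho "attachment-ran uid=$(id -u)"\n'


def save_attachment(directory: str, name: str = "photo.jpg.sh") -> str:
    """Write the file the way a mail client stores an attachment: plain data,
    mode 0644, no execute bit set. Returns the saved path."""
    path = os.path.join(directory, name)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(ATTACHMENT_BODY)
    os.chmod(path, 0o644)
    return path


def is_executable(path: str) -> bool:
    """True only if at least one execute bit (user, group or other) is set."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def try_run(path: str):
    """Try to execute the file directly, as a double-click would.

    Returns ("refused", None) when execve() is denied with EACCES because the
    execute bit is missing, ("ran", uid) when it executed, ("failed", None)
    otherwise.
    """
    try:
        proc = subprocess.run([path], capture_output=True, text=True, timeout=10)
    except PermissionError:
        # The kernel never started the program: no execute bit on the file.
        return "refused", None
    if proc.returncode != 0 or not proc.stdout.startswith("attachment-ran"):
        return "failed", None
    uid = int(proc.stdout.strip().split("uid=")[1])
    return "ran", uid


def caller_uid() -> int:
    """Effective uid of the process running this demo (the 'mail user')."""
    return os.geteuid()


def demo() -> dict:
    """Save the attachment, try to run it, then mark it executable and retry."""
    with tempfile.TemporaryDirectory() as tmp:
        path = save_attachment(tmp)
        executable_before = is_executable(path)
        before = try_run(path)            # expected: refused, no execute bit
        os.chmod(path, 0o755)             # the explicit step the user must take
        executable_after = is_executable(path)
        after = try_run(path)             # runs, but only as the caller's uid
    return {
        "executable_before": executable_before,
        "before": before,
        "executable_after": executable_after,
        "after": after,
        "caller_uid": caller_uid(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The script runs with whatever privileges the user who saved the attachment has, which is the point of comment 22: a worm that gets this far still cannot bind a port below 1024 or rewrite system binaries unless that user already could.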
    23. Re:they forgot to mention by Anonymous Coward · · Score: 0

      You're wrong. Try deleting IE or mediaplayer or the desktop shell or switching file browsers, etc.

    24. Re:they forgot to mention by Anonymous Coward · · Score: 0

      The two taste 95% alike. If one is syrupy and nasty, the other is just slightly less so.

      Try some water or fruit juice. There's a whole world of beverages out there that aren't made by soft drink conglomerates, won't rot your teeth or digestive tract, won't cause your body to burn and displace vital nutrients for no purpose, and are frequently cheaper or even free. And once you deprogram your taste buds they taste better to boot.

    25. Re:they forgot to mention by Anonymous Coward · · Score: 0

      Point out three examples of the free market doing a fine job regulating itself. Be specific.

    26. Re:they forgot to mention by ScrewMaster · · Score: 1

      Well, it's very easy to choose a different application for handling your browsing, email or media playing or whatever. The problem with Windows is that it isn't so easy to get rid of the problems that go along with the default app. The DLLs are still there, the security holes are still there, and because of the "operating system integration" of these functions with Windows you can't even get rid of them. How many Windows security patches have you seen that said something like "A malicious user can access your system even if you don't use Internet Explorer." Absolutely ridiculous. No other operating system on Earth does that, and it was done purely for marketing reasons.

      --
      The higher the technology, the sharper that two-edged sword.
    27. Re:they forgot to mention by Moraelin · · Score: 1

      Oh, give me a break. I'm mainly a Windows user, because I'm mainly a die-hard gamer.

      Yet I have no problem choosing a replacement for IE, Outlook Express or Media Player. In fact, last time I used any of those three at home was last year. It was IE. Outlook Express I've last used in '97. And while we're at it, the last time I had MS Office (or rather only MS Word) installed at home was in '98.

      Guess what? You have the exact same choices for replacements under Windows as you have under Linux. Opera runs just as well (or at least with the same interface flaws) under Windows as under Linux. Mozilla or Netscape run (or at least crawl and crash) just as well under Windows as under Linux. E-Mail clients? All the above mentioned browsers come with an e-mail client. Etc.

      So, like, let's get out of this "bashing Microsoft is fashionable and gets you Karma points" rut. Microsoft _does_ have flaws, but if you can't find a browser that's not IE under Windows, then that's _not_ Microsoft's fault.

      --
      A polar bear is a cartesian bear after a coordinate transform.
    28. Re:they forgot to mention by danielsdk · · Score: 1

      Basically, open source software systems are more secure than closed source ones, not only because there are more choices, but also because open source software provides source code that permits you to build up a trustworthy system. In some emergency situations, a knowledgeable user can amend or alter his/her software to avoid more serious outcomes even without help from vendors. Another important thing is that open source software encourages users to learn and to master their own systems, which helps people get out of the habit of being clueless, which is one of the most important reasons insecurities get into systems.

  2. Like the cars by ComaVN · · Score: 3, Interesting

    Much like car safety between the '50s and '70s. Manufacturers simply didn't care about safety, because the customer didn't care.

    --
    Be wary of any facts that confirm your opinion.
    1. Re:Like the cars by Anonymous Coward · · Score: 2, Funny

      They'll care when their baby pictures get wiped out, taken with that nice new digital camera.

  3. Kick up the A** for a certain well-known company?? by L-s-L69 · · Score: 1

    Hopefully this will mean more pressure on micro$oft and other software companies rather than more internet controls which may be abused.
    I'm not paranoid, no really I'm not.

  4. Increased Software Vulnerability, Gov't Regulation by Sir+Haxalot · · Score: 1, Funny

    Microsoft are of course complying with the regulation.

    --
    I have over 70 freaks, do you?
  5. Hmmm by RMH101 · · Score: 3, Insightful

    Is this being used to restrict individual freedoms in a similar way as 9-11 is used to?

    Call me cynical, but I don't think the US government are getting into this for the sake of safeguarding my PC from viruses...

    1. Re:Hmmm by rknop · · Score: 5, Insightful

      Call me cynical, but I don't think the US government are getting into this for the sake of safeguarding my PC from viruses...

      It's cynical, but it's also not an unreasonable fear based on anybody who's been rationally observing the behavior of our government recently.

      I fully expect that we'll see increased security resolutions which are ostensibly tough on companies like Microsoft, but those companies will embrace them (while all the while getting good PR about "doing the right thing and making the right sacrifices") because ultimately they will only be minor inconveniences... while the regulations that show up will all but prohibit free software (at least for commercial purposes, and possibly for anybody who wants to connect to the Internet), meaning that in the long run Microsoft benefits hugely from those "minor inconveniences".

      Meanwhile, the regulations-- like a lot of what we've seen with airport security-- won't increase actual computer security one whit, but anybody who complains about them will be chastised by John Ashcroft as a whiner who won't let the government do what it needs to safeguard our homeland.

      Yeah, I'm cynical too.

      -Rob

    2. Re:Hmmm by Chexum · · Score: 2, Insightful

      It's cynical, but it's also not an unreasonable fear based on anybody who's been rationally observing the behavior of our government recently.

      I would oppose any regulation with all my instincts, but let's look at it this way: when was the last time an electrician, or architect/house-builder handed you a paper that with the money you forked over, they can only make the product *this* good, and you are responsible for any damage they may be causing, not them, and forced you into signing/accepting it?

      Thought so. In software, it's called the EULA.

      --
      "Ten years from now, they could do it in a few seconds." -- The Racketeer of the Hellfire Club, 1993, Phrack 42
    3. Re:Hmmm by ScrewMaster · · Score: 1

      You mean, "rationally observing the irrational behavior of our government recently."

      What I want to know is: who is going to protect us from those that are claiming to protect us?

      --
      The higher the technology, the sharper that two-edged sword.
    4. Re:Hmmm by jc42 · · Score: 1

      the regulations that show up will all but prohibit free software (at least for commercial purposes, and possibly for anybody who wants to connect to the Internet), ...

      One problem with this is that, if you eliminate all the free and open software, you will effectively shut down most of the Internet, and that ain't gonna happen.

      A huge portion of the Internet uses (variants of) the Berkeley networking software. 2/3 of the web servers are running apache. And so on. This is not going to be replaced by proprietary software any time soon. The companies that now control big chunks of the Internet are not about to pay for the huge development effort it would take to replace two decades of software development that works.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    5. Re:Hmmm by DunbarTheInept · · Score: 1

      One problem with this is that, if you eliminate all the free and open software, you will effectively shut down most of the Internet, and that ain't gonna happen.

      You assume the regulators will be competent enough to realize this. It's entirely possible that they hypocritically keep using the free software that runs the internet, either by artful dodging of the truth, or more likely, through sheer incompetence where they don't realize that's what they're doing, and attempts to tell them about it will be ignored as "irrelevant whining".

      --
      Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.

  6. Hmm.. Regulation by dbs_flac · · Score: 2, Insightful

    Who is going to pay for regulation? I can see governments passing it between them waiting for someone else to pay. Self regulation by software companies will not work; can you see Microsoft, SCO, Sun and Red Hat sitting down to draft a policy? I can't.

  7. Regulation is not the answer by sql*kitten · · Score: 5, Insightful

    Regulation is not the answer - professionalism is. The government has oversight over the construction industry for example, but engineers are accredited and the profession is run day-to-day by the professional institution, in the UK this is the Institute of Civil Engineers. Same in medicine, the government oversees, but day to day regulation rests with the BMA, the British Medical Association, and doctors answer to them. Same with lawyers, accountants, investment bankers... even lifeguards and hairdressers have professional bodies.

    Software development needs to become more like engineering, and software developers should be required to take a qualification like CEng (UK) or PEng (US) in order to work in positions of authority and responsibility. Remember that engineering is about public safety - bridges don't often collapse, buildings don't often topple, and that's all because the people designing them have been certified by independent bodies. Programmers of safety-critical systems are already often required to be certified by the relevant body, usually that of the electrical engineers.

    1. Re:Regulation is not the answer by metatruk · · Score: 0, Flamebait

      And as more and more IT and programming jobs are relocated to foreign people in India, I am sure we can look forward to an increase in professionalism and the formation of certified independent bodies.

    2. Re:Regulation is not the answer by Ed+Avis · · Score: 4, Interesting

      I'm an MEng and I've still written programs that crash... so have you. It's not a question of certification but just how much time you're prepared to take writing some code (by which I include choice of method, programming language and so on) and testing it. You can have thirty years of experience and still bang out flaky code if you're in a hurry. And if flaky code is all that's needed for the particular task, why not?

      Rather than regulation we should let the market decide. Vendors could undertake: I will pay you $100 for each crash. Sometimes this already happens, e.g. with guarantees about the number of nines in server systems. The biggest problem is deciding responsibility for any faults. If an operating system call, which (according to POSIX or whatever) should not return null, one day does return null and the application crashes, who should pay up? And how do you find out whose fault it was? Running the whole system in some kind of virtual machine where you can roll back the last few seconds of execution would be one answer.

      --
      -- Ed Avis ed@membled.com
    3. Re:Regulation is not the answer by Audity · · Score: 2, Insightful

      I really wish that would work. But the problem is that the software industry is not like construction. If a house is designed poorly it could collapse and cause serious damage. There would likely be lawsuits involved and the construction company would get bad publicity. They would lose market share and possibly fall out of the business entirely.

      If a software program is poorly designed, it crashes, Joe User restarts his machine and goes on with his life. He doesn't even bother to investigate what caused the crash because it happens so often.

      The real problem with "cybersecurity" is that software companies have no incentive to create secure software, insecure software sells just as well.

    4. Re:Regulation is not the answer by El · · Score: 2, Insightful

      Certifying the developers won't help if the management is still pushing to ship software with inadequate testing. Micro$oft already hires many of the best and brightest programmers in the world, and yet their security still sucks. Therefore the problem must be more systemic; simply put, their corporate culture and procedures must not reward designing in and implementing secure software. Even after the "Trustworthy computing" initiative, this still appears to be true. Imagine civil engineers working for management that insisted on shipping bridges by artificial deadlines, and refused to allow time for safety checks. Would it matter if the engineers were certified? Only in the sense that certified engineers would be morally bound to resign rather than signing off on the bridge design.

      --

      "Freedom means freedom for everybody" -- Dick Cheney

    5. Re:Regulation is not the answer by awol · · Score: 3, Insightful

      Of course regulation is the answer. But the implications are horrible. Any doubt that we are living in the "wilds" of the post revolution expolosion just consider the issues of industrial safety immediately after the industrial revolution. It was a disaster, people were killed and maimed hourly. Look at software, thankfully few people are actually harmed but some of what we "professionals" produce is just crap.

      Professionalism is an answer to nothing in this case. Regulation comes in many forms. Pick your jusrisdiction and even your industry and you will find a litany of standards and regulations to which a product must conform before it can be sold. Fire safety for clothes, building materials, Electrical safety standards etc etc etc. One recurring theme seems that most of these standards relate to safety, or to paraphrase to reduce the human cost of substandard products. Having never worked in the industry, I do not know, but I can imagine that the standards required for medical equipment software (pacemakers et al) and things like nuclear power stations are much higher. This is not a question of the qualifications of the people who do the work but opf the output of their work and that is regulation, plain and simple.

      Personally I think that the market is the right tool for many of these regulations, but that requires better information and we all know how companies are about disclosing the true nature of their products at the moment, but I digress. The other point is that whilst I am comfortable with my ability to choose the prudent or safe product, I don't trust the vast majority of morons out there to do the same and if they drive a crappy car they can kill me, so I am happy to have regulated standards.

      Software, ah yes software, well for starters with most software the worst thing a crash or defect will do is cost you money (or make you late for a date), so I am not so sure that I want so much regulation. Secondly, due to the nature of the process, software is more art than engineering, and that is nothing to do with the professionalism of the people writing it. Now, it is true that the baseline at which the process turns from art into engineering is increasingly high (I am comfortable relying on my compiler to turn my Arty C code into engineered machine language and that the hardware will interpret this in a way that is engineered, whereas thirty years ago that was not so much the case) and in future that boundary will be higher still; however it is not a question of the "capabilities" of the industry participants that currently determines that level, and getting us to a point where it is will take a long time and a number of really astounding revolutions in the tools at our disposal.

      Having said all that, I would love to see "BS01232 - Computer Operating Systems" that defined a minimum standard of performance, but such a thing is a logistical nightmare to define, let alone to actually implement, so in the meantime I will just run the OSes for which my tasks are best suited and grin and bear the pain.

      --
      "The first thing to do when you find yourself in a hole is stop digging."
    6. Re:Regulation is not the answer by sql*kitten · · Score: 4, Insightful

      If a software program is poorly designed, it crashes, Joe User restarts his machine and goes on with his life. He doesn't even bother to investigate what caused the crash because it happens so often.

      But it is possible to write reliable software. Aircraft, for example, run on extremely reliable software. The way it works in civil engineering is, if you can't get a CEng to sign off on the plans, you can't go ahead with the project. A CEng won't sign unless he's sure, because if it fails, he's responsible and he'll likely never work again. The fact that he's an employee is neither here nor there; he answers to the ICE, not the company. A similar approach could be taken with software - make the senior programmer on a team personally responsible, and give them the authority - independent of the company employing them - to say yes or no.

    7. Re:Regulation is not the answer by Anonymous Coward · · Score: 0

      > I'm an MEng and I've still written programs that crash... so have you. It's not a question of certification but just how much time you're prepared to take writing some code..

      Did you think as a MEng when coding? If you were told that coding is an engineering task, would you allow yourself to code in a hurry and let bugs in?
      IMHO the 'responsibility training' engineers (or other professionals such as doctors) have is a good starting point for sw quality control. There should be some professionals assuring critical code. And, yes, code *must* be open enough to be reviewed by independent bodies.

    8. Re:Regulation is not the answer by sql*kitten · · Score: 3, Insightful

      I'm an MEng and I've still written programs that crash... so have you.

      Sure, it wouldn't be a perfect system - but it would better than the situation we have now, where no-one is willing to take responsibility for quality. A strong professional body for granting certified status, backed by a public unwillingness to buy software that didn't have a signature on it from a qualified engineer (maybe in turn backed by a law that some software must be signed off to be sold to the public) would work wonders.

    9. Re:Regulation is not the answer by rnd() · · Score: 1

      If there were public unwillingness to buy software that didn't have a signature on it from a qualified engineer, then people wouldn't buy software that didn't have a signature on it from a qualified engineer.

      Most of the worm/virus issues exist b/c of code written in c rather than in a safer high level oop language where you don't get buffer overflows, sloppy use of pointers, etc.

      Most of the problems with worms/viruses, etc, are due to sloppy sysadmin practices. Of course, with better code sysadmins could be lazy, but that isn't necessarily the goal.

      Government regulation will only lead to a marketplace where new technologies are more expensive to produce. Do you know how much a seat in a passenger aircraft costs? Thousands of dollars. Governments are not good at making software, and nearly every piece of government regulation harms markets and makes people worse off.

      I personally do not need 100% reliable software. So why should the government make me pay for it? Don't worry, I will pay for it through taxes needed to support the regulatory bureaucracy and through higher costs of software apps for which there is not enough of a market to support two versions, one certified along with a cheaper uncertified version.

      At minimum, the government should offer certification for software that can be received when a company voluntarily submits it to the certification body. There are already some security certifications such as this in the US. Anything more would make the public much worse off.

      --

      Amazing magic tricks

    10. Re:Regulation is not the answer by Ed+Avis · · Score: 1
      If you were told that coding is an engineering task, would you allow yourself to code in a hurry and let bugs in?

      There will always be bugs. The question is how much time you're prepared to spend per bug eliminated. This is an engineering tradeoff.

      --
      -- Ed Avis ed@membled.com
    11. Re:Regulation is not the answer by ScrewMaster · · Score: 2, Insightful

      You're right ... professionalism is the answer. But professionalism is not something that can be easily mandated: certification means absolutely nothing if the people being certified aren't fundamentally trustworthy. Being able to pass a test is no indicator whatsoever as to the kind of human being you are and the quality of work you will choose to perform; it just means that you can pass a test. And you simply destroyed your case by using doctors, lawyers, accountants and investment bankers as examples. I guess you haven't been reading the news: those groups have consistently shown themselves (at least in the U.S.) to have all the ingrained ethics of used car salesmen and professional thieves. Forcing that kind of "professionalism" on the software development industry would be a huge mistake and would result in even more downed aircraft and refinery explosions.

      And yes, buildings don't fall (very often) and bridges don't collapse (most of the time), BUT the difference there is that the technologies and math used to design those constructs have been well understood for centuries. That same claim cannot be made for computing technology because it has only existed for a few decades, and is evolving constantly. Any certification examination required of software engineers will be obsolete a few months after it was administered. And may I point out that software-driven devices such as calculators, microwave ovens, automobiles and aircraft generally do function very well.

      You completely miss the point that the developers themselves are not the problem. The problem is that business sees software as a commodity item, something to be packaged and sold and rushed to market as quickly as possible. Programmers, developers and software engineers are generally very aware of whether their product is ready for release or not, and will typically fight to keep it in-house until it is ready. Why? Because it would be irresponsible to do otherwise.

      I might add that as a professional developer of high-reliability systems for the past twenty-three years I have fought that same battle many times, on many fronts. Unfortunately, the engineers don't make the decision to release a defective product: management does, and it is management that must make the effort to understand the software development process and the consequences of corrupting it. If you want to certify anyone, start with them, because it is their poor decision-making that causes most of the issues you were talking about.

      Look, all software has bugs. Any programmer that tells you his software is bug free is lying, ignorant or worse. However, if management sets in place proper testing and review processes, the majority of major problems can be found well before release and a product can gain a reputation for quality.

      Unfortunately, such processes are resource-intensive and cost lots of money, and are often the first thing to be cut from the next year's budget. I would suggest that you look more into what actually goes on in most development houses before you cry "foul" and claim that those who create the software that drives our civilization are immoral, unethical or just incompetent.

      --
      The higher the technology, the sharper that two-edged sword.
    12. Re:Regulation is not the answer by Tony-A · · Score: 1

      I'm an MEng and I've still written programs that crash
      You can design something so critically that if one bolt or one thread is below specified strength, the whole thing will crash. But normally you design with a safety factor so that a number of things can be off-spec or break and still have the whole thing hold together and function properly.
      Now, how do you do a safety-factor in programming ;-)

    13. Re:Regulation is not the answer by Anonymous Coward · · Score: 0
      You can have thirty years of experience and still bang out flaky code if you're in a hurry ... Vendors could undertake: I will pay you $100 for each crash.

      I've got a better idea: let's make it $1,000,000 per crash! And let's state that the money to pay this "fine" will be deducted from the pay (in proportion to their salary) of the IT staff and the company's management, all the way up the structure to its president ...

      Now, which is worth more to the software company: shipping flakey code to meet a scheduling deadline or taking the time to ensure it doesn't crash before shipping!

    14. Re:Regulation is not the answer by kabdib · · Score: 1

      You can indeed write very reliable software. The code that runs the space shuttle, for instance, is regarded as having one of the lowest bug rates in the world. It cost hundreds of dollars per line of code to get there, and it took a long time.

      Want reliability? Pony up. See you in ten years.

      (Don't get me started on government intervention, or initially well-meant licensing legislation. It'll be your worst nightmare, you'll remember the days of BillG and Windows fondly, if the governments ever get serious about that kind of control).

      --
      Any sufficiently advanced technology is insufficiently documented.
    15. Re:Regulation is not the answer by Sven+Tuerpe · · Score: 1
      Aircraft, for example, run on extremely reliable software.

      An aircraft is a pretty simple environment to run software in, compared to computers. No, really. Computers are expected to run arbitrary combinations of software, to perform equally well as a platform for gaming, a database server, and a network firewall. Computers come in zillions of hardware configurations and are used for zillions of different applications, and a piece of software that happens to be run on one of them is expected to run smoothly and to open up no security holes no matter what. Operating systems are modified every other week, and even BIOSes are routinely modified for nonsensical reasons like buying a replacement battery for a laptop computer.

      Compare aircraft. Software running there is severely constrained by the environment. There ain't no HyperWing (TM) USB Toy needing a special driver. There ain't no Aerobatics software self-taught home pilots install from CD. No control panel for administration and maintenance designed with this target group in mind, either, and no interface between passengers and important systems other than non-interactive cabin windows. There ain't no Web browser downloading code from the Internet. No need to interact with obscure peers running broken implementations of outdated or experimental protocol versions. Also, most aircraft in operation today are based on well-understood designs whose flaws and weaknesses were learned and fixed the hard way. With aircraft, you can buy only slightly modified implementations of 30-year-old designs. Try buying a 40 GB hard disk today.

      Well, that's what I hope aircraft are like. Another thing is for sure. Civil aviation has established a system of investigation covering not only accidents but also incidents that might have led to accidents under less lucky circumstances, while the IT industry prefers to protect their mistakes as "valuable intellectual property".

      --
      http://erichsieht.wordpress.com/category/english/
    16. Re:Regulation is not the answer by gantzm · · Score: 1

      You just described buffer overflow. Some programmer thinks, "Hey, nobody will ever send this function a zero-terminated character array longer than 80 characters." Designing for safety entails being able to handle an input string of any arbitrary length and handling error conditions sanely.

      --


      Excessive forking causes un-wanted children.
    17. Re:Regulation is not the answer by ajs318 · · Score: 1
      A strong professional body for granting certified status, backed by a public unwillingness to buy software that didn't have a signature on it
      Like the Open Source Community? We need to educate people. IF THEY WON'T SHOW YOU THE SOURCE CODE, THERE IS OBVIOUSLY SOMETHING WRONG WITH IT! OTHERWISE THEY WOULD NOT FEEL THE NEED TO HIDE IT FROM YOU! Which part of that is so hard to understand?
      --
      Je fume. Tu fumes. Nous fûmes!
    18. Re:Regulation is not the answer by Ed+Avis · · Score: 1

      Not quite the same: a fixed-length buffer is where you _know_ there is a bug - you know the program will crash or do weird things when given a too-long input. Not having buffer overflows is not part of any advanced fault-tolerant strategy; it's just the basic discipline of not releasing code you know is buggy.

      Much more interesting is how to code for robustness in the face of bugs you _don't_ know about. That is very tricky, although encapsulating access to data structures so they're always in a sane state can help, also adding sanity checking, checked invariants and assertions (if you feel it safer to abort the program than continue).

      --
      -- Ed Avis ed@membled.com
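      As an added example (not code from either commenter), here is the fixed 80-character buffer gantzm and Ed Avis discuss, in C: the unchecked copy that assumes no caller will ever exceed the limit, beside two hardened forms, one that accepts input of any length but rejects what does not fit with an explicit error, and one that sizes the buffer from the input. The function and constant names are this example's own assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Assumed field width: the "80 characters" from the comment above. */
#define NAME_BUF_SIZE 80

/* Result codes for the bounded copy (names chosen for this example). */
enum {
    NAME_OK           = 0,
    NAME_ERR_ARG      = -1,   /* NULL pointer or zero-sized destination */
    NAME_ERR_TOO_LONG = -2    /* input does not fit; destination left empty */
};

/*
 * The pattern the comment describes, deliberately unsafe and kept only
 * for contrast: the author assumed nobody would pass more than 79
 * characters, so nothing checks the length and a longer string writes
 * past the end of dest.  Not exercised by the tests.
 */
void store_name_unsafe(char dest[NAME_BUF_SIZE], const char *src)
{
    strcpy(dest, src);
}

/*
 * Hardened form, strategy 1: the input may be any length, but we never
 * write more than dest_size bytes and we report an over-long input as an
 * error the caller can act on, instead of silently truncating or
 * corrupting memory.  dest is always left NUL-terminated on return.
 */
int store_name_safe(char *dest, size_t dest_size, const char *src)
{
    if (dest == NULL || src == NULL || dest_size == 0)
        return NAME_ERR_ARG;

    /* Bounded scan: stops at dest_size, so even an enormous or
       unterminated src cannot make us read further than we will copy. */
    size_t len = 0;
    while (len < dest_size && src[len] != '\0')
        len++;

    if (len == dest_size) {          /* no room left for the NUL */
        dest[0] = '\0';              /* leave dest in a defined state */
        return NAME_ERR_TOO_LONG;
    }
    memcpy(dest, src, len + 1);      /* copies the terminating NUL too */
    return NAME_OK;
}

/*
 * Hardened form, strategy 2: when the field genuinely must hold any
 * length, size the buffer from the input rather than the other way round.
 * Returns a heap copy the caller frees, or NULL when src is NULL or the
 * allocation fails; the caller must handle that error rather than assume
 * it away.  *out_len receives the copied length when out_len is non-NULL.
 */
char *store_name_dynamic(const char *src, size_t *out_len)
{
    if (src == NULL)
        return NULL;
    size_t len = strlen(src);
    char *copy = malloc(len + 1);
    if (copy == NULL)
        return NULL;
    memcpy(copy, src, len + 1);
    if (out_len != NULL)
        *out_len = len;
    return copy;
}
```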
    19. Re:Regulation is not the answer by ImpTech · · Score: 1

      You can write reliable software for a plane, that's true... but a plane is a relatively simple, relatively isolated system. It does a limited number of things in a limited number of ways, and therefore it can be tested exhaustively and completely. That's simply not the case on a desktop computer, however. You can't exhaustively test a consumer operating system because you can't possibly know everything that will be done to it. The same is true of a word processing suite, a web browser, various server programs, and pretty much all the software you and I use every day. Unless we want to abolish the whole idea of the personal computer, and move back to a system of appliances that have very limited functionality, I just don't see how you could reasonably expect the same reliability from your PC that you do from a bridge or an airplane. Even then, I defy anyone to design a web browsing appliance that can correctly handle all (or nearly all) the websites out there and be guaranteed not to crash or have any other undesirable behavior. And more importantly, design that appliance so that it cannot be hacked or cracked in any way.

      In fact, that has me thinking a little bit... I'd bet a skilled hacker or cracker or what have you would almost certainly be able to break the aforementioned aircraft software. The reason they don't is because they can't get to it. So therefore on a structure like the internet, where everybody is connected to everybody else, secure and reliable computing is just plain impossible. Unless of course you want to radically redesign the internet, but I for one can't even conceive of what you could do to fix that problem while still allowing a somewhat free exchange of information.

    20. Re:Regulation is not the answer by russotto · · Score: 1

      You want me to get a fucking license to program and toady up to a bunch of self-important people on the "Board of Professional Programmers" in order to practice my profession? That's regulation by another name, just by a different body. No thanks; leave the strangling over-regulation and "professionalism" to fields which are pretty much mature, static, and stagnant... though perhaps that's the _reason_ they're stagnant.

    21. Re:Regulation is not the answer by russotto · · Score: 1
      Having never worked in the industry, I do not know, but I can imagine that the standards required for medical equipment software (pacemakers et al) and things like nuclear power stations are much higher.
      I _have_ worked in medical equipment software; not implantable devices but other life-critical stuff. Let's just say that neither the FDA nor any other regulatory organization looked at a single line of code; there were documents they did look at, but not code. Nor was any certification required to work on this stuff.
    22. Re:Regulation is not the answer by Ed+Avis · · Score: 1

      Well in programming there isn't really an equivalent of particular components being below spec; either a program has a bug or it doesn't, and every copy of that program has the same behaviour. It's not as if one in every 1000 compilations of GNU Hello come out defective.

      What you can do is defensive programming, so that even if some other code is buggy your program tries to stagger on rather than crash. But this is really difficult - where do you draw the line? If a function is specified as adding two numbers, should the caller also check that the numbers have been added correctly? If so you are just rewriting the code yourself. At best you can put in checks for a few obvious things like returning null when the specification says not-null, but in many programming languages (C++ with references, C with splint, Nice) this can be enforced by the compiler so a run-time check isn't needed.

      --
      -- Ed Avis ed@membled.com
    23. Re:Regulation is not the answer by jc42 · · Score: 1

      While professional certification seems like it would help, there is a simple reason why historically it hasn't worked.

      There have been many attempts to establish such certifications since software arose as a significant part of the world back in the 50's. In almost every case, the same thing has happened: A certification program was established, and the qualification tests looked for only one thing: Familiarity with the dominant software platforms at the time. From the 50's to the late 80's, this meant one thing: IBM's commercial systems. Since the late 80's, Microsoft has nearly supplanted IBM, but the situation is otherwise the same.

      The problem here is that most of the world's computer infrastructure was built on unix and the various small real-time kernels. The people who set up certification programs aren't familiar with these, and don't consider them.

      This means that when you are talking about safety and security concerns, existing software certification programs are pretty much considered jokes. If you were building a team to write the software for a secure/safe environment, would you hire someone with certification on MVS or Windows? More likely, you'd know not to ever mention such an idea, because the result would be a permanent "clueless" label, and it would be your last contribution to the discussion.

      Part of the problem has been that the people who organize software certification programs are invariably professional managers, and they consider programmers as interchangeable components. The few who have realized that this is dumb generally go to the opposite extreme, and will hire only people with N years experience on one particular release of the chosen OS (and not understand that that release has only been out for N-3 years).

      So, as things have stood for the past 40 years or so, no matter how good an idea professional software certification seems, the end result is generally a joke. Successful software managers understand this, and consider certification a negative point on a resume.

      A few minor exceptions exist in some very narrow specialties. But overall, software certification can't succeed as long as the result is a program that certifies only IBM and/or MS software experts.

      (As a long-time unix/linux/internet geek, I've looked at a lot of certification programs, and I don't think I've ever seen one that I had a chance of qualifying for. But I didn't mind; it was obvious who their market was, and I've never wanted that sort of job. ;-)

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    24. Re:Regulation is not the answer by sql*kitten · · Score: 1

      IF THEY WON'T SHOW YOU THE SOURCE CODE, THERE IS OBVIOUSLY SOMETHING WRONG WITH IT! OTHERWISE THEY WOULD NOT FEEL THE NEED TO HIDE IT FROM YOU!

      Sorry, but this argument holds no water and you are doing a disservice to Open Source by propagating it. It is equivalent to saying "if you are doing nothing illegal, why don't you let the government track your movements via an electronic tag, otherwise obviously you have something to hide".

    25. Re:Regulation is not the answer by the_truk_stop · · Score: 1
      software developers should be required to take a qualification...in order to work in positions of authority and responsibility

      I'd rather have someone who's competent in the language and competent in the application coding whatever Big-Important-Project may be. For instance, take GnuPG. As far as I know, requiring those guys to take a test to prove that they know what they're doing with that particular application would be useless; they understand the design necessities of strong encryption, and they have the programming skills to realize those design needs.

      Having a competent and uncertified programmer working on something that s/he has a stake in seems much more important than having someone who doesn't understand the application but can summon the Vast Powers of Certification (TM).

    26. Re:Regulation is not the answer by sql*kitten · · Score: 1

      You want me to get a fucking license to program and toady up to a bunch of self-important people on the "Board of Professional Programmers" in order to practice my profession?

      Yes. What makes you so special? I'll bet dollars to donuts you're no smarter than the average PEng or MIEE or MD. And, I'll place a side bet that you think that you are.

      leave the strangling over-regulation and "professionalism" to fields which are pretty much mature, static, and stagnant... though perhaps that's the _reason_ they're stagnant.

      I'd hardly call medical science "stagnant" - in fact, bioinformatics is likely to be a growth area in IT. Or engineering for that matter, a far more innovative and dynamic field than software. Computer geeks salivate over, say, nanotech, but mechanical engineers are making it happen.

    27. Re:Regulation is not the answer by sql*kitten · · Score: 1

      There have been many attempts to establish such certifications since software arose as a significant part of the world back in the 50's. In almost every case, the same thing has happened: A certification program was established, and the qualification tests looked for only one thing: Familiarity with the dominant software platforms at the time

      While that is true, it must be possible to create such a body; after all, engineers, lawyers, doctors, etc managed it, even tho' all those professions change quite rapidly. The medical profession, for example, hasn't held back the development of CAT scanners just because most of its members qualified on stethoscopes (for example). The engineering profession hasn't held back the adoption of CAD even tho' when it was founded the slide rule was the computational tool of choice.

    28. Re:Regulation is not the answer by Tony-A · · Score: 1

      Much more interesting is how to code for robustness in the face of bugs you _don't_ know about.
      Cheap shot at how.
      First comes the integration. All testing is done in vivo.
      Second comes the writing of the programs, bugs and all.
      Testing at this phase is extremely interested in finding both bugs anytime the consequences are out of proportion to the causes.
      Finally, you might get around to unit testing.

      The bugs you most want to get rid of are the ones that only show up in the presence of another bug. There are plenty of doubles. I've even seen a triple. Curing either will "make it go away". Curing both gives rather more confidence that the system won't go into shambles under pressure.

    29. Re:Regulation is not the answer by Wolfier · · Score: 1

      I will pay you $100 for each crash.
      Sounds like the way our deity does things. I like it.

    30. Re:Regulation is not the answer by lsdino · · Score: 1

      What you describe is a testing methodology, not a method to increase software robustness. While you're fixing bugs that you know about if you miss one buffer overflow then the app crashes and burns. There's no safety factor there.

      There are ways to increase reliability beyond this level. Examples include restartable out-of-proc components, VMs such as .NET or Java (which introduce their own problems w.r.t. unexpected memory allocations and handling those), and restartable in-proc components isolated through various techniques (separate memory heaps per component spread throughout the process to reduce chances of corruption, structured exception handling at component boundaries, etc...). And of course if you're writing in C++, doing things like using a conservative GC to prevent one bad class from running your process out of memory is another way to introduce wiggle room.

      So those are some ways to introduce REAL wiggle room in an app, but very few people go to such lengths (and not many major commercial apps run on VMs). You still need to do the testing to get rid of the bugs, but when you miss a major bug you've reduced the consequences and scope of corruption.

      Also your testing methodology seems to be backwards. Unit testing last? How the hell can you start integrating stuff together if you haven't made sure the basics work yet? That's just asking for a disaster, where you have a huge pile of crap that's completely broken and undebuggable.

    31. Re:Regulation is not the answer by pHDNgell · · Score: 1

      Most of the worm/virus issues exist b/c of code written in c rather than in a safer high level oop language where you don't get buffer overflows, sloppy use of pointers, etc.

      Just a nit, there are plenty of high level languages well suited for application development that are not OO that apply to this. OO doesn't give you safety, the higher level constructs do.

      --
      -- The world is watching America, and America is watching TV.
    32. Re:Regulation is not the answer by vsprintf · · Score: 1

      Most of the worm/virus issues exist b/c of code written in c rather than in a safer high level oop language where you don't get buffer overflows, sloppy use of pointers, etc.

      Yeah, Ada (the safe language) worked so well, and that's why it's in such widespread use. Please don't try to turn poor programming practices (or Microsoft's API) into a language holy war. It seems the biggest problem is really trojans that don't need buffer overflows or other trick exploits -- a little VB script in an email is enough.

      Most of the problems with worms/viruses, etc, are due to sloppy sysadmin practices. Of course, with better code sysadmins could be lazy, but that isn't necessarily the goal.

      Well, which is it that's causing "most" of the problems, C or sysadmins? Even the best sysadmin can't do a thing about new trojans in email if the company insists on using a Microsoft email client. The real reason that "most of the worm/virus issues exist" is the lack of forethought and a real product-security policy in Redmond. Unfortunately, the lack of responsibility at Microsoft is likely to result in regulation for all of us because most of our so-called lawmakers are unable or unwilling to distinguish between Microsoft and software in general.

    33. Re:Regulation is not the answer by pHDNgell · · Score: 1

      Sorry, but this argument holds no water and you are doing a disservice to Open Source by propagating it. It is equivalent to saying "if you are doing nothing illegal, why don't you let the government track your movements via an electronic tag, otherwise obviously you have something to hide".

      Well, this is not entirely accurate. In this case, I'm buying something to solve a particular problem I have, but am forbidden from knowing how that problem is solved.

      There are certain aspects of an application that make me less interested in using it when I see how it's implemented. I.e. is it well designed, or does it happen to work by trial and error?

      --
      -- The world is watching America, and America is watching TV.
    34. Re:Regulation is not the answer by Anonymous Coward · · Score: 0

      Regulation certainly isn't the answer. The government is no more qualified to handle computer security than the idiots who don't harden their systems and keep up with security fixes, get rooted, and whine about it after the fact. As we've seen with the move to federalize airport security, it doesn't matter. If a so-called "crisis" is at hand, there's enough of a groundswell among the Republicrats to make another unaccountable, incompetent federal agency to take over everything. It is a natural tendency of the government to acquire more and more power over people's lives. When the government makes a move on the software industry (actually they've already done so. Remember that Microsoft monopoly lawsuit?), they will do it supposedly for the benefit of consumers, but in truth it will be at our expense. Privacy? Less than we ever had before. New taxes? Definitely, only they'll be "access fees". Freedom? Hardly. We shouldn't be able to purchase programmable computers at all, nor should we be permitted to copy information or preserve our anonymity. It's coming, and it's coming because there are too many idiots out there who don't want to help themselves or even think for themselves.

    35. Re:Regulation is not the answer by lsdino · · Score: 1

      While that is true, it must be possible to create such a body; after all, engineers, lawyers, doctors, etc managed it, even tho' all those professions change quite rapidly. The medical profession, for example, hasn't held back the development of CAT scanners just because most of its members qualified on stethoscopes (for example). The engineering profession hasn't held back the adoption of CAD even tho' when it was founded the slide rule was the computational tool of choice.

      While I'm not sure that it's impossible, I think there is a significant difference in scope between these professions and software development.

      Lawyers are scoped to their state, by their state bar, and their only real requirement is to zealously protect their client (or prosecute the bad guys). Doctors are scoped to the human body, and while there are many diverse areas throughout the human body, they all pretty much have the same goal of improving health. Engineers are scoped at various different levels (Electrical, Civil, Mechanical, etc...). Generally speaking they need to build things that don't fall over within specified tolerances.

      Software on the other hand crosses across many different areas: VB database front ends, applications, OSes, medical applications, nuclear power plant software, airplanes, cars, games, PVRs, microwaves, MP3 players, etc... And all of these have widely varying requirements. Should the VB database app be held to the same standard as the medical applications? Probably not.

      So if every VB programmer had to be a certified Software Engineer then the price of VB developers would sky rocket. And for what benefit? The corporations are satisfied with the quality they are getting today. So do we have a certification for every different category? Do we have a certification with different levels of reliability and quality?

      And to get back to the other professions, should programmers be like lawyers: they just need to do their best, and not appear incompetent to their peers? Or should they be like engineers and specify tolerances ("This program will work fine as long as all inputs are valid." :) ). Or should they be like doctors, and if they introduce bugs they're liable to be sued for malpractice? And once again, I have to ask about the VB developer (and I hate that I have to keep coming back to VB developers, but they are a large group, and they and their employers would suffer the most from legislation in this direction).

      jc42 inadvertently pointed out that there are already many certifications. I think the real "problem" is there's no demand for certified people.

    36. Re:Regulation is not the answer by vsprintf · · Score: 1

      Don't get me started on government intervention, or initially well-meant licensing legislation. It'll be your worst nightmare, you'll remember the days of BillG and Windows fondly, if the governments ever get serious about that kind of control

      If the government starts regulating software and those who write it, it will be because of "BillG and Windows", and believe me, they won't be remembered fondly -- indeed, they will likely profit from government-mandated *trusted computing*.

    37. Re:Regulation is not the answer by Tony-A · · Score: 1

      Also your testing methodology seems to be backwards
      That's because it's a design methodology. Poor hindsight beats 20/20 foresight.

      How the hell can you start integrating stuff together if you haven't made sure the basics work yet? That's just asking for a disaster, where you have a huge pile of crap that's completely broken and undebuggable.
      Sounds like evolution.
      Until you've got the stuff working together, you don't really know what the units are. Not the fat middle. The edges. All the edges.
      Theory vs practice. In theory there is no difference. In practice there is.
      You can unit test against a hypothetical universe. The real one tends to throw you curves in places you didn't know you had places.

      There will be a very few critical transforms. Those few need to be designed excruciatingly carefully.

    38. Re:Regulation is not the answer by Ed+Avis · · Score: 1

      A language holy war isn't justified, but neither should we ignore the simple fact that almost all buffer overflows happen in C or other relatively low-level languages, and almost none in higher-level languages. Yes, you can program safely in C, and you can program unsafely in Ada if you choose to. (In C++ you can do both with equal ease.) But there's something to be said for a language that makes it simple to do the right thing, and requires a bit more explicitness and verbosity to do the wrong thing. With C it is often the opposite.

      Actually, I wouldn't blame C so much as the standard library. If there were a decent set of variable-sized array classes, safe string classes and so on included as part of the standard C library, we probably wouldn't see so many problems.

      Microsoft's security holes are another issue altogether and often related to 'active content' and other moronic ideas. Language wars certainly aren't relevant there.

      --
      -- Ed Avis ed@membled.com
    39. Re:Regulation is not the answer by thoth · · Score: 1

      I'm not sure certification will do anything for software, without tying certification to liability. The reason bridges don't collapse and cars don't explode is that the companies responsible are liable for big bucks if that stuff happens in everyday usage. While the software industry releases products with license agreements that basically say "this product isn't guaranteed to work; you have no recourse" it won't get better.

      I'm not saying I'm in favor of attaching liability - just without that you can't fairly compare "real" engineering disciplines to software.

    40. Re:Regulation is not the answer by thoth · · Score: 1

      To play a devil's advocate, signoff can't occur without everything else in the "stack" signing off. You think your code works great, but did you write the compiler you used? Did you fab the processor it will run on? The OS that runs your code? Bugs in any of those components equals your buggy software.

    41. Re:Regulation is not the answer by DunbarTheInept · · Score: 1

      The safety of which you speak has nothing to do with how high-level the language is. In C, the decision not to check array bounds is not a matter of it being low level. It's a matter of preferring speed over coddling. Every array reference takes three times longer when you have bounds checking. The design model is that you only use the checking when you have to (like when filling a buffer with untrusted input). The fact that programmers don't do that is their fault, not the language's fault.

      (That being said, I think it would be cool for a language to have a pragma that could turn bounds checking on and off when the programmer wants to,
      so a critical section of code that processes user input could operate with it on, but the rest of the code operate with it off.)

      --

      Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.

    42. Re:Regulation is not the answer by DunbarTheInept · · Score: 1


      But there's something to be said for a language that makes it simple to do the right thing, and requires a bit more explicitness and verbosity to do the wrong thing.

      The problem is that people disagree strongly over which way is the "wrong thing". Some would say that the wasted CPU time constantly checking every array reference every time (such as happens in languages that enforce array bounds for you) is the "wrong thing". (Ideally, I think the programmer should be able to invoke array bounds checking when he wants to, with a compiler directive, and turn it off when he wants to. Then he could wrap the parts that process user's untrusted input with this directive, but leave it off the rest of the time for speed.)


      Actually, I wouldn't blame C so much as the standard library. If there were a decent set of variable-sized array classes, safe string classes and so on included as part of the standard C library, we probably wouldn't see so many problems.

      I agree there. Every time I had to program something that had to protect itself against buffer overflows, I got very annoyed at the lack of strn... functions in the library. For working with normal strings, there's lots of useful functions to play with: strstr, strtok, strchr, strdup, and so on, but only a select few of them have "n" versions, like strncpy, and strncmp. Why this is the case I don't know. But I'm sure it's part of the reason people don't check their bounds as much as they should. If you want to use the useful C-string library functions, you have to do so unsafely.

      --

      Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.

    43. Re:Regulation is not the answer by DunbarTheInept · · Score: 1

      One of the things that worries me is things like this:

      I work on the staff of a university. At the student union, they have a free access wireless LAN that covers the building and lets anyone with a laptop hook up to the campus network, get a DHCP-assigned IP and run with it, no questions asked, no login required. When the SoBIG virus was running amok a week or two back, they started putting up signs that said anyone using that wireless network MUST have antivirus software that blocks e-mail viruses installed and up-to date or they don't have the rights to use the network. (followed by a URL for where they could get such software from the campus IT department) Now, aside from how on earth they thought they could enforce this, I was a bit worried about what they would say about someone not using Microsoft. Would they be dumb enough (assuming they could even find out) to say that someone using a Linux laptop was violating the rule and being "less" safe than someone using Windows with the anti-virus software installed? Would they understand that that software doesn't exist on Linux only because there's no need for it (yet?).

      Will the idiots in charge believe that a computer with antivirus software on it is always more 'trusted' than one without, even if the reason it lacks the software is because it is at zero risk since it's not running the OS that has the viruses?

      They just might be that dumb.

      --

      Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.

    44. Re:Regulation is not the answer by vsprintf · · Score: 1

      But there's something to be said for a language that makes it simple to do the right thing, and requires a bit more explicitness and verbosity to do the wrong thing. With C it is often the opposite.

      While I can agree with that, I've often wondered why it is that no new *safe language* has ever been widely successful (unless you want to count Java as both safe and widely successful). Surely it is more than an aversion to "explicitness and verbosity". Perhaps it is due to inherent limitations of these languages?

      Actually, I wouldn't blame C so much as the standard library. If there were a decent set of variable-sized array classes, safe string classes and so on included as part of the standard C library, we probably wouldn't see so many problems.

      I may have missed something during the last couple of decades, but I don't recall any "classes" in the "C" standard library ("string classes" or otherwise), although one could argue that structures are unsafe classes. I think your original point was about responsibility for malware, and I still don't believe any particular language (or system administrators) should bear the blame. I blame certain nameless companies (with the initials MS) for irresponsible behavior and the easy propagation of malware. Again, the biggest problem is software produced by a certain company that enables trojan malware by default, which has nothing to do with programming languages or system administration.

    45. Re:Regulation is not the answer by DunbarTheInept · · Score: 1


      And yes, buildings don't fall (very often) and bridges don't collapse (most of the time), BUT the difference there is that the technologies and math used to design those constructs have been well understood for centuries.

      I don't think that's the reason. I think the reason is that the tasks computers perform have a lot more variety than anything else. If you design a bridge, it has one purpose only - to carry a road - which has weight travelling across it. You aren't going to suddenly find next week that someone also wants to keep their recipes on the thing, and use it to pretend they're shooting space aliens with ray guns, and then use it to balance their checkbook.

      Software breaks because the conditions that have to be tested for are almost infinite in variety. So the best the software engineers can do is try to test for certain classes of things they think could be relevant, and hope that all the uses people come up with for the computer fall under those classes of things that were tested against.

      --

      Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.

    46. Re:Regulation is not the answer by russotto · · Score: 1
      Yes. What makes you so special?

      Nothing. That's just the point; I don't need to be special to practice my profession. Nor do I want to be.

      Anyone who can acquire the skills can write software. That makes software special. "Professional" licensing would throw that away.

    47. Re:Regulation is not the answer by ScrewMaster · · Score: 1

      Russotto's point (and my own) is valid. Certify software engineers and programmers all you want, but you will find that it will have no positive effect (and a very probable negative one) upon the quality of software unless you are willing to grant those same developers the authority to deliver a quality product in spite of marketing goals. That hardly ever happens in practice ... so, failing that, your only choice is to try and fix faulty management or replace it with one that has an understanding of the development process and a sincere desire to release quality code.

      You bring up medical science as an example of where certification has been successful. I won't even attempt to discuss the overall ethical wasteland that modern medicine has become, but it is true that doctors have heavy certification requirements. However, they also have traditionally had the authority and autonomy to make medical judgments on behalf of their patients, and to make those decisions stick! And one of the biggest complaints about modern medicine is that that authority has been removed from the doctors (where it belongs) and placed in the hands of professional managers (where it doesn't)! So don't talk to me about how I need to (as Russotto so aptly put it) "toady up to a bunch of self-important people" until you are willing to address the real issue of bad software management. One thing that doesn't appear to be taught to the average MBA is how to manage a bunch of professional programmers in a manner that results in quality code. We know how to do it (after all, that's our job), but we are rarely given the opportunity.

      More generally, it is true that all engineering is a process: whether it be architectural, mechanical, electronic, or software, it is a process. And, like most systems intended to take raw material and turn it into finished product, there are numerous stages involved, and many checks and balances designed to correct any errors.

      In the case of software development, the raw materials are a. perceived need and b. ideas. Those raw materials are first turned into a design, which is (ideally) checked and re-checked for any flaws or missteps. Note that in many development operations, the people that design the product are not the people who actually implement the design, and if the design is not correct then no number of properly "certified" software engineers will be able to fix it. Then, once a semi-functioning version of the software is available, the quality control department (you do have one of those, don't you) takes over and finds any initial problems. If any are found, they are returned to the design and implementation crews to make any changes. Lather, rinse and repeat until quality emerges.

      My point is that simply focusing on the programmers (who, after all, are only a part of the process, and not necessarily the most important part) is foolish and expresses ignorance of how things are and must be done. Truly, if you must certify, then certify the quality control staff. They, after all, are the ones that either found, or didn't find, that obscure little bug that melted down your local nuclear power plant. Or perhaps you should certify the designers: after all it was their drain-bamaged fundamentally-flawed design that the programmers did their best to implement and work around. What about the graphic artist who did your toolbar: if he'd made the icon a little more recognizable maybe that plane wouldn't have crashed. And let's not forget management, who probably doesn't have a clue what is going on but is nominally responsible for all of it. Ultimately it doesn't matter: if the whole system doesn't work properly then the result will likely be unfortunate.

      In any event, as soon as I see sincere and constructive efforts made to reform the software development process from the top down then, and only then, will I consider the need for "certification" of programming talent. And I say, "consider." Chances are I will never personally accept it, and would probably choose to go into another field entirely.

      --
      The higher the technology, the sharper that two-edged sword.
    48. Re:Regulation is not the answer by vsprintf · · Score: 1

      Would they be dumb enough (assuming they could even find out) to say that someone using a Linux laptop was violating the rule and being "less" safe than someone using Windows with the anti-virus software installed? Would they understand that that software doesn't exist on Linux only because there's no need for it (yet?).

      Actually, I have read about a Linux anti-virus program, but I was so concerned that I forgot the name. :)

      Will the idiots in charge believe that a computer with antivirus software on it is always more 'trusted' than one without, even if the reason it lacks the software is because it is at zero risk since it's not running the OS that has the viruses?

      I had that problem when I wanted the company (ITS) to give me a VPN account. I am running Linux at home and could not give them the name of the anti-virus software, so they refused me access. I finally had to get the ITS manager's signature (and don't even ask me about that conversation -- talk about clueless :).

    49. Re:Regulation is not the answer by DunbarTheInept · · Score: 1



      Actually, I have read about a Linux anti-virus program, but I was so concerned that I forgot the name. :)

      I know of that one too (and can't remember the name either), but it exists NOT to protect Linux from viruses. It's a virus scanner to help prevent a linux box from propagating viruses for other OS's if they travel *through* the linux box. It was meant for cases where (for example) a linux box is serving mail to Windows machines.)

      --

      Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.

    50. Re:Regulation is not the answer by ScrewMaster · · Score: 1

      Depends upon the computer system. Embedded systems (such as those in your microwave, or those that control massive industrial processes) only do one thing for their entire life-cycle, and they can be tested for most possible input conditions. You appear to be referring to desktop software, and yes you are correct as far as that goes. But I still maintain that we are far down on the progress curve of computing technology, and that in far less than the span of time that we learned to build reliable bridges we will learn to consistently write reliable software. We just aren't there yet.

      Even so, we can still do a lot better now than we have been. I just don't believe that forcing software engineers to undergo periodic, irrelevant testing in order to practice their art will help in that regard, given that they aren't the real culprit.

      --
      The higher the technology, the sharper that two-edged sword.
    51. Re:Regulation is not the answer by Adrian+Lopez · · Score: 1

      The ACM's position on the licensing of software Engineers is that licensing - even for safety reasons - is neither effective nor desirable. A similar perspective on licensing in general may be found here.

      --
      "In prison you just have to shut your eyes and take it. Here you have to shut your eyes and give it."
    52. Re:Regulation is not the answer by ScrewMaster · · Score: 1

      Tying certification to liability is absolutely pointless. If you make every software engineer responsible for every error in his or her work then soon nobody will take the risk and there won't be any software engineers in the U.S. India's development houses would get rich, but that's another story.

      You are correct in your assertion that holding large corporations liable for faulty product is why bridges don't fall ... cars, however, do explode. A specific Lincoln model favored by many police departments has a tendency to do just that when rear-ended. But that's neither here nor there. It is the CORPORATIONS (and their bottom lines) that are held accountable. Putting programmers in jail because of a software error would not serve the public interest in any way, shape or form.

      Tying financially-motivated managerial decisions to release untested, buggy software upon an unsuspecting public to a corresponding degree of liability makes more sense. As I've stated elsewhere, management is a. responsible for work performed on their watch, and b. responsible for policy decisions that impact the quality of that work. All programmers create bugs ... nobody is perfect, and no-one with the cranial capacity of Piltdown Man would ship code that never left the Alpha testing stage. Corporate structures and budgets that don't leave room for adequate design and testing procedures should be held accountable, not the individual engineers. That's just incredibly stupid, and this whole discussion of "certifying" software engineers and programmers is remarkably obtuse and off-target. The entire process of software development, end to end, needs to be overhauled in many, if not most, software houses and scapegoating the programmers is counter-productive at best.

      --
      The higher the technology, the sharper that two-edged sword.
    53. Re:Regulation is not the answer by lsdino · · Score: 1

      I'm sorry, this is not a design methodology. I could maybe accept a development methodology. But part of your design is defining units, and those units should be tested first.

      You say "You can unit test against a hypothetical universe. The real one tends to throw you curves in places you didn't know you had places." I assume you meant can't here, not can. First, unit tests are not hypothetical. You have obvious units during development that can be tested (each class comes to mind), you should test them. Unit tests are not designed to test these curves that you don't expect. Unit tests are designed to test basic functionality to get rid of basic bugs. Once you know your basic functionality works, then you start testing the system.

      Let's say that I have a program that needs me to implement a custom growable list. Am I going to write the entire program and run it and drive the program to use the list? No, I'm going to write the list, test it, and make that part of the program. Maybe, and in fact most likely, my original tests didn't cover every state. That's why we have integration testing. But it happens AFTER I've verified the basics of the component are functional. If I discover a bug that my original unit tests don't cover, ideally I should go back and add a test to cover that.

      As for "sounds like evolution", you say that as if it's a good thing. Yes software design isn't solid at the beginning and it evolves in practice. But that does not mean that there aren't explicit units that can be tested during this evolution before the whole is tested.

      I'll close with a final thought (god, who the hell am I, Jerry Springer?): If you test with the smallest scope first your time spent debugging will be minimized. If you throw an entire program together, and start testing, all of a sudden the bug you're tracking down could be anywhere in the program. If you are debugging a unit test, your bug is in the unit. It's much easier and faster to debug. And THAT'S why you write unit tests first!

    54. Re:Regulation is not the answer by IM6100 · · Score: 1

      Yes, but Knuth's software projects have convergent version numbers. As in: no creeping featureitis.

      I've spoken on this topic before, advocating that Linux and Linux desktops should converge, instead of just bloating out like KDE and GNOME have, but generally get scolded for it.

      --
      A Good Intro to NetBS
    55. Re:Regulation is not the answer by jadavis · · Score: 2, Insightful

      Who is going to pay these costs? The costs for certification and increased education are high, and will undoubtedly increase the cost of developing software.

      Why not regulate that everything has to be perfect? Some M&M candies are a little lopsided, so let's pass some regulations and make the employees get a license. That way nobody will have to eat another lopsided M&M, they'll all be made to a 10nm spec.

      How about instead we just let consumers decide what's acceptable, and what prices they're willing to pay for higher design costs or other quality control.

      Now, if the vendor is making false claims, that can be handled under existing laws. If they say it has feature X and it's so buggy that it's unreasonably difficult to use feature X due to bugs, then you should have a right to some kind of refund.

      However, in the case of Microsoft software, most people KNOW how much it crashes/fails and KNOW that it may have to be rebooted frequently. MS makes no pretenses about perfect software. And MS software generally works, I can't (offhand) think of an advertised feature that is so dysfunctional that it should be called false advertising.

      --
      Social scientists are inspired by theories; scientists are humbled by facts.
    56. Re:Regulation is not the answer by rnd() · · Score: 1

      Quite true....

      --

      Amazing magic tricks

    57. Re:Regulation is not the answer by rnd() · · Score: 1

      Microsoft email clients (when patched) do not exhibit behavior that automatically spreads script viruses.

      --

      Amazing magic tricks

    58. Re:Regulation is not the answer by DunbarTheInept · · Score: 1


      Depends upon the computer system. Embedded systems (such as those in your microwave, or those that control massive industrial processes) only do one thing for their entire life-cycle, and they can be tested for most possible input conditions.

      I think this supports my point well, given that those types of systems aren't as buggy as desktop software. There appears to be a correlation between how multipurpose a piece of software is and how buggy it is.

      --

      Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.

    59. Re:Regulation is not the answer by Olathe · · Score: 1

      You didn't quite get the analogy. There IS an equivalent of particular components being below spec. Unless you are making something trivial like a "Hello, World" program, the program will be divided into various parts like functions or classes (these are components...). These can be individually defective. The defective parts would be below spec.

      It wouldn't be as if one in every thousand of such a program would come out defective. It would be as if one out of every five parts of the program would come out defective (which would make one out of one compilations of the program defective).

    60. Re:Regulation is not the answer by Ed+Avis · · Score: 1

      I wasn't thinking of bounded array access (though that is useful) so much as using fixed size buffers or variable sized ones. Does a programmer think 'I should use a growable buffer, but it's too much effort, so I'll just use char[1000] instead'? That's what I mean by making it hard to do the right thing.

      You're correct that there isn't universal agreement on what the right thing is for array access; a language ought to make it pretty simple to do either, eg 'char[1000 unchecked]' versus 'char[1000 checked]' or something like that.

      --
      -- Ed Avis ed@membled.com
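      The following is an added example written for this page in C; it is not code from the thread or from any of the posters. It puts together the three points made above: the complaint that the standard C library lacks bounded versions of most string functions (and that strlcpy is a BSD extension, not ISO C), Ed Avis's point that a growable buffer is the right thing compared with a fixed char[1000], and lsdino's point that the component (here a growable buffer) should be unit-tested on its own before it is integrated. The names bounded_copy, gbuf and run_unit_tests are invented for the example, and the over-long "attack" string is constructed test input.

```c
/* Added example, not from the thread: a truncation-reporting bounded copy,
 * a growable buffer, and unit tests that exercise both in isolation.
 * Names (bounded_copy, gbuf, run_unit_tests) are invented for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* strlcpy-style copy. Always NUL-terminates when dstsize > 0 and returns
 * strlen(src), so a return value >= dstsize tells the caller the input was
 * truncated rather than silently overflowing as strcpy would. */
size_t bounded_copy(char *dst, size_t dstsize, const char *src)
{
    size_t srclen = strlen(src);
    if (dstsize > 0) {
        size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Growable byte buffer: appending reallocates instead of overflowing.
 * Invariant: data[len] == '\0' and cap >= len + 1 whenever data != NULL. */
typedef struct {
    char *data;
    size_t len;
    size_t cap;
} gbuf;

void gbuf_init(gbuf *b) { b->data = NULL; b->len = 0; b->cap = 0; }

void gbuf_free(gbuf *b) { free(b->data); gbuf_init(b); }

/* Returns 0 on success, -1 on size_t overflow or allocation failure;
 * on failure the buffer is left unchanged. */
int gbuf_append(gbuf *b, const void *src, size_t n)
{
    if (n > (size_t)-1 - b->len - 1) return -1;   /* len + n + 1 would wrap */
    size_t need = b->len + n + 1;                 /* +1 for the trailing NUL */
    if (need > b->cap) {
        size_t newcap = b->cap ? b->cap : 16;
        while (newcap < need) {
            if (newcap > (size_t)-1 / 2) { newcap = need; break; }
            newcap *= 2;
        }
        char *p = realloc(b->data, newcap);
        if (!p) return -1;
        b->data = p;
        b->cap = newcap;
    }
    memcpy(b->data + b->len, src, n);
    b->len += n;
    b->data[b->len] = '\0';
    return 0;
}

/* Unit tests for the two components on their own, before any integration.
 * Returns 1 when every check passes, 0 otherwise. */
int run_unit_tests(void)
{
    char small[8];
    /* Constructed input, deliberately longer than the destination. */
    const char *attack = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    size_t need = bounded_copy(small, sizeof small, attack);
    if (need < sizeof small) return 0;               /* truncation must be reported */
    if (strlen(small) != sizeof small - 1) return 0; /* and the result terminated */
    if (bounded_copy(small, sizeof small, "ok") != 2 || strcmp(small, "ok") != 0) return 0;

    gbuf b;
    gbuf_init(&b);
    for (int i = 0; i < 1000; i++)
        if (gbuf_append(&b, attack, strlen(attack)) != 0) { gbuf_free(&b); return 0; }
    int ok = b.len == 1000 * strlen(attack) && b.data[b.len] == '\0' && b.cap >= b.len + 1;
    gbuf_free(&b);
    return ok;
}

int main(void)
{
    int ok = run_unit_tests();
    printf("unit tests %s\n", ok ? "passed" : "FAILED");
    return ok ? 0 : 1;
}
```

      The point of the return value on bounded_copy is that the caller can refuse or log over-long input instead of discovering the truncation later; the point of gbuf_append checking for size_t wrap before computing the new size is that a length supplied by an attacker is exactly the value most likely to be chosen to make len + n + 1 overflow.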
    61. Re:Regulation is not the answer by Ed+Avis · · Score: 1
      I've often wondered why it is that no new *safe language* has ever been widely successful
      Well, how about Perl, Tcl, Python, etc.? Tcl and sometimes Perl have their own gotchas related to quoting, but these aren't so bad and relatively easy to avoid.

      About string classes, arrays and so on: yes I know C does not use the 'class' keyword. But many C libraries present what is effectively a class interface, with functions foo_create(), foo_frob(int), foo_add(foo, foo), and foo_destroy().

      In my earlier post I wasn't really talking about malware but about unsafe software in general. If the user is told 'any executable you run will have your permissions, and so you are responsible for it' but chooses to ignore that and run the dancing elephants demo anyway, I don't see why anyone else should be liable. The user interface could certainly be improved to make this point more explicit to the user, and it would be good to have better sandboxes for untrusted code (and to wean users away from 'active content' in general, except for specialized applications). But that's not a liability issue I think.

      --
      -- Ed Avis ed@membled.com
    62. Re:Regulation is not the answer by Ed+Avis · · Score: 1

      I get the analogy... I don't think it is appropriate. What you describe is more analogous to picking the wrong component. If you design a car and pick the wrong type of seats, or seats with a known design flaw, then you must change the kind of seats you're using or fix their design and manufacture some more. You wouldn't change the rest of the car to work around an always-faulty component. Only for tolerance of particular components that might be faulty in one particular car - and that situation doesn't really happen in software.

      --
      -- Ed Avis ed@membled.com
    63. Re:Regulation is not the answer by ScrewMaster · · Score: 1

      Well, that's true, so far as it goes.

      But there's a much more direct correlation between how bug-free a program is and how much effort is invested in quality control, during both the design and implementation phases. What you are really saying is that the more complex a piece of software is, the more it needs to be tested. And that variable we can control: we just have to choose to make the investment. Historically, products that are well-designed and thoroughly tested do very well when artificial market constraints (cough cough Microsoft cough cough) are removed.

      And you are also correct in that the more sophisticated a program is (this primarily refers to operating systems, which are by far the most complicated programs in general use today) the more bugs will rear their ugly heads. No reasonable amount of quality control will ever squash them all, of course, but some vendors don't even seem to try.

      --
      The higher the technology, the sharper that two-edged sword.
    64. Re:Regulation is not the answer by ScrewMaster · · Score: 2, Insightful

      If you design a bridge, it has one purpose only - to carry a road - which has weight travelling across it. You aren't going to suddenly find next week that someone also wants to keep their recipes on the thing, and use it to pretend they're shooting space aliens with ray guns, and then use it to balance their checkbook.

      That's true, but only because game programmers don't design bridges. However, the real issue here is simply one of complexity: the more things something is composed of, the more things there are to fail. A top-of-the-line Lincoln Continental, with all its built-in toys, will have more things break over time than a stripped-down Chevette.

      To continue the previous example, a modern suspension bridge is a pretty damned complicated device, with a lot of potential failure modes. And, it's true ... they don't fall down very often. But you can bet your boots that every step in the design process for such a construct is thoroughly checked, double-checked, triple-checked and then checked again. Bridge designers and builders make a substantial investment in QC, because a. once the die is cast and the bridge is built you can't easily change it and b. the penalties for failure are immense.

      From a business/management perspective, however, the vast majority of computer applications do not fall into those categories: a. software is relatively easy to change after delivery, and b. there are few penalties for failure. Management frequently takes the position that it is more important to ship the product as soon as possible, and fix any problems later. It is that attitude that has to change if commercial software is going to get any better. There are shining examples of companies that do know how to do it right, but they are few and far between.

      In any event, I'm not really disagreeing with you. I'm just saying that, as complex as modern programs are, we can do one hell of a lot better at making them reliable. We shouldn't have allowed organizations like Microsoft to use the excuse that, "Well, ya know ... it's just so darn complicated" to justify shipping bad software. Stop shipping features that nobody will ever use and start shipping features that work.

      I read a book some twenty years ago that was called "How to purchase software" or something like that. It was written by a (rather intelligent) businessman who was responsible for selecting and buying software for a large corporation. He said one thing that sticks in my mind to this day: "If a feature doesn't work, then it isn't a feature."

      --
      The higher the technology, the sharper that two-edged sword.
    65. Re:Regulation is not the answer by vsprintf · · Score: 1

      Microsoft email clients (when patched) do not exhibit behavior that automatically spreads script viruses.

      There is a patch that prevents Outlook users from clicking and running an attachment?

    66. Re:Regulation is not the answer by rnd() · · Score: 1

      That is not a problem with the software platform being vulnerable, since the same can happen with Eudora, or any other mail client.

      Incidentally, Outlook Express has a feature (which is enabled by default) which does prevent this. It effectively locks the user out of any attachments that might contain vulnerabilities. I don't know if Outlook has this feature or not, but you should definitely take a look at this in Express.

      --

      Amazing magic tricks

    67. Re:Regulation is not the answer by DunbarTheInept · · Score: 1

      But there's a much more direct correlation between how bug-free a program is and how much effort is invested in quality control, during both the design and implementation phases.

      No - the correlation is between bug-free and the relative DIFFERENCE between how much quality control there was and how much quality control there needed to be. As you say, if you increase the complexity you increase the amount of QC needed. Thus two programs with exactly the same amount of QC will have different levels of bugginess if one was more complex than the other.

      --

      Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.

    68. Re:Regulation is not the answer by ScrewMaster · · Score: 1

      Thus two programs with exactly the same amount of QC will have different levels of bugginess if one was more complex than the other.

      Okay, if you want to nitpick. Certainly you wouldn't invest the same amount of QC in a DOS directory listing utility that you would in a missile guidance system. My point was more general: companies that develop software need to understand that investment in quality control is just that: an investment. And it is one that pays big dividends, even in the short run.

      --
      The higher the technology, the sharper that two-edged sword.
  8. Forget the regulation... by jafo · · Score: 3, Insightful

    Regulation may or may not work. What would really work would be if the government (Microsoft's biggest customer, I've heard) stopped buying their products in favor of others that are more secure. Re-evaluate that when Microsoft's products have less of an issue.

    I know that all systems have some security problems or another. I don't recall any of them having sent me a thousand e-mail messages every day, though. And it's not like this is the first time.

    Let the government talk with its money and people will listen.

    Personally, I don't really like my tax money going so much to Microsoft. For one thing, I don't like that the privacy of my information and security of the systems relies on something that seems to have so many problems.

    Sean

  9. Decent regulation is the only way by The+Old+Burke · · Score: 1
    ... to stop the mess that threatens to ruin the Internet. If one looks at history, sooner or later all new areas or industries have to become regulated and "followed up" by the government in order to succeed. Slavery, newspapers, broadcasting/television, the weapons trade, biochemistry and drugs. When this happens the regulated place becomes more stable and a more business-friendly environment. This draws capital and investment in new ways to earn money. Restrictions like DRM, successful monitoring and surveillance are all signs of this.

    IMHO this is a good thing as more and more people are able to exploit this and create their own business based upon standards that are specified by governments, not by some standards group that stifles innovation.

    --
    Proud patriot and republican voter.
    1. Re:Decent regulation is the only way by Anonymous Coward · · Score: 0

      For a post like that to work, you really need to be more subtle. But don't stop trying.

    2. Re:Decent regulation is the only way by BiggerIsBetter · · Score: 2, Insightful

      Anything government regulated is limited by borders and politics. Unless this sort of regulation is implemented by a non-governmental world body then it's useless and will only serve to segregate the internet.

      --
      Forget thrust, drag, lift and weight. Airplanes fly because of money.
    3. Re:Decent regulation is the only way by El · · Score: 1

      Damn straight! And Mussolini made the trains run on time, too!

      --

      "Freedom means freedom for everybody" -- Dick Cheney

    4. Re:Decent regulation is the only way by Anonymous Coward · · Score: 0

      Yeah we need the UNO to ban Windows ASAP!

    5. Re:Decent regulation is the only way by turgid · · Score: 1

      Those that give up liberty to make the trains run on time deserve everything they get.

    6. Re:Decent regulation is the only way by El · · Score: 1
      "Those who would give up essential Liberty, to purchase a little temporary
      Safety, deserve neither Liberty nor Safety."

      -- Benjamin Franklin, quoted in Suzy Platt, Respectfully Quoted: A Dictionary of
      Quotations (Barnes and Noble, 1993), p. 201.

      "Authority has always attracted the lowest elements in the human race.
      All through history, mankind has been bullied by scum. Those who lord
      it over their fellows and toss commands in every direction and would
      boss the grass in the meadow about which way to bend in the wind are
      the most depraved kind of prostitutes. They will submit to any
      indignity, perform any vile act, do anything to achieve power. The
      worst off-sloughings of the planet are the ingredients of sovereignty.
      Every government is a parliament of whores. The trouble is, in a
      democracy the whores are us."

      -- Benjamin Franklin, Historical Review of Pennsylvania, 1759.

      It's called sarcasm, learn to recognize it.

      --

      "Freedom means freedom for everybody" -- Dick Cheney

    7. Re:Decent regulation is the only way by acceleriter · · Score: 1

      And when the trains didn't run on time, no one would dare say they didn't :).

      --

      CEE5210S The signal SIGHUP was received.

  10. retro posting by segment · · Score: 3, Interesting

    I tried to submit something similar before as an article but it was denied ... and I sincerely thought it was very relevant to this. According to the NSA's "Statement on Cybersecurity" paper released earlier this year, there were a few people who were spooked as the government seems to want to either backdoor or somehow control software under the guise of 'tougher security':
    A significant cybersecurity improvement over the next decade will be found in enhancing our ability to find and eliminate malicious code in large software applications. Beyond the matter of simply eliminating coding errors, this capability must find malicious software routines that are designed to morph and burrow into critical applications in an attempt to hide. There is little coordinated effort today to develop tools and techniques to examine effectively and efficiently either source or executable software. I believe that this problem is significant enough to warrant a considerable effort coordinated by a truly National Software Assurance Center. This center should have representatives from academia, industry, federal government, national laboratories and the national security community all working together and sharing techniques to solve this growing threat.
    And to add insult to injury to MS, a letter was sent to Tom Ridge asking the Dept. of Homeland Sec to limit or stop its use of MS products due to insecurity.

    Personally I would stop using machines if it were possible to have some form of monitoring of my actions without my authorization. Aside from that it's not a secret that the NSA has been accused of corporate espionage, so I would hope large corporations would think twice about giving them any form of say when it comes to codes for commercial software.

  11. Re:Increased Software Vulnerability, Gov't Regulat by Anonymous Coward · · Score: 0

    Like the recent virus shows, Microsoft should have been writing secure code from the start, instead of being too keen to make money. It's their lapses that lead to these viruses/backdoors being allowed. Digital Update

  12. Paid By Higher Taxes by nurb432 · · Score: 1

    Why even ask who is going to pay for it? Every government initiative is funded via taxes..

    Oh, and higher prices to the consumer...

    Is anyone surprised this was going to happen? I'm only surprised the government hasn't gotten involved until now.

    --
    ---- Booth was a patriot ----
  13. Trends? by NtwoO · · Score: 2, Insightful

    Isn't it strange how there is a marked surge in software control in the past few months, with Microsoft's main competitor being an OS that is being built with relatively low centralized control?

    --
    ! /* */
  14. trusted computing anyone? by Alien+Being · · Score: 5, Insightful

    Gates is probably telling Bush "see, this is why we need trusted computing." Bush will declare that either you are with him, or you are with the terrorists.

    1. Re:trusted computing anyone? by CoolMoDee · · Score: 1

      In that case you can count me as a terrorist. You can pry my FLOSS software from my cold dead hands!

      --
      Jisho - A Japanese English German Russian French Dictionary for the rest of us.
    2. Re:trusted computing anyone? by dazaris · · Score: 1

      It seems that George W Bush has found evidence to link these Cyber Terrorists to al-Qaida. Looks like it's time to bomb another dictatorial country.

  15. Blame the user by madsen · · Score: 2, Informative
    In just about every report on worms or virus attacks the user is blamed for propagating the problem. In the article Scott Charney (MS security chief) tells the users to get antivirus software and keep it up to date.
    That wouldn't be necessary if the user followed his third suggestion: patch the system.
    And that wouldn't be necessary if the system were built more securely from the start.

    A good idea for MS would be to not make their stuff so user-friendly that it automatically executes every virus attachment that it comes across, but instead would warn the user by default.

    1. Re:Blame the user by Anonymous Coward · · Score: 0

      A good idea for MS would be to not make their stuff so user-friendly that it automatically executes every virus attachment that it comes across, but instead would warn the user by default.

      Windows XP already does this...

    2. Re:Blame the user by dzym · · Score: 2, Informative
      A good idea for MS would be to not make their stuff so user-friendly that it automatically executes every virus attachment that it comes across, but instead would warn the user by default.
      The default behavior for Outlook, Express, has already been to do this. It is certainly not Microsoft's fault a select subset of individuals aren't patching or are smart enough to be purposefully circumventing their attachment protections but are dumb enough to run attachments anyway.
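The two posts above (rnd()'s and dzym's) describe the Outlook Express behaviour of refusing to open attachments whose type could carry executable code. The following is an added illustration of how such an extension-based attachment policy is typically implemented at a mail client or gateway; it is not Microsoft's code, the blocklist is an assumed subset rather than the real Outlook list, and the message it scans is constructed here, not a captured worm. The point it adds to the discussion is the edge cases the check has to survive: double extensions ("recipes.txt.exe"), uppercase names, and trailing dots or spaces that Windows silently discards when saving.

```python
"""Attachment blocking by effective extension, the kind of check a mail client
or gateway applies before letting a user open an attachment."""
import email
from email import policy

# Assumed blocklist of executable and script extensions. This is an illustrative
# subset, not Microsoft's actual Outlook/Outlook Express attachment list.
BLOCKED_EXTENSIONS = frozenset({
    "exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "reg", "lnk", "msi", "cpl",
})


def normalise_filename(name: str) -> str:
    """Reduce a filename to the form the OS would actually use when opening it.

    Windows drops trailing dots and spaces when saving, so "payload.exe   " and
    "payload.exe." both end up as payload.exe; path separators are stripped so
    a name like "..\\payload.exe" cannot smuggle directory components.
    """
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rstrip(". ").lower()


def effective_extension(name: str) -> str:
    """Return the extension that decides how the file is opened. The last one
    wins, so a double extension like recipes.txt.exe is an exe."""
    base = normalise_filename(name)
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[-1]


def is_blocked(name: str) -> bool:
    return effective_extension(name) in BLOCKED_EXTENSIONS


def scan_message(raw: bytes) -> dict[str, str]:
    """Parse a raw RFC 822 message and give a verdict per attachment filename."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts: dict[str, str] = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        verdicts[name] = "blocked" if is_blocked(name) else "allowed"
    return verdicts


# Constructed sample message (not a real worm sample): one benign text
# attachment and two executables, one hiding behind a double extension.
SAMPLE_MESSAGE = b"""\
From: sender@example.invalid
To: victim@example.invalid
Subject: your recipes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: application/octet-stream; name="recipes.txt.exe"
Content-Disposition: attachment; filename="recipes.txt.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1
Content-Type: text/plain; name="notes.txt."
Content-Disposition: attachment; filename="notes.txt."

hello
--b1
Content-Type: application/octet-stream; name="SETUP.EXE"
Content-Disposition: attachment; filename="SETUP.EXE"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

if __name__ == "__main__":
    for name, verdict in scan_message(SAMPLE_MESSAGE).items():
        print(f"{verdict:8s} {name}")
```

Note that the check keys off the filename only; a gateway that wants to catch an executable renamed to .txt additionally needs to sniff the decoded content (for example the "MZ" header), which this example deliberately leaves out.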
  16. Regulation vs Open Source by jcam2 · · Score: 2, Interesting

    While regulation of software might sound like a good idea to the anti-Microsoft crowd, consider how it would affect free software developers. Imagine if you couldn't release any software that hasn't been vetted by some government agency - that would be the end of 99% of the open-source projects out there.

    And even if there were some exemption for not-for-profit developers, what about distribution companies like Redhat? They would be out of business in seconds ..

    1. Re:Regulation vs Open Source by mangu · · Score: 2, Interesting
      Imagine if you couldn't release any software that hasn't been vetted by some government agency


      No, imagine if you couldn't sell any software that hasn't been vetted by some government agency...

    2. Re:Regulation vs Open Source by Christian+Engstrom · · Score: 1
      Imagine if you couldn't release any software that hasn't been vetted by some government agency [...]
      Yes, I agree that that would be a death blow to open source (and to many smaller independent software manufacturers as well), but "government regulation" can take many other forms than "obligatory vetting".

      If the government regulation took the form of a law stating that if a security problem arises in some software that you have distributed, you must either

      take full responsibility for it and make sure that the problem is fixed, immediately and for ever, or

      release the full source code for the software in question, so that any other party that may be more interested in (or capable at) solving the problem can do so.

      This would provide no additional burden to the Open Source movement, including the commercial distributors of Open Source software, since the source is already out there in the open, for anybody to examine and improve, if necessary. It would, however, most certainly "encourage" (to quote the article) the makers of proprietary closed source software to make sure they gave adequate attention to security issues, since they would be deprived of their business model if they didn't.

      The government would in effect be saying "if you make stuff that is dangerous and you can't fix it yourself, we're going to turn it over to somebody else and not let you continue exposing us all to risk".

      Which hardly would seem unreasonable to me.

      --
      Christian Engström, Former Member of the European Parliament 2009-2014 for The Pirate Party, Sweden
    3. Re:Regulation vs Open Source by IM6100 · · Score: 1

      Hmm, that means Red Hat would go out of business. Nobody would dare integrate Linux into any system they had hopes of selling commercially. It would instantly become impossible to get liability insurance if your business used Free Software.

      Kewl, eh?

      --
      A Good Intro to NetBS
  17. Regulation is the goal by nurb432 · · Score: 1

    Control and regulation is what the governments of the world do best.

    The very existence of a government translates to the control of its people, and its resources.

    Them wanting to control the IT market, under the guise of 'for your safety', so common man will accept it, is an expected maneuver.

    Not that I agree with it, but it's expected and inevitable.. Just one more step towards total control of the public...

    --
    ---- Booth was a patriot ----
    1. Re:Regulation is the goal by Eric+Ass+Raymond · · Score: 5, Interesting
      I'll choose a democratically elected government over a plutocratic regime of corporations (=markets) any day.

      Them wanting to control the IT market

      Not all government control over the markets is bad. It's a fact that a capitalist society cannot self-regulate - its natural growth is always towards a monopoly. This unhealthy growth cannot be curbed by some internal mechanism inherent in the markets (as libertarians like to believe) and external control is always required at some stage.

    2. Re:Regulation is the goal by Anonymous Coward · · Score: 0

      I'll choose a democratically elected government over a plutocratic regime of corporations (=markets) any day.

      Such naive, blind faith in democracy? I suggest you look up the word venality. It's actually quite common in democracy.

      It seems to be a common tenet among liberals/progressives that corporations are evil and the government is good. In fact, it's people in power who often have "evil" tendencies, and corruption moves to where the power is. In a country like the U.S., corruption may be found in corporations like Enron, WorldCom, and Global Crossing. In socialist countries, where there is a disproportionately larger share of power in the government (the regulatory bodies), there is far greater corruption in the government.

      A good, true conservative position, then, might be to accept that there is always going to be corruption somewhere, and to create a government and economic system that is robust enough to withstand it. For example, you could strive to maintain a balance of power between the private sector and the public sector.

    3. Re:Regulation is the goal by jadavis · · Score: 1

      It's a fact that a capitalist society cannot self-regulate...

      It's a fact? According to what source?

      I am not suggesting that pure capitalism is always the answer, however there are inherent forces keeping it in line, in my opinion.

      For instance, older industries tend to consolidate, while newer industries develop and spin off each other. Innovation usually causes new upstarts and breaks industries apart.

      For example, if you look at a Network World magazine you see a lot of small companies with a very specific product line (i.e. an Intrusion Detection System vendor). As the technology matures, larger companies start to offer a similar technology, and eventually the startup has made its money and the investment moves to the next idea.

      I don't see anything inherently wrong with consolidation. The "failures" of capitalism are due, in large part, to inadequate knowledge by consumers to control the situation. For instance, if a monopoly is making so much money, doesn't that mean that it would be a wise investment to start competing with that monopoly? Wouldn't a bank be happy to loan you money to compete so long as they were sure you had enough capital to truly compete with the monopoly? I wouldn't loan you $1000 to compete with Microsoft, because I would lose all $1000. But, if I had the money, it might be wise of me to loan you $100,000,000,000 or whatever is necessary to compete with them.

      --
      Social scientists are inspired by theories; scientists are humbled by facts.
    4. Re:Regulation is the goal by Eric+Ass+Raymond · · Score: 1
      It's a fact? According to what source?

      The history.

      Innovation usually causes new upstarts and breaks industries apart.

      The big corporations tend to protect their trade by buying off the small and innovative companies that are perceived as a future threat. This is one reason why I say that markets flow towards a monopoly.

      But, if I had the money, it might be wise of me to loan you $100,000,000,000 or whatever is necessary to compete with them.

      Attacking an established market is always a high risk strategy, no matter how much money you've got. Look at Microsoft's X-box project. They're still hanging on, but simply because they can pour so much money into the project. You can't do something like that using loan money.

    5. Re:Regulation is the goal by Eric+Ass+Raymond · · Score: 1
      In socialist countries, where there is a disproportionately larger share of power in the government (the regulatory bodies), there is far greater corruption in the government.

      Sure there is corruption, but when it's in the government you can vote it out.

      What are you going to do when the markets are corrupt? The public can't vote the CEOs out, maybe you can sue them but in any case they'll just get their golden parachute and start looking for another lucrative business to trash. How many Enron, WorldCom executives are in jail?

    6. Re:Regulation is the goal by Anonymous Coward · · Score: 0

      Sure there is corruption, but when it's in the government you can vote it out.

      You can?

    7. Re:Regulation is the goal by ratamacue · · Score: 2, Interesting

      Name one monopoly that was achieved without the direct backing of government force, or more commonly, by exploiting an overly complex, ambiguous system of law.

      Government is at the root of monopoly, not some "natural tendency of the market". The natural tendency of the market is to promote competition -- only government can prevent or eliminate it.

    8. Re:Regulation is the goal by Rich0 · · Score: 1

      I assure you, nothing would please MS more...

      It would essentially kill linux and all free software - it would be illegal to distribute software code without complying with some set of regulations. One regulation might be certified security testing - which of course costs money. How many open source companies can afford to spend $10-100k per release for testing? Proprietary vendors can easily afford it.

      In many industries government regulation is looked upon favorably as a barrier to entry. Industry will cry about over-regulation, but they usually only want regulations relaxed enough to reduce their costs, but not so much as to allow anybody to compete...

      Regulation is sometimes important. It is usually most important when consumers are unable to evaluate the merits of a product on their own. Software probably doesn't fit this bill - consumers can look at published reviews and decide whether a product is good to use. Cars are different - while there might be a review on a car, there is variation when manufacturing physical goods, so a review-once run-anywhere system doesn't work as well - you need QA to ensure that there is consistency across your manufacturing runs. The average consumer isn't capable of evaluating whether a car is safe to drive. On the other hand, bananas are relatively regulation-free - if it looks good and smells good it is probably safe to eat.

    9. Re:Regulation is the goal by invenustus · · Score: 1

      It would essentially kill linux and all free software - it would be illegal to distribute software code without complying with some set of regulations. One regulation might be certified security testing - which of course costs money. How many open source companies can afford to spend $10-100k per release for testing?

      And even if some subset of the Linux kernel team got together to certify individual releases, whenever I played around with the TCP/IP stack to learn how it works, I'd be breaking the law.

      --
      grep -ri 'should work' /usr/src/linux | wc -l
    10. Re:Regulation is the goal by pmz · · Score: 1

      I'll choose a democratically elected government over a plutocratic regime of corporations (=markets) any day.

      So, you claim that free markets tend to monopolies, yet you ignore that democracies tend toward corrupt hegemonies and, likely, freely-elected dictatorships.

      At least corporations can be unseated relatively peacefully through controlling the flow of money (freedom of consumer choice). How do you unseat a dictatorship? Civil war.

      Which do you prefer?

      Personally, I think civil war is best avoided. I'd rather keep the government in check through eliminating the federal Income Tax and keeping corporations in check by increasing accountability in their executive staffs.

    11. Re:Regulation is the goal by pmz · · Score: 1

      Sure there is corruption, but when it's in the government you can vote it out.

      Which is less corrupt: George W. Bush/Dick Cheney or their potential Democratic replacement?

      I laugh with sardonic cynicism.

      Republican Homeland Security: bigger government, bigger spending, unconstitutional information gathering, less freedom for people.

      Democratic Nationalized Healthcare: bigger government, bigger spending, unconstitutional information gathering, less freedom for people.

      Of the major political parties available to us, there are no ways to vote out corruption, because, simply, they are nearly all corrupt.

  18. Reprint of the story by Florian+Weimer · · Score: 2, Informative
  19. The easiest way to cope with this threat by kompiluj · · Score: 2, Insightful

    In my opinion the easiest way to cope with this threat is to make software companies responsible for their products - see article by Declan McCullagh.
    Of course this regulation has to be done carefully - we shall deem liable for damages only those companies that require MONEY for that product: for instance when you install a free version of RedHat Linux - RedHat (or anybody else) is not responsible for the damage, yet if you pay for this distro - then RedHat _shall_ be responsible - they can simply buy insurance against such claims. I am sure that the price that Linux companies will pay for such insurance will be smaller than in the case of Microsoft.

    --
    You can defy gravity... for a short time
    1. Re:The easiest way to cope with this threat by Sphere1952 · · Score: 1

      I agree with this. Of course, the government is bound to turn your good suggestion into some sort of regulatory nightmare.

      --
      Big Brother Bush is doubleplus ungood.
  20. Re:Kick up the A** for a certain well known company by Anonymous Coward · · Score: 0

    what SCO?

  21. no, they will care when... by ecalkin · · Score: 2, Insightful

    when their quicken data or other very personal info is 'liberated'. or any number of other personal information. can you imagine how fast things would be patched if a virus/worm scanned for quicken/quickbooks/misc financial data and emailed them to people in the local address book?

    eric

    1. Re:no, they will care when... by jc42 · · Score: 1

      Yeah, and that's why such virus/worm programs don't send their output to people in the address book. They send the output to fixed addresses that are created for that purpose and disappear a few days after the virus is released. Or even better: They make a TCP connection to one of a few IP address/port combinations, send the data, and exit. That way you don't even suspect they've been there.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
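The pattern jc42 describes, many infected hosts each making one short connection to the same fixed IP address/port to hand over what they found, is also what makes this kind of exfiltration detectable from the network side. The following is an added example, not from the post or any product, of the aggregation a defender would run over outbound connection records: it groups connections by external destination and flags destinations reached by many distinct internal hosts in brief, similar-sized sessions. The log format, the internal address ranges and the log lines themselves are all assumptions constructed for the example.

```python
"""Find a shared exfiltration drop point in outbound connection records."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed internal address space; a real deployment uses the site's own ranges.
INTERNAL_NETS = (
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
)


@dataclass(frozen=True)
class Conn:
    ts: int
    src: str
    dst: str
    dport: int
    bytes_out: int
    duration: int


def is_internal(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def parse_log(text: str) -> list[Conn]:
    """Parse the assumed whitespace-separated format:
    <epoch> <src_ip> <dst_ip> <dst_port> <bytes_out> <duration_s>"""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes, dur = line.split()
        conns.append(Conn(int(ts), src, dst, int(dport), int(nbytes), int(dur)))
    return conns


def find_drop_points(conns, min_hosts=4, max_median_duration=5, max_size_spread=0.25):
    """Flag external (ip, port) pairs that many internal hosts reach briefly while
    pushing a similar amount of data: a worm connecting to a fixed collection
    point, sending what it harvested and exiting looks exactly like this."""
    by_dst = defaultdict(list)
    for c in conns:
        # Only internal -> external traffic is of interest here.
        if is_internal(c.src) and not is_internal(c.dst):
            by_dst[(c.dst, c.dport)].append(c)

    flagged = []
    for (dst, port), cs in by_dst.items():
        hosts = {c.src for c in cs}
        if len(hosts) < min_hosts:
            continue
        durations = sorted(c.duration for c in cs)
        median = durations[len(durations) // 2]
        if median > max_median_duration:
            continue  # long-lived sessions: interactive or bulk, not hit-and-run
        sizes = [c.bytes_out for c in cs]
        if max(sizes) == 0:
            continue  # nothing was uploaded
        spread = (max(sizes) - min(sizes)) / max(sizes)
        if spread > max_size_spread:
            continue  # wildly different payload sizes: not one scripted upload
        flagged.append({
            "dst": dst, "port": port, "hosts": len(hosts),
            "median_duration": median, "avg_bytes": sum(sizes) // len(sizes),
        })
    flagged.sort(key=lambda f: -f["hosts"])
    return flagged


# Constructed sample records (not from any real capture). 198.51.100.7:6667 is
# the planted drop point; 203.0.113.9:443 is ordinary long web sessions.
SAMPLE_LOG = """\
1061900001 10.0.0.11 198.51.100.7 6667 18432 2
1061900003 10.0.0.12 198.51.100.7 6667 17901 1
1061900004 10.0.0.13 203.0.113.9 443 120000 35
1061900007 10.0.0.14 198.51.100.7 6667 19210 2
1061900009 10.0.0.15 198.51.100.7 6667 18077 1
1061900010 10.0.0.12 203.0.113.9 443 98000 40
1061900012 10.0.0.11 203.0.113.9 443 110500 38
1061900015 10.0.0.16 192.0.2.250 8080 20154 2
1061900016 10.0.0.17 198.51.100.7 6667 18899 2
"""

if __name__ == "__main__":
    for hit in find_drop_points(parse_log(SAMPLE_LOG)):
        print(hit)
```

The same shape of traffic is produced by legitimate fan-in services (an update check or a telemetry endpoint), so in practice the flagged destinations are compared against a baseline of known destinations before anyone is paged; the thresholds above are starting points to tune against the site's own traffic.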
    2. Re:no, they will care when... by Anonymous Coward · · Score: 0

      if a virus/worm scanned for quicken/quickbooks/misc financial data and emailed them to people in the local address book?

      better yet, e-mail them with the data and a thank you from Al Qaeda. Once they see (or simply think) that they are funding Al Qaeda, security might be a bigger issue to the users.
      Dear American,
      We wish to thank you for the kind contribution of your money via your MS Windows system. We have now withdrawn part of your money and will be using it to further our advances. See you real soon as we now have your addresses.

      Sincerely
      Osama Bin Ladin
      Al Qaeda, Inc.

    3. Re:no, they will care when... by Czmyt · · Score: 1

      Sadly, I don't really think that would make a difference. People would be upset, feel betrayed and violated, but that would not motivate the companies responsible for the problems to do anything about it.

  22. Break up Microsoft, for God's sake by goon+america · · Score: 3, Insightful
    People accept the low level of software quality simply because the thought has never entered their heads that things could be any different. MS can get away with it, much like the old AT&T of yore, because it knows that switching and using an alternative is costly enough, if only cognitively costly enough, that people will be willing to accept a level of frustration up to the value of the cost of switching before doing so.

    Regulating computer safety makes these guys exactly like the AT&T of yore. And don't we all know what happened with that?

    So let some damned competition into the market. The only reason to trust these guys in any other situation is to simply not understand the idea of a world without them, and sadly that seems to be the way most people think.

    1. Re:Break up Microsoft, for God's sake by pmz · · Score: 1

      Break up Microsoft, for God's sake

      No, I would prefer to see them boil in their own blood. Having them regulated into perpetuity like the telephone companies would not be a good thing. What we need is reinvention rather than codifying the status quo.

  23. Lets go 100% by nurb432 · · Score: 1

    Sure, regulation and government restrictions in our life is a good thing.. Lets not stop here...

    Why not just give them total control of our lives, setup cameras in your house.. let them come in and see everything you do, read, think.

    Oh, and send them all our money so they can pay for enforcement.

    --
    ---- Booth was a patriot ----
  24. Why isn't security the ISP's responsibility? by putaro · · Score: 1

    A few years ago there was a push on to provide home users with "safe" connections with the ISP running a firewall and virus scanning. What ever happened to this? While this would not fix everything it would help a lot, especially for inexperienced users. The current situation is kind of like making people do their own water purification at home.

    1. Re:Why isn't security the ISP's responsibility? by Cytlid · · Score: 1
      A few years ago there was a push on to provide home users with "safe" connections with the ISP running a firewall and virus scanning. What ever happened to this? While this would not fix everything it would help a lot, especially for inexperienced users. The current situation is kind of like making people do their own water purification at home.


      Because human stupidity is extremely difficult to firewall.
      --
      FLR
    2. Re:Why isn't security the ISP's responsibility? by gr8_phk · · Score: 2, Insightful
      " Why isn't security the ISP's responsibility? "



      You don't want the ISP to firewall for you. For this extra "service" you'd pay more. To open an extra port (to play quake for example) you'd have to pay extra. This would lead to every application using port 80 so they can get through the firewall, and then another mechanism (MS SOAP or whatever) to run other stuff through that port. At that point nothing is different except things are more complicated, and you gave up some freedom. Not to mention it makes the ISP responsible for the traffic on their network - something neither they nor you should want.

  25. Software Regulation is going to be EXPENSIVE by Anonymous Coward · · Score: 2, Interesting

    You don't buy a car for $20, $50 or even $399. Nor do we build bridges for anything near that cost. Realize that adding regulation will not significantly change the security issues and will cost end users tremendously.

    You thought software prices in the 80's were horrible, wait until it costs you $70,000 for a text editor (that's been "certified").. that's where we're headed.

    Software "Engineering" is still in its infancy. It's like civil engineering was back hundreds of years ago. In order to create more secure systems, we'll have to completely give up low-level languages and it'll take 10x as long to build in a feature (as it has to be "engineered" in).

    Software Engineers will have to buy special insurance to protect them from lawsuits related to any potential bugs and that cost will be passed on.

    I think arguments that more pressure should be put on Microsoft, which has been the source of probably 90% (or more) of the vulnerabilities. Of course, when the gov't just slaps the hands of a giant corporation for destroying markets with its monopolistic attacks, the clout of the gov't isn't all that great.

    1. Re:Software Regulation is going to be EXPENSIVE by Anonymous Coward · · Score: 0

      The text editor will cost the first person $70000 but the rest of us will download it from alt.binaries.certified.warez
      or

    2. Re:Software Regulation is going to be EXPENSIVE by gl4ss · · Score: 1

      heck, you can't sometimes trust software that does cost $50k and upwards, and actually, call me a monkey and spank my ass, but the more the software costs the more probable it is that it is designed just for you (or just a very small group) and thus has gotten way less testing than widely adopted cheap software.

      but yes, software engineering is in its infancy, much more in infancy than other fields of engineering were over 2000 years ago.

      who knows, maybe there will be new ways to develop programs that are more reliable in the future, perhaps even in the near future(ai testing? brute force testing? ai coding? nobody knows yet).

      the thing is that the modern eulas are pretty much made just to relieve the software company from all responsibility in any case that might happen, kind of like you would buy a meat pie and it said "we can't tell you what's in this, and you might die from eating it, also please don't try to find out yourself what's in it, but it's not our fault if you do get sick."

      --
      world was created 5 seconds before this post as it is.
  26. Or a free link by Anonymous Coward · · Score: 1, Informative
  27. No Tax Incentives. by Sphere1952 · · Score: 1

    I didn't see any other actual suggestions in the article which were all that bad, but tax breaks stink.

    The exact opposite of a tax break might not be too bad. Have some government agency rate companies for their security and fine those with bad records (e.g. Microsoft).

    --
    Big Brother Bush is doubleplus ungood.
  28. just hold businesses liable by penguin7of9 · · Score: 2, Insightful

    I think regulation is the wrong solution. A better solution is to hold companies responsible for security breaches.

    Everybody keeps passing the buck: businesses blame the software company, software companies blame hackers, and ultimately the taxpayer and customer ends up paying for the incompetence and poor choices of the businesses.

    Businesses should be primarily responsible for the harm that arises from the software they choose. If they want to pass on the risk of their choice to the software company, that should require an explicit contractual agreement.

    And the government should get out of trying to regulate how software is written, and the government should get out of trying to catch "hackers".

    1. Re:just hold businesses liable by GerardM · · Score: 1

      If business is to be held accountable for its actions or inactions, it is not something that you want for IT only. When an accountant is held personally responsible for the integrity of money transfers, it would be the end of money laundering. We would be seen to have many more white collar criminals. There is a huge interest NOT to make people / companies accountable for their actions.

      When you are to be held responsible for the security of your systems, you need management tools that enable you to do your job; to patch / modify / verify. System management will again be primary to the business, in order to prevent costs due to "negligence". This while the trend has been that system management is there to manage the systems for the business.

      As Linux exists in its distributions, only the distribution with the best implemented system management tools will survive in a corporate setting. When Linux is to be ready for the desktop, it must be easy to adjust 20.000 systems with patches and/or policy changes. Servers are different from desktops in the ratio of sysadmins per system...

      Thanks,
      Gerard

    2. Re:just hold businesses liable by penguin7of9 · · Score: 1

      When Linux is to be ready for the desktop, it must be easy to adjust 20.000 systems with patches and/or policy changes.

      Fortunately, that is actually Linux's strength. It is Microsoft Windows that fails badly in the area of managing large numbers of installations easily.

      As Linux exists in its distributions, only the distribution with the best implemented system management tools will survive in a corporate setting.

      If by "system management tools" you mean clones of the GUI tools that Microsoft ships, it's not going to happen (well, some confused company may try to clone it, but it won't catch on). Microsoft's system management tools are using the wrong approach. For managing lots of machines, scripting, text-based interfaces, and the command line are the only way to go, and Linux is light years ahead of Windows there.

    3. Re:just hold businesses liable by GerardM · · Score: 1

      It is scary how people know that I would refer to Microsoft's stuff. Really, I am not impressed by what Microsoft has to offer. It is imho a watered down version of what Novell does much better.

      As to your assertion that the Open Source system management tools are good, compare them to enterprise functionality as offered by some of the proprietary companies. The bottom line is delivered by a flexible integrated system where a few good men can reliably MANAGE many servers in a WAN network with thousands of people working in many locations. As far as I am aware there are great OSS tools but the integration required is not there (yet).

      IBM's Tivoli uses bash and perl in a major way. Scripting in a Novell environment is powerful.

      By the way, GUI tools can be very effective: a picture paints a thousand words, certainly in the hands of a few good men.

    4. Re:just hold businesses liable by penguin7of9 · · Score: 1

      As to your assertion that the Open Source system management tools are good, compare them to enterprise functionality as offered by some of the proprietary companies. The bottom line is delivered by a flexible integrated system where a few good men can reliably MANAGE many servers in a WAN network with thousands of people working in many locations.

      And people did this long before Tivoli or Novell were around.

      IBM's Tivoli uses bash and perl in a major way.

      Tivoli's value is in "standardization" (to the degree that a proprietary set of scripts can be a standard) and documentation; functionally, it seems to offer little you don't get out of the box with any decent Linux distribution.

      As far as I am aware there are great OSS tools but the integration required is not there (yet).

      The OSS tools for system management work great together; there isn't going to be any more "integration" because there is no more integration needed.

      What you want is a benign dictator telling you exactly which combination of tools to pick and choose. But OSS won't get that because people who use OSS don't want it. If you do, go pay IBM or Novell. But that does not make their tools functionally or technically better.

      By the way, GUI tools can be very effective: a picture paints a thousand words, certainly in the hands of a few good men.

      You're confusing visualization and GUIs. Visualization is very useful, and there are plenty of OSS tools available for that. GUIs are means of issuing commands with a combination of the mouse and keyboard, and they are not very effective for administering large systems.

  29. Yes! Yes! by moehoward · · Score: 3, Insightful

    Any user who does not patch daily and harms another due to not being patched should be punished. Here is how I think it should work....

    A few big ISPs should simply start cutting service to those who have been backdoored and are zombies, have opened virus laden e-mails, or are otherwise infected and causing others problems. For example, no firewall on an open, always-on connection. Especially cable modem ISPs and DSL providers should do this. It should be VERY heavily marketed ... "If you don't patch and change your behavior, we cut you off without warning."

    My feeling is that by doing this, people will finally start learning how to patch and how to not open e-mail attachments. People will get firewalls and AV software ASAP.

    I have seen the threat of this work on a small scale. ISPs are dimwitted morons for not requiring this in the first place. How stupid to give a bunch of newbies loaded guns and then deny responsibility. Buy stock in firewall and AV companies!

    --
    "If you want to improve, be content to be thought foolish and stupid." - Epictetus
    1. Re:Yes! Yes! by MadKeithV · · Score: 2, Insightful

      "Any user who does not patch daily and harms another due to not being patched should be punished"

      95% of the people I have to go visit to solve serious computer-related problems wouldn't even know what the word "patch" means.

      To me, requiring the average joe user to be on top of his patches is like asking average joe driver to stay on top of the advancements in electronic motor management technology. I just want to drive the damn car, fill up the water reservoir every now and then, and take the car in for regular checkups. If there is something seriously wrong with the car I'm using that causes it to be unsafe for either me, or other people, I expect the manufacturer or garage holder to notify me of this fact. If it's big enough, it'll be on the news (and it has been several times, relating to the recent worms).

      Now, we don't really have "garage holders" for white-box PC systems, and even people like Dell aren't going to be particularly bothered. I think this is part of the problem. That's why half my neighbourhood comes to ME when they have issues, I'm the only guy that knows anything about computers that will actually put the time in to help them.

      What we need is PC service centers. The kind where you walk in carrying your box under your arm, and your problems are fixed for a small fee. Not just "nothing works anymore" problems, but also setups, regular patchings, checkups for viruses (when are virus/worm scanners and firewalls going to become mandatory for any system that wants to connect to the internet anyway??)

      Anyway, [/rant], [asbestos]

    2. Re:Yes! Yes! by moehoward · · Score: 1

      I completely disagree. If my wife can click the "Install Patch" button when Windows XP pops it up, anyone can.

      How hard is that?

      Do your users have problems finding the "On" button? How do they possibly get any usefulness out of a computer if they are such complete dolts?

      The patch thing is not hard.

      If they are that idiotic, just turn on the switch for them so the patches automatically install. You are just being difficult and somehow want to change your completely unrealistic experience into some jihad to destroy MS.

      --
      "If you want to improve, be content to be thought foolish and stupid." - Epictetus
    3. Re:Yes! Yes! by DunbarTheInept · · Score: 1

      Any user who does not patch daily and harms another due to not being patched should be punished. Here is how I think it should work....

      Seeing as how there have been occurrences in the past where a patch solved one problem but caused another, I don't think that would be fair. If installing a patch will break something you *need*, but not a lot of other people do, is it fair for them to force you to install it?

      --

      Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.

    4. Re:Yes! Yes! by IchBinEinPenguin · · Score: 1

      I agree with much of what you're saying. Let me give you a layman's view though:

      My sister has been running Win95 on her old box for years. I recently told her that this was EOL-ed and that, in order to be protected from future worms/viruses, she would have to upgrade. To what?

      LINUX? Not really an option (much as I love LINUX) until she can click on a .ppt or .doc (yes, I've told her not to, but what can you do when all her friends send her jokes like that?) or open any braindead web-page that insists on IE with Flash etc. etc. (don't get me started on THOSE!!)
      Win-XP? Fine, That'll be $$$$ for the OS, more $$$ for new Hardware.
      Why should she spend $$$$ on a new computer so she can send <10 emails per week?
      I guess it's like driving around in an old, unsafe car that blows smoke at everyone else. It's rude, but not worth the cost of upgrading to a new car (at least not to the driver, at most they see the smoke in the rearview mirror and don't choke on it themselves).

      Lives aren't at stake, or at least not as directly as they are in cars, so there's no justification for tons of regulation in the interest of safety. Consumers aren't educated enough to demand security, having been force-fed blinkenlights for years and starting to think they actually want/need them.
      Force software vendors to support all products indefinitely? Unreasonable I think: Ford don't make brake pads for the Model-T anymore, why should DR be exhumed and forced to support DR-DOS?
      My personal favourite solution is to force software vendors to either support their products or make the source available so that someone else can. (yeah, I can really see THAT happening ;-)

    5. Re:Yes! Yes! by bigsteve@dstc · · Score: 1
      I completely disagree. If my wife can click the "Install Patch" button when Windows XP pops it up, anyone can.

      I bet she asked you what the popup meant the first time she saw it. Most users don't have someone knowledgeable in the next room to ask what to do!!

    6. Re:Yes! Yes! by jpop32 · · Score: 1

      To me, requiring the average joe user to be on top of his patches is like asking average joe driver to stay on top of the advancements in electronic motor management technology.

      I call BS!

      Asking computer users to patch is the same as asking car drivers to go for oil change and tyre change every x miles. And, having the users learn not to click on 'wicked screensavers' is about as much knowledge as not going into corners doing 80mph.

      You don't blame the car manufacturer if your machine dies because of lack of oil. You don't blame the manufacturer if you end up in a ditch doing 80mph in a corner.

      Nuff said.

  30. Finally by ExEleven · · Score: 1

    Good Morning Mr United States Action.

  31. Solution - simple by ajs318 · · Score: 2, Interesting

    The idea of software being distributed without warranty dates all the way back to the first ever spreadsheet. The software company's lawyers were worried that if someone used the programme to design a suspension bridge, and it later collapsed and investigation proved that it was due to a flaw in the software, they might get sued. Furthermore, it would have been a physical impossibility to test the software in all circumstances. These were the days of 2MHz 8080 processors, lest we forget.

    The sane response would have been "let them try, we'll never have what they're asking for and you can't be sued for what you've not got." Instead, that company explicitly disclaimed any warranty on their software, and the situation has persisted since. Today, one company is responsible for a lot of software, and they could easily afford to pay for several suspension bridge failures. But the law has not caught up with reality. The solution is simple and everyone will like it except the distributors of substandard software.

    My proposed solution is to require all software to be guaranteed to perform substantially as indicated on the packaging. If you buy any other product, and it doesn't do what the literature said it was going to do, then you are entitled to a refund.

    The only exception to the requirement for a guarantee would be where the source code is available for scrutiny. IMHO, reading the source code before deploying a mission-critical application is just Due Diligence. It has been stated by some that this is a lot of work to expect people to do. It is, but there is nothing to say independent bodies could not audit software for a fee. The GPL does not seek to prohibit anyone from making money out of their own work; only by misappropriating other people's work.

    Whilst stopping short of my Ultimate Ideal, I think this is a fair compromise. Most goods are required to be guaranteed, why should software be any different? But Open Source software is more like self-assembly furniture: you {or a suitably qualified person in your pay} can examine the pieces {source code} before they are put together {compiled and installed}, determine suitability for your application, and make a decision: use as-is, use slightly-modified or reject outright. You only get your money back on kit-built stuff if there are actually any pieces missing; everyone understands that circumstances of deployment are beyond the control of the supplier.

    --
    Je fume. Tu fumes. Nous fûmes!
    1. Re:Solution - simple by Sphere1952 · · Score: 1

      I think kompiluj's (677438) suggestion is easier to implement and makes more sense. Make companies responsible for the software they _sell_. If the customer didn't pay anything then the customer has the responsibility.

      This also makes sense in terms of commercial speech versus free speech. If you sell the speech then the government has the right to require that it be truthful speech. If you give the speech away the government has no such right.

      --
      Big Brother Bush is doubleplus ungood.
    2. Re:Solution - simple by jimmy_dean · · Score: 1

      Sounds all nice and fuzzy in theory, but in practice - this would create a legal nightmare. In the current status of our country where everyone sues everyone for the slightest thing done wrong to them - this would create all kinds of lawsuits in software and then it'd be a matter of weeks before the U.S. Supreme Court started coming up with many laws restricting software. I would predict that software would then become a political party thing that would divide instead of bring together. For instance, it'd be the Democrats who'd support regulation since it'd "help the working people out." The Republicans and every other sane party would say down with regulation because it encroaches on our Constitutional freedoms. Anyone who's willing to compromise on this either doesn't care about their freedom, is being paid off by someone, or hasn't thought through the issue fully or logically.

      --
      -> Sometimes, you just gotta break free from the shackles of proprietary code.
    3. Re:Solution - simple by Bromrrrrr · · Score: 1

      require all software to be guaranteed to perform substantially as indicated on the packaging

      Well the thing to remember here is that, to most users (ok let's be frank here, we're talking about MS right? :-)) MS software does perform as indicated. The problem is that it leaves them dangerously vulnerable on other fronts.

      If the software wouldn't work as advertised then the laws in most countries would give you the right to a refund without anything additional.

      I think a solution might be to force software vendors to show some of that due diligence in alerting their customers to the problem. For what it's worth Microsoft DID have patches for the vulnerabilities already out. But most home users probably weren't aware of any problem, let alone a fix to it, until it hit them.

      Let them, and any other vendor that makes their customers vulnerable, do the same thing that happens in other industries. Have them use their retail channels to reach every last customer they can and then have them place page-wide ads in the major newspapers of every country they sell their products in, just to make sure to reach everybody.

      The message, of course, should be: "there is a problem with the product you bought from us, here's what you should do....if you need help, call our toll-free helpdesk at +++ where you can also order (free of charge) a cd to remedy the problem".

      I don't blame Microsoft for bugs and holes (well ok, I do a little bit), but I do blame them for making software that makes it possible for virtually anyone to use a computer and the Internet and then when a problem arises, turn around and say: "yes well they should have patched: it's not our fault if our customers are morons". Probably not what they said but near enough :-)

      --

      What a rotten party, have we run out of beer or something?
  32. And what would the OSS angle be then? by Cooper_007 · · Score: 3, Interesting
    Here you have a company that goes out and makes some cool software that scratches an itch that a big chunk of the world also feels. The program is an instant hit, becomes #1 on CNET's download page and the main coder gets his picture on the cover of Time (one can always dream).

    Suddenly a bug is discovered which will give others full control of your system. Acting quickly, a patch is created and a fixed version is put online, and warnings posted to all the regular places.

    Several weeks later an exploit program is seen in the wild, attacking systems owned by CLUELESS USERS who either never knew of the problem, or were too lazy/overworked to fix it. The damage is immense, and in the current fingerpointing society most people blame this company even though they did everything that could be reasonably expected from them.

    And now a growing group of people feel the government should be breathing down this company's neck for not making secure software?

    Replace "company" with "group of OSS developers", and tell me how things should be different for this case, and why.

    Mirrors suck, huh?

    1. Re:And what would the OSS angle be then? by ajs318 · · Score: 1
      The group of OSS developers have released the source code for anyone to examine and thereby determine its suitability for deployment in their application. If it does something you didn't expect, well, you should have read the source code, or paid an independent expert to read it for you.

      The closed source company, by refusing to show you the source code, have taken this responsibility entirely upon themselves.

      Also, when you write Open Source software, you are conscious that any mistake you make will be seen by millions of people. And they will laugh at you, or call you names, or want to kill you, if there is so much as a punctuation mark out of place. {How often have you written in BASIC, IF a$<>"" THEN ... when IF a$>"" THEN ... would have done. A string is hardly going to be less than null. But I digress.} So you show it to a few people on the quiet, just to make sure. Then you release it. A few more people see it. The number of people seeing it builds up over time, and with that the chance of an exploit being found. But it's still early days yet. You warned people it was an early release and to keep checking back for updates. Maybe they will find one, maybe they won't, maybe there isn't even one to find. Sooner or later, a Distributor finds it, checks it out and decides it's probably fit to use.

      At any one time, there are three groups of people looking for exploits:
      1. Crackers looking for exploits in closed-source software which they can use for mischief
      2. Crackers looking for exploits in open-source software which they can use for mischief
      3. Hackers looking for exploits in open-source software which they notify to the community at large before anyone else uses them for mischief
      I said before that the source code should absolve you from the requirement to offer a guarantee. Maybe I should have phrased that differently. The guarantee of performance would be in lieu of the source code. Also, I would make source code subject to subpoena.
      --
      Je fume. Tu fumes. Nous fûmes!
    2. Re:And what would the OSS angle be then? by Keeper · · Score: 1

      That's like saying by having the recipe for the cake you're making, you should know if it'll taste bad or not before you bake it. You can't tell what it'll taste like until you bake it. The recipe might look good, but it could taste awful. Or the recipe might look horrible, but it could taste wonderful.

      If inspecting the code allowed you to find all the possible problems with it, that'd be great. If it were that easy, you wouldn't need a QA process -- you'd just have to do code reviews to make perfect software. But you can't "prove" that a non-trivial piece of software works.

      Nobody gives a shit about inspecting the code before running a piece of software. To prove the point, I'd like everyone who's read every line of the linux source to raise their hand. If by some miracle someone actually has, I'd like them to keep their hand up if they understood the implications of the interactions between each and every single line of code. I'm going to hazard a guess and say that nobody on this planet will have their hand up.

      Now if you can't do that with something as small as the linux kernel, tell me how you're going to do that for something which has over a billion lines of code?

      Saying "well, you can look at it" doesn't do you any good when looking at it doesn't tell you anything.

    3. Re:And what would the OSS angle be then? by ajs318 · · Score: 1

      Typical closed-source argument. "You probably wouldn't gain anything of value if we shew it to you, therefore, we're not going to show it to you." Unfortunately {like anything closed-source!} I don't buy it. Judging by the sheer number of vulnerabilities in MS code, at least some of them must be visible on first inspection.

      Also, with Open Source, testing is incremental and changes propagate easily. Those who know they are guinea pigs are more likely to tread carefully at first - and then deliberately try to break it under controlled conditions. In fact, there are people out there who do nothing but test other people's software. But with closed source, all the testing {and therefore the disclosure of results} is sponsored by the manufacturer, changes are lumped together, everyone gets the same version at the same time, and changes take too long to propagate throughout the user base - especially if the "change" consists of releasing a whole new paid-for package, which some people will not pay for.

      Basically, it comes down to the fact that closed-source software is written and tested purely for money {which will still be there if the software is faulty}; but open source software is written for the love of writing software, which will only be there if the software is right, and tested for the love of breaking it, which will only be there if it isn't right.

      --
      Je fume. Tu fumes. Nous fûmes!
  33. Your Security at Risk by LeRoy · · Score: 1

    I read the NY Times Article about calling for government regulation and suing the creators of software. Will this mean that the fine developers that work on the Linux and BSD systems will be sued for bugs in their software that they have donated to the community? Also there is a danger that having the government control computer security will stifle the openness of the Internet.

    Do we want the government looking over our shoulder all of the time saying that they are protecting us? We all have locks on our homes and a certain level of personal security. It is not the government's responsibility to make sure we lock our own doors. The same goes for computer security. As a Linux user I have a dedicated firewall utilizing IPtables. Sure it took some time to write the firewall script, compile a custom kernel with patches from the iptables source, but it is worth the effort.

    I do not think that depending upon government regulation where the creators of free software might find themselves in a pickle and have a lawsuit slapped on them for damages if someone cracks into someone's system.

    As much as I despise a certain company in Redmond, I do not think that they should have to face lawsuits from a bug in their code.

    It is your responsibility to protect your system and not some bureaucratic faceless agency. Adding more laws on the books is a dangerous idea.

  34. Make the Software Publisher Liable by Korgan · · Score: 3, Insightful

    Get rid of the whole regulation issue. That's not necessary. It would be far better to make the software publisher liable for any faults or flaws in the software that led to an incident such as MSBlaster, Slammer or any other number of worms out there.

    Virii like SoBig.F are not something that can be avoided because the vulnerability there is the user themselves. The only way to sort out virii like that is to educate users to not open email they are not expecting or recognise. Even then it's still a risk.

    If Microsoft were liable for the damages caused by the worms such as MSBlaster and Slammer because their software was vulnerable, don't you think their culture would change very rapidly? Instead of having the worst security reputation, they'd suddenly have the very best. Win2k3 is a good start in the right direction by disabling everything by default. I applaud that. Now they need to sort out their coding practices so that these sorts of issues are a non-event.

    Governments don't need to regulate anything. All they need to do is make it illegal for a company to not take responsibility for faulty products, regardless of the product. It worked in the automobile industry, it's worked in the medical industry, it's worked in the engineering industry.

    If my car explodes because of a fault in the fuel line at manufacturing, I'm perfectly within my rights to sue that company. If my computer becomes completely unusable because a vulnerability allowed someone to damage it or similar, why shouldn't I sue the publisher of that software? I'd also reserve the right to sue the person that exploited that vulnerability and caused the damage.

    Don't need regulation, just liability and a warranty of suitability for a purpose. 'This OS is guaranteed to perform to XXXXXXX level and is considered suitable for XXXXXXXXXX purpose.'

    1. Re:Make the Software Publisher Liable by sql*kitten · · Score: 3, Insightful

      If Microsoft were liable for the damages caused by the worms such as MSBlaster and Slammer because their software was vulnerable, don't you think their culture would change very rapidly?

      Well, given that Microsoft had released patches for both of the vulnerabilities exploited by those two viruses long before the viruses were ever released, I'm not sure it even should be liable. Nothing helps if the sysadmins don't stay on top of things.

    2. Re:Make the Software Publisher Liable by ctid · · Score: 3, Insightful
      Get rid of the whole regulation issue. That's not necessary. It would be far better to make the software publisher liable for any faults or flaws in the software that led to an incident such as MSBlaster, Slammer or any other number of worms out there.

      This wouldn't work because then no-one could use (e.g.) Debian Linux, as there is no one company behind it. The right way to prevent security problems is to make sure that there is fair and open competition in the OS market. This way a company whose products are proven over and over to be unreliable and insecure (naming no names) would simply be overtaken by its competitors. Once the company saw the writing on the wall, they might decide to focus properly on security, or run the risk of being driven out of the market. To achieve this, companies who sell OSs and applications should be forced to open up their secret protocols and file formats to ensure that competition is fair. This will have the additional effect of allowing a more varied ecosystem of OSes on the internet, making it far more difficult for virus and worm writers to hit a majority of machines.

      Although these ideas would be good for competition and good for security and good for the economy, they won't happen because that is not how democracies work any more. Certain companies will buy political influence to prevent this happening. We are already seeing Microsoft claiming that it's "impossible" to create a secure computing platform without secure hardware. This sort of madness is likely to be the result of government intervention.

      --
      Reality is defined by the maddest person in the room
    3. Re:Make the Software Publisher Liable by dirk · · Score: 1

      If my car explodes because of a fault in the fuel line at manufacturing, I'm perfectly within my rights to sue that company. If my computer becomes completely unusable because a vulnerability allowed someone to damage it or similar, why shouldn't I sue the publisher of that software? I'd also reserve the right to sue the person that exploited that vulnerability and caused the damage.

      That line diffuses your whole argument. This is not a problem in the computer that rendered it dangerous without anything happening. A bug or poor security is more akin to saying the car manufacturer used glass windows that it knew could be broken, and that caused someone to throw a brick through your windows and hotwire your car. You are comparing a basic flaw in the system (the car) that makes the car dangerous and unusable to a minor flaw that a third party can find a way to exploit. They aren't comparable.

      --

      "Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
    4. Re:Make the Software Publisher Liable by DickBreath · · Score: 1

      How would vendor liability affect open source software?

      --

      I'll see your senator, and I'll raise you two judges.
    5. Re:Make the Software Publisher Liable by jeabus · · Score: 1

      Actually, the fuel line analogy is quite appropriate. Whether a defect is inherent or needs some outside factor is irrelevant. If the fuel line failed only at low temperatures, for instance, the auto manufacturer would still be liable. But if the car maker was M$, they would have gotten replacement parts, and then posted notices on the dealers' bulletin boards. Just putting patches on M$.com isn't enough. Why do we assume that it is the user's responsibility to keep track of defects in his OS? I didn't have to keep track of the defective seat belt in my old car. I didn't even know there was a problem until Chrysler told me. The real question for M$ users is why isn't M$ doing more to inform its customers of defects in the products they're buying?

      --

      Save me Jeabus!

    6. Re:Make the Software Publisher Liable by Anonymous Coward · · Score: 0

      I think the point is that the vulnerabilities should never have existed in the first place in published mass-market software. By "culture change", the poster means writing good code in the first place, not writing crap, selling it, and then releasing millions of patches later.

      Tangentially, Microsoft should never have blurred the distinction between code and data. Personally, I open every e-mail I ever receive. Why? Because I don't use crappy mail clients that execute their data. I also don't leave RPC mechanisms available on my machine. I do leave data-providing services running, though.

  35. monocultures vs heterocultures by ferretmaster · · Score: 1

    People need to be pointing out that the cost/benefit ratio for monocultures vs heterocultures is changing. The Irish developed an appreciation for the risk of monocultures in 1845-1847 ...

    http://tingilinde.typepad.com/starstuff/2003/08/monocultures.html

  36. Oh, great by reboot246 · · Score: 0, Flamebait

    Microsoft + government regulation = one big clusterfuck

  37. Re:Kick up the A** for a certain well known company by DarkSarin · · Score: 1

    LOL, you're only paranoid if the conspiracy isn't real, RIGHT?

    Unfortunately you are probably correct in that this will be used to restrict individual freedom, rather than corporate misbehavior.

    --
    "We don't know what we are doing, but we are doing it very carefully,..." Wherry, R.J. Personnel Psychology (1995)
  38. Voluntary is OK, proprietary has the problem by Alain+Williams · · Score: 1
    • "The government has essentially relied on the voluntary efforts of industry both to make less-buggy software and make systems more resilient," says Michael A. Vatis, former director of the National Infrastructure Protection Center at the Federal Bureau of Investigation. "What we're seeing is that those voluntary efforts are insufficient, and the repercussions are vast."

    Wrong, it is not the voluntary developers (of Open Source), but the salaried developers at MicroSoft that have the problems.

    The voluntary developers are taking security seriously, it is the proprietary software houses that need the legislation: disclosure would be a nice start.

    We need to take care that legislation does not impose (financial) penalties on Open Source developers - that could cripple OSS contributions.

  39. It could mean the end of open source... by Anonymous Coward · · Score: 2, Insightful

    When M$ Windoze becomes fully warrantied (M$ can afford it), and most OSS coders don't dare accept liability for their software .... "Why should we be using Linux for our company systems? It doesn't even come with a guarantee! On with the windoze installation!"

  40. MOD PARENT UP, INSIGHTFUL by Anonymous Coward · · Score: 0

    yeah, should we really be supporting it? it might screw m$, but it'll screw open source more in the long run

  41. Just another political ploy by ... by Anonymous Coward · · Score: 0

    Billy Boy. You can bet that if his money has its way politicians like Fritz will be modifying the bills to specifically attack OpenSource and Linux. I can hear it now: "Surely software can't be made safe if anyone can look at the source!"

    1. Re:Just another political ploy by ... by ajs318 · · Score: 1
      "Surely software can't be made safe if anyone can look at the source!"
      Where can I get some of whatever you're smoking? Software can't be made safe unless anyone can look at the source! If the author is hiding something from the users, the users have no cause to trust the author.
      --
      Je fume. Tu fumes. Nous fûmes!
    2. Re:Just another political ploy by ... by Anonymous Coward · · Score: 0

      A little slow this morning, eh?

      Should I have surrounded my comment with a tag set?

    3. Re:Just another political ploy by ... by Anonymous Coward · · Score: 0

      You really need to learn how to read. Maybe it's you who is smoking something.

  42. semantic error in your reading of the article by Simon · · Score: 2, Informative
    "What we're seeing is that those voluntary efforts are insufficient, and the repercussions are vast."

    I think that here "voluntary efforts" refers to businesses' efforts to handle security without regulations and laws forcing them to (i.e. 'voluntarily'), and doesn't refer to Open Source developers.

    Have a nice day.

    --
    Simon

    1. Re:semantic error in your reading of the article by Alain+Williams · · Score: 1
      I think that here "voluntary efforts" refers to businesses' efforts to handle security without regulations and laws forcing them to (i.e. 'voluntarily'), and doesn't refer to Open Source developers.


      I realised that.

  43. The last frontier by scifiber_phil · · Score: 2, Interesting

    Part of the charm of the internet has always been its lack of regulation. It has been the last frontier that we can still explore. There were parts of it that should have been labelled on the map, "Here be monsters and sea serpents". Now, it is becoming like the cow town where the railroad now reaches, and the women have arrived, and they want to civilize the place. They want to hire a sheriff and close down the saloons. They want a dry goods store and a bank. The mountainmen and adventurers who first came are no longer welcome, and they will leave by their own choice, as this safe, homogeneous town is no longer interesting. The bad thing is, where will they go? Government regulation will be the death of innovation and the publishing of unpopular or non mainstream ideas. Sure, your IM program will be declared "safe" by the government. Nothing bad can happen, but your "smileys" don't interest me, and I will be leaving then, looking for another map with an area where there just may be sea serpents.

    1. Re:The last frontier by Anonymous Coward · · Score: 0

      the women have arrived, and they want to civilize the place

      Oh, dear. I guess the circle-jerk parties will be ruined.

  44. Staying updated goes a long way by bassert · · Score: 1

    People should just use some of the great security sites out there. E.g. SecurityFocus or Secunia. Both have a large vulnerability database and mailing list with all the latest vulnerability information.

  45. Profitting through politics by mariox19 · · Score: 1

    Once government is regulating programming, the companies shrewd at gaining and exploiting political connections will be able to use that political power to squash less "able" competitors. Laws will be written to favor the "big boys," those who have the money to lobby, at the expense of start-ups, smaller companies and open source.

    This will be the worst thing to happen to software development and the tech industry.

    --

    quiquid id est, timeo puellas et oscula dantes.

  46. In Soviet Russia (not funny) by dimss · · Score: 1, Interesting

    In Soviet Union programmers were controlled by government authorities, standards, laws etc. They had to document every piece of their code. Now we see that it wasn't so stupid.

  47. Evaluation on technical merits by SgtChaireBourne · · Score: 1
    Let the government talk with its money and people will listen.
    If it was found that lost productivity and staff time spent on repair and clean up makes Microsoft about as harmful to the economy as Al Quaida, it would hardly be a surprise. Especially since some of the Microsoft security problems causing recent trouble are quite old. Both old and new are due to inappropriate design or production defects. Tools need to work, those bought with Federal money, especially.

    Being allowed to publish product reviews of products would allow a greater risk that tools be chosen based on technical merit rather than ideology. Also, it would help if news stopped referring to MSTDs as "Internet Worms" and "e-mail Viruses" and start talking about options.

    It looks like we've reached a junction where it's time to start asking in all seriousness, "Is Windows ready for the Internet?"

    Odds are that, despite the great admiration for Bill Gates's personal wealth, it is not. Now when sensitive government documents or personal financial or medical data start circulating (actually they already have), it is too late and will be an issue for the courts: gross negligence, willful negligence or fraud. This will be a hard one for both Redmond and CTOs to wiggle out of.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
  48. "Voluntary Efforts" Insufficient?! by dollar70 · · Score: 2, Flamebait
    From the article:
    "What we're seeing is that those voluntary efforts are insufficient, and the repercussions are vast."

    Did I miss a meeting? Is this not Slashdot? I'm skimming through the posts and seeing a lot of clamoring that seems to approve regulating software. IS NOT LINUX A VOLUNTARY EFFORT?! Hand this guy a copy of Knoppix and tell him to crack it!

    The biggest problem with computers on the internet today is the number of people who ran out and bought a computer because it looked like an interactive television. Hold the end user responsible for what their computer does.

    I like to view my computer as one of my best friends... Proverbially, man's best friend is a dog... In other words, a pet. Think of it in this light: Do you sue the kennel when your dog bites your neighbor? No... You sue the kennel for selling you a dog with a physical defect, but not a personality defect. You are responsible for your pet's actions, even if the kid down the street was shooting him with the super soaker, makes the dog mad, and the dog goes out on a rampage biting old ladies.

    So if your computer goes out and bites another system, then you should be responsible for the cleanup costs regardless of who or what made it go off like that. Sure, it may sound harsh, but if it takes a few "Bonzai Buddy" users out of the pool, I doubt the net will suffer too greatly.

  49. ENFORCE the antitrust laws by dpbsmith · · Score: 4, Interesting

    The cause of the current problem is only partially due to insecure Microsoft software. It is very noteworthy that Windows 98 and 95 were immune from the latest round of malware (W32/Blaster, W32/Welchia, W32/Sobig.F). The main cause is monoculture--the dominance of a single operating system, Windows NT and its variants.

    What we need is a truly competitive market in which many operating systems compete, no single operating system dominates, and a market that uses many operating systems therefore demands and rewards interoperability and writing software to standards rather than writing to a single vendor's API.

    Why don't we have it? Because Microsoft was allowed to get a monopoly and the Justice Department is not doing its job and breaking it up.

    It wouldn't be any different if IBM were the dominant company--as it was a few decades ago--or Apple, or what have you.

    The problem is not Microsoft. The problem is monopolization. And the answer is not the free market--monopolies exist only when the market has already failed.

    1. Re:ENFORCE the antitrust laws by Anonymous Coward · · Score: 0

      You, sir, are in La-La land.

      The fact is that the Market wants a universal solution, a "monoculture" if you will. Nobody wants to go back to the early 80s where software is limited to which platform you were unlucky enough to choose.

      Even if you did create a magical situation where 3 different OSes had 33% marketshare each, the market would respond by creating universal cross-platform APIs like Java. Then you move the problem space from the OS API to a higher layer. You still have the same viruses and worms.

    2. Re:ENFORCE the antitrust laws by moncyb · · Score: 0, Flamebait

      You are clueless.

      Even if you did create a magical situation where 3 different OSes had 33% marketshare each, the market would respond by creating universal cross-platform APIs like Java.

      This is exactly what the parent poster was talking about, though not necessarily Java. There is OpenGL, ELF, POSIX, and many other standards which, if followed, would make a binary run on any operating system--assuming they don't pull a M$ and "embrace and extend" the standard.

    3. Re:ENFORCE the antitrust laws by ScrewMaster · · Score: 1

      No, not exactly. There is a significant difference between a simple monopoly, and an illegal monopoly. A company which completely dominates a particular market (say, Intuit Software with Quicken/Quickbooks) because they simply have the best product out there is perfectly legitimate. And, the good news is that such monopolies tend to be transient affairs because eventually the dominant organization slips up and allows a competitor to move in. The problem is that Microsoft (and the RIAA, MPAA, and a long list of others) are illegal monopolies, garnered and maintained by continuously breaking a variety of laws. So you are not correct in assuming that a monopoly exists, by definition, because the free market has failed. That's a myth ... it's perfectly possible for enough people to vote with their dollars for a single entity, and that is not inherently wrong. Microsoft is wrong because it deliberately, and with malice aforethought, suppressed and destroyed any possible competition to its key product lines.

      --
      The higher the technology, the sharper that two-edged sword.
    4. Re:ENFORCE the antitrust laws by IM6100 · · Score: 1

      The more baroque variations in software being run out there, the more complex and unreliable the interactions, and the more expensive support costs become. The market becomes fragmented, stores have to stock multiple versions of the same software, and prices in general go up.

      Of course, a lot of the people who participate on this forum make their money being paid for doing 'support work.' And if software was distributed mainly as source code, there'd be all sorts of money to be made, and ways to control people. That guy across the street would look up to you if he couldn't write email unless you came over and patched and recompiled his mail client, eh?

      So let's just be honest and admit it's a 'geek power' issue as much as anything else.

      --
      A Good Intro to NetBS
  50. Regulation = Standardisation = More Worms by R.Caley · · Score: 2, Insightful
    The main reason worms can cause such havoc is that they find themselves in a monoculture. We are in the software equivalent of the Irish potato famine.

    What the government should do is enforce diversity. Requiring every government department above some minimum size to use systems from at least 3 independent sources would be a start.

    --
    _O_
    .|<
    The named which can be named is not the true named
    1. Re:Regulation = Standardisation = More Worms by Tony-A · · Score: 2, Interesting

      The main reason worms can cause such havoc is that they find themselves in a monoculture.
      That makes it easy for the worms to cause havoc. The main reason worms cause so much havoc is the tendency to try to hide stuff from everybody.
      CDs use your computer to install and set up stuff so they can play themselves.
      File extensions are hidden so you can click on a presumably well-named file and have the spreadsheet show up.
      A general tendency to have to click on everything to be sure you don't miss something.
      A belief that there's got to be a magic bullet that will make everything safe again. And the belief that with the magic bullet in place that everything is safe.
      People click on things they shouldn't click on. Look at why they click on them.

      "Regulation = Standardisation = More Worms"
      You've got that right, but methinks there are secondary forces that are even stronger than the primary. There is a progression starting with Melissa. (Remember Melissa? Melissa was nice!) Methinks we're nowhere near seeing the end of it.

    2. Re:Regulation = Standardisation = More Worms by R.Caley · · Score: 1
      The main reason worms cause so much havoc is the tendency to try to hide stuff from everybody.

      That only really applies to viruses not worms, except in the sense that the low levels are (thankfully) hidden from users (I have no wish to have to think about kernel device drivers while I'm trying to write an email).

      In any case, if it were not for the monoculture, viruses would only be a way you could screw up your own computer. That would be a Good Thing, hopefully you'd learn something. The monoculture allows you screwing up your computer to lead to opportunities for others to screw up theirs, or even for you to screw up theirs if your virus launches a worm.

      --
      _O_
      .|<
      The named which can be named is not the true named
    3. Re:Regulation = Standardisation = More Worms by Tony-A · · Score: 1

      I have no wish to have to think about kernel device drivers while I'm trying to write an email. [Emphasis added]
      Me neither, but there are a lot of levels between what you see and the kernel.
      To whom are you sending it? Outlook wants to hide the email address and show you the nickname for the Address Book entry. (Imagine the "fun" when the worms/viruses/whatevers start messing with which nickname goes to which email;)
      From where did you get it? (Right-click and Options is hardly intuitive). Think of the postmark on "real mail". You want to know which post office, not which postal clerk, although that would help in some cases.
      "An active-x on this site may be unsafe" Which active-x?

    4. Re:Regulation = Standardisation = More Worms by R.Caley · · Score: 1
      Me neither, but there are a lot of levels between what you see and the kernel.

      Yes, I was just trying to point out the difference between viruses which take advantage of things which are often inappropriately hidden and worms which take advantage of things which are hidden for quite legitimate reasons.

      Of course, to be complete, there is a third factor necessary for viruses. In addition to monoculture to provide a growth medium and lack of information to make infection easier, we must have inappropriate functionality. My mailer is virus proof not just because it runs on FBSD and because I know what it does in response to each command, but because it doesn't try and run anything.

      --
      _O_
      .|<
      The named which can be named is not the true named
    5. Re:Regulation = Standardisation = More Worms by Tony-A · · Score: 1

      Thank you for the third factor.
      Factor is the right term. This stuff is multiplicative not additive.
      There may be a fourth factor. The old Greek "pride goes before a fall" brought up-to-date when Wile E. Coyote finally gets something working and turns to grin at the audience just before ... splat.

    6. Re:Regulation = Standardisation = More Worms by jc42 · · Score: 1

      Well, there is some truth to this, but there's also a major counterexample which has been mentioned here occasionally.

      There are now millions of web sites, and according to the Netcraft survey, 2/3 of them are running the apache server. It may be true that not all are the latest version. But still, this is a major monoculture.

      Web servers are a major target of attackers, for obvious reasons. But you don't see apache servers going crazy and sending off zillions of spams to every email address it can find. There have been only a few security holes found in apache, and they are generally fixed before anyone builds an exploit. In general, the only apache web servers that have problems turn out to be due to someone installing a CGI program with a hole. And this isn't apache's problem, of course.

      Need I point out that apache is an "open source" program, available freely to anyone who can type "apache.org" and make a few mouse clicks?

      The fact that MS Windows is a monoculture is a part of its problems. But the big problem is that it's full of security holes.

      To make an agricultural simile, it's as if someone were to breed a strain of wheat or potato that is susceptible to every virus known, and sell it cheaply with a billion-dollar ad campaign so that most of the farmers plant it. Then, when the inevitable happens, you blame the farmers rather than the company and its marketing campaign.

      (Yes, the computer industry is this stupid. ;-)

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  51. SO MUCH FOR THE FREE MARKET by Trolling4Dollars · · Score: 1, Offtopic

    Hmmmm... what was it that republicans were supposed to be opposed to? Wasn't it regulation, taxes and wasteful spending? (think this issue, the tax on LANs and the ever more expensive war on Iraq) As a rugged individualist liberal, I'd have to say that with Bush in office, we've hit the Trifecta where the Bush admin's reputation is concerned. :P Yeah yeah, I know it's somewhat off topic, but you've got to admit it's quite comical.

  52. Re:Kick up the A** for a certain well known company by SpaceLifeForm · · Score: 1

    Pressure on MS? No way. The DOJ had their chance. If you read Gates recently talking about how they (MS) are doing so much better, then it's real clear that MS does not feel any pressure, and the boyz from Redmond can continue to smoke whatever it is they are smoking.

    --
    You are being MICROattacked, from various angles, in a SOFT manner.
  53. why do we tolerate anti-virus software by deafgreatdane · · Score: 3, Interesting
    "There are three major things every consumer and user of computers needs to do," Scott Charney, the security chief for Microsoft, said. "One, get antivirus software and keep it up to date. [...]"
    I think this spin is one of the biggest problems with the public perception of computer security.

    I find it appalling that we tolerate anti-virus software as a necessary solution. IMO, every virus is an exploitation of a bug in the software, and original vendor should be responsible for fixing the hole that allowed the virus to exist.

    Why doesn't the press focus on the hypocrisy of holding software vendors more accountable for fixing their problems, while at the same time advocating supporting a third party to fix the same problems?

    I about blew my top when fixing my in-laws' machine for a case of blaster, and MS so "conveniently" linked one of the trusted anti-virus sites that offered removal tools. If it's microsoft's hole, why don't they provide a cleanup method?

    (This is not to say we shouldn't have virus filters on SMTP and firewalls - there's nothing wrong with trying to block the spread of virii through multiple means)

  54. Linux would never happen again by kaybee · · Score: 2, Informative

    The only way Linux, FreeBSD, and all of the other operating systems that have appeared over the years were possible is because of the lack of government regulation. Once the government steps in, it will only stifle creativity and limit consumer options.

    Who is best to deal with government regulations? Microsoft.

    Thanks, but no thanks. This issue will work itself out. We are in our growing stages. The government is not a solution to everything... actually, not much at all, really.

  55. Toward a Programming Safety Authority? by SysKoll · · Score: 3, Interesting
    Typical NYT drivel. A problem pops up? The Times clamor for government regulation. Astonishingly, when faced with a dramatic, err, bug in its own journalist monitoring activity, the NYT doesn't call for the gummint to create a Journalism Ethic Control Board. But these programmers guys? Yeah, they need to be kept under control.

    The gummint will be only too happy to oblige and produce several layers of inefficient, costly, slow, slightly corrupt bureaucracy that will not solve the problem but will never disappear. As usual.

    Let us put on our bureaucrat hat and see what can be done, in the immortal tradition of public service that gave us the Transportation Safety Authority. Let's see. Strip search programmers when they come to work in case they bring a copy of 2600? Have them remove their shoes? A nice start, but not enough.

    See, the problem is that scumbags are writing programs that are up to no good. No scumbag coding, no worm and virus, eh? So let's put all compilers under lock. Let's make sure that scripting languages only accept input scripts that have been digitally signed by a new Programming Safety Authority. Let's make it a crime to use a computer without PSA-approved tools. Each program has to be certified by the PSA. Use the TCPA and Palladium chips to lock out all the bastards using non-PSA software and operating systems. Ban all non-Palladium computers and electronics. Do an FBI criminal check on each person entrusted with a compiler. And of course, recruit thousands of new civil servants to enforce all these new rules, at a low, low cost of [#insert eye-popping budget that will be overrun anyway]. There you have it, secure computing. A bit harsh, but it's for our safety, isn't it?

    If you think the above is funny, I am sorry. I meant it to be ironic in a chilling way. Because when you start involving the government into a human activity, you never know how the bureaucrats are going to warp it.

    So I'm gonna speak slowly so that even New York Times journalists can understand: KEEP GOVERNMENT OUT OF COMPUTING. Got it?

    -- SysKoll

    --
    Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/

    1. Re:Toward a Programming Safety Authority? by Anonymous Coward · · Score: 0

      Yeah, and don't you just love how the NYT and the city have conspired to condemn property that the NYT wants?

      NYT = assholes

    2. Re:Toward a Programming Safety Authority? by Anonymous Coward · · Score: 0

      Excuse my mistake. It was actually the state-controlled Empire State Development Corporation, not the city.

      "The New York Times Company is in line to get a choice midtown property at tens of millions of dollars below market value--and city taxpayers will foot the difference..."

  56. It could happen by Badanov · · Score: 1
    Whether you like it or not, the federal government could easily claim jurisdiction over software sales very, very easily, using the internet. The internet is a form of regulable communications. The FCC could easily claim regulatory oversight over software which can be used on the internet.

    One idea could be that software sold which had ANY network component be required to be certified against certain types of problems, such as buffer overflows, having backdoors, etc. If a company sells a word processor with the network component disabled (in other words, a user cannot use a network share or a network link to open a file, or they cannot use the program itself to e-mail a file) they are in the clear. If they sell a product which has some means of allowing the opening of files from remote computers, they can be sanctioned if it can be shown their software contributed to a worm spreading (banned from further sales of that product), until the problem is fixed.

    The last two biggies in the worm department last week have opened some eyes. A lot of folks, myself included, are beginning to believe that some sort of regulation is needed to stop the damage being done by mal-adapted software operating on the internet.

    --
    Dawn of the Dead
  57. Moderators...please mod up parent by Spoing · · Score: 1
    1. It only appears so because Microsoft's is found on practically every desktop and on the majority of server computer too.

    Microsurfs repeat this myth a lot. Is it true? Does WinXX have more viruses and stability problems because it is on "practically every desktop and server"?

    While I don't agree with the 'Microserfs' designation (too divisive and possibly misspelled), the AC has a point...yet, folks aren't learning it.

    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    1. Re:Moderators...please mod up parent by russotto · · Score: 1

      "Microserfs" is probably wrong. "Microsoft agents" is more likely. The "Microsoft software is the target of most viruses because it's ubiquitous" meme popped up all over the place a few years ago; it stinks of a "stealth marketing" campaign, and I suspect it's still going on. Not that I would suggest any upstanding /. member was an MS agent himself, of course.

  58. Regulation will stifle software by scruffy · · Score: 3, Informative
    Software engineering is unlike a lot of other engineering in that no one can predict with much certainty what a large program is going to do. This lack of certainty is not just bad engineering, it is a mathematically proven law of software. Add to that the fact that each computer runs a slightly different set of programs and is connected to a slightly different set of peripherals, then you have an even more impossible problem.

    Software on airplanes works reasonably well because they test the hell out of it and two airplanes of the same model are pretty much the same. Also, the users of the software (airplane crews) are well-trained. The extreme testing and thorough training though makes it very expensive. I don't think we can afford to hire a software engineer and tutor for each household.

    I would be afraid that regulation would not fully take into account the difficulties of making perfect software and dealing with untrained users.

  59. Link with no registration required by Anonymous Coward · · Score: 1, Informative
  60. Open letter to my congressman by Anonymous Coward · · Score: 0

    Mr. Congressman,

    Let's first create an oversight board for the software development of all the black box voting machines that are being deployed throughout the country, so we can feel "safe" and "secure" that our votes will actually be counted.

    If that oversight board proves to be a success, THEN we'll discuss possible regulation of the rest of the software industry.

    Regards,
    An eligible voter in your district

  61. MOD PARENT UP!!!! by Theatetus · · Score: 1

    I would run out of moderator points just when an actually insightful post appears.

    Regulation / certification / etc. have always been tools of large corporations to keep smaller players out of the game. Can you think of an easier way to marginalize Linux than shoving it in the box of, "it's not made by certified programmers; it's untrustworthy"?

    --
    All's true that is mistrusted
  62. I'm careful what I wish for... by cowbutt · · Score: 2, Insightful
    I do feel that, for a number of reasons, regulation will probably be the only way to make proprietary software vendors improve the quality of their products.

    But on the other hand, if other industries are examined, such regulation will only turn into a further barrier to entry for new entrants to the market and non-commercial (i.e. Free and Open Source) software.

    I already see this when trying to sell FOSS solutions to the public sector, who invariably have successful "Common Criteria" evaluation as a "nice to have" (at least - in some cases it's mandatory).

    Getting these evaluations done is expensive, so only the big boys get to play... Ironically, the people I talk with know that FOSS solutions are usually at least as secure as the products on their approved list, but their hands are tied by regulations and auditors.

    --

  63. Space is the last frontier by tjstork · · Score: 1


    If you want to explore, you'll have to start risking your life. Is it worth it? For some, it is.

    $/pound for space flight continues to drop. Right now it's about $3000-$10000 for LEO. Give it another decade and we'll hit $1000 or even $500/lb. Then life starts to get really interesting...

    --
    This is my sig.
  64. Now watch as... by Kyouryuu · · Score: 4, Insightful

    Now watch as Bill Gates and his cronies push for Trusted Computing, the Palladium project. After all, it's never Microsoft's fault that the bugs exist, right? It's always those darned users and by George we need to foolproof the system. Please. Trusted Computing is a joke. It is a power play by top industry corporations to seize power and act as yet another cohesive monopoly in a so-called free market. Just like the RIAA. Just like the MPAA.

    Here's a thought. Hold the software companies responsible for their own goofups and bugs. Let the people sue. Let the people file their class action lawsuits against Microsoft for their errors. But don't let the government take control.

    I don't want the ignorant US government, or any government for that matter, looking over the Internet and infringing on it any more than they already are. Half of those farts probably don't even know what the Internet is. I can't say I'd want these clueless individuals, easily motivated by legal bribery (lobbies) and big business (Palladium), to be involved. They will only serve to screw things up, pass ridiculous laws, and tax Internet commerce to death. Let the Internet be that one place government is unable to corrupt.

    The problem is that the people who aren't on the Internet; the people who take passive interest in computers, are ignorant to these facts. That's why I feel, unfortunately, that things like Palladium are destined to pass. Microsoft and others are going to get these bills through the door while the politicians are still ignorant to computers.

    I'd like to say we can stop them, but we don't have a $47 billion lobbyist group behind us.

  65. non-homogenous networks by gr8_phk · · Score: 1
    One thing that would help is LESS homogeneity. If everyone is running the same software then a single flaw makes the entire network vulnerable. If we simply had more competition, the effects of such attacks would be less significant. If there were more competition, people would be more willing to drop the insecure products in favor of one of their friends are using that doesn't have the problem. Yes, there will be more problems, but not as far reaching.

    One place regulation would help is in mandating open standards for files so people will always have a choice of what software to use. Of course MS will say they use standards (XML) even though others can't read the files. So you could argue that mandating non-patented open source is the only way to ensure interoperability, and hence a heterogeneous network, and less vulnerability. I'd prefer to get there along the present path without intervention.

  66. Worm? What what worm? by exadios · · Score: 1

    Has there been a worm? Must have missed it. Nothing happened here. Can't be an "Internet problem". Possibly a problem with a particular OS?

    Seriously, there is a very real possibility that governments will regulate the Internet down to Compuserve level simply because of a deficient OS and users who cannot organize their own basic security.

  67. Silly Me, Why Didn't I Think Of This by istartedi · · Score: 1

    I had some buffer overflow problems in my mail client. Silly me. I ran splint and considered hiring another programmer (preferably one who knows what splint is and how to use it).

    Now I've changed my mind. Instead of adding engineers who sit at computers and write C, I'm going to add bureaucrats who look over their shoulders and produce Word documents.

    Fortune 500, here I come!

    [this post is close-captioned for the sarcasm impaired. All the previous was SARCASM.]

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
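    An added example of the defect class the post above mentions, and of the kind of fix the poster's new engineer would be expected to write. This is not code from istartedi's mail client or from anyone in the thread; the "From: Name <addr>" header layout, the ADDR_MAX buffer size, the function names and the sample lines are all assumptions made for illustration. The unsafe version copies as many bytes as the message dictates into a fixed buffer, which is the pattern a bounds-checking lint such as splint is meant to flag; the checked version carries the destination size, tests the length before copying, and rejects oversize input instead of silently truncating it.

```c
#include <stdio.h>
#include <string.h>

#define ADDR_MAX 64   /* assumed fixed destination, like a mail client's header buffer */

/* BEFORE: the overflow pattern. The copy length comes from the message,
 * the destination size does not. Anything between '<' and '>' longer than
 * ADDR_MAX - 1 bytes writes past the end of out. An unchecked copy of this
 * shape is what splint's bounds checking exists to report. */
static void extract_from_unsafe(const char *line, char out[ADDR_MAX])
{
    const char *lt = strchr(line, '<');
    const char *gt = lt ? strchr(lt + 1, '>') : NULL;
    if (!lt || !gt) { out[0] = '\0'; return; }
    size_t n = (size_t)(gt - lt - 1);
    memcpy(out, lt + 1, n);      /* n is never compared with ADDR_MAX */
    out[n] = '\0';
}

/* AFTER: the destination size travels with the pointer, the length is checked
 * before the copy, and oversize input is rejected rather than truncated
 * (a silently shortened address is a different bug, not a fix).
 * Returns the address length, -1 for a malformed line, -2 for one that
 * does not fit. */
static int extract_from_safe(const char *line, char *out, size_t outsz)
{
    if (!line || !out || outsz == 0) return -1;
    const char *lt = strchr(line, '<');
    const char *gt = lt ? strchr(lt + 1, '>') : NULL;
    if (!lt || !gt) { out[0] = '\0'; return -1; }
    size_t n = (size_t)(gt - lt - 1);
    if (n >= outsz) { out[0] = '\0'; return -2; }   /* must leave room for the NUL */
    memcpy(out, lt + 1, n);
    out[n] = '\0';
    return (int)n;
}

/* Constructed sample header lines, not taken from any real message. */
static const char *const SAMPLES[] = {
    "From: Alice Example <alice@example.org>",
    "From: no angle brackets here",
    /* 70-character local part, longer than ADDR_MAX: the line that would
     * overrun the unsafe version */
    "From: <"
    "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa"
    "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa"
    "@example.org>",
};

/* Status of the checked parser on sample i (see return codes above). */
int sample_status(int i)
{
    char buf[ADDR_MAX];
    return extract_from_safe(SAMPLES[i], buf, sizeof buf);
}

/* Address the checked parser produced for sample i ("" when rejected). */
const char *sample_address(int i)
{
    static char buf[ADDR_MAX];
    extract_from_safe(SAMPLES[i], buf, sizeof buf);
    return buf;
}

int main(void)
{
    char buf[ADDR_MAX];
    extract_from_unsafe(SAMPLES[0], buf);   /* harmless only because this input is short */
    printf("unsafe, short input: %s\n", buf);
    for (int i = 0; i < 3; i++)
        printf("safe, sample %d: status %d, address \"%s\"\n",
               i, sample_status(i), sample_address(i));
    return 0;
}
```

    Passing the oversize sample to extract_from_unsafe instead would write roughly 19 bytes past buf; the checked version returns -2 and leaves the caller to decide whether to drop the message or log it, which is the decision the original code never made.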
  68. An incredibly BAD idea by The+Monster · · Score: 5, Interesting

    A little regulation would be nice

    It is no more possible to have 'a little regulation' than to be 'a little pregnant'. Throughout the history of industrialized society, the same pattern has been repeated over and over with a new technology:

    1. None of the existing agencies seems to have jurisdiction over the peculiar characteristics of the technology, so a thousand flowers bloom. Some work; others don't. The pioneers know this. They expect it.
    2. The technology becomes sufficiently stable and productive, relative to existing alternatives, as to become important to the smooth flow of commerce. The 'civilized' people move into the former frontier territory, and expect services to be delivered on demand. They don't know nor care about the work done by the pioneers to get it to work as well as it does.
    3. At a certain point, when the political climate is right, the Do-Gooders move in. They declare that the industry is rife with problems that only the government can solve. They seize upon some event (such as a multi-state/province blackout that can be plausibly traced to a computer worm) and demand a law to empower a new bureaucracy to oversee this wild, untamed industry.
    4. Sooner or later, the law passes, and the Do-Gooders move on to the next Great Crusade. Meanwhile, the President has to appoint people to run the agency that regulates the industry.

      Now, who knows anything about the industry.... YES! That's right. The people who work in that industry (for companies that donated to my campaign).

    5. The agency is now part of a revolving door system, where people put in a stint working for one of the major companies in the industry, then go to work for the agency that regulates them, then possibly back to private industry...

    Regulating the software business per se would lead to a Federal Software Commission dominated by ex-MS employees, who would write regulations favorable to their former employer -- not even out of corruption but because they express the corporate culture inculcated into them. Mark my words: The day is coming when it will be as illegal to write computer software without a license from the government as it is to practice medicine, law, plumbing or cosmetology without one. Have you noticed that the more laws there are to regulate an industry, the more expensive it is to be a customer thereof? And if you think closed-source is bad, just you wait until the entire profession is reserved for those who take their apprenticeships with other members of the Guild.

    Far better to fight laws like UCITA, DMCA, software patents, etc. that attempt to deprive software customers of the few rights they already have, than to try to push for empowering the government to screw customers even more.

    Obviously, the free market isn't going to regulate itself when the consumer and even the government has decided that this is normal and that they will just 'put up with it'.

    The free market has been forbidden to regulate itself. The customer has been forced to accept shrink-wrap licenses that deprive them, potential competitors, and independent consumer advocates, of the rights that would allow the free market to function correctly (by reverse-engineering to provide competing products, and benchmarking to judge performance and reliability). These licenses are already in violation of the fundamental principles of contract law.

    We need to use the laws already on the books - how about a class action suit against a software company that puts out a shrink-wrap license that is fraudulent in the 48 states that haven't yet adopted UCITA (because it tells the customer that they must either accept its terms or return the software unopened for a refund, when no such license terms asserted after the sale can possibly be valid)? That would force the

    --

    [100% ISO 646 Compliant]
    SVM, ERGO MONSTRO.

  69. Regulation is not the answer. by Rotten168 · · Score: 1

    Corporations and governments have got to start looking at software as a product, not just an entity that will always inherently suck. If a car existed which was always getting broken into and breaking down, would corporations continue to use it?

    So why do they continue to use software that crashes and has a bad security record? The government needs to start looking at non-MS solutions.

    BTW I use Microsoft cause it's a decent home OS, but I'd never use it in any setting where it's important.

  70. Security and Open Source by hackus · · Score: 2, Insightful

    After developing applications for a wide variety of banking industries it became clear that:

    1) The only way to develop software systems is to proactively secure the systems once they are deployed.

    2) To proactively and continuously review and examine such systems, you must have the source code and build tools and access to the hardware engineering requirements of the systems involved.

    3) The only known process where this can be achieved is through Open Source.

    Closed binary proprietary software is not secure, cannot be MADE secure, is impossible TO secure and with patents and copyrights laws as written it could be quite possible you could be SUED for securing the software yourself.

    Security became an extension of the software engineering process for the company I started previously, and it involved reviewing the source code and making changes, performing attacks, etc.

    Critical to this process was to have as many eyes and opinions looking at the source code as possible. The more experienced professionals that had a chance to offer advice and opinions on the code, the better and more secure the code became.

    An entire portion of the software engineering process cannot even be done with proprietary software, and I personally as a CIO, declared proprietary binary only software sales DOA in this industry 2 years ago.

    -Hack

    --
    Got Geometrodynamics? Awe, too hard to figure out? Too bad.
    1. Re:Security and Open Source by Anonymous Coward · · Score: 0

      An entire portion of the software engineering process cannot even be done with proprietary software, and I personally as a CIO, declared proprietary binary only software sales DOA in this industry 2 years ago.

      Doesn't sound like you have a very good track record.

  71. It's time to regulate or nationalize Microsoft by Anonymous Coward · · Score: 0

    The internet infrastructure has become essential to the day-to-day business dealings of people, businesses and governments everywhere. Microsoft and Windows have monopoly control on the use of the Internet with a greater than 95 percent share of the desktop market. Microsoft consistently chooses to add features at the expense of security (for example, the windows help function) and a single successful security exploit can disrupt the world economy for days. The use of the internet is too important to be left in the hands of Microsoft without any sort of supervision or monitoring. It's time to put some sort of regulatory oversight in place which can monitor Microsoft's decisions and intercede when necessary. As an alternative, Microsoft could be nationalized and operated as a government agency that provides essential infrastructure such as, for example, the FAA which maintains cross-country navigational aids for aviation.

  72. Trundling out my pet kooky conspiracy theory ;) by Canis · · Score: 1
    Anyone considered that the recent rash of virii(1) is designed to lead a push towards greater regulation by the government?

    Yes, yes, just for fun, think about it:

    SoBig.F appears to be the first virus specifically designed to affect public opinion.

    SoBig.F harvests email addresses from web pages that the infected machine has visited recently (via the browser cache). So the higher the probability your email address is in someone's disk cache, the more SoBig spam you get. Lots of people have email addresses on their web pages, but only a few people read them regularly enough that there's a strong chance of it being in the disk cache.

    Whose email addresses are in LOTS of people's caches? Journalists, bloggers, software authors, maintainers of major websites, ISP tech support -- in other words, the people with the power to change the way email works, and the people with the voice to suggest that the way email works be changed, and have lots of people hear them. If you have articles on CNN, if you run major mailing lists like interesting-people, or run sites like slashdot, you're going to get swamped.

    In effect, SoBig.F is optimised to annoy the people who are in the best position to complain about it.

    (not a strong Darwinian survival trait...)

    So while lots of people have been inconvenienced by this thing, it's not actually a big deal for most people: Here at work, we got a few thousand over the weekend it was at its most virulent. Nasty, but survivable, and that was for the whole company. But individual journos and bloggers were getting megabytes per minute of SoBig.F and have been writing up a storm about it, understandably.

    So it looks bigger than it is, and causes a disproportionate amount of angry column inches. According to interviews with internet backbone admins, the traffic was "negligible", worldwide. I'm sure for some of you it doesn't feel that way, but then perhaps that was the point...

    Note also that it's version F, the 6th generation in a series of carefully planned test iterations. It "times out", like a lot of commercial beta software, ready for the next update (which is predicted for mid-September... what happened to "When It's Done"? ;-P ). This thing seems to have a plan behind it...

    And judging from the news reports, it seems to be working! ;-)

    So who has a vested interest in getting people to make email and usenet less anonymous, more accountable...? And maybe doesn't mind scaring people away from porn newsgroups while they're at it? And knows they have an uphill struggle, and could use a nice big mess to point to, to persuade people to their POV? A noisy, ugly one that doesn't actually cause much damage(2), but plenty of annoyance, and gets people good and emotional?

    Hmm... (1) well, I have SoBig in mind here, rather than any others

    (2) sure, the press can quote a big dollar value, but that's distributed worldwide amongst many companies who individually bear a much smaller load, and anyway, I mentally take at least one zero off the end of any estimate of corporate damages quoted in a newspaper article... ;-)

  73. We've already got Carnivore by mec · · Score: 1

    Ooops, make that DCS-1000.

    "Oversight" and "regulation" come down to this: government filters packets. Then they drop packets, arrest the senders and/or recipients of the packets.

    It sounds like it's a great idea when the government filters packets that you don't like: spam, viruses, copyright infringing materials, decss, bomb-making instructions, child pornography, gay pornography, abortion literature.

    Some people like some of those things. Too bad. The big illusion of government regulation is that the supporters think the government is going to regulate the way that the supporters think is good. But the government actually regulates in whatever way the government thinks is good, and the more power it has, the more it regulates. All of the material above has been the subject of government filtering already. And now the NY Times wants more.

    I'd like to ask the New York Times how much "government oversight" they want to have on the content of their newspaper.

  74. Easy Enough Solution by Greyfox · · Score: 1
    License computer use. Possibly just if you want to connect it to the Internet. Yes, I've said this before. Anywhere where public infrastructure is in use and others could be harmed by your actions, a license is a good answer. It's done for cars, pilots and ham radios. I can't think of a Windows worm (at least in recent days) for which a patch hadn't been available weeks or months in advance of the worm. Had the end users kept up with the security patches, the impact of the worms would have been much smaller than it was.

    So if you're required to take a test to ensure that you won't kill someone when you get behind the wheel and you're required to take a test to ensure that you won't spam all over the emergency, aviation or commercial frequencies, then why shouldn't you be required to take a test to ensure that your system won't be as likely to attack the rest of the internet?

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  75. It happened in other industries by Anonymous Coward · · Score: 1, Interesting

    You're right. That's exactly what happened in other industries, including the automobile, airline, telephone, television and radio, insurance, securities, and dozens of other industries. In every case, once a regulatory body was introduced, small competitors were driven out of the market, and the few big players that were left came to dominate the regulatory board, as opposed to the other way around.

    The continuing growth of bureaucracy and regulation is the reason why our parents were richer and more secure than we are, despite the fact that technology has increased the potential efficiency of industry by a factor of ten or more.

    1. Re:It happened in other industries by ScrewMaster · · Score: 1

      Actually, technological advances have improved actual industrial efficiencies by several orders of magnitude in the past half century. The government has absorbed those continuing incremental improvements via increased taxation and regulatory requirements. The reason that our standard of living hasn't dropped even more precipitously is that as the government increased its take, industry got more efficient and largely offset the increases. Unfortunately, there's a limit to how far you can go in that direction without completely automating everything (which we can't do yet anyway), so the burden is starting to be felt more keenly by the population. Add to that the dramatically increased foreign competition of the past two decades, and the near-total focus on short term profits of the American shareholder, and you can see why we're in trouble.

      --
      The higher the technology, the sharper that two-edged sword.
  76. Some ISPs are getting clueful by renehollan · · Score: 2, Interesting
    When I had DSL service, with a static IP address, in Allen, TX (a suburb of Dallas -- damn I miss living in Texas), my ISP made it clear to me that I should damn well get a firewall. Of course, (a) I knew this, (b) let them know, (c) told them I appreciated their efforts to educate their customers.

    Now, this wasn't perfect, as they didn't require me to use a firewall, but it was better than nothing.

    My ISP in Whitby, ON (Canada) (a suburb of Toronto -- damn I miss living in Texas), went a bit further: they were willing to provide me with a static IP address, if I could justify it to them. I let them know that (a) I liked to sink my own email with a backup MX if the connection went down and I did not run an open relay; (b) wanted to administer my home network remotely via ssh; (c) was planning to install a hardware firewall.

    Interestingly, this ISP saved me the trouble of picking a firewall: they required that I use a particular brand of firewall/DSL modem. Unfortunately, it came configured wide open, but that was easy to fix. (amazing the traffic posting "crack past this firewall" to #2600 generates).

    --
    You could've hired me.
  77. The Government Wants to Do _Something_ by Lucas+Membrane · · Score: 2, Interesting
    How about revitalizing the role of government specs in government purchasing? The government is such a big customer, if they could simply stop buying system software products that presented too big a risk, the large vendors would find it advantageous to provide software that didn't.

    This worked for accessibility. When 11 state governments said that they would stop buying software with lousy accessibility for persons with disabilities, big software vendor(s) finally did something about it. Why shouldn't it also work for security???

    This approach used to bring big advantages to the private sector, as manufacturers had to learn to do the right thing on many products. It has lost its impact recently, as the government has given in to business by buying COTS, no questions asked.

  78. avionics aren't always stable, either by Anonymous Coward · · Score: 0

    The Air Force's new F-22 has been delayed because of computer glitches. Yes, it's under development, but flaws exist and will continue to exist in all forms of complex software engineering.

  79. An incredibly BAD idea-apprenticeships. by Anonymous Coward · · Score: 0

    "The free market has been forbidden to regulate itself. The customer has been forced to accept shrink-wrap licenses that deprive them, potential competitors, and independent consumer advocates, of the rights that would allow the free market to function correctly (by reverse-engineering to provide competing products, and benchmarking to judge performance and reliability). These licenses are already in violation of the fundamental principles of contract law."

    And if you actually check court cases, you'll find that a lot of the terms have been thrown out. Just because it's in print doesn't make it legally viable.

    "Regulating the software business per se would lead to a Federal Software Commission dominated by ex-MS employees, who would write regulations favorable to their former employer -- not even out of corruption but because they express the corporate culture inculcated into them. Mark my words: The day is coming when it will be as illegal to write computer software without a license from the government as it is to practice medicine, law, plumbing or cosmetology without one. Have you noticed that the more laws there are to regulate an industry, the more expensive it is to be a customer thereof? And if you think closed-source is bad, just you wait until the entire profession is reserved for those who take their apprenticeships with other members of the Guild."

    Uh huh. And just how many 'old school' professions do you know that have apprenticeships? Not many I wager. The whole idea of apprenticing fell out of favour a long time ago. As for licensing, there are many good reasons to do so. Anywhere where quality or safety issues reign (would you want an unlicensed doctor operating on you?). They also exist (licenses) because amateurs have ruined it for others (few bad apples...barrel...you know the rest).

    It's easy to deride laws and regulations, until you have a need for them (malpractice, exploding gastanks, etc)

    "We don't need more laws to fix bad laws. We need to kill the ones that take away our freedom to innovate, communicate, and collaborate, and the customers' freedom to choose, and then a truly free market will work."

    I believe this process is called "participating in one's government". Give it a try, it can work miracles.

    1. Re:An incredibly BAD idea-apprenticeships. by Adrian+Lopez · · Score: 1
      As for licensing, there are many good reasons to do so. Anywhere where quality or safety issues reign (would you want an unlicensed doctor operating on you?). They also exist (licenses) because amateurs have ruined it for others (few bad apples...barrel...you know the rest).
      From Occupational Licensing by S. David Young:
      A careful analysis of licensing's effects across a broad range of occupations reveals some striking, and strikingly negative, similarities. Occupational regulation has limited consumer choice, raised consumer costs, increased practitioner income, limited practitioner mobility, and deprived the poor of adequate services--all without demonstrated improvements in the quality or safety of the licensed activities.
      --
      "In prison you just have to shut your eyes and take it. Here you have to shut your eyes and give it."
  80. Hmmm-Cynics on parade. by Anonymous Coward · · Score: 0

    "I fully expect that we'll see increased security resolutions which are ostensibly tough on companies like Microsoft, but those companies will embrace them (while all the while getting good PR about "doing the right thing and making the right sacrifices") because ultimately they will only be minor inconveniences... while the regulations that show up will all but prohibit free software (at least for commercial purposes, and possibly for anybody who wants to connect to the Internet), meaning that in the long run Microsoft benefits hugely from those "minor inconveniences"."

    Really? Well someone better call up IBM and their ilk. Tell them to move to SCO Unixware, because we all know that regulations will never touch that.

    That and SCO will win their case, and dominate the entire computing market (even MS isn't safe).

    See! Cynical is easy, reality is hard.

  81. nah by Tangurena · · Score: 1
    Occupational licenses were created in the late 19th and early 20th centuries to prevent negroes from getting employment. Various bogus excuses are used to keep those licenses going, primarily the excuses are a combination of:
    1) an agency gets a source of income,
    2) the people in the profession get a barrier to entry to prevent newcomers that they do not approve of and
    3) consumer protection advocates think the licensing laws are effective at protecting people. Would you trust an unlicensed X? Having a license does not mean that person is skilled, knowledgeable or low risk.

    Another reason that occupational licenses for developers will never happen is that would put a serious damper on the ongoing offshoring movement. The window of opportunity to get software developers covered by some licensing requirements has passed.

    The software industry has chosen to buy legislation absolving them of all liability in their actions. First part of the backlash will be the repeal of that legislation. The backlash will be there, and only the lawyers will win in the nasty lawsuits to come.

  82. Re:Regulation is not the answer-Mainframes. by Anonymous Coward · · Score: 0

    "You can write reliable software for a plane, thats true... but a plane is a relatively simple, relatively isolated system. It does a limited number of things in a limited number of ways, and therefore it can be tested exhaustively and completely. "

    And yet, somehow (magic?) Mainframes prove that just because something is a computer doing multiple things, it isn't impossible to have reliability, and stability.

    The plain fact is that the majority (monopoly) have never been really exposed to reliability, and stability.

    No wonder people doubt its existence.

  83. why it shouldn't be by mccoma · · Score: 1
    First, let's remember that the major problem is one company's software. Others have had problems, but none the number or severity of Microsoft.

    Software, as a profession, is very young compared to building cars, bridges, or planes. It takes years (sometimes centuries) to get to the point laws make sense. Let's look at the early days of any of the engineering professions for examples.

    Beyond that, software is created by many more people than professionals. As an example, teachers have made hypercard stacks for students. Are we seriously going to regulate these people? Might as well outlaw bad literature.

    The government can have one big positive effect on the whole industry. Do not buy software that they feel is vulnerable to these attacks. If they set a guideline not to buy from any company that doesn't meet their minimum safety requirements, then those affected companies will get off their butts and fix the problems.

    Let's face it, all software developers who don't write mission critical software (e.g. avionics, nuclear control) know that all bugs aren't fixed because a business has determined that it is not cost effective to make the change. Mission critical software generally can't afford a failure, a word processor can. The customer is not willing to pay for 100% correctness.

    If the government won't stop buying the software, then they have no business making regulations about it.

  84. Professional bodies / accreditation / problems by Anonymous+Brave+Guy · · Score: 2, Insightful
    Certifying the developers won't help if the management is still pushing to ship software with inadequate testing.

    It will if those developers are personally responsible for the work, accountable to a supervisory professional body, and liable to lose their professional status and hence livelihood if they make a serious mistake. All the managers in the world won't get a known bad product out the door at that point, because every professional developer will tell them where to go. It's like unionisation, but with a somewhat different (and arguably less dangerous) slant.

    The problem of course, is how to form a suitable supervisory body to do the accreditation. I sure as hell wouldn't trust most of the guys I've worked with to sit in judgement over the coding practices of another. Almost no-one invests the time and effort to get their skills to that level, because in most software development industries it's not worth it unless you're doing it as much out of interest and professionalism as out of a desire to earn your pay. In civil engineering, we have a long history of success stories and failures to provide concrete evidence (no pun intended) of what works and what doesn't. There is no analogue in software development today, and without it, who's to say what really constitutes "best practice"?

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  85. Life in the hold, on Internet by drollexecutive · · Score: 0

    A commerce psychology is marking our means to protect our investments through an expression of a round of guilt. How this helps our mental well being ... Loosely, interference with jobs and jobs plus lives becoming stressful. Earth is currently discouraging visitors. Our own lines and ranks approach turmoil over suitable living space. Ventures are to delete minor involvement through discouraging wellful mental outlook and opposing claims in faith. Adopting illness is quick to progress its feel. On the 1800's ships the secure holds within the ship maintained the voyages. The mercy was finding land. Why doesn't the same apply in belief and beyond regrets which too common are in news of competitive spring? I see laws to help consumers in ethical prices and non-substitute time for money, rather have time for work. The Internet has no record to relate, as viewed as a bunch of dated yahoo and yodel. Underneath is education to share and projects for tools. In terms a cost of a tree becomes support services, and deeper into jobs to support services in what jobs support the service. Guilt for victims in unregulated extortion.

  86. Our World by trolman · · Score: 1

    The fact is that our world now runs on these programs and when they crash our world comes to a halt. Bad software is just as bad as a power outage that halts work. There needs to be an awareness by the user that 'they do not have to take it anymore' and that they can vote with their feet and get an application that just works as one expects the lights to be on when they get to work.

  87. Re:Regulation is not the answer-Mainframes. by Keeper · · Score: 1

    The OS running on a mainframe targets one set of hardware. If you're lucky, there might be a handful of peripherals designed to work with that mainframe from the manufacturer of the mainframe.

    I could probably go on for an hour about how much simpler the OS design for a mainframe is, but I don't think that's needed...

  88. Just a thought... by Danomatic2k · · Score: 1

    The problem at the moment is not the weaknesses in MS products, but the lack of diversity in the software market. If you look at nature, one of the keys to the continuous success of life is the diversity of components that make up an animal, a species, and an ecosystem. If it weren't for the genetic diversity in humans, for example, we would all look the same, act the same, and more importantly, all be susceptible to the same kinds of illnesses, and be wiped out by something as simple as the common cold. The reason these computer viruses can attack so many systems is the fact that they are all the same. Sure, there may be differences on the user level but below that they all function off the same code, the same set of "Genes." What needs to happen is for an era of "Software Darwinism" to come about. The users need to be able to not only pick the software that they use, but to be able to change the make-up of the software to enhance its abilities, and bolster its defenses against outside attack. Regulations, like the ones being talked about, will not allow software to evolve into a better state. The only way this will happen is if there is an open exchange of ideas in which everyone is allowed to present their ideas and receive support, advice, and honest criticism from their peers. The open source movement is going in the right direction. Software needs to be seen as an evolving community where everyone benefits from the wisdom of everyone else. What needs to happen now is for large companies to be pressured into realizing that they stand to benefit from freely sharing all aspects of their products. If their products are truly superior, they will have the support of the community as a whole. If not, they stand to profit by using the suggestions of the community to better their products and, once again, have the support of industry and the consumers. The government's role in this should not be as a regulatory body. They should have the same responsibilities as any educated consumer. They should look at every option available and then make an unbiased decision on which options to support, and most importantly why to support them. Regulation is not the key; communication is. The computer has a potential for human advancement far beyond that of anything else. It is a realm of great potential profit, both intellectually, spiritually and monetarily.

  89. Re:It has *little* do with 'professionalism' by symbolic · · Score: 1

    Software engineering is like no other 'engineering' discipline - with bridges, structures and the like, you're working with known methodologies that have been tried and tested for hundreds of years. Since the laws of physics don't change, the only reason for the engineering to change is when confronted by new circumstances.

    With computer software, you have the very distinct possibility that every environment is slightly different than the next - a graphics card from one company (with its own driver), a hard disk from another, an operating system from another, a few utilities thrown in, and add to this the inherent instability from something as large as Microsoft Windows, and there WILL be problems.

    The fact is, that unless you have complete control over the user's environment (and god forbid that ever happens), there is no reasonable way that you, as a software engineer, will be able to assess and test for every possible point of failure. It's a numbers game. Consider the ramifications of extending the testing phase to include a large number of theoretical problems...it would run the cost of software through the roof. It would destroy the software industry as we know it, and it would impose severe, if not downright draconian limits on choice.

    Your computer is your responsibility. Just as you wouldn't expect your neighbor (or the government) to make sure your windows and doors are locked, it is no more their responsibility to make sure you're running a patched version of Windows. If *your* computer gets compromised, tough. Learn and move on. The people that have the correctly-patched software will not be affected, and those that refuse to heed the warnings will get what they deserve.

    Government regulation will do NOTHING to stop the introduction of viruses, nor will it do anything to remedy situations where there is no prior warning. It will most definitely add a huge pile of red tape to any process that it touches, so that managing a computer network becomes a labyrinthine, bureaucratic nightmare. Imagine NOT being able to apply a patch, or some other fix, because it hasn't been officially 'approved' by some government agency. If you think we have problems now....

  90. Fair competition is the answer by moncyb · · Score: 1

    Rather than regulation we should let the market decide.

    You are talking about software, correct? What market? There is only one communist bloc known as Microsoft here. Some people say there is Linux, FreeBSD, etc, but they're not part of the market when they are given away for free.

    However, you are on to something here, the world governments need to enforce their monopoly/anti-trust laws. The US DoJ did us a big disservice. MS should not be allowed to operate like that. When software developers have to ask Microsoft: "May I please write this program? Please don't crush me." there is a problem. When MS gets their Palladium system going, developers will literally have to ask MS this question. Otherwise their code won't be signed and their program won't be able to touch any DRM enabled files. Seeing as how MS intends to make everything DRM including email, no signature means certain death for any project. No one will buy it if it can't access their files.

    1. Re:Fair competition is the answer by IM6100 · · Score: 1

      Why wouldn't a free, non-DRM email client be something you could write and then just install and use? Sure, it won't be able to 'touch' the DRM email files that Microsoft's app uses, but why is that important?

      I like the idea of quarantine from Microsoft apps/address book and the like. I use Eudora for my email client, and have even unclicked the 'Use Microsoft HTML viewer' option in its config. If Microsoft wants to wall off access to its internal data structures, all the better.

      --
      A Good Intro to NetBS
    2. Re:Fair competition is the answer by moncyb · · Score: 1

      Why wouldn't a free, non-DRM email client be something you could write and then just install and use?

      That can be done, but I was talking about for-profit software. A nonDRM email client (or whatever program) will not be able to read DRM emails or DRM files. You'll get a thousand calls about how your "broken" program can't read emails. Even if it is understood the program doesn't work with DRM, there will still be hassles.

      What about the people who insist upon sending all their emails and files in DRM format because they don't want the "wrong" people to see them (as if one couldn't take a picture of the screen)?

      What about if MS configures their software to send DRM by default? Since the crap is encrypted, you can't read it. You'll have to convince the sender to change the settings--assuming they even know how.

      What if MS configures their software to ignore nonDRM email under the guise this supposedly prevents spam? Even if there is a setting to turn this off, many users will insist "but I'll get more spam! I'm not turning that off!" Your email will just disappear. You may not even realize their client software is doing this and think they are ignoring you. What if your only means of communicating with these people is through email? You won't even be able to ask them to change their settings at all.

      DRM is just another way for MS to push others out of the market. Off the mainstream Internet too. If they are able to get their Palladium system going (yeah, yeah, it has a new name SCSBCRAPFUDNAME), then it will become difficult to communicate with DRM enabled users. Eventually they are going to migrate into a DRM only system where it doesn't have a nonDRM part. Try to run your own software then. Obviously this is their plan. When that happens, you will only be able to use the internet with the small number of non-Palladium systems, assuming the ISPs don't go DRM for more "security."

      I remember back in 1998 or so. I was looking for an ISP, and all of them required you to use some sort of Win95/98 program to sign up. They wouldn't even give out their data telephone numbers and DNS server addresses so I could connect with Linux. A few of the larger ISPs may have had the info on some web page, but I didn't have internet access at the time. I just gave up and bought the "upgrade" to Win98. [1] With Palladium it'll be worse, there'll be no way to connect to an ISP if they use some sort of Palladium protocol.

      [1] A programmer friend had said it was much more stable and better than Win3.11 or Win95, just like people say about Win XP now. Yeah right, it wasn't.

  91. Hierarchy of Professional Licenses by The+Monster · · Score: 1
    Another reason that occupational licenses for developers will never happen is that would put a serious damper on the ongoing offshoring movement. The window of opportunity to get software developers covered by some licensing requirements has passed.
    That's easy enough to finesse. Just look at the stratification of MDs, RNs, LPNs, all the way down to various technicians, orderlies, etc., or the distinction between Barrister and Solicitor in the Commonwealth legal systems.

    It will be legal for those offshore people to send submissions to a Licensed Computer Programmer, but they can't actually be delivered outside the company until he signs off on them. There will be a handful of LCPs that act as project managers, and get paid a pretty penny for being licensed, while the scut work is done by cheap interns who have not yet gotten licensed to wipe their own butts without an LCP approving it.

    We'll have the equivalent of specialties, as well. The larval form of them is in the various certifications that are currently available. [Let me point out that I vastly prefer certification, which is voluntary, to licensure, which is not. A certification that is irrelevant will be ignored by those in the know, but a license that is irrelevant must still be respected by them.] Once there is a law that requires a license, the demand for higher-level licensure for specialties will come as day follows night. The big money will be in the specialties.

    --

    [100% ISO 646 Compliant]
    SVM, ERGO MONSTRO.

    1. Re:Hierarchy of Professional Licenses by ScrewMaster · · Score: 1

      I fear that you may be right. {sigh}. I've been a developer for twenty-four years, and I've specialized in high-reliability systems that have to run for months or years on end, and do. So I think I have the software quality thing down pretty well. And I love my work. But if I have to pass some arbitrary certification exam given by people that have, at best, a remote understanding of what I do for a living with the penalty for failure being no job ... well, I think it will be time for a career switch. And I'll tell you this: an awful lot of long-time experienced programmers just like me will follow suit. I probably know more about coding stable, reliable applications than anyone who got his degree in the past ten years, but I swear I'll take up windsurfing before I get "certified." How does that benefit anyone, or make anyone safer? Beats me.

      --
      The higher the technology, the sharper that two-edged sword.
  92. Ban C and C++ for OS's and Mission Critical Apps by douglasgodfrey · · Score: 1

    It is inexcusable that any C or C++ compiler allocates local variables in the same page as the procedure call stack return address.

    A Stack frame should be a fixed 4 word struct with a Link Pointer to the previous frame, a Heap Limit Address, Local Variable Base Address and Return Address. The call stack should be allocated at a lower address than the heap and/or all local variables and there should be a 4k-64k Guard Buffer of non-addressable storage before and after the stack.

    Negative array indexes and absolute pointers should both be prohibited by the compiler and runtime ABI. All Pointers should be Handles that contain an offset from the base of the heap. All pointer arithmetic should be done with unsigned addition before adding the base address. A Pointer Overflow Error Exception would be raised if the overflow, carry or sign flag was set. A Stack Overflow Error Exception would be raised if the local variable base is less than the heap limit.

    Such restrictions would have no impact on well designed code but they would make it impossible to execute arbitrary code due to a buffer overrun.

    The Heap Base and Local Variable Base would be kept in registers. Only a 1 load penalty would be incurred to access a local variable from a caller's local variable frame. No value testing or branches would be added to the procedure call mechanism.
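The pointer-as-handle scheme in the comment above (unsigned offset from the heap base, arithmetic checked before the base address is added, wrap or out-of-range raising an error) can be modelled in a few lines of C. This is an added illustration, not code from the post's author or from any compiler or ABI; `handle_t`, `heap_t`, `handle_add`, `handle_deref`, `probe_add` and `demo_handle_checks` are hypothetical names, and the 64-byte arena is a constructed sample heap. The stack-frame and guard-page parts of the post are not modelled here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of "handles instead of absolute pointers": a handle is an
 * unsigned offset from the heap base, arithmetic is done on the offset
 * before the base is added, and a wrapped (carry) or out-of-heap result
 * is an error rather than a new pointer. All names here are hypothetical. */

enum handle_status {
    HANDLE_OK = 0,
    HANDLE_POINTER_OVERFLOW,   /* unsigned addition wrapped: the "carry flag" case */
    HANDLE_OUT_OF_HEAP         /* result would touch memory beyond the heap limit */
};

typedef struct { uint64_t offset; } handle_t;                 /* never a raw address */
typedef struct { unsigned char *base; size_t size; } heap_t;  /* limit = base + size */

/* Move the handle by an unsigned delta, checking for wrap and for the heap
 * limit (including the bytes the caller intends to access at the new spot).
 * A "negative index" passed by a caller arrives as a huge unsigned delta and
 * is rejected by one of the two checks. The handle is unchanged on error. */
enum handle_status handle_add(const heap_t *heap, handle_t *h,
                              uint64_t delta, size_t access_len)
{
    uint64_t next = h->offset + delta;
    if (next < h->offset)                                  /* wrapped past 2^64 */
        return HANDLE_POINTER_OVERFLOW;
    if (next > heap->size || access_len > heap->size - next)
        return HANDLE_OUT_OF_HEAP;
    h->offset = next;
    return HANDLE_OK;
}

/* Only here is the base address added, and only after the range check. */
unsigned char *handle_deref(const heap_t *heap, handle_t h, size_t access_len)
{
    if (h.offset > heap->size || access_len > heap->size - h.offset)
        return NULL;
    return heap->base + h.offset;
}

/* Status of moving a handle at `start` by `delta` over a heap of `heap_size`
 * bytes for a one-byte access; the base is irrelevant to the offset checks. */
enum handle_status probe_add(uint64_t start, uint64_t delta, size_t heap_size)
{
    heap_t heap = { NULL, heap_size };
    handle_t h = { start };
    return handle_add(&heap, &h, delta, 1);
}

/* Walk a constructed 64-byte heap and count the accesses the checks refuse. */
int demo_handle_checks(void)
{
    static unsigned char arena[64];                         /* constructed heap */
    heap_t heap = { arena, sizeof arena };
    handle_t h = { 0 };
    int rejected = 0;

    if (handle_add(&heap, &h, 16, 4) != HANDLE_OK) rejected++;  /* bytes 16..19: fine */
    if (handle_add(&heap, &h, 60, 4) != HANDLE_OK) rejected++;  /* 76 > 64: refused */
    if (handle_add(&heap, &h, (uint64_t)-1, 1) != HANDLE_OK)
        rejected++;                                             /* index -1 wraps: refused */
    if (handle_deref(&heap, h, 48) == NULL) rejected++;         /* 16 + 48 == 64: fits */
    if (handle_deref(&heap, h, 49) == NULL) rejected++;         /* one byte past limit */
    return rejected;                                            /* 3 */
}

int main(void)
{
    printf("rejected accesses: %d\n", demo_handle_checks());
    return 0;
}
```

The two checks in `handle_add` are the post's "carry flag" test and "heap limit" test done on the offset alone; a caller's negative index becomes a very large unsigned delta and is caught by one of them before any address is formed, which is why the refused handle can never be dereferenced outside the arena.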

  93. Re:It has *little* do with 'professionalism' by Anonymous Coward · · Score: 0

    The fact is, that unless you have complete control over the user's evironment (and god forbid that ever happens)

    Can you say ... MacIntosh?

  94. Unsafe at any speed by xixax · · Score: 1

    I am sure that the engineers employed by Detroit were and are extremely competent and professional. They did wonders taking the motor car and turning it from an expensive luxury to a commodity transportation device. Yet despite all that professionalism, Nader found their cars to be gas-guzzling death traps.

    On a similar note, I am sure Andersen only employed the most highly regarded auditors who belonged to the most rigorous professional bodies.

    I think there may be a role for regulation, but like motor vehicles, such regulations would be more concerned with performance than dictating design.

    Xix.

    --
    "Everything is adjustable, provided you have the right tools"
    1. Re:Unsafe at any speed by IM6100 · · Score: 1

      Using a highly-political 'outsider pundit' like Nader as your example weakens your argument.

      Anybody can get a law degree and then start lobbing pot-shots at an industry. If they capture on a popular public meme they can even use the opportunity to catapult themselves into a career.

      --
      A Good Intro to NetBS
    2. Re:Unsafe at any speed by sql*kitten · · Score: 1

      Yet despite all that professionalism, Nader found their cars to be gas-guzzling death traps.

      Independent tests found that Nader pretty much made up everything he said about the GM Corvair. He later justified it on the grounds that he was sure some car companies were doing something wrong, so he wanted to attack the largest one.

    3. Re:Unsafe at any speed by xixax · · Score: 1
      Using a highly-political 'outsider pundit' like Nader as your example weakens your argument.

      Quite probably. But regulatory standards still ended up playing a big part in car design. My car has seat-belts, and meets crash & fuel consumption standards. Cars are much safer than they were. While safety is marketable now, would that design imperative have arisen without that initial political interference?

      Xix.

      --
      "Everything is adjustable, provided you have the right tools"
    4. Re:Unsafe at any speed by IM6100 · · Score: 1

      The day when you can find people whose idea of fun is dying in an automobile crash is the day when 'political interference' is responsible for safety rather than a clueful public and a responsive marketplace.

      The whole idea of 'government coercion' for safety promotes the idea of the nanny state, and encourages people to be less responsible and pay less attention to safety. Because the gummint will do that for them.

      --
      A Good Intro to NetBS
  95. do we want secure, bug-free software? by jadavis · · Score: 1

    Sure... it sounds great: software that's well-tested, secure, and stable.

    But at what cost? Nobody seems to ask this obvious question. Software like that costs money, who's willing to pay that cost? The average consumer may rather just have unstable software than pay that extra cost.

    Why should the average consumer have to pay extra costs just for the sake of the /. sysadmins who don't like buggy software?

    The real reason for bugs is simple: developers develop until the software reaches some level of functionality that will be tolerated by most of the consumers, then they sell the product. If you want them to develop longer, you have to pay those costs, not the person that was happy enough with cheap, buggy software.

    For a bridge to be tolerable, it needs to have near zero design flaws. But for an email client to be tolerable to most people, it can apparently have as many flaws as outlook express. By "tolerable" I mean that it's good enough that most people would rather have the product as-is than pay more for additional design.

    --
    Social scientists are inspired by theories; scientists are humbled by facts.
  96. O...K by Olathe · · Score: 1

    Ummm...if I ran a software company, it would be worth more to get the hell out of software development as quickly as possible to avoid huge fines for things as inevitable as human errors. Or I might consider moving out of the effective reach of whatever organization enforced it.

    Are you suggesting that there's someone moronic enough to keep working in such an environment?

    I think what the original post (about the $100) meant was a voluntary payment by the company to entice people to buy from them, not a forced fine by some crazed authoritarians.

  97. Re:Kick up the A** for a certain well know company by Anonymous Coward · · Score: 0

    Heh. Right. Perhaps you haven't paid enough attention to history.

    Increased government regulation is more likely to mean turning over complete control of every PC to Microsoft (can you say "Trusted Computing", boys and girls? I knew you could...) than it is to mean Microsoft gets pressured to release secure OSes, simply because Microsoft can out-lobby any competing OS that's already secure, which means that "security" will be defined by reference to installing patches.

    Mark my words...government regulation of nongovernment computer security could end with it being a felony in the US to run anything but the latest Windows on your PC. But it _definitely_ won't do a single thing to make computers actually more secure.

  98. If computers were like cars... by jpop32 · · Score: 1

    From the article (yep, read it. yep, subscribed.): "There's a reason this kind of thing doesn't happen with automobiles," says Bruce Schneier, chief technical officer at Counterpane Internet Security in Cupertino, Calif.

    Yes, but it's not the fact that MS isn't responsible for the flaws in its OS.

    The reason is that you have to pass a driver's licence test in order to legally drive a car, which means you need to have certain knowledge and skills to safely operate a car. That way, you know you don't drive 80mph in corners, and you know you have to periodically change the oil, tyres and stuff like that. On the other hand, you are not required to have absolutely any knowledge to operate a computer on the internet. And that's where the problem lies.

    To expand further: both viruses that 'devastated' the internet lately propagated mainly because of ignorant users. One required you to click on an attachment in a message (Yeah, wicked screensaver, let's see it!), or not to patch your machine for a vulnerability that was announced and patched a month before MSBlaster struck (a month that the author of the virus probably spent writing and testing the virus, counting on people not patching their computers).

    My point is: as much as you can't complain if you destroy the engine of your car because you neglected to change the oil, or crash while cornering at 80mph, you can't complain if your computer gets compromised because you neglected to take care of it or take the most basic precaution when operating it.

    I'm not talking about getting a CS degree here, computers can and will patch themselves if you make them do so. Similarly, everyone should know better than clicking on attachments in unexpected/strange messages. I have absolutely no fear of viruses/trojans/worms and have completely avoided all of the internet 'disasters' so far, merely by exercising common sense and judgement. I strongly believe everyone else can do so.

    On the other hand, I do fear the government's involvement in policing the Internet. If the proclaimed 'Internet security experts' have as little clue as the person cited at the top of my post, what chance of really understanding and doing the right thing does a bunch of politicians have? Holding the software companies directly responsible for virus damage will be the end of the software industry. I really do hope the politicians aren't that hasty, although I do believe the armies of MS lobbyists will prevent the worst from happening.

  99. Let's see the bureaucrats fuck this one up! by core_dump_0 · · Score: 1

    Why does the government regulate technology? They obviously know nothing about it. You get laws like the felt-tip-pen-banning DMCA and firewall-banning Super-DMCA laws which show clearly their lack of knowledge on the subject. This should be fun to watch, if it happens. They'd probably fall prey to Microsoft and their lies and nothing would get done. Oh wait, they might ban Linux for the same reasons imported drugs are banned. That's a little extreme, but you never know.

  100. You DO NOT want Microsoft to write good code by Anonymous Coward · · Score: 0

    > don't you think their culture would change very
    > rapidly? Instead of having the worst security
    > reputation, they'd suddenly have the very best.

    You want secure code from Microsoft? Be careful what you wish for, because you just might get it!

    Some day Microsoft may get the hang of writing code without gaping holes. But, when they do, they will NOT use their newfound skill to implement anything which you and I would recognize as security.

    When you and I say "security," we mean "nothing runs without the machine's owner's permission." When Microsoft say "security," they mean "nothing runs without Microsoft's permission."

    If and when Microsoft create a secure operating system, no one (even the owner of the machine) will be able to write or run any software without prior approval from Microsoft.

    Some day, every incompetently managed buffer in a Microsoft app will be a reason for celebration, because these "exploits" will be the only way you can run your own code on your own hardware.

    Don't laugh, this is already happening to Xbox owners. Look how happy they were when buffer exploits were found in a couple of Xbox games. Without these exploits, Xbox owners would be unable to run excellent software like Linux and Xbox Media Player, on their own hardware.

    Yes, there are "mod chips" which can be forcibly installed. But this is merely a first-version hardware oversight; surely the hardware of the next generation of Xbox will be much more difficult to modify. And, similarly, the hardware of the future "Palladium PC" will be nearly impossible to hack, because the Fritz circuitry will be integrated on the same silicon chip as the microprocessor.

    Trust me: the day will come when you will hope and pray for a classic, incompetent, Microsoftian, smashable buffer!

  101. Re:It has *little* do with 'professionalism' by symbolic · · Score: 1

    Can you say... less than 10% of the market?

    Also remember that I can still buy a third-party accelerator, video card, sound card, or other PCI devices. I can also install third-party hard drives, CDs, etc. I can also purchase and install any number of 3rd party utilities, any of which could rely on low-level access to the operating system (or at least the ROM toolbox).