Slashdot Mirror

← Back to Stories (view on slashdot.org)

Increased Software Vulnerability, Gov't Regulation

Posted by Hemos on from the the-perils-of-regulation dept.

PogieMT writes "An article in the New York Times (registration required) suggests that the rash of security flaws, viruses and worms is leading a push towards greater regulation by the government, which, according to the piece, has largely relied on the efforts of individual companies."

15 of 291 comments (clear)

  1. Hmmm by RMH101 · · Score: 3, Insightful
    Is this being used to restrict individual freedoms in a similar way as 9-11 is used to?

    Call me cynical, but I don't think the US government are getting into this for the sake of safeguarding my PC from viruses...

    1. Re:Hmmm by rknop · · Score: 5, Insightful

      Call me cynical, but I don't think the US government are getting into this for the sake of safeguarding my PC from viruses...

      It's cynical, but it's also not an unreasonable fear based on anybody who's been rationally observing the behavior of our government recently.

      I fully expect that we'll see increased security resolutions which are ostensively tough on companies like Microsoft, but those companies will embrace them (while all the while getting good PR about "doing the right thing and making the right sacrfices") because ultimatly they will only be minor inconveniences... while the regulations that show up will all but prohibit free software (at least for commercial purposes, and possibly for anybody who wants to connect to the Internet), meaning that in the long run Microsoft benefits hugely from those "minor inconveniences".

      Meanwhile, the regulations-- like a lot of what we've seen with airport security-- won't increase actualy computer security one whit, but anybody who complains about them will be chastised by John Ashcroft as a whiner who won't let the government do what it needs to safeguard our homeland.

      Yeah, I'm cynical too.

      -Rob

  2. Regulation is not the answer by sql*kitten · · Score: 5, Insightful

    Regulation is not the answer - professionalism is. The government has oversight over the construction industry for example, but engineers are accredited and the profession is run day-to-day but the professional institution, in the UK this is the Institute of Civil Engineers. Same in medicine, the government oversees, but day to day regulation rests with the BMA, the British Medical Association, and doctors answer to them. Same with lawyers, accountants, investment bankers... even lifeguards and hairdressers have professional bodies.

    Software development needs to become more like engineering, and software developers should be required to take a qualification like CEng (UK) or PEng (US) in order to work in positions of authority and responsibility. Remember that engineering is about public safety - bridges don't often collapse, buildings don't often topple, and that's all because the people designing them have been certified by independant bodies. Programmers of safety-critical systems are already often required to be certified by the relevant body, usually that of the electrical engineers.

    1. Re:Regulation is not the answer by awol · · Score: 3, Insightful

      Of course regulation is the answer. But the implications are horrible. Any doubt that we are living in the "wilds" of the post revolution expolosion just consider the issues of industrial safety immediately after the industrial revolution. It was a disaster, people were killed and maimed hourly. Look at software, thankfully few people are actually harmed but some of what we "professionals" produce is just crap.

      Professionalism is an answer to nothing in this case. Regulation comes in many forms. Pick your jusrisdiction and even your industry and you will find a litany of standards and regulations to which a product must conform before it can be sold. Fire safety for clothes, building materials, Electrical safety standards etc etc etc. One recurring theme seems that most of these standards relate to safety, or to paraphrase to reduce the human cost of substandard products. Having never worked in the industry, I do not know, but I can imagine that the standards required for medical equipment software (pacemakers et al) and things like nuclear power stations are much higher. This is not a question of the qualifications of the people who do the work but opf the output of their work and that is regulation, plain and simple.

      Personally I think that the market is the right tool for many of these regulations, but that requires better information and we all know how companies are about disclosing the true nature of their products at the moment, but I digress. The other point is that whilst I am comfortable with my ability to choose the prudent or safe product, I don't trust the vast majority of morons out there to do the same and if they drive a crappy car they can kill me, so I am happy to have regulated standards.

      Software, ah yes software, well for starters with most software the worst thing a crash or defect will do is cost you money (or make you late for a date), so I am not so sure that I want so much regulation. Secondly, due to the nature of the process, software is more art than engineering, and that is nothing to do with the professionalism of the people writing it. Now, it is true that the baseline at which the process turns from art into engineering is increasingly high (I am comfortable relying on my compiler to turn my Arty C code into engineered machine language and that the hardware will interpret this in a way that is engineered, whereas thirty years ago that was not so much the case) and in future that boundry will be higher still, however it is not a question of the "capabilities" of the industry participants that currently determines that level and getting us to a point where it is will take a long time and a number of really astounding revolutions in the tools at our disposal.

      Having said all that. I would love to see "BS01232 - Computer Operating Systems" that defined a minimum standard of performance, but such a thing is a logistical nightmare do define yet alone to actually implement, so in the mean time I will just run the OSes for which my tasks are best suited and grin and bear the pain.

      --
      "The first thing to do when you find yourself in a hole is stop digging."
    2. Re:Regulation is not the answer by sql*kitten · · Score: 4, Insightful

      If a software program is poorly designed, it crashes, Joe User restarts his machine and goes on with his life. He doesn't even bother to investigate what caused the crash because it happens so often.

      But it is possible to write reliable software. Aircraft, for example, run on extremely reliable software. The way it works in civil engineering is, if you can't get a CEng to sign off on the plans, you can't go ahead with the project. A CEng won't sign unless he's sure, because if it fails, he's responsible and he'll likely never work again. The fact that he's an employee is neither here nor there, he answers to the ICE, not the company. A similar approach could be taken with software - make the senior programmer on a team personally responsible, and give them the authority - independant of the company employing them - to say yes or no.

    3. Re:Regulation is not the answer by sql*kitten · · Score: 3, Insightful

      I'm an MEng and I've still written programs that crash... so have you.

      Sure, it wouldn't be a perfect system - but it would better than the situation we have now, where no-one is willing to take responsibility for quality. A strong professional body for granting certified status, backed by a public unwillingness to buy software that didn't have a signature on it from a qualified engineer (maybe in turn backed by a law that some software must be signed off to be sold to the public) would work wonders.

  3. Forget the regulation... by jafo · · Score: 3, Insightful

    Regulation may or may not work. What would really work would be if the government (Microsoft's biggest customer, I've heard) stopped buying their products in favor of others that are more secure. Re-evaluate that when Microsoft's products have less of an issue.

    I know that all systems have some security problems or another. I don't recall any of them having sent me a thousand e-mail messages every day, though. And it's not like this is the first time.

    Let the government talk with it's money and people will listen.

    Personally, I don't really like my tax money going so much to Microsoft. For one thing, I don't like that the privacy of my information and security of the systems relies on something that seems to have so many problems.

    Sean

  4. trusted computing anyone? by Alien+Being · · Score: 5, Insightful

    Gates is probably telling Bush "see, this is why we need trusted computing." Bush will declare that either you are with him, or you are with the terrorists.

  5. Break up Microsoft, for God's sake by goon+america · · Score: 3, Insightful
    People accept the low level of software quality simply because the thought has never entered their heads that things could be any different. MS can get away with it, much like the old AT&T of yore, because it knows that switching and using an alternative is costly enough, if only cognitively costly enough, that people will be willing to accept a level of frustration up to the value of the cost of switching before doing so.

    Regulating computer safety makes these guys exactly like the AT&T of yore. And don't we all know what happened with that?

    So let some damned competition into the market. The only reason to trust these guys in any other situtation is to simply not understand the idea of a world without them, and sadly that seems to be the way most people think.

  6. Yes! Yes! by moehoward · · Score: 3, Insightful

    Any user who does not patch daily and harms another due to not being patched should be punished. Here is how I think it should work....

    A few big ISPs should simply start cutting service to those who have been backdoored and are zombies, have opened virus laden e-mails, or are otherwise infected and causing others problems. For example, no firewall on an open, always-on connection. Especially cable modem ISPs and DSL providers should do this. It should be VERY heavily marketed ... "If you don't patch and change your behavior, we cut you off without warning."

    My feeling is that by doing this, people will finally start learning how to patch and how to not open e-mail attachments. People will get firewalls and AV software ASAP.

    I have seen the threat of this work on a small scale. ISPs are dimwitted morons for not requiring this in the first place. How stupid to give a bunch of newbies loaded guns and then deny responsibility. Buy stock in firewall and AV companies!

    --
    "If you want to improve, be content to be thought foolish and stupid." - Epictetus
  7. Re:they forgot to mention by pesc · · Score: 3, Insightful

    Corporations would develop their own distributions and make them as feature rich and easy to use as the Windows was. In other words the (alleged) superior security of linux distributions would be broken down in a day: The systems would enable logging in as root and would run all the conceivable daemons by default to avoid problems with third-party software.

    You may have a point. But if there were several corporations creating Linux distros, they would probably have different features, default deamons, etc. Virus would not spread as easily as they do now.

    Also, with Linux an interested user can decide by himself what stuff he wants to install. If I don't want to use IE, Outlook express, Mediaplayer, etc, because I think they are full of spyware and insecure, it is quite difficult to choose something else under Windows. Not so on Linux.

    Monopolies are bad. They make viruses spread more easily.

    --

    )9TSS
  8. Make the Software Publisher Liable by Korgan · · Score: 3, Insightful

    Get rid of the whole regulation issue. Thats not necessary. It would be far better to make the software publisher liable for any faults or flaws in the software that led to an incident such as MSBlaster, Slammer or any other number of worms out there.

    Virii like SoBig.F are not something that can be avoided because the vulnerability there is the user themself. The only way to sort out virii like that is to educate users to not open email they are not expecting or recognise. Even then its still a risk.

    If Microsoft were liable for the damages caused by the worms such as MSBlaster and Slammer because their software was vulnerable, don't you think their culture would change very rapidly? Instead of having the worst security reputation, they'd suddenly have the very best. Win2k3 is a good start in the right direction by disabling everything by default. I applaud that. Now they need to sort out their coding practices so that these sorts of issues are a non-event.

    Governments don't need to regulate anything. All they need to do is make it illegal for a company to not take responsibility for faulty products, regardless of the product. It worked in the automobile industry, its worked in the medical industry, its worked in the engineering industry.

    If my car explodes because of a fault in the fuel line at manufacturing, I'm perfectly within my rights to sue that company. If my computer becomes completely unusable because a vulnerability allowed someone to damage it or similar, why shouldn't I sue the publisher of that software? I'd also reserve the right to sue the person that exploited that vulnerability and caused the damage.

    Don't need regulation, just liability and a warranty of suitability for a purpose. 'This OS is guaranteed to perform to XXXXXXX level and is considered suitable for XXXXXXXXXX purpose.'

    1. Re:Make the Software Publisher Liable by sql*kitten · · Score: 3, Insightful

      If Microsoft were liable for the damages caused by the worms such as MSBlaster and Slammer because their software was vulnerable, don't you think their culture would change very rapidly?

      Well, given that Microsoft had released patches for both of the vulnerabilities exploited by those two viruses long before the viruses were ever released, I'm not sure it even should be liable. Nothing helps if the sysadmins don't stay on top of things.

    2. Re:Make the Software Publisher Liable by ctid · · Score: 3, Insightful
      Get rid of the whole regulation issue. Thats not necessary. It would be far better to make the software publisher liable for any faults or flaws in the software that led to an incident such as MSBlaster, Slammer or any other number of worms out there.

      This wouldn't work because then no-one could use (eg) Debian Linux, as there is no one company behind it. The right way to prevent security problems is to make sure that there is fair and open competition in the OS market. This way a company whose products are proven over and over to be unreliable and insecure (naming no names) would simply be overtaken by its competitors. Once the company saw the writing on the wall, they might decide to focus properly on security, or run the risk of being driven out of the market. To achieve this, companies who sell OSs and applications should be forced to open up their secret protocols and file formats to ensure that competition is fair. This will have the additional effect of allowing a more varied ecosystem of OSes on the internet, making it far more difficult for virus and worm writers to hit a majority of machines.


      Although these ideas would be good for competition and good for security and good for the economy, they won't happen because that is not how democracies work any more. Certain companies will buy political influence to prevent this happening. We are already seeing Microsoft claiming that it's "impossible" to create a secure computing platform without secure hardware. This sort of madness is likely to be the result of government intervention.

      --
      Reality is defined by the maddest person in the room
  9. Now watch as... by Kyouryuu · · Score: 4, Insightful

    Now watch as Bill Gates and his cronies push for Trusted Computing, the Palladium project. After all, it's never Microsoft's fault that the bugs exist, right? It's always those darned users and by George we need to foolproof the system. Please. Trusting computing is a joke. It is a power play by top industry corporations to seize power and act as a yet another cohesive monopoly in a so-called free market. Just like the RIAA. Just like the MPAA.

    Here's a thought. Hold the software companies responsible for their own goofups and bugs. Let the people sue. Let the people file their class action lawsuits against Microsoft for their errors. But don't let the government take control.

    I don't want the ignorant US government, or any government for that matter, looking over the Internet and infringing on it any more than they already are. Half of those farts probably don't even know what the Internet is. I can't say I'd want these clueless individuals, easily motivated by legal bribery (lobbies) and big business (Palladium), to be involved. They will only serve to screw things up, pass ridiculous laws, and tax Internet commerce to death. Let the Internet be that one place government is unable to corrupt.

    The problem is that the people who aren't on the Internet; the people who take passive interest in computers, are ignorant to these facts. That's why I feel, unfortunately, that things like Palladium are destined to pass. Microsoft and others are going to get these bills through the door while the politicians are still ignorant to computers.

    I'd like to say we can stop them, but we don't have a $47 billion lobbyist group behind us.