Increased Software Vulnerability, Gov't Regulation
PogieMT writes "An article in the New York Times (registration required) suggests that the rash of security flaws, viruses and worms is leading a push towards greater regulation by the government, which, according to the piece, has largely relied on the efforts of individual companies."
Much like car safety between the '50s and '70s. Manufacturers simply didn't care about safety, because the customer didn't care.
Be wary of any facts that confirm your opinion.
It's not just Microsoft, they are just really prevalent. With new laws coming like UCITA, software makers can disclaim all liability while making false advertisements about the software's ability to perform a certain function. Notice how every software maker has advertised that their product is the very best, most secure product on the market? How can everyone be the best all at once? It would also allow for far more draconian licensing clauses.
A little regulation would be nice. Obviously, the free market isn't going to regulate itself when the consumer and even the government have decided that this is normal and that they will just 'put up with it'. Well, some of us have had enough.
You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
I tried to submit something similar before as an article but it was denied.
Personally I would stop using machines if it were possible to have some form of monitoring of my actions without my authorization. Aside from that it's not a secret that the NSA has been accused of corporate espionage, so I would hope large corporations would think twice about giving them any form of say when it comes to codes for commercial software.
MoFscker
It only appears so because Microsoft's is found on practically every desktop and on the majority of server computers too.
If Linux were as popular as Windows, you can bet we'd be in the same situation. Why? Because the problem is only partially software. The main problem is the clueless user and to a lesser extent the feature bloat required by the users.
Let's imagine that the open source zealots got their wish and Microsoft was broken down or, even better, stopped selling software altogether and Linux would suddenly be the mainstay operating system both for desktops and servers. Linux would suddenly be truly big business. Corporations would develop their own distributions and make them as feature rich and easy to use as Windows was. In other words the (alleged) superior security of Linux distributions would be broken down in a day: The systems would enable logging in as root and would run all the conceivable daemons by default to avoid problems with third-party software.
But getting back to the article. If operating systems were to become a government supervised commodity with stiff penalties for those who produce insecure software, would you be prepared to accept that open source companies (or the copyright owner, FSF) would get fined for every security breach - just like the manufacturers of proprietary software?
BOO! TERRO
I'm an MEng and I've still written programs that crash... so have you. It's not a question of certification but just how much time you're prepared to take writing some code (by which I include choice of method, programming language and so on) and testing it. You can have thirty years of experience and still bang out flaky code if you're in a hurry. And if flaky code is all that's needed for the particular task, why not?
Rather than regulation we should let the market decide. Vendors could undertake: I will pay you $100 for each crash. Sometimes this already happens, e.g. with guarantees about the number of nines in server systems. The biggest problem is deciding responsibility for any faults. If an operating system call, which (according to POSIX or whatever) should not return null, one day does return null and the application crashes, who should pay up? And how do you find out whose fault it was? Running the whole system in some kind of virtual machine where you can roll back the last few seconds of execution would be one answer.
-- Ed Avis ed@membled.com
While regulation of software might sound like a good idea to the anti-Microsoft crowd, consider how it would affect free software developers. Imagine if you couldn't release any software that hasn't been vetted by some government agency - that would be the end of 99% of the open-source projects out there.
..
And even if there were some exemption for not-for-profit developers, what about distribution companies like Redhat? They would be out of business in seconds.
Them wanting to control the IT market
Not all government control over the markets is bad. It's a fact that a capitalist society cannot self-regulate - its natural growth is always towards a monopoly. This unhealthy growth cannot be curbed by some internal mechanism inherent in the markets (as libertarians like to believe) and external control is always required at some stage.
BOO! TERRO
You don't buy a car for $20, $50 or even $399. Nor do we build bridges for anything near that cost. Realize that adding regulation will not significantly change the security issues and will cost end users tremendously.
You thought software prices in the 80's were horrible, wait until it costs you $70,000 for a text editor (that's been "certified").. that's where we're headed.
Software "Engineering" is still in its infancy. It's like civil engineering was back hundreds of years ago. In order to create more secure systems, we'll have to completely give up low-level languages and it'll take 10x as long to build in a feature (as it has to be "engineered" in).
Software Engineers will have to buy special insurance to protect them from lawsuits related to any potential bugs and that cost will be passed on.
I think arguments that more pressure should be put on Microsoft, which has been the source of probably 90% (or more) of the vulnerabilities. Of course, when the gov't just slaps the hands of a giant corporation for destroying markets with its monopolistic attacks, the clout of the gov't isn't all that great.
The idea of software being distributed without warranty dates all the way back to the first ever spreadsheet. The software company's lawyers were worried that if someone used the programme to design a suspension bridge, and it later collapsed and investigation proved that it was due to a flaw in the software, they might get sued. Furthermore, it would have been a physical impossibility to test the software in all circumstances. These were the days of 2MHz 8080 processors, lest we forget.
The sane response would have been "let them try, we'll never have what they're asking for and you can't be sued for what you've not got." Instead, that company explicitly disclaimed any warranty on their software, and the situation has persisted since. Today, one company is responsible for a lot of software, and they could easily afford to pay for several suspension bridge failures. But the law has not caught up with reality. The solution is simple and everyone will like it except the distributors of substandard software.
My proposed solution is to require all software to be guaranteed to perform substantially as indicated on the packaging. If you buy any other product, and it doesn't do what the literature said it was going to do, then you are entitled to a refund.
The only exception to the requirement for a guarantee would be where the source code is available for scrutiny. IMHO, reading the source code before deploying a mission-critical application is just Due Diligence. It has been stated by some that this is a lot of work to expect people to do. It is, but there is nothing to say independent bodies could not audit software for a fee. The GPL does not seek to prohibit anyone from making money out of their own work; only by misappropriating other people's work.
Whilst stopping short of my Ultimate Ideal, I think this is a fair compromise. Most goods are required to be guaranteed, why should software be any different? But Open Source software is more like self-assembly furniture: you {or a suitably qualified person in your pay} can examine the pieces {source code} before they are put together {compiled and installed}, determine suitability for your application, and make a decision: use as-is, use slightly-modified or reject outright. You only get your money back on kit-built stuff if there are actually any pieces missing; everyone understands that circumstances of deployment are beyond the control of the supplier.
Je fume. Tu fumes. Nous fûmes!
Suddenly a bug is discovered which will give others full control of your system. Acting quickly, a patch is created and a fixed version is put online, and warnings posted to all the regular places.
Several weeks later an exploit program is seen in the wild, attacking systems owned by CLUELESS USERS who either never knew of the problem, or were too lazy/overworked to fix it. The damage is immense, and in the current fingerpointing society most people blame this company even though they did everything that could be reasonably expected from them.
And now a growing group of people feel the government should be breathing down this company's neck for not making secure software?
Replace "company" with "group of OSS developers", and tell me how things should be different for this case, and why.
Mirrors suck, huh?
The free market does a fine job regulating itself, assuming users are willing to actually inform themselves. What's going on here, is the general populace is stupid about computers, and is opting for the government to do the thinking for them.
Part of the charm of the internet has always been its lack of regulation. It has been the last frontier that we can still explore. There were parts of it that should have been labelled on the map, "Here be monsters and sea serpents". Now, it is becoming like the cow town where the railroad now reaches, and the women have arrived, and they want to civilize the place. They want to hire a sheriff and close down the saloons. They want a dry goods store and a bank. The mountainmen and adventurers who first came are no longer welcome, and they will leave by their own choice, as this safe, homogeneous town is no longer interesting. The bad thing is, where will they go? Government regulation will be the death of innovation and the publishing of unpopular or non mainstream ideas. Sure, your IM program will be declared "safe" by the government. Nothing bad can happen, but your "smileys" don't interest me, and I will be leaving then, looking for another map with an area where there just may be sea serpents.
In the Soviet Union programmers were controlled by government authorities, standards, laws etc. They had to document every piece of their code. Now we see that it wasn't so stupid.
The cause of the current problem is only partially due to insecure Microsoft software. It is very noteworthy that Windows 98 and 95 were immune from the latest round of malware (W32/Blaster, W32/Welchia, W32/Sobig.F). The main cause is monoculture--the dominance of a single operating system, Windows NT and its variants.
What we need is a truly competitive market in which many operating systems compete, no single operating system dominates, and a market that uses many operating systems therefore demands and rewards inoperability and writing software to standards rather than writing to a single vendor's API.
Why don't we have it? Because Microsoft was allowed to get a monopoly and the Justice Department is not doing its job and breaking it up.
It wouldn't be any different if IBM were the dominant company--as it was a few decades ago--or Apple, or what have you.
The problem is not Microsoft. The problem is monopolization. And the answer is not the free market--monopolies exist only when the market has already failed.
"How to Do Nothing," kids activities, back in print!
I find it appalling that we tolerate anti-virus software as a necessary solution. IMO, every virus is an exploitation of a bug in the software, and the original vendor should be responsible for fixing the hole that allowed the virus to exist.
Why doesn't the press focus on the hypocrisy of holding software vendors more accountable for fixing their problems, while at the same time advocating supporting a third party to fix the same problems?
I about blew my top when fixing my in-laws' machine for a case of blaster, and MS so "conveniently" linked one of the trusted anti-virus sites that offered removal tools. If it's Microsoft's hole, why don't they provide a cleanup method?
(This is not to say we shouldn't have virus filters on SMTP and firewalls - there's nothing wrong with trying to block the spread of virii through multiple means)
The gummint will be only too happy to oblige and produce several layers of inefficient, costly, slow, slightly corrupt bureaucracy that will not solve the problem but will never disappear. As usual.
Let us put on our bureaucrat hat and see what can be done, in the immortal tradition of public service that gave us the Transportation Safely Authority. Let's see. Strip search programmers when they come to work in case they bring a copy of 2600? Have them remove their shoes? A nice start, but not enough.
See, the problem is that scumbags are writing programs that are up to no good. No scumbag coding, no worm and virus, eh? So let's put all compilers under lock. Let's make sure that scripting languages only accept input scripts that have been digitally signed by a new Programming Safety Authority. Let's make it a crime to use a computer without PSA-approved tools. Each program has to be certified by the PSA. Use the TCPA and Palladium chips to lock out all the bastards using non-PSA software and operating systems. Ban all non-Palladium computers and electronics. Do an FBI criminal check on each person entrusted with a compiler. And of course, recruit thousands of new civil servants to enforce all these new rules, at a low, low cost of [#insert eye-popping budget that will be overrun anyway]. There you have, secure computing. A bit harsh, but it's for our safety, isn't it?
If you think the above is funny, I am sorry. I meant it to be ironic in a chilling way. Because when you start involving the government into a human activity, you never know how the bureaucrats are going to warp it.
So I'm gonna speak slowly so that even New York Times journalists can understand: KEEP GOVERNMENT OUT OF COMPUTING. Got it?
--
Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/
The main reason worms can cause such havoc is that they find themselves in a monoculture.
That makes it easy for the worms to cause havoc. The main reason worms cause so much havoc is the tendency to try to hide stuff from everybody.
CDs use Your computer to install and set up stuff so they can play themselves.
File extensions are hidden so you can click on a presumably well-named file and have the spreadsheet show up.
A general tendency to have to click on everything to be sure you don't miss something.
A belief that there's got to be a magic bullet that will make everything safe again. And the belief that with the magic bullet in place that everything is safe.
People click on things they shouldn't click on. Look at why they click on them.
"Regulation = Standardisation = More Worms"
You've got that right, but methinks there are secondary forces that are even stronger than the primary. There is a progression starting with Melissa. (Remember Melissa? Melissa was nice!) Methinks we're nowhere near seeing the end of it.
It is no more possible to have 'a little regulation' than to be 'a little pregnant'. Throughout the history of industrialized society, the same pattern has been repeated over and over with a new technology:
Regulating the software business per se would lead to a Federal Software Commission dominated by ex-MS employees, who would write regulations favorable to their former employer -- not even out of corruption but because they express the corporate culture inculcated into them. Mark my words: The day is coming when it will be as illegal to write computer software without a license from the government as it is to practice medicine, law, plumbing or cosmetology without one. Have you noticed that the more laws there are to regulate an industry, the more expensive it is to be a customer thereof? And if you think closed-source is bad, just you wait until the entire profession is reserved for those who take their apprenticeships with other members of the Guild.
Far better to fight laws like UCITA, DMCA, software patents, etc. that attempt to deprive software customers of the few rights they already have, than to try to push for empowering the government to screw customers even more.
The free market has been forbidden to regulate itself. The customer has been forced to accept shrink-wrap licenses that deprive them, potential competitors, and independent consumer advocates, of the rights that would allow the free market to function correctly (by reverse-engineering to provide competing products, and benchmarking to judge performance and reliability). These licenses are already in violation of the fundamental principles of contract law.
We need to use the laws already on the books - how about a class action suit against a software company that puts out a shrink-wrap license that is fraudulent in the 48 states that haven't yet adopted UCITA (because it tells the customer that they must either accept its terms or return the software unopened for a refund, when no such license terms asserted after the sale can possibly be valid)? That would force the
[100% ISO 646 Compliant]
SVM, ERGO MONSTRO.
You're right. That's exactly what happened in other industries, including the automobile, airline, telephone, television and radio, insurance, securities, and dozens of other industries. In every case, once a regulatory body was introduced, small competitors were driven out of the market, and the few big players that were left came to dominate the regulatory board, as opposed to the other way around.
The continuing growth of bureaucracy and regulation is the reason why our parents were richer and more secure than we are, despite the fact that technology has increased the potential efficiency of industry by a factor of ten or more.
Now, this wasn't perfect, as they didn't require me to use a firewall, but it was better than nothing.
My ISP in Whitby, ON (Canada) (a suburb of Toronto -- damn I miss living in Texas), went a bit further: they were willing to provide me with a static IP address, if I could justify it to them. I let them know that (a) I liked to sink my own email with a backup MX if the connection went down and I did not run an open relay; (b) wanted to administer my home network remotely via ssh; (c) was planning to install a hardware firewall.
Interestingly, this ISP saved me the trouble of picking a firewall: they required that I use a particular brand of firewall/DSL modem. Unfortunately, it came configured wide open, but that was easy to fix. (amazing the traffic posting "crack past this firewall" to #2600 generates).
You could've hired me.
This worked for accessibility. When 11 state governments said that they would stop buying software with lousy accessibility for persons with disabilities, big software vendor(s) finally did something about it. Why shouldn't it also work for security???
This approach used to bring big advantages to the private sector, as manufacturers had to learn to do the right thing on many products. It has lost its impact recently, as the government has given in to business by buying COTS, no questions asked.
Name one monopoly that was achieved without the direct backing of government force, or more commonly, by exploiting an overly complex, ambiguous system of law.
Government is at the root of monopoly, not some "natural tendency of the market". The natural tendency of the market is to promote competition -- only government can prevent or eliminate it.