Increased Software Vulnerability, Gov't Regulation
PogieMT writes "An article in the New York Times (registration required) suggests that the rash of security flaws, viruses and worms is leading a push towards greater regulation by the government, which, according to the piece, has largely relied on the efforts of individual companies."
Much like car safety between the '50s and '70s. Manufacturers simply didn't care about safety, because the customer didn't care.
Be wary of any facts that confirm your opinion.
Call me cynical, but I don't think the US government are getting into this for the sake of safeguarding my PC from viruses...
Who is going to pay for regulation? I can see governments passing it between them waiting for someone else to pay. Self regulation by software companies will not work; can you see Microsoft, SCO, Sun and Red Hat sitting down to draft a policy? I can't.
Regulation is not the answer - professionalism is. The government has oversight over the construction industry for example, but engineers are accredited and the profession is run day-to-day by the professional institution, in the UK this is the Institute of Civil Engineers. Same in medicine, the government oversees, but day to day regulation rests with the BMA, the British Medical Association, and doctors answer to them. Same with lawyers, accountants, investment bankers... even lifeguards and hairdressers have professional bodies.
Software development needs to become more like engineering, and software developers should be required to take a qualification like CEng (UK) or PEng (US) in order to work in positions of authority and responsibility. Remember that engineering is about public safety - bridges don't often collapse, buildings don't often topple, and that's all because the people designing them have been certified by independent bodies. Programmers of safety-critical systems are already often required to be certified by the relevant body, usually that of the electrical engineers.
Regulation may or may not work. What would really work would be if the government (Microsoft's biggest customer, I've heard) stopped buying their products in favor of others that are more secure. Re-evaluate that when Microsoft's products have less of an issue.
I know that all systems have some security problems or another. I don't recall any of them having sent me a thousand e-mail messages every day, though. And it's not like this is the first time.
Let the government talk with its money and people will listen.
Personally, I don't really like my tax money going so much to Microsoft. For one thing, I don't like that the privacy of my information and security of the systems relies on something that seems to have so many problems.
Sean
It's not just Microsoft, they are just really prevalent. With new laws coming like UCITA, software makers can disclaim all liability while making false advertisements about the software's ability to perform a certain function. Notice how every software maker has advertised that their product is the very best, most secure product on the market? How can everyone be the best all at once? It would also allow for far more draconian licensing clauses.
A little regulation would be nice. Obviously, the free market isn't going to regulate itself when the consumer and even the government has decided that this is normal and that they will just 'put up with it'. Well, some of us have had enough.
You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
I tried to submit something similar before as an article but it was denied
Personally I would stop using machines if it were possible to have some form of monitoring of my actions without my authorization. Aside from that it's not a secret that the NSA has been accused of corporate espionage, so I would hope large corporations would think twice about giving them any form of say when it comes to codes for commercial software.
It only appears so because Microsoft's software is found on practically every desktop and on the majority of server computers too.
If Linux were as popular as Windows, you can bet we'd be in the same situation. Why? Because the problem is only partially software. The main problem is the clueless user and to a lesser extent the feature bloat required by the users.
Let's imagine that the open source zealots got their wish and Microsoft was broken down or, even better, stopped selling software altogether and Linux would suddenly be the mainstay operating system both for desktops and servers. Linux would suddenly be truly big business. Corporations would develop their own distributions and make them as feature rich and easy to use as Windows was. In other words the (alleged) superior security of linux distributions would be broken down in a day: The systems would enable logging in as root and would run all the conceivable daemons by default to avoid problems with third-party software.
But getting back to the article. If operating systems were to become a government supervised commodity with stiff penalties for those who produce insecure software, would you be prepared to accept that open source companies (or the copyright owner, FSF) would get fined for every security breach - just like the manufacturers of proprietary software?
Isn't it strange how there is a marked surge in software control in the past few months with Microsoft's main competitor being an OS that is being built with a relatively low centralized control!
Anything government regulated is limited by borders and politics. Unless this sort of regulation is implemented by a non-governmental world body then it's useless and will only serve to segregate the internet.
Gates is probably telling Bush "see, this is why we need trusted computing." Bush will declare that either you are with him, or you are with the terrorists.
Notice how every software maker has advertised that their product is the very best, most secure product on the market? How can everyone be the best all at once?
...? I'm still waiting for the pepsi bottle that says "great taste, second only to coke"
Err.. on what planet do you live? This isn't new and it's not limited to the computer industry. What has that got to do with UCITA? Have you ever seen a company say anything else but "leader in abc", "best product of xyz",
That wouldn't be necessary if the user does as his third suggestion, patch the system.
And that wouldn't be necessary if the system would be built more securely from the start.
A good idea for MS would be to not make their stuff so user-friendly that it automatically executes every virus attachment that it comes across but instead would warn the user by default.
While regulation of software might sound like a good idea to the anti-Microsoft crowd, consider how it would affect free software developers. Imagine if you couldn't release any software that hasn't been vetted by some government agency - that would be the end of 99% of the open-source projects out there.
And even if there were some exemption for not-for-profit developers, what about distribution companies like Redhat? They would be out of business in seconds.
The BBC was making similar mistakes in reporting viruses, worms and security flaws until very recently. I emailed their editors and showed them the error of their ways. They now carefully mention which platform the vulnerabilities apply to when they report them...
In my opinion the easiest way to cope with this threat is to make software companies responsible for their products - see the article by Declan McCullagh.
Of course this regulation has to be done carefully - we shall deem liable for damages only those companies that require MONEY for that product: for instance when you install a free version of RedHat Linux - RedHat (or anybody else) is not responsible for the damage, yet if you pay for this distro - then RedHat _shall_ be responsible - they can simply buy insurance against such claims. I am sure that the price that Linux companies will pay for such insurance will be smaller than in the case of Microsoft.
When their Quicken data or other very personal info is 'liberated', or any number of other pieces of personal information. Can you imagine how fast things would be patched if a virus/worm scanned for Quicken/QuickBooks/misc financial data and emailed them to people in the local address book?
eric
Regulating computer safety makes these guys exactly like the AT&T of yore. And don't we all know what happened with that?
So let some damned competition into the market. The only reason to trust these guys in any other situation is to simply not understand the idea of a world without them, and sadly that seems to be the way most people think.
Them wanting to control the IT market
Not all government control over the markets is bad. It's a fact that a capitalist society cannot self-regulate - its natural growth is always towards a monopoly. This unhealthy growth cannot be curbed by some internal mechanism inherent in the markets (as libertarians like to believe) and external control is always required at some stage.
You don't buy a car for $20, $50 or even $399. Nor do we build bridges for anything near that cost. Realize that adding regulation will not significantly change the security issues and will cost end users tremendously.
You thought software prices in the '80s were horrible, wait until it costs you $70,000 for a text editor (that's been "certified").. that's where we're headed.
Software "Engineering" is still in its infancy. It's like civil engineering was back hundreds of years ago. In order to create more secure systems, we'll have to completely give up low-level languages and it'll take 10x as long to build in a feature (as it has to be "engineered" in).
Software Engineers will have to buy special insurance to protect them from lawsuits related to any potential bugs and that cost will be passed on.
I think arguments that more pressure should be put on Microsoft, which has been the source of probably 90% (or more) of the vulnerabilities. Of course, when the gov't just slaps the hands of a giant corporation for destroying markets with its monopolistic attacks, the clout of the gov't isn't all that great.
I think regulation is the wrong solution. A better solution is to hold companies responsible for security breaches.
Everybody keeps passing the buck: businesses blame the software company, software companies blame hackers, and ultimately the taxpayer and customer ends up paying for the incompetence and poor choices of the businesses.
Businesses should be primarily responsible for the harm that arises from the software they choose. If they want to pass on the risk of their choice to the software company, that should require an explicit contractual agreement.
And the government should get out of trying to regulate how software is written, and the government should get out of trying to catch "hackers".
Any user who does not patch daily and harms another due to not being patched should be punished. Here is how I think it should work....
... "If you don't patch and change your behavior, we cut you off without warning."
A few big ISPs should simply start cutting service to those who have been backdoored and are zombies, have opened virus laden e-mails, or are otherwise infected and causing others problems. For example, no firewall on an open, always-on connection. Especially cable modem ISPs and DSL providers should do this. It should be VERY heavily marketed.
My feeling is that by doing this, people will finally start learning how to patch and how to not open e-mail attachments. People will get firewalls and AV software ASAP.
I have seen the threat of this work on a small scale. ISPs are dimwitted morons for not requiring this in the first place. How stupid to give a bunch of newbies loaded guns and then deny responsibility. Buy stock in firewall and AV companies!
Corporations would develop their own distributions and make them as feature rich and easy to use as the Windows was. In other words the (alleged) superior security of linux distributions would be broken down in a day: The systems would enable logging in as root and would run all the conceivable daemons by default to avoid problems with third-party software.
You may have a point. But if there were several corporations creating Linux distros, they would probably have different features, default daemons, etc. Viruses would not spread as easily as they do now.
Also, with Linux an interested user can decide by himself what stuff he wants to install. If I don't want to use IE, Outlook express, Mediaplayer, etc, because I think they are full of spyware and insecure, it is quite difficult to choose something else under Windows. Not so on Linux.
Monopolies are bad. They make viruses spread more easily.
The idea of software being distributed without warranty dates all the way back to the first ever spreadsheet. The software company's lawyers were worried that if someone used the programme to design a suspension bridge, and it later collapsed and investigation proved that it was due to a flaw in the software, they might get sued. Furthermore, it would have been a physical impossibility to test the software in all circumstances. These were the days of 2MHz 8080 processors, lest we forget.
The sane response would have been "let them try, we'll never have what they're asking for and you can't be sued for what you've not got." Instead, that company explicitly disclaimed any warranty on their software, and the situation has persisted since. Today, one company is responsible for a lot of software, and they could easily afford to pay for several suspension bridge failures. But the law has not caught up with reality. The solution is simple and everyone will like it except the distributors of substandard software.
My proposed solution is to require all software to be guaranteed to perform substantially as indicated on the packaging. If you buy any other product, and it doesn't do what the literature said it was going to do, then you are entitled to a refund.
The only exception to the requirement for a guarantee would be where the source code is available for scrutiny. IMHO, reading the source code before deploying a mission-critical application is just Due Diligence. It has been stated by some that this is a lot of work to expect people to do. It is, but there is nothing to say independent bodies could not audit software for a fee. The GPL does not seek to prohibit anyone from making money out of their own work; only by misappropriating other people's work.
Whilst stopping short of my Ultimate Ideal, I think this is a fair compromise. Most goods are required to be guaranteed, why should software be any different? But Open Source software is more like self-assembly furniture: you {or a suitably qualified person in your pay} can examine the pieces {source code} before they are put together {compiled and installed}, determine suitability for your application, and make a decision: use as-is, use slightly-modified or reject outright. You only get your money back on kit-built stuff if there are actually any pieces missing; everyone understands that circumstances of deployment are beyond the control of the supplier.
Dude, don't you have a job to do? Haven't you caught them pesky Duke boys yet?
Suddenly a bug is discovered which will give others full control of your system. Acting quickly, a patch is created and a fixed version is put online, and warnings posted to all the regular places.
Several weeks later an exploit program is seen in the wild, attacking systems owned by CLUELESS USERS who either never knew of the problem, or were too lazy/overworked to fix it. The damage is immense, and in the current fingerpointing society most people blame this company even though they did everything that could be reasonably expected from them.
And now a growing group of people feel the government should be breathing down this company's neck for not making secure software?
Replace "company" with "group of OSS developers", and tell me how things should be different for this case, and why.
Mirrors suck, huh?
Get rid of the whole regulation issue. That's not necessary. It would be far better to make the software publisher liable for any faults or flaws in the software that led to an incident such as MSBlaster, Slammer or any other number of worms out there.
Virii like SoBig.F are not something that can be avoided because the vulnerability there is the users themselves. The only way to sort out virii like that is to educate users to not open email they are not expecting or recognise. Even then it's still a risk.
If Microsoft were liable for the damages caused by the worms such as MSBlaster and Slammer because their software was vulnerable, don't you think their culture would change very rapidly? Instead of having the worst security reputation, they'd suddenly have the very best. Win2k3 is a good start in the right direction by disabling everything by default. I applaud that. Now they need to sort out their coding practices so that these sorts of issues are a non-event.
Governments don't need to regulate anything. All they need to do is make it illegal for a company to not take responsibility for faulty products, regardless of the product. It worked in the automobile industry, it's worked in the medical industry, it's worked in the engineering industry.
If my car explodes because of a fault in the fuel line at manufacturing, I'm perfectly within my rights to sue that company. If my computer becomes completely unusable because a vulnerability allowed someone to damage it or similar, why shouldn't I sue the publisher of that software? I'd also reserve the right to sue the person that exploited that vulnerability and caused the damage.
Don't need regulation, just liability and a warranty of suitability for a purpose. 'This OS is guaranteed to perform to XXXXXXX level and is considered suitable for XXXXXXXXXX purpose.'
The free market does a fine job regulating itself, assuming users are willing to actually inform themselves. What's going on here, is the general populace is stupid about computers, and is opting for the government to do the thinking for them.
When M$ Windoze becomes fully warrantied (M$ can afford it), and most OSS coders don't dare accept liability for their software .... "Why should we be using Linux for our company systems? It doesn't even come with a guarantee! On with the windoze installation!"
I think that here "voluntary efforts" refers to businesses' efforts to handle security without regulations and laws forcing them to (i.e. 'voluntarily'), and doesn't refer to Open Source developers.
Have a nice day.
Part of the charm of the internet has always been its lack of regulation. It has been the last frontier that we can still explore. There were parts of it that should have been labelled on the map, "Here be monsters and sea serpents". Now, it is becoming like the cow town where the railroad now reaches, and the women have arrived, and they want to civilize the place. They want to hire a sheriff and close down the saloons. They want a dry goods store and a bank. The mountainmen and adventurers who first came are no longer welcome, and they will leave by their own choice, as this safe, homogeneous town is no longer interesting. The bad thing is, where will they go? Government regulation will be the death of innovation and the publishing of unpopular or non mainstream ideas. Sure, your IM program will be declared "safe" by the government. Nothing bad can happen, but your "smileys" don't interest me, and I will be leaving then, looking for another map with an area where there just may be sea serpents.
"What we're seeing is that those voluntary efforts are insufficient, and the repercussions are vast."
Did I miss a meeting? Is this not Slashdot? I'm skimming through the posts and seeing a lot of clamoring that seems to approve regulating software. IS NOT LINUX A VOLUNTARY EFFORT?! Hand this guy a copy of Knoppix and tell him to crack it!
The biggest problem with computers on the internet today is the number of people who ran out and bought a computer because it looked like an interactive television. Hold the end user responsible for what their computer does.
I like to view my computer as one of my best friends... Proverbially, man's best friend is a dog... In other words, a pet. Think of it in this light: Do you sue the kennel when your dog bites your neighbor? No... You sue the kennel for selling you a dog with physical defect, but not a personality defect. You are responsible for your pet's actions, even if the kid down the street was shooting him with the super soaker, makes the dog mad, and the dog goes out on a rampage biting old ladies.
So if your computer goes out and bites another system, then you should be responsible for the cleanup costs regardless of who or what made it go off like that. Sure, it may sound harsh, but if it takes a few "Bonzai Buddy" users out of the pool, I doubt the net will suffer too greatly.
Microsurfs repeat this myth a lot. Is it true? Does WinXX have more viruses and stability problems because it is on "practically every desktop and server"?
Obviously not. OpenSource software runs 67% of the Internet, and Linux is underneath a large part of those applications, yet it is only those Internet servers running Microsoft products that are targets of the malware. It is a fact that Script Kiddies and Crackers target WinXX and its applications because they are easy to break into. As far as reliability goes, Bill Gates himself said that 50% of all WinXX platforms crash at least once a day. I have no doubts that the remaining 50% crash more than once a day. He also said that half of the stability problems were caused by drivers from 3rd party software houses, but that leaves four fingers pointing back at MS. He knows full well that if his platforms were more stable 3rd party software would be more stable. http://www.bugtoaster.com/dw15/Reports/OperatingS
Linux now runs about 25% of corporate America's servers and is probably setting on 10% of their desktops. In other countries the percentages are higher. One would think that 25% of the viruses and trojans would be targeted at Linux, if susceptibility were merely a function of percentages. Not so. The fact is that unlike Windows, Linux stability is legendary, and so is the security. The properties were designed into Linux and the OpenSource paradigm is the major reason. "All bugs are shallow to a thousand eyeballs." Proprietary code can't match it. Another reason for Linux's security is that users don't run as root. Script kiddies running root kits have a much harder time breaking into a Linux box. That is why, when a Linux box is cracked, it becomes front page news, while the news about Microsoft cracks is how many millions of machines got compromised. Microsurfts failing to "patch" their boxes isn't the reason. The patches themselves can cause more holes than the ones they supposedly fix. The number of holes is so great it is becoming impossible for WinXX users to protect their machines. Anti-virus software can't work until the virus is trapped, analyzed and a fix created. By then many machines have been compromised. It amazed me at work how much effort was required to clean up Natchi and SoBig, even though 6 MSCE labored furiously to secure our network before the infections were discovered.
Your comment reveals your ignorance about how Linux works but I'm not going to take the space here to explain it to you.
The cause of the current problem is only partially due to insecure Microsoft software. It is very noteworthy that Windows 98 and 95 were immune from the latest round of malware (W32/Blaster, W32/Welchia, W32/Sobig.F). The main cause is monoculture--the dominance of a single operating system, Windows NT and its variants.
What we need is a truly competitive market in which many operating systems compete, no single operating system dominates, and a market that uses many operating systems therefore demands and rewards interoperability and writing software to standards rather than writing to a single vendor's API.
Why don't we have it? Because Microsoft was allowed to get a monopoly and the Justice Department is not doing its job and breaking it up.
It wouldn't be any different if IBM were the dominant company--as it was a few decades ago--or Apple, or what have you.
The problem is not Microsoft. The problem is monopolization. And the answer is not the free market--monopolies exist only when the market has already failed.
What the government should do is enforce diversity. Requiring every government department above some minimum size to use systems from at least 3 independent sources would be a start.
I find it appalling that we tolerate anti-virus software as a necessary solution. IMO, every virus is an exploitation of a bug in the software, and the original vendor should be responsible for fixing the hole that allowed the virus to exist.
Why doesn't the press focus on the hypocrisy of holding software vendors more accountable for fixing their problems, while at the same time, advocating supporting a third party to fix the same problems?
I about blew my top when fixing my in-laws' machine for a case of blaster, and MS so "conveniently" linked one of the trusted anti-virus sites that offered removal tools. If it's microsoft's hole, why don't they provide a cleanup method?
(This is not to say we shouldn't have virus filters on SMTP and firewalls - there's nothing wrong with trying to block the spread of virii through multiple means)
The only way Linux, FreeBSD, and all of the other operating systems that have appeared over the years were possible is because of the lack of government regulation. Once the government steps in, it will only stifle creativity and limit consumer options.
Who is best to deal with government regulations? Microsoft.
Thanks, but no thanks. This issue will work itself out. We are in our growing stages. The government is not a solution to everything... actually, not much at all, really.
The gummint will be only too happy to oblige and produce several layers of inefficient, costly, slow, slightly corrupt bureaucracy that will not solve the problem but will never disappear. As usual.
Let us put on our bureaucrat hat and see what can be done, in the immortal tradition of public service that gave us the Transportation Safety Authority. Let's see. Strip search programmers when they come to work in case they bring a copy of 2600? Have them remove their shoes? A nice start, but not enough.
See, the problem is that scumbags are writing programs that are up to no good. No scumbag coding, no worm and virus, eh? So let's put all compilers under lock. Let's make sure that scripting languages only accept input scripts that have been digitally signed by a new Programming Safety Authority. Let's make it a crime to use a computer without PSA-approved tools. Each program has to be certified by the PSA. Use the TCPA and Palladium chips to lock out all the bastards using non-PSA software and operating systems. Ban all non-Palladium computers and electronics. Do an FBI criminal check on each person entrusted with a compiler. And of course, recruit thousands of new civil servants to enforce all these new rules, at a low, low cost of [#insert eye-popping budget that will be overrun anyway]. There you have it, secure computing. A bit harsh, but it's for our safety, isn't it?
If you think the above is funny, I am sorry. I meant it to be ironic in a chilling way. Because when you start involving the government into a human activity, you never know how the bureaucrats are going to warp it.
So I'm gonna speak slowly so that even New York Times journalists can understand: KEEP GOVERNMENT OUT OF COMPUTING. Got it?
Software on airplanes works reasonably well because they test the hell out of it and two airplanes of the same model are pretty much the same. Also, the users of the software (airplane crews) are well-trained. The extreme testing and thorough training though makes it very expensive. I don't think we can afford to hire a software engineer and tutor for each household.
I would be afraid that regulation would not fully take into account the difficulties of making perfect software and dealing with untrained users.
If Linux were as popular as Windows, you can bet we'd be in the same situation. Why? Because the problem is only partially software.
I can download any Linux virus I want, and I can click on it as much as I want but guess what? It still won't run unless I mark it to execute. That practically eliminates email viruses that require people to run them. Not to mention that hiding file extensions by default is really not user friendly in any way, and when your OS depends on the file extension to determine its action, HIDING the file extension is the last thing you want to do.
But on the other hand, if other industries are examined, such regulation will only turn into a further barrier to entry for new entrants to the market and non-commercial (i.e. Free and Open Source) software.
I already see this when trying to sell FOSS solutions to the public sector, who invariably have successful "Common Criteria" evaluation as a "nice to have" (at least - in some cases it's mandatory).
Getting these evaluations done is expensive, so only the big boys get to play... Ironically, the people I talk with know that FOSS solutions are usually at least as secure as the products on their approved list, but their hands are tied by regulations and auditors.
Now watch as Bill Gates and his cronies push for Trusted Computing, the Palladium project. After all, it's never Microsoft's fault that the bugs exist, right? It's always those darned users and by George we need to foolproof the system. Please. Trusted computing is a joke. It is a power play by top industry corporations to seize power and act as yet another cohesive monopoly in a so-called free market. Just like the RIAA. Just like the MPAA.
Here's a thought. Hold the software companies responsible for their own goofups and bugs. Let the people sue. Let the people file their class action lawsuits against Microsoft for their errors. But don't let the government take control.
I don't want the ignorant US government, or any government for that matter, looking over the Internet and infringing on it any more than they already are. Half of those farts probably don't even know what the Internet is. I can't say I'd want these clueless individuals, easily motivated by legal bribery (lobbies) and big business (Palladium), to be involved. They will only serve to screw things up, pass ridiculous laws, and tax Internet commerce to death. Let the Internet be that one place government is unable to corrupt.
The problem is that the people who aren't on the Internet; the people who take passive interest in computers, are ignorant to these facts. That's why I feel, unfortunately, that things like Palladium are destined to pass. Microsoft and others are going to get these bills through the door while the politicians are still ignorant to computers.
I'd like to say we can stop them, but we don't have a $47 billion lobbyist group behind us.
You don't want the ISP to firewall for you. For this extra "service" you'd pay more. To open an extra port (to play quake for example) you'd have to pay extra. This would lead to every application using port 80 so they can get through the firewall, and then another mechanism (MS SOAP or whatever) to run other stuff through that port. At that point nothing is different except things are more complicated, and you gave up some freedom. Not to mention it makes the ISP responsible for the traffic on their network - something neither they nor you should want.
It is no more possible to have 'a little regulation' than to be 'a little pregnant'. Throughout the history of industrialized society, the same pattern has been repeated over and over with a new technology:
Regulating the software business per se would lead to a Federal Software Commission dominated by ex-MS employees, who would write regulations favorable to their former employer -- not even out of corruption but because they express the corporate culture inculcated into them. Mark my words: The day is coming when it will be as illegal to write computer software without a license from the government as it is to practice medicine, law, plumbing or cosmetology without one. Have you noticed that the more laws there are to regulate an industry, the more expensive it is to be a customer thereof? And if you think closed-source is bad, just you wait until the entire profession is reserved for those who take their apprenticeships with other members of the Guild.
Far better to fight laws like UCITA, DMCA, software patents, etc. that attempt to deprive software customers of the few rights they already have, than to try to push for empowering the government to screw customers even more.
The free market has been forbidden to regulate itself. The customer has been forced to accept shrink-wrap licenses that deprive them, potential competitors, and independent consumer advocates, of the rights that would allow the free market to function correctly (by reverse-engineering to provide competing products, and benchmarking to judge performance and reliability). These licenses are already in violation of the fundamental principles of contract law.
We need to use the laws already on the books - how about a class action suit against a software company that puts out a shrink-wrap license that is fraudulent in the 48 states that haven't yet adopted UCITA (because it tells the customer that they must either accept its terms or return the software unopened for a refund, when no such license terms asserted after the sale can possibly be valid)? That would force the
[100% ISO 646 Compliant]
SVM, ERGO MONSTRO.
After developing applications for a wide variety of banking industries it became clear that:
1) The only way to develop software systems is to proactively secure the systems once they are deployed.
2) To proactively and continuously review and examine such systems, you must have the source code and build tools and access to the hardware engineering requirements of the systems involved.
3) The only known process where this can be achieved is through Open Source.
Closed binary proprietary software is not secure, cannot be MADE secure, is impossible TO secure, and with patent and copyright laws as written it could be quite possible you could be SUED for securing the software yourself.
Security became an extension of the software engineering process for the company I started previously, and it involved reviewing the source code and making changes, performing attacks, etc.
Critical to this process was to have as many eyes and opinions looking at the source code as possible. The more experienced professionals that had a chance to offer advice and opinions on the code, the better and more secure the code became.
An entire portion of the software engineering process cannot even be done with proprietary software, and I personally as a CIO, declared proprietary binary only software sales DOA in this industry 2 years ago.
-Hack
Got Geometrodynamics? Awe, too hard to figure out? Too bad.
Now, this wasn't perfect, as they didn't require me to use a firewall, but it was better than nothing.
My ISP in Whitby, ON (Canada) (a suburb of Toronto -- damn I miss living in Texas), went a bit further: they were willing to provide me with a static IP address, if I could justify it to them. I let them know that (a) I liked to sink my own email with a backup MX if the connection went down and I did not run an open relay; (b) wanted to administer my home network remotely via ssh; (c) was planning to install a hardware firewall.
Interestingly, this ISP saved me the trouble of picking a firewall: they required that I use a particular brand of firewall/DSL modem. Unfortunately, it came configured wide open, but that was easy to fix. (Amazing the traffic posting "crack past this firewall" to #2600 generates.)
You could've hired me.
This worked for accessibility. When 11 state governments said that they would stop buying software with lousy accessibility for persons with disabilities, big software vendor(s) finally did something about it. Why shouldn't it also work for security???
This approach used to bring big advantages to the private sector, as manufacturers had to learn to do the right thing on many products. It has lost its impact recently, as the government has given in to business by buying COTS, no questions asked.
There's a reason they forgot to mention that. The effect of regulation like this will be to keep many individuals and small shops from producing software. It might be a major step towards destroying Linux and other Open Source projects. Microsoft, big and rich enough to deal with any red tape and above the law when they do illegal things, will be unaffected. They will embrace it, may even be the force behind getting it started to smash those that dared to make better products.
I'm an American. I love this country and the freedoms that we used to have.
It will if those developers are personally responsible for the work, accountable to a supervisory professional body, and liable to lose their professional status and hence livelihood if they make a serious mistake. All the managers in the world won't get a known bad product out the door at that point, because every professional developer will tell them where to go. It's like unionisation, but with a somewhat different (and arguably less dangerous) slant.
The problem of course, is how to form a suitable supervisory body to do the accreditation. I sure as hell wouldn't trust most of the guys I've worked with to sit in judgement over the coding practices of another. Almost no-one invests the time and effort to get their skills to that level, because in most software development industries it's not worth it unless you're doing it as much out of interest and professionalism as out of a desire to earn your pay. In civil engineering, we have a long history of success stories and failures to provide concrete evidence (no pun intended) of what works and what doesn't. There is no analogue in software development today, and without it, who's to say what really constitutes "best practice"?
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Name one monopoly that was achieved without the direct backing of government force, or more commonly, by exploiting an overly complex, ambiguous system of law.
Government is at the root of monopoly, not some "natural tendency of the market". The natural tendency of the market is to promote competition -- only government can prevent or eliminate it.