Slashdot Mirror


Increased Software Vulnerability, Gov't Regulation

PogieMT writes "An article in the New York Times (registration required) suggests that the rash of security flaws, viruses and worms is leading a push towards greater regulation by the government, which, according to the piece, has largely relied on the efforts of individual companies."

10 of 291 comments

  1. Regulation is not the answer by sql*kitten · · Score: 5, Insightful

    Regulation is not the answer - professionalism is. The government has oversight over the construction industry for example, but engineers are accredited and the profession is run day-to-day by the professional institution, in the UK this is the Institute of Civil Engineers. Same in medicine, the government oversees, but day to day regulation rests with the BMA, the British Medical Association, and doctors answer to them. Same with lawyers, accountants, investment bankers... even lifeguards and hairdressers have professional bodies.

    Software development needs to become more like engineering, and software developers should be required to take a qualification like CEng (UK) or PEng (US) in order to work in positions of authority and responsibility. Remember that engineering is about public safety - bridges don't often collapse, buildings don't often topple, and that's all because the people designing them have been certified by independent bodies. Programmers of safety-critical systems are already often required to be certified by the relevant body, usually that of the electrical engineers.

    1. Re:Regulation is not the answer by Ed+Avis · · Score: 4, Interesting

      I'm an MEng and I've still written programs that crash... so have you. It's not a question of certification but just how much time you're prepared to take writing some code (by which I include choice of method, programming language and so on) and testing it. You can have thirty years of experience and still bang out flaky code if you're in a hurry. And if flaky code is all that's needed for the particular task, why not?

      Rather than regulation we should let the market decide. Vendors could undertake: I will pay you $100 for each crash. Sometimes this already happens, eg with guarantees about the number of nines in server systems. The biggest problem is deciding responsibility for any faults. If an operating system call, which (according to POSIX or whatever) should not return null, one day does return null and the application crashes, who should pay up? And how do you find out whose fault it was? Running the whole system in some kind of virtual machine where you can roll back the last few seconds of execution would be one answer.

      --
      -- Ed Avis ed@membled.com
    2. Re:Regulation is not the answer by sql*kitten · · Score: 4, Insightful

      If a software program is poorly designed, it crashes, Joe User restarts his machine and goes on with his life. He doesn't even bother to investigate what caused the crash because it happens so often.

      But it is possible to write reliable software. Aircraft, for example, run on extremely reliable software. The way it works in civil engineering is, if you can't get a CEng to sign off on the plans, you can't go ahead with the project. A CEng won't sign unless he's sure, because if it fails, he's responsible and he'll likely never work again. The fact that he's an employee is neither here nor there, he answers to the ICE, not the company. A similar approach could be taken with software - make the senior programmer on a team personally responsible, and give them the authority - independent of the company employing them - to say yes or no.

  2. Re:Hmmm by rknop · · Score: 5, Insightful

    Call me cynical, but I don't think the US government are getting into this for the sake of safeguarding my PC from viruses...

    It's cynical, but it's also not an unreasonable fear based on anybody who's been rationally observing the behavior of our government recently.

    I fully expect that we'll see increased security resolutions which are ostensibly tough on companies like Microsoft, but those companies will embrace them (while all the while getting good PR about "doing the right thing and making the right sacrifices") because ultimately they will only be minor inconveniences... while the regulations that show up will all but prohibit free software (at least for commercial purposes, and possibly for anybody who wants to connect to the Internet), meaning that in the long run Microsoft benefits hugely from those "minor inconveniences".

    Meanwhile, the regulations-- like a lot of what we've seen with airport security-- won't increase actual computer security one whit, but anybody who complains about them will be chastised by John Ashcroft as a whiner who won't let the government do what it needs to safeguard our homeland.

    Yeah, I'm cynical too.

    -Rob

  3. Re:they forgot to mention by Eric+Ass+Raymond · · Score: 4, Interesting
    most of the vulns are in microsoft software

    It only appears so because Microsoft's software is found on practically every desktop and on the majority of server computers too.

    If Linux were as popular as Windows, you can bet we'd be in the same situation. Why? Because the problem is only partially software. The main problem is the clueless user and to a lesser extent the feature bloat required by the users.

    Let's imagine that the open source zealots got their wish and Microsoft was broken down or, even better, stopped selling software altogether and Linux would suddenly be the mainstay operating system both for desktops and servers. Linux would suddenly be truly big business. Corporations would develop their own distributions and make them as feature rich and easy to use as Windows was. In other words the (alleged) superior security of Linux distributions would be broken down in a day: The systems would enable logging in as root and would run all the conceivable daemons by default to avoid problems with third-party software.

    But getting back to the article. If operating systems were to become a government supervised commodity with stiff penalties for those who produce insecure software, would you be prepared to accept that open source companies (or the copyright owner, FSF) would get fined for every security breach - just like the manufacturers of proprietary software?

  4. trusted computing anyone? by Alien+Being · · Score: 5, Insightful

    Gates is probably telling Bush "see, this is why we need trusted computing." Bush will declare that either you are with him, or you are with the terrorists.

  5. Re:Regulation is the goal by Eric+Ass+Raymond · · Score: 5, Interesting
    I'll choose a democratically elected government over a plutocratic regime of corporations (=markets) any day.

    Them wanting to control the IT market

    Not all government control over the markets is bad. It's a fact that a capitalist society cannot self-regulate - its natural growth is always towards a monopoly. This unhealthy growth cannot be curbed by some internal mechanism inherent in the markets (as libertarians like to believe) and external control is always required at some stage.

  6. ENFORCE the antitrust laws by dpbsmith · · Score: 4, Interesting

    The cause of the current problem is only partially due to insecure Microsoft software. It is very noteworthy that Windows 98 and 95 were immune from the latest round of malware (W32/Blaster, W32/Welchia, W32/Sobig.F). The main cause is monoculture--the dominance of a single operating system, Windows NT and its variants.

    What we need is a truly competitive market in which many operating systems compete, no single operating system dominates, and a market that uses many operating systems therefore demands and rewards interoperability and writing software to standards rather than writing to a single vendor's API.

    Why don't we have it? Because Microsoft was allowed to get a monopoly and the Justice Department is not doing its job and breaking it up.

    It wouldn't be any different if IBM were the dominant company--as it was a few decades ago--or Apple, or what have you.

    The problem is not Microsoft. The problem is monopolization. And the answer is not the free market--monopolies exist only when the market has already failed.

  7. Now watch as... by Kyouryuu · · Score: 4, Insightful

    Now watch as Bill Gates and his cronies push for Trusted Computing, the Palladium project. After all, it's never Microsoft's fault that the bugs exist, right? It's always those darned users and by George we need to foolproof the system. Please. Trusted computing is a joke. It is a power play by top industry corporations to seize power and act as yet another cohesive monopoly in a so-called free market. Just like the RIAA. Just like the MPAA.

    Here's a thought. Hold the software companies responsible for their own goofups and bugs. Let the people sue. Let the people file their class action lawsuits against Microsoft for their errors. But don't let the government take control.

    I don't want the ignorant US government, or any government for that matter, looking over the Internet and infringing on it any more than they already are. Half of those farts probably don't even know what the Internet is. I can't say I'd want these clueless individuals, easily motivated by legal bribery (lobbies) and big business (Palladium), to be involved. They will only serve to screw things up, pass ridiculous laws, and tax Internet commerce to death. Let the Internet be that one place government is unable to corrupt.

    The problem is that the people who aren't on the Internet, the people who take passive interest in computers, are ignorant of these facts. That's why I feel, unfortunately, that things like Palladium are destined to pass. Microsoft and others are going to get these bills through the door while the politicians are still ignorant of computers.

    I'd like to say we can stop them, but we don't have a $47 billion lobbyist group behind us.

  8. An incredibly BAD idea by The+Monster · · Score: 5, Interesting

    A little regulation would be nice

    It is no more possible to have 'a little regulation' than to be 'a little pregnant'. Throughout the history of industrialized society, the same pattern has been repeated over and over with a new technology:

    1. None of the existing agencies seems to have jurisdiction over the peculiar characteristics of the technology, so a thousand flowers bloom. Some work; others don't. The pioneers know this. They expect it.
    2. The technology becomes sufficiently stable and productive, relative to existing alternatives, as to become important to the smooth flow of commerce. The 'civilized' people move into the former frontier territory, and expect services to be delivered on demand. They don't know nor care about the work done by the pioneers to get it to work as well as it does.
    3. At a certain point, when the political climate is right, the Do-Gooders move in. They declare that the industry is rife with problems that only the government can solve. They seize upon some event (such as a multi-state/province blackout that can be plausibly traced to a computer worm) and demand a law to empower a new bureaucracy to oversee this wild, untamed industry.
    4. Sooner or later, the law passes, and the Do-Gooders move on to the next Great Crusade. Meanwhile, the President has to appoint people to run the agency that regulates the industry.

      Now, who knows anything about the industry.... YES! That's right. The people who work in that industry (for companies that donated to my campaign).

    5. The agency is now part of a revolving door system, where people put in a stint working for one of the major companies in the industry, then go to work for the agency that regulates them, then possibly back to private industry...

    Regulating the software business per se would lead to a Federal Software Commission dominated by ex-MS employees, who would write regulations favorable to their former employer -- not even out of corruption but because they express the corporate culture inculcated into them. Mark my words: The day is coming when it will be as illegal to write computer software without a license from the government as it is to practice medicine, law, plumbing or cosmetology without one. Have you noticed that the more laws there are to regulate an industry, the more expensive it is to be a customer thereof? And if you think closed-source is bad, just you wait until the entire profession is reserved for those who take their apprenticeships with other members of the Guild.

    Far better to fight laws like UCITA, DMCA, software patents, etc. that attempt to deprive software customers of the few rights they already have, than to try to push for empowering the government to screw customers even more.

    Obviously, the free market isn't going to regulate itself when the consumer and even the government has decided that this is normal and that they will just 'put up with it'.

    The free market has been forbidden to regulate itself. The customer has been forced to accept shrink-wrap licenses that deprive them, potential competitors, and independent consumer advocates, of the rights that would allow the free market to function correctly (by reverse-engineering to provide competing products, and benchmarking to judge performance and reliability). These licenses are already in violation of the fundamental principles of contract law.

    We need to use the laws already on the books - how about a class action suit against a software company that puts out a shrink-wrap license that is fraudulent in the 48 states that haven't yet adopted UCITA (because it tells the customer that they must either accept its terms or return the software unopened for a refund, when no such license terms asserted after the sale can possibly be valid)? That would force the

    --

    [100% ISO 646 Compliant]
    SVM, ERGO MONSTRO.