Will Security Task Force Affect OSS Acceptance?

An anonymous reader writes "An interesting article published by SD Times: "Application Security Goes National" discusses some of the talking points generated by a federal task force that will make recommendations to the Department of Homeland Security. One of these talking points is to license software developers and make them accountable for security breaches. Licensed developers would get paid more as well. The article also mentions that "Executives" might not wish to work with smaller undiciplined partners and a little further down that "Hobbyists create Web services [and] professionals create them" and that "companies relying on critical infrastructure Web services need confidence". Would OSS have to be writen entirely by licensed developers to be considered secure? . Yahoo Finance has another article on the subject." The SD Times article is current, despite the incorrect date on it.

Only as secure as platform...

[mikeyrb]

But programs are only as secure as the platform they run on, and of course the same as the people who use them. If people don't run their system properly, I'd say that's worse. Not to mention that people would use trusted vendors anyway, so I don't see what this adds.

Re:Only as secure as platform...

It adds your mom.

Re:Only as secure as platform...

[Baddsectorr]

uh, yeah. maybe they should ask Microsoft why they cant get after 3 or 4 times? write quality software that is...

Re:Only as secure as platform...

[jfdawes]

Systems are software too. The article talks about having different levels of programmers. If you want to be working on an OS (system), you'll need a certain sort of licence to do so and you will be held accountable for any problems that occur.

Your statement "programs are only as secure as the platform they run on" may or may not be true, but if it is, wouldn't insisting that the systems are built by licensed professionals who are held accountable be preferrable?

Re:Only as secure as platform...

[Geek+of+Tech]

Lets not start the paid != better debate.

My 2 cents: I don't think this will fly. I doubt that Microsoft wants to have to find only licenced developers. I also don't think Microsoft wants to pay them more. But most importantly, I have no doubt whatsoever that Microsoft doesn't want to have to do a complete rewrite of it's OS just so it will be certified. That would throw them a few more years off schedule. I think Microsoft will throw some weight against that.

Re:Only as secure as platform...

[Darth+Hubris]

If this does get pushed through, and I doubt it, the end result is the important thing. The US government should get to see the Windows source code and analyze it. It can also analyze the source code of any GPL'd OS just as easily.

May the best code win.

Re:Only as secure as platform...

[weileong]

I have no doubt whatsoever that Microsoft doesn't want to have to do a complete rewrite of it's OS just so it will be certified

actually, what's to stop a company from hiring a licensed programmer and then have him "rewrite" the code that was done by unlicensed developers (page down... page down... page down... "ok everything looks fine!!", with a resulting world's-highest-lines-written-per-day award)?

Do they not get it?

[roninmagus]

Do they really believe that licensing software developers will lead to more secure software?

I'm not following their train of thought. Software development is an industry which constantly has to defend itself from **NEW** hack attacks. The best we can do is protect ourselves from known attacks, and try our best to forsee future ones.

It puts yet another industry under undo government control, and yet against shifts the focus away from the people actually doing harm--the hackers.

Re:Do they not get it?

[vegetablespork]

On the plus side, since we're licensing for "homeland security" reasons, there's no reason non-citizens should be writing any software used in the U.S.' critical infrastructure. Right?

Re:Do they not get it?

[aheath]

Neither article explicitly touched on the issue of software quality assurance. The development of processes and procedures for writing secure software should go hand in hand with the development of processes and procedures for testing secure software. SQA methodology has to expand beyond usability and functional testing to incorporate security testing.

It's my understanding that there are procedures for developing and testing software that is used in medical products and aviation products. Perhaps the rigor that is applied to developing software to control an airplane could be applied to the development and testing of secure software.

Re:Do they not get it?

You got it, you cheese-eating surrender monkey commie bastard. Go USA!

Re:Do they not get it?

[elrond2003]

>>>>Do they really believe that licensing software developers will lead to more secure software?

You have missed the point, nobody on the committee cares about improving security. The worse it is the more money they make. Only MS (and perhaps a few other huge contributors) will be able to generate certified software engineers so only MS software will be useable. Thus LINUX will either die from lack of use or die from being commercialized by MS. There will be two benificiaries, MS by making money and selected congresspeople who will get brib^h^h^h^h campaign contributions. Meanwhile NSA software will be generated in China, rather than by US programmers.
If there were any interest in having secure software the committee recommendation would be to ONLY allow open software.

Re:Do they not get it?

[the_2nd_coming]

no, it will just lead to a more bloated Prison population as people are sent up the river for 20 years because a bug in their code crashed the security system.

Re:Do they not get it?

[the_2nd_coming]

yeah...is is called Software Engineering.

very few commercial software applications use correct software engineering techniques which is why so many bugs are in the software. medical equipment and air craft equipment and car equipment is tested. re tested and run through all the engineering processes in order to make it bullet proof.

real software engineering is not profitable with out making software cost a bloat load more than it does.

Re:Do they not get it?

[vegetablespork]

cheese-eating

Actually, I'm enjoying some Freedom onion dip right now :).

~~~

Re:Do they not get it?

[Jerf]

It's my understanding that there are procedures for developing and testing software that is used in medical products and aviation products. Perhaps the rigor that is applied to developing software to control an airplane could be applied to the development and testing of secure software.

It's a good idea on paper, which is why people like me are well-nigh terrified when this idea comes up.

The problem is one of expectations. Yes, we could apply that rigor to all software. But,

1. No more garage startups... and all new technology tends to start there. Innovation, true innovation, takes a huge hit under these schemes and we lose huge advantages to any country that doesn't enforce these rules.
2. Expense. Those methodologies eat manpower for lunch. Are you going to pay for it? For every piece of software you use? Even "ls" or "echo"? No, and neither will anyone else. It only makes sense for certain things, and different level of rigor makes sense for different kinds of programs... even different levels of rigor for different guarentees. Good luck even figuring out which of these is right, let alone getting the government to mandate the correct levels! We are far from a consensus on what is appropriate; we're not even sure where it makes economic sense to use what we know, and we certainly don't know what we don't know.
3. Freedom of choice. The converse of the above; we should be able to choose how secure our software is, because it's not free. Mandating any security level, and since other people's time is always free, you can be sure the government will mandate a very high level, means that I am forced to buy these high security products. What if I don't care? My game console is free to crash, and even if it's 0wz3r3d, who cares? On the next power cycle, it'll return to normal. (At least modern architectures.)

In the real world, it is, to put it bluntly, a shitty idea.

It's not time for government mandate, it's time for the market to start demanding security. The proven method for balancing cost vs. performance is the invisible hand of the market.

The root cause here is a monopoly, training people not to be concerned about security. The correct solution is a healthy market.

Best of all, we won't find ourselves in 2015 shackled by government mandate to 2005 engineering techniques. It's an act of shocking hubris to think we've got this figured out enough yet to mandate any solution.

Re:Do they not get it?

[peter+hoffman]

Right now there is no way to prevent incapable programmers from writing critical code. If a license was required, then programmers who cannot meet a minimum level of demonstrable competency wouldn't be allowed to get started writing critical code. A programmer who manages to get certified but who then writes sloppy code could have his license revoked (like disbarment for a lawyer) thereby preventing that programmer from writing any more critical code. By having various licensing levels you could regulate what sort of programs a programmer could work on. A person coding a fly-by-wire system might need a higher rating than someone writing a video game.

I don't like red-tape but there is a silver lining for developers: licensed programmers would get greater pay and have greater job security. Jobs requiring above a certain level of licensing would require the work to be done in this country and by U.S. citizens.

Re:Do they not get it?

[ergo98]

Do they really believe that licensing software developers will lead to more secure software?

Most licensing advocates propose licensing as some sort of magical solution that will do everything from improving security, speeding development, improving estimates, lowering bug counts, etc. The trouble is that they never provide any metrics or actual examples to back this up. It'll just happen, apparently.

I say this with interest as I'm currently reading the book "Professional Software Development", a book by an author that I otherwise think is fabulous -- Steve C McConnell (of "Rapid Development" fame). This book basically goes on and on about the disasters in software development, and continually pushes the idea of licensing as a magical fix-all. Never, at least from what I've seen, does it show an example of where a licensing simile improved software development in any way, but simply holds up failures in the cutting edge world of software development and implies that with licensing it would all go away. To say that this is weak and unreasoned wouldn't be an overstatement.

Code audits, and code certification by external auditors of any system critical software is reasonable to me. Software team and organizational standards to improve productivity and estimates seem reasonable to me. Holding organizations responsible for software that they release, for factors stipulated as important (i.e. security for certain pieces of software) seems reasonable to me. Getting large internet peers to have proactive measures to deal with trojans and worms seems reasonable (i.e. shutting down DDOS zombie connections).

Licensing software developers as some sort of illusion of improving software is not reasonable. Enforcing a universally high level of security for all software and eliminating the markets choice to weight security with all other purchasing factors (the market knows that Microsoft software has a long history of security exploits, but strangely they still buy and install it) is not reasonable.

Licensing is protectionism and "barrier to entry" under another name. How hilarious that this would be proposed under the auspices of the "Anything goes free for all" that is Homeland Security.

Re:Do they not get it?

[ergo98]

If a license was required, then programmers who cannot meet a minimum level of demonstrable competency wouldn't be allowed to get started writing critical code.

What organization is this developer working for that they threw an incompetent programmer onto critical code? Do they do appropriate code audits given that it's critical code? Do they have external code audits if it's for a critical medical or government system?

A programmer who manages to get certified but who then writes sloppy code could have his license revoked (like disbarment for a lawyer) thereby preventing that programmer from writing any more critical code.

Do you know how rare a disbarment actually is? It generally only occurs when a lawyer does something publicly that draws public interest. Otherwise those sorts of boards are generally protective huddles.

A person coding a fly-by-wire system might need a higher rating than someone writing a video game.

Here's the thing that makes this, and all similar examples, absolutely ridiculous -- Boeing doesn't call up Joe Programmer and say "Hey, could you throw together a fly-by-wire system for me?" and Joe whips up something in vi, compiles it and sends in the lib. Instead they have a _huge_ interest in ensuring that the code is as perfect as they can possibly get it, because as an organization they have huge fiscal and possibly criminal liabilities if the process that created the code was insatisfactory. Because of this Boeing, and organizations like it, go to great lengths to ensure that the coders on this team are the best of the best. They further build a heavily regimented and strictly enforced process of code audits, analysis, walk-throughs, reviews, etc.

Re:Do they not get it?

[kachuik]

The real solution to the quality/security problem already exists. Sue the bastards. A software problem causes a plane to crash (people die.) Sue the bastards. Medical equipment, cars, etc.. screw up AND PEOPLE ARE HURT, the manufacturer gets hauled into court. Seems to work.

Now the problem is to determine the $ damages if software fails & someone is not hurt. It would need to be something like net income per hour averaged from the past 12/18 months and applied to the recorded downtime plus a pre-determined recovery charge (to keep scumbags from milking disasters.)

There is the issue of ye old EULA. Those need to be rendered null and void. All software is a PRODUCT and despite whatever is said in ye old click through agreement, the software, as sold, is fit for it's intended purpose, is guaranteed to work and will not cause harm or injury in it's intended use. (Just like EVERYTHING ELSE you walk out of a store with.)

OSS probably has to drop of the radar cause there is no one to sue for enough to cover the damages. And the GPL is a EULA. It's gone too.
Now all we have to do is create software that works. Right. Always.
Gonna be slow and expensive. Join the guild before you try. Code in the approved language after years of study before touching a keyboard.
It wont work cause the software will still foul up.
Face it, computer science is still primitive. Outside of integrated systems, we do not know how to handle the compexity. For general purpose software, sometimes it works, sometimes not, and we can't prove what it will be until it's released into the wild. (Thats what testing tries to simulate.) Engineers wear the iron ring as a reminder of the things that FELL DOWN. If programmers had our own reminder like that, would we be able to recognize the things we haven't seen yet? We are still learning what the problems are, let alone the best way to prevent them. What is the best way to prevent corruption of a value chain? Whats the best way to impliment one? Whats a value chain? (Hint, does not exist, read Code Complete.) When will someone create one and what whould we use it for? Don't know yet. Might know later. Come back in 100 years.

As long as software has version numbers that change because of major improvements, we are learning about these darn computers. Hopefully getting better, but these darn computers keep getting faster and cheaper (more complexity.)

Maybe the whole thing should be put on hold until we hit the wall on Moores law. At least then, some of the shifting sand will be sitting still.
If we are still in the "too complex to predict" state in 100 years, the guild idea may be the only way to go. Until then I am willing to keep messing up and learning from the rubble. If I have to join the guild today I will. My question is: Is the guild really any better at the complexity thing?
Please include you proof.

Re:Do they not get it?

[peter+hoffman]

Would you consider banking software to be fairly important? I have seen banking software, to be used by the national banks of brittle developing economies being worked on by high school students with no engineering techniques being used at all. This software was being sold by a very large computer company with over 175,000 employees in over 100 countries, not a "fly by night" basement operation.

As to organizations being sued because their critical software failed, that is rarer than disbarments. Even then, the company suffers very little. A programmer or two might be fired. A fine might be paid. At the end of the day yet another profitable quarter is recorded which is all that really matters.

I have worked in software development for over 20 years now and, while most people advocate the careful processes you describe, nowhere I have worked actually does it (including three major companies whose names are three letter acronyms). None of my many friends and acquaintances in the business have worked at such a company either. One of the companies I worked for was ISO9000 certified to boot.

Re:Do they not get it?

[OldAndSlow]

You seem to think that poor progrmming is the problem. Poor management is the real problem. I can, in the right environment, write code with a defect density of 1 per 10 KSLOC. I've actually done that. But I can't do it on the project I'm on now, because the schedule is way to short to fit all the features that we committed to deliver. So quality goes down.

Before we hold programmers responsible for defects, let's hold program managers responsible. I wonder how many jobs that are currently bid at half what the developers say it will take to do the job would still get bid if the PM knew he could go to jail if things went south?

Ultimately, it is the fault of customers who think they can get good software cheap. I learned a long time ago that if you bid what the job will really cost, you are out of business. But if you bid 3/4 of the real cost, you can convince the customer to take "upgrades" as you go along. And you can tell him that he didn't really specify the feature that he really wants, but we can put it in for so much extra.

Re:Do they not get it?

[OldAndSlow]

Do they really believe that licensing software developers will lead to more secure software?

I'm not sure they think at all. I volunteered as a reviewer of the initial SWEBOK (Software Engineering Body of Knowledge) a few years ago. Basing licensure on the SWEBOK would have been a disaster. No design patterns. No agile methodologies. Nothing newer than the late 80s.

You can't have licenses without tests. And you can't have tests on things that are still evolving. So licensed software engineers will be expert on technologies that are 15 years old, and dead.

Alistair Cockburn advocates one methodology per project. This make perfect sense to me. I knows a several dozen ways to build software. And I tailor an approach that fits the project ==> how tight is the schedule, what is the legacy like, who do I have to work on it, how good is the customer, what is the nature of the app, etc. Write me a licensing exam on that.

Re:Do they not get it?

[aastanna]

And with Engineering, as a licenced Engineer, you are accountable to the public first, then your employer, then yourself. If you put your seal on something dangerous it's quite possible as an engineer that you end up in jail.

Often with software it's balancing conflicting demands, and it's usually better to save a few bucks and ship with a few bugs than to spend the money and do it properly. After all you can always patch your system once it's deployed.

Proper licencing and accountability would lead to developers who would be unwilling to compromise to a deadline, after all it's better to be fired than to end up in jail. I can see the value in licencing developers who work on systems can't fail without killing someone, but for a web browser or something it'll never fly.

Re:Do they not get it?

[xenocide2]

One big problem as I see it is that most of the ideas we associate with Software Engineering fit closer to Software or Engineering Management. Metrics like Halsteads's "Software Science" we teach students these days are about measuring time to completion, rather than any sort of quality. Students at my university are not taught to use any tools to assist in the development process, like lint or oxygen. We do not teach performance measurement outside of a theoretical Big O guesstimate. And nor do we teach students about security problems inherant in the current popular languages such as C or C++, and how to deal with them, even though our own Software Engineering capstone requires the use of C++ because the professor (and perhaps the cirriculum committee) feels that students shouldn't graduate without a familiarity with C++.

In short, if you're looking to be a "Software Engineer," I can't recommend Kansas State University. I'm told we have a very prominent language group, however.

Re:Do they not get it?

[pedro]

An interesting point that always seems to come up for me when eulas are discussed is this:
if software embodies patented concepts, doesn't that sort of make it an actual capital "P" PRODUCT that that can be held to standards of fitness for use, safety, performance, implied warranties, etc, regardless of what the eula says?
Otherwise, why should it deserve patent protection at all?
It seems to me that if for software to enjoy patent protection, it would have to be considered just another product like, say, a toaster, and all the liability that implies.
Might be a rather strong incentive AGAINST the filing of and holding of software patents, if you get my drift...
Now for an inventive lawyer to explore this rather novel theory in the courts..

Re:Do they not get it?

[ergo98]

I have seen banking software, to be used by the national banks of brittle developing economies being worked on by high school students with no engineering techniques being used at all.

This tells me a lot about the software development firm, and little about the software developers. I've worked with many levels of software developers -- from self-taught high school dropouts to professional certified engineers -- and I have noticed that there is incredibly little correlation between those "classic" indicators of skill and actual dedication to good quality code. (Indeed, the worst programmer I've ever worked with was a professional engineer).

I have worked in software development for over 20 years now and, while most people advocate the careful processes you describe, nowhere I have worked actually does it

And that is the core of the problem with software quality. It has nothing to do with blessing certain developers, but actually getting real quality processes in place (and audited) at software firms.

Re:Do they not get it?

[peter+hoffman]

I don't think we are disagreeing but you don't seem to quite track what I am saying so let me try another approach. Ever notice how you can talk yourself blue in the face explaining to your boss how something is illegal but he ignores you? Ever notice how there's not a peep out of him once a lawyer from legal utters one sentence saying exactly the same thing you've been saying? That's because the lawyer speaks with the weight of his license behind him. Your boss knows every competent lawyer will tell him the same thing and the courts will enforce it.

Most corporations will not put those quality processes in place until there is some sort of regulation such as licensing required. Once licensing is required, and development process guidelines for those who wish to retain their licenses are in place, corporations will have no choice but to listen when their developers say "it has to be done this way to ensure quality (or at least a defense against a lawsuit)". If you say that today at most places you are shown the door while they replace you with someone who won't argue.

Re:Do they not get it?

[miu]

No one wants to require a license to program. What is under discussion is the possibility of making software development a profession.

There are many parallels that already exist. Medicine for example: you can treat yourself with home remedies, pick up an over the counter drug, or go to a doctor. Building construction has the same sort of range, with the added complication that even for a do it yourself project there are certain safety standards you must meet and liabilities that you must assume for construction on your own property. The fact that civil engineering and medicine are professions with licensed practioners does not prevent non-professionals from building a garage or deciding to take aspirin for a headache.

The point is that licensing (and holding responsible) of some programmers and development companies could prevent things like the Diebold e-voting snafu, critical public infrastructure (atm network, electrical plants, etc.) from being connected to the internet, or any of the other idiocies carried out by companies looking only to make a fast buck. I personally think that consultants and network architects should have a professional organization and responsibility as well.

Licensing is not a magic bullet, but done properly it could do a lot to improve the stability and security of essential software and networks.

Re:Do they not get it?

[peter+hoffman]

Yes, absolutely poor programming is the problem. The question is "why do we get poor programming?". I agree with you that it is largely the fault of people, other than the programmers, making unreasonable demands. Licensing developers would provide those developers with a weapon for self defense: "I am licensed. You are required to use licensed developers. All licensed developers will tell you the same thing. You cannot fire me in favor of someone who will cut corners as no developer will sacrifice his license for your whims".

Re:Do they not get it?

[ergo98]

...You cannot fire me... ...but you can just outsource the whole thing to a country that doesn't run such a protection racket and let the whole free economy run its course...

Re:Do they not get it?

[Geek+of+Tech]

>> ...and yet against shifts the focus away from the people actually doing harm--the hackers.

No, if I figure them right, they're going to want to licence all the hackers too... At least we'd get rid of the script kiddies...

Re:Do they not get it?

[Geek+of+Tech]

Uh...

Microsoft doesn't solely exist in the US.
Linux... well, it dwells everywhere.
Apple... okay, well I'm not sure about them... anyway...

A number of IT jobs have already been outsourced. I don't really imagine the US could very well go to a OS developed only by licenced US citizens without starting from scratch.

Re:Do they not get it?

[peter+hoffman]

I am certainly in favor of the free economy but what would happen (in at least some circumstances) is that in the name of safety, national security, and for the children, the people paying for the coding would mandate that it be done in the U.S. by U.S. citizens who are licensed. It is quite possible there would be no choice in this even for those paying for the development as legislators could pass laws categorizing software development efforts and stipulating the citizenship and licensing requirements for each category.

I am not saying that any of this is necessarily a good idea, I am ultimately responding to the initial question of this thread which was something like "What is their thought process? Why do they think this will improve code quality?".

Re:Do they not get it?

real software engineering is not profitable with out making software cost a bloat load more than it does.

Bullcrap! I have worked in the computer industry for 28 years and I have heard this throughout my career. It is basically an excuse for laziness!

Well designed software (or hardware for that matter) is cheaper to produce and maintain. However, it takes one hell of a lot of work and commitment on the part of managers and that just never happens. Merely getting them to read and understand a functional spec to insure that the product being designed is exactly what they want is an impossible task. Combine that with an attitude that implies you aren't really working if you are designing, get busy coding (prototyping, whatever) and you always end up with products that are real short on design and real long on bug fixing. I repeat; this is a managerial problem.

medical equipment and air craft equipment and car equipment is tested. re tested and run through all the engineering processes in order to make it bullet proof.

You cannot test quality into a product; it must be designed in! Trying to fix design issues in the testing phase is just pissing into the wind. Unless you are willing to go back and re-design (or actually do the design in the first place) the offending processes, you always end up with endless rounds of bug fixes, testing, bug fixes, testing...

Now, having said that, no product of mine leaves the plant until it has been thoroughly tested. The last few revisions in the firmwear that I wrote took a few days to write nd almost a week to go threough a complete regression test to insure that the basic core functionality was not changed. These are relatively simple products, but I have worked on much, much larger hardware and software systems that were treated the same way.

In each and every case where the engineering team had a well-defined goal, time to design and a rigorous QA testing program in place by the time the product was implemented, it led to a better quality product with shorter development times. In each and every case where they did not, it led to a shorter (marginally, we aren't talking years here) time to ship the first units, but it also led to years of bug fixes, updates, and a waste of engineering resources that should have been working on the next product.

I'm ranting now, I'll stop. Time for another cup of coffee!

Their loss

Open Source software is either better or it shouldn't be adopted. If it is better, then it is at least partly due to the development model, which is inherently not hierarchical/certifiable. If suits really need someone to offload risks to, there's always your friendly insurance company that wants to earn a living by assessing and managing risks. I can see people contributing code for free but I doubt people are going to put their financial future on the line for free.

Re:Their loss

[zcat_NZ]

If suits really need someone to offload risks to, there's always your friendly insurance company that wants to earn a living by assessing and managing risks. I can see people contributing code for free but I doubt people are going to put their financial future on the line for free.

The stupid part is, paid programmers won't either. They'll get insurance against being sued, just like doctors take out malpractise insurance. Then they'll go on writing the same shitty code because the end users continue to demand ease of use and featurisim ahead of security.

The better idea is to just take out insurance against being hacked in the first place. Insurance companies already offer this.

Re:Their loss

[DroidBiker]

We're talking about more than just financial losses though. Insurance is great if you're talking about your company's web site being down for a couple of days. That can be covered.

(Hypothetical and hopefully impossible example follows) Imagine an Enemy(tm) exploits a vulnerability in Windows to crash the control systems on an Aegis class destroyer and the ship goes down with all hands. You CAN'T cover that with insurance.

I agree with you that licensing isn't the answer, but what IS?

Re:Their loss

Their loss? ...or OURS?

Re:Their loss

[Grishnakh]

Um, last time I checked, programmers aren't typically paid anywhere near what doctor are. How are they going to afford malpractice insurance?

Having the government recommend higher salaries isn't going to make it happen, either.

OSS Acceptance

For commonly used software this provision of jobs increasingly depends on artificial barriers to the acceptance of free alternatives. Now that millions of people are programmers with supercomputers on their desks and an itch to scratch, and now that the cost of software distribution is approximately zero, the unconstrained market value of a line of code for a commonly used application is rapidly converging to zero.

The anti-FOSS lobbying is merely an example of the artificial barriers that prop of the prices and keep all those people employed. (Though I doubt that there are actually that many people earning their living by programming operating systems, Web browsers, and word processors these days. In the future the way to make money as a programmer will be to implement special-purpose applications that only scratch the itch of some company's shareholders.)

Re:OSS Acceptance

[kfg]

Indeed, just as the New Deal introduced mandatory schooling and mandatory retirement ages not, principly, out of any ideas of children's rights or the rights of the elderly, but as a way of reducing unemployment and keeping wages high by artificially reducing the number of people who could be legally employed.

Many trade licenses fulfill the same function, such as that needed to be a plumber or electrician, where licensing is typically handled not by the state but directly through the unions.

This proposal bears the strong stink of such domestic trade protectionism.

KFG

Re:OSS Acceptance

[Fulcrum+of+Evil]

Though I doubt that there are actually that many people earning their living by programming operating systems, Web browsers, and word processors these days. In the future the way to make money as a programmer will be to implement special-purpose applications that only scratch the itch of some company's shareholders

AC, you just described the state of the world today.

NO

[rolling_rox]

In one word NO. It would not have to be written by a professional. It would simply need to be reviewed by one?

Licensing again huh?

[DroidBiker]

I suspect we'll have some sort of meaningful licensing scheme someday. It'll probably take a while tho. There will be a lot of pain and probably more than a few witch hunts before it happens.

One problem (of many) is of course that if you make programmers legally responsible for security failures you also need to give them the authority to say "No! You can't do it that way! I don't care WHAT Marketeering says!"

Texas has had licensing for a few years. Anyone know how it's worked out?

Re:Licensing again huh?

[Alan+Cox]

There is two reasons to license software developers in the USA. Neither are good. The first is so that you can forbid compilers, debuggers and other "dangerous" tools to the RIAA/MPAA being in the hands of the masses. The second is to stop the all the computing jobs leaving the US by having a US certification required but inaccessible to the competition.

I'm all for formal open standards for security. And I am very much for formal accredited qualifications in safety critical systems. I'd love to see an MSC in computer security and similar university qualifications - but it has to be a proper and open thing, not some goverment office of computer programmer licensing.

As to accountability - there is a simple solution. Do something about the ability of companies to use software licensing as a get around for liability for product in most countries. Make it like other product. If its sold then it should be suitable for purpose. (Note here sold - paid money for. I see no reason why *paying* for open or closed source ought to be different).

It will also improve computer security no end the day a company gets sued for harming others by being negligent in applying security patches to its systems.

Re:Licensing again huh?

[ces]

One problem (of many) is of course that if you make programmers legally responsible for security failures you also need to give them the authority to say "No! You can't do it that way! I don't care WHAT Marketeering says!"

From my understanding this is exactly what happens today in areas where a PE has to sign off on a design making himself legally liable for any design flaws. The PE doesn't like the design for safety reasons, the PE refuses to sign, the design gets changed. At least in an ideal world that is what happens, as I understand it the reality is somewhat different but it is still often better than what happens in the commercial software development world.

Re:Licensing again huh?

[Milo77]

I agree with most of what you say. I do, however, see a couple good things about PEs:
1. EITs have to prove themselves, its not enough to know the theory
2. EITs must endure a period of on-the-job-training where a mentor oversees their work
Where i started after college it was assumed that college was enough to completely equip me with everything i needed to be a successful software developer. Not only can i say from experience that this was not true for myself, but through observation I can say that it was not enough for many others. Further, I can say that most veteran developers I have come in contact with in the industry do not know how to develope robust/flexible/extensible/secure/internationalize d solutions (or not in a manner that would represent a "best practice"). These veteran developers are very brilliant people (wrt. CS theory and algorithms), but they do not know how to develope software, they know how to hack...

I guess all I am saying is that there is a significant amount of learning even after all the theory is understood and largely we assume this will be learned on our own sort of trial-by-fire. The best case scenario is that these new developers will only hack out crappy software until they learn some industry best practices (supposedly on their own). The worst case is that they'll hack out crappy software for many, many years to come...i've experience the former and seen the latter in many, many "veterans"...

I think required mentorship/probationary period for newbies and some sort of re-certification for "veterans" would go a long to improving software quality...

Re:Licensing again huh?

You forgot the main reason for licensing. Total control over the individual. Once the government mandates licensing, all licensed developers had better do what the Government says, or risk losing the license.

Take the psuedo-legal structure of divorce court for example. A judge always can threaten the loss of the license for a Doctor, Lawyer, etc. if the person doesn't keep up on the alimony payments. This happens all the time. And as has been well documented, occasionally, the Judge orders payments which leave absolutely nothing to live on. The same goes for tax payments. Or, in some cases, breaking certain laws.

You can kiss the concept of code being free speech good-bye.

Somehow the idea of being an certified illegal software developer by this meme is extremely troublesome. This is just another example of Government trying to dictate what the market must be like; fortunately those schemes always fail.

I have no fear of terrorists nor dictators. But I am very scared of the people in the government who are here to "help us".

How about driver's licenses?

[civilengineer]

THe idea was to give licenses to only those who can actually drive safely. But, if they really implement that there will be very few people with licenses and car companies will go bankrupt ( no more wars maybe??). So, they give this easy test for the license and every TD&H can drive. Of course we have had over 40,000 fatalities and 2 million crashes every year in the US for past 20 years.
Similarly, the licensing scheme will again create a dearth of licened software professionals,leading to high salaries for the licensed initially and then the bubble will burst. Everyone will have a license eventually, and we will be back to square one. So, the solution is to come up with better error prevention and correction methods for existing software professionals/ (drivers) rather than try to create licensed professionals. SO, as of now OSS still rocks and it will be good to see more OSS testing volunteers rather than just OSS developers.

Re:How about driver's licenses?

[thinkliberty]

Yes that is it!!! Cars cause war. You sir are a dumb ass!

Re:How about driver's licenses?

[RealProgrammer]

The analogy is with a Commercial Driver's License (CDL) versus standard license. Truckers have to have a CDL, and they can lose it pretty quickly by bad driving.

Re:How about driver's licenses?

Cars need gasoline, which is made from oil. And you say oil doesn't cause wars? Who is the dumb ass? Or would it be more fair to say naive?

Re:How about driver's licenses?

So, the solution is to come up with better error prevention and correction methods for existing software professionals/ (drivers) rather than try to create licensed professionals. SO, as of now OSS still rocks and it will be good to see more OSS testing volunteers rather than just OSS developers.

We already have the methods and know where the problems are. Now we just have to make it too expensive to ignore what we already know how to do.

Re:How about driver's licenses?

[mpe]

THe idea was to give licenses to only those who can actually drive safely. But, if they really implement that there will be very few people with licenses and car companies will go bankrupt ( no more wars maybe??). So, they give this easy test for the license and every TD&H can drive.

It dosn't help that a bunch of jokers decided that what was originally intended as a document to indicate someone could operate a motor vehicle should also (in some cases primarily) be used as an identification document.

Re:How about driver's licenses?

[greenrd]

Cars don't, but oil does. Right from civil wars right up to imperialistic wars.

Talking about development

[spearway]

May be the SD Times should hire a "licensed developper" to fix the date. They appears to be one year late "January 1, 2003".

Re:Talking about development

"licensed developper"

If they can get the spelling right, that may work...

Why is some software more secure than others?

[the+man+with+the+pla]

I got annoyed at the slashdot comments last time there was security hole in OpenSSH and wrote this page (copy pasted below). I count OpenSSL as insecure software - we need a secure replacement. GNUTLS looks somewhat better, but I don't trust it too much either.

Why is some software more secure than others?

How do you measure software security?

Here's my definition on what is secure software.

Intro

I get really tired of seeing these kinds of comments every time some widely used software has security holes:

• No software is secure. The difference is how quickly they fix it.
• It's good that they were found. Now we have less security holes.
• Popular software gets more security audits which is why they seem to have more security holes.

While they may be partially true, I think they're also very misleading and disparages the hard work that some secure software authors have done.

Simplicity Is Security

The difference between secure and insecure software is really the coding techniques being used by it's authors. Authors of secure software do everything they can to prevent accidental mistakes from ever happening. Authors of insecure software just fixes the accidental mistakes. There are very few secure software authors.

Auditing insecure software doesn't make it secure. Sendmail is a good example of this. It's been audited countless times by competent people. The simplest mistakes were catched easily long time ago, but a few very difficult to find vulnerabilities were found only recently.

How do secure software authors then avoid the kind of security holes that are difficult to find? By keeping the code simple. The code doesn't get secure by polluting it with tons of security checks. It gets secure by keeping the security checks in as few places as possible.

Auditing secure software is easy. You can just quickly browse through most of the sources without having to stop and look at it carefully. Everything just looks clean, simple and correct. vsftpd is a good example of this.

Sure, it's still possible that secure software has some security holes occationally. It just happens a lot less often (if ever) and usually the problems are less critical. For example none of the security holes in Postfix have lead to arbitrary code execution or being able to read other peoples mails. Denial of Service attacks are nothing compared to them.

(some examples in the web page not included)

--
Brought to you by the DB tool
7098931

Re:Why is some software more secure than others?

[jrockway]

Note to moderators: The DB tool that this guy's sig refers to is a program he wrote designed to find posts that will get him Karma (he posts other people's comments). Please don't mod him up.

It would be immature of me to suggest that you crap flood his site, but why not. Fight fire with fire.

Good concept, illegal in practice

[Aviancer]

This is the grant of government license to do a specific type of work. That's akin to the government granting the title of Lord, and is technically illegal.

That said, the idea itself is good -- but let ACM *and* IEEE *and* Sun *and* whatever other institution do certifications... That avoids the government regulation, and allows potential employers to select "qualified" individuals.

Re:Good concept, illegal in practice

So licensing by the state of doctors is illegal?

~~~

Re:Good concept, illegal in practice

[spearway]

How can that be illegal? MD are licensed for their work, Layer, nurses etc. are also licensed.

Re:Good concept, illegal in practice

Layers are illegal in most states, but are indeed licensed in parts of Nevada :).

~~~

Re:Good concept, illegal in practice

[Aviancer]

It's notable that the State does not license the professional, but the Bar Assn (for lawyers) and the Medical Board (for MD/RN/Etc). States (not the US Gov't) make laws that require the professionals to be licensed by an authority.

Re:Good concept, illegal in practice

[vegetablespork]

So in other words, the state licenses professions, but by proxy. Makes no difference, really. You think the IEEE, ACM, or similar (along with the states) wouldn't love to get its hands on the revenue generated by millions of programmer license application fees?

Re:Good concept, illegal in practice

[DroidBiker]

You are incorrect.

The federal government licenses many professionals. Lawyers, doctors, and architects are just a few examples. Licensing software folks just puts them in the same both as these other people: mainly that they can be sued for their mistakes and will be limited in the types of jobs they can take (if any) if they don't have a license.

Re:Good concept, illegal in practice

"The federal government licenses many professionals."

Actually, licensure of most professionals (e.g., doctors, lawyers, engineers) is handled at the state level.

Re:Good concept, illegal in practice

[boobsea]

Read the constitution.

Granting titles of nobility is only prohibited of the federal government.

Re:Good concept, illegal in practice

[boobsea]

US Constitution Article I, Section 9, Clause 8

Clause 8: No Title of Nobility shall be granted by the United States: And no Person holding any Office of Profit or Trust under them, shall, without the Consent of the Congress, accept of any present, Emolument, Office, or Title, of any kind whatever, from any King, Prince, or foreign State.

However, the licensure of these people are done by state and not federal (as you may have already read from other replies).

Re:Good concept, illegal in practice

I've read the constitution. I fail to understand how "Doctor" is a title of nobility. For one thing, M.D. is an academic rank. We're not talking about a peerage here.

~~~~

Re:Good concept, illegal in practice

[boobsea]

A title of nobility grants special rights or privileges upon someone.

Hence, a license to practice medicine is a title of nobility.

However, states are free to grant such titles.

Re:Good concept, illegal in practice

did you know that you must have a state license in Missouri to Cut Hair professionally? If this kind of licensing is illegal, how has missouri gotten away with doing it all these years? (im not saying its a good thing, infact i think it suck, allong with seatbelts, drivers licenses and, motorcycle helmates requirement laws) they are designed to legislate common sense and oh yea, i almost forgot ...$$$$$$$

Re:Good concept, illegal in practice

No State shall enter into any treaty, alliance, or confederation; grant letters of marque and reprisal; coin money; emit bills of credit; make anything but gold and silver coin a tender in payment of debts; pass any bill of attainder, ex postfacto law, or law impairing the obligation of contracts, or grant any title of nobility.

States can't, either. So it looks like there's a quandry here--either professional licensure is not granting titles of nobility, or all the states are violating the Constitution.

~~~

Re:Good concept, illegal in practice

[OldAndSlow]

It's notable that the State does not license the professional

Sorry, doesn't wash. If I treat medical ailments for money without a license, the state will put me in jail. And I know for a fact that the Commonwealth of Virginia licenses mental health practitioners.

Pointing Fingers

[RetroGeek]

All this does is create a person who can be targeted if Something Goes Wrong(tm).

With OSS there is no "someone". With a licenced developer you have someone to blame.

Re:Pointing Fingers

[javatips]

However, I don't know if developers would actually want to be liable for their work. The pay increase would have to be much higher than his current pay so he can afford some kind of liability insureance.

With the possible amount of damage a company can claim for intrusion (remember K. Mitnick case) I'm pretty sure that insurance cost will be very high.

Re:Pointing Fingers

Its far higher than medical malpractice even!

Re:Pointing Fingers

This is all about money and making a pot for the lawyers. Where is the part about making better software? Does a company care about the ultimate fate of whoever is to blame? As long as a CEO can blame a project manager or group, bad software will continue. Besides, just outsource and blame some party in India.

Re:Pointing Fingers

[greenrd]

So code securely. It's not that hard.

Fuck insurance, just put in place proper training and proper audit procedures and you won't have any problems.

Re:Pointing Fingers

[TheSpoom]

Lord knows we couldn't have executives to blame for poor business decisions and layoffs of developers, or marketing to blame for pressure to release a product before Christmas, or management to blame for creating a poor work environment...

Nope. It's all the developers' fault.

Re:Pointing Fingers

This attitude is precisely the problem. You are confusing development with accountability. In the closed-source world, the people who develop and the people who are accountable are usually one and the same, so it's an easy mistake to make.

This is not true of open-source development. When there are bugs in Red Hat Linux, Red Hat should be held responsible. Did a programmer working for them cause the bug? Almost certainly not. Is the bug their responsibility? Of course it is!

Open-source software is often judged using assumptions that are only accurate in the closed-source world. It seems to me that whenever this happens, open-source loses out, simply because people aren't as familiar with it. Hopefully, time will change this.

Paraphrase of John Milton

[Nate+B.]

I recall a quote from John Milton that went something like this, "None can love freedom but good men. Others love not freedom, but license."

How much would licensing developers much like doctors, lawyers, architects, etc. affect development? It would likely mean more than, say, an MCSE or RHCE, or NCE. Would developers need to be licensed for a specialty?

Most likely there would be some sort of age and education requirement which would prevent some of the younger and perhaps self-taught developers from contributing to certain projects. Also, what about code developed outside the USA? One would have to be rather naive to assume that all the software in use was written in the USA, but sadly, I think that perception is all too common.

Happy 2004, everyone!

- Nate >>

Re:Paraphrase of John Milton

[breadbot]

I believe the word license in this sense is:

3 a : freedom that allows or is used with irresponsibility b : disregard for standards of personal conduct : LICENTIOUSNESS

(from Webster's)

Implying that non-good men love the opportunity to act irresponsibly, which is what freedom offers them.

Re:Paraphrase of John Milton

[Pinky3]

"None can love freedom but good men. Others love not freedom, but license."

It's a nice quote, but it doesn't apply here. Milton was contrasting freedom to license, a noun meaning "an excess of liberty; freedom abused; also, licentiousness." (Webster's New Collegiate Dictionary - 1959)

OT: Re:How about driver's licenses?

[RetroGeek]

So, they give this easy test for the license and every TD&H can drive. Of course we have had over 40,000 fatalities and 2 million crashes every year in the US for past 20 years.

And then we get stupid laws like banning cell phones while driving.

If you ban cell phones, then what about police officers, firemen, ambulance drivers, truckers (and other people with CB's) who use two-way radios.

Using a microphone is more distracting than a cell phone, since you need to push a button to talk.

Of course most of the a/n people have extra training and experience (and testing).

BTW, what is a TD&H?

Re:OT: Re:How about driver's licenses?

TD&H =Tom Dick and Harry

Re:OT: Re:How about driver's licenses?

[Kent+Recal]

Erm, sorry to jump on your OT-article but what you say is bs. Banning cellphones from driving is one of the good laws that actually adds to safety. Anything that distracts your attention from the street (remember, you're moving) is to be avoided.

And btw in police cars, firetrucks and ambulances there usually is a 2nd person and NOT the driver responsible for comm. And these vehicles are a whole different story anyways but I'll tell you 'bout that another time...

Re:OT: Re:How about driver's licenses?

[RetroGeek]

usually is a 2nd person

Not always, especially in police cars.

that actually adds to safety

Maybe. But why should I be penalized because of other bad drivers? I have driven with a CB for many, many years, and have driven a big rig. No accidents. So now I can't drive responsibly because some idiot who can barely keep it within the lines normally is using a cell phone?

Our civilization is becoming run over with laws that only idiots need. I blame it on the court system and law suits. If you are an idiot and use a product wrong, then you should take the blame. For instance toasters do not work in a bathtub, yet if the toaster company does not have that specific warning on the label, they can be held liable. Bah!

Yes, this is a hot button issue with me.

Re:OT: Re:How about driver's licenses?

[Texas+Rose+on+Lava+L]

It might be a good law (there's not a lot of evidence either way), but almost all of these laws ban using a hand held cell phone while allowing hands-free cell phones. Some studies have been done that show that hands-free cell phones are just as distracting as hand held phones. In other words, it's talking to another person that's the distraction, not holding the phone. To me. this means that none of these laws has really been thought through very well, and we should wait until we know what we're doing before we go around passing a bunch of laws that may or may not actually do anyone any good.

Sometimes poorly thought out laws can accomplish the opposite of what they were supposed to accomplish. A while ago, someone proposed banning infants from sitting on a parent's lap on airplanes (and making the parent buy a separate ticket). Problem is, this would have caused a lot of parents to drive instead of fly (plane tickets aren't cheap), and driving is far more dangerous than flying regardless of where the baby sits on the plane. I don't think this one ever passed.

Re:OT: Re:How about driver's licenses?

you might be interested in overlawyered.com

Re:OT: Re:How about driver's licenses?

that should be overlawyered.com; I forgot the http://

Re:OT: Re:How about driver's licenses?

[boobsea]

What about just banning unsafe driving?

The cell-phone ban is just a "feel-good" law designed to make a people think that the government is doing something when all it is doing is just furthering its encroachments onto our own liberties.

What about banning eating while driving? Putting on makeup? Talking to the person next to/behind you?

You only think of the people who cannot drive responsibly with a cell phone but I've seen just as many if not more people who can use phones and drive properly.

Re:OT: Re:How about driver's licenses?

Anything that distracts your attention from the street (remember, you're moving) is to be avoided.

Anything that distracts your attention... such as the radio/CD/cassette, as well as other passengers. But most importantly: the ads that are visible from the road!

Re:OT: Re:How about driver's licenses?

And btw in police cars, firetrucks and ambulances there usually is a 2nd person and NOT the driver responsible for comm.

What fucking rich-bitch place do you live where they can afford to have two people to a car? I haven't seen this in twenty years in the SF bay area. Ever watch Cops on TV? How often is anyone other than the driver (and maybe) the cameraman in the car?

Re:OT: Re:How about driver's licenses?

[Greyfox]

Yeah and what's with that banning drinking while you're driving? If someone one a cellphone is as likely to be in an accident as you are if you're drunk on a fifth of Jack Daniels (And he is) then why the fuck can the cellphone person drive down the street yacking on his cellphone but I can't drive down the street hanging a bottle of vodka out the window? Life is so unfair!

CB Radio: You reach to where the mic always is, you pull it toward your face. You don't have to worry about the ear piece, and you mash a big button to briefly say something along the lines of "Watch out for deer at the 165 mile marker." or "Watch out for the drunk driver going south, currently at mile marker 9." Both of which I've heard back when I was driving as a large part of my job. Oh and also "The coffee in that titty stop they've been advertising for the last 150 miles is $10 a cup." All very pertinent information to the task at hand, I think you'll agree.

Re:OT: Re:How about driver's licenses?

[webtre]

crap post
dilbert rules
shut up

Yes, by all means, lets do it....

[Seraphim_72]

I mean, after all nothing will break the system faster then requiring those nasty Apache, Kernel, and mySQL people to become registered - just to have thier products used in the enterprise.

Licensed developers != secure

[Rosco+P.+Coltrane]

Would OSS have to be writen entirely by licensed developers to be considered secure?

I'm sure glad the DHS steps in and prevents all those 1ee7 uncontrolled hackers from creating evil unlicensed, software that aren't secure.

Why do I always picture half-drunken bar patrons reinventing the world in front of a beer when I hear about the DHS talking about things they don't have much of a clue about?

Re:Licensed developers != secure

Didn't somebody working for "aren't" get his password sniffed, and weren't "aren't"'s servers compromised because of that (and a rootkit)?

Re:Licensed developers != secure

in "evil"'s kernel)?

Re:Licensed developers != secure

And licensed developers would have done a better job because ...?

Trusted Computing

Wait, I think I didn't like these licenses the first time I saw them...when they were called MCSEs. We have competent MCSEs and incompetent MCSEs -- did that piece of paper really make that much of a difference? Probably not. Nor will any of these licenses in the future.

As for software itself, don't EULAs pretty much indemnify software companies from any oopsies they may have put in their programs?

If you want to secure your software, coin a catchphrase...say maybe "Trusted Computing" and then send oodles of press releases about retraining your engineers to hunt down buffer overflows and stuff. Then proceed as you were before except when people find bugs, you say "see, we're finding them!"

"Licensing" == "Certification"?

[mrkurt]

Quite honestly, the SD Times article told me nothing about what they're really going to do about improving security in applications. You could substitute "licensing" in that article for "certification", as in some vendor's certification of developers. Then, it looks like a useless measure of what that person knows about security. If, however, it is more of a civil service exam, and they're going to test for knowledge of how to write secure code, then it would make a lot more sense.

I'll Nazi Myself

[roninmagus]

I meant "undue government control" and "yet again shifts"

Sad thing is, I previewed!

:)

Trends are fun

[DroidBiker]

In the near term if they adopt a licensing scheme the first iteration at least will be something like the programming language Ada.

The US military brass decided at one point that it would be great if all of their software was written in one language. They forned a comittee to design what they wanted. Ada was created and various military agencies started insisting on its use.

The problem was that what they designed wasn't flexible enough and over time Ada became less and less important.

Licensing will go a similiar route. The government will spend millions on a comittee to come up with requirements for a standard software engineer license. Then they'll find out that their licensed folks STILL screw up and eventually it'll become less of a big deal.

That being said, if software engineering licenses come into existance at the federal level you can bet I'm going to get one.

Two questions

[hdparm]

Does it mean that software created by those same developers, now licensed, in the past is now cleared? Are they going to hold developers and engineers accountable even if they're forced to produce code based on inherently flawed design, driven solely by profit and questionable business practices?

Watch what happens

[lildogie]

when the next dozen Microsoft "critical vulnerabilities" come out.

Who wants to bet that Microsoft gets some kind of exemption from the revocation of licenses due to poor design and coding?

Security through Obscurity and Contracts for OSS

[Sensitive+Claude]

The concept of reverse engineering just doesn't occure to politicians and people in management.

They don't understand how it is even possible to be more secure though good mathematics than hiding the code. Heck, I've even talked to some system admins that don't understand these concepts.

Does this mean that OSS cannot be considered secure but the government? Well, companies can still represent OSS, like Red Hat. So if Red Hat gets a license for a project and uses OSS, or something modified from OSS then they are responsible on how that has been licensed to be used.

Who do you think has a better chance of writing secure software: Microsoft or Red Hat?

They both have CEOs and they can both sign contracts.

GPL??

[Lehk228]

Does this mean that programmers can put themselves under the GPL to be considered FOSS developers? and would this circumvent anti-cloning laws and human genetic engineering restrictions to have people under the GPL?

Re:GPL??

[shis-ka-bob]

If you have a Beowulf cluster in Soviet Russia, you seem to have a working time machine. In step 2, ??? = invest heavily in tech stock and dump it before the bubble bursts.

This will provide a nice infrastructure for DRM.

The upcoming operating system and hardware lockdowns will require programmers to work on their internals who can be trusted not to give away the store. What better way than to require them to be licensed and submit to a background investigation before being allowed to work on the legally mandated "trusted" platform?

There'll be jobs to be had, but not for those with Slashdot posting histories advocating the "theft" of intellectual "property."

~~~

Will this help with our outsourcing problem?

[samdaone]

If this if for homeland security does that mean the only people who can be licensed are US citizens native to this country? If so, that may help with our outsourcing epidemic.

Re:Will this help with our outsourcing problem?

Yup. The same way licensing engineers has stopped companies from bringing in engineers from overseas. Oh, wait.

~~~

Re:Will this help with our outsourcing problem?

[Evil+Pete]

Don't bet on it.

One problem with this scheme is that since programmers are now accountable then they and their companies are likely open to lawsuits. Which means developing software in the US becomes very very expensive.

Even if there are no lawsuits the sudden reduction in available programmers (just how quickly can all those current developers be licensed anyway?) means salaries go through the roof and many developers are unemployed and suddenly a lot of software becomes vapourware for the next 5 years. Ok, yeah exagerating a bit, but not much. I'm not an American, but I can't seeing it doing the US a whole lotta good. So many talented developers would be too young too broke (how much does licensing cost ?) or not have the experience / quals to get a license.

Its a dumb idea.

Re:Will this help with our outsourcing problem?

[An+Onerous+Coward]

Two words: Malpractice insurance.

This would drive the costs of coding way, way up, and presumably speed the movement of jobs towards India.

Re:Will this help with our outsourcing problem?

[El+Cabri]

You're right : in my opinion licenses should require all of the following:
- US citizen
- born in the US
- currently living in the US
- registered Republican
- $500 donation to "Jeb Bush for America 2008"

Regular church going would be a plus, but optional. The license granting ceremony would involve an oath on the Bible though.

Why the license idea doesn't fit.

[rice_burners_suck]

Would OSS have to be [written] entirely by licensed developers to be considered secure?

As the past owner of two different businesses and the present manager of a mid size company, I can confidently say that the answer is no.

This is very simple. Over the years, I have hired a wide range of different people to work as programmers. I had everything from masters degree programmers with 20 years experience to kids out of school who do it as a hobby. In all cases, what determined the success or failure of the project was not the qualifications of the programmer. I had masters degree programmers write such gibberish that multi-hundred-thousand dollar projects were cancelled. I had masters degree programmers who did a marvelous job. I had some kids code up another product that worked so beautifully that it only made the company money. I also had kids who did a crappy job and the project failed. In other words, success or failure is determined by results, and nothing else.

Returning to the above question, software is considered secure if it is tested for vulnerabilities and is found to be strong against attempts to break in. If the programmer has a Ph.D., that's all nice and pretty, but it means exactly Jack Schitt. The results are the only thing that matter.

Therefore, I think this committee should not waste its time with issues like licensing, because that will only create more bureaucracy, more fees, and entire administrative efforts... and it provides no guarantees of success. They should figure out a way to measure the reliability of a piece of software (reliability is the parent category of security, because an insecurity reduces reliability). They should make up some guidelines for how mission critical systems should be judged and tested. Perhaps they should recommend that the government should hire its own crackers to constantly look for and help fix vulnerabilities. Because security isn't a one-time thing. "Let's license programmers and the problems will go away." It doesn't work like that. Like everything else related to management, in security, the only constant is change.

Re:Why the license idea doesn't fit.

>>more bureaucracy, more fees, and entire administrative efforts...

But they LIKE such things!

>>...and it provides no guarantees of success.

But it DOES provide somone to BLAME!

Re:Official New Years 2004 Slashdot Party Thread!

Hello from New Zealand... Uggghhhhh I have a nasty hangover... slept till noon... this sucks. What, it's still 2003 in America? You guys need to catch up to the rest of the world; getting rid of that dipshit Bush would be a good start.

The mindset isn't there yet

Everyone (and especially developers) wants functionality over consistency or predictibility. If that functionality conflicts with something that came before, then it just creates more job security to understand the nature of the interplay.

The worse the systems and languages become, the more "flexibility" is needed to keep the card tower from falling. Side effects are a basic fact of everyday computer use. Bad security is one such manifestation.

Microsoft is paying the price now, but open source is equally guilty of creating a mess. Most of the problems that plagued me 10 years ago still there wasting my (and others') time. How do you get truly robust and secure when the basics never solidify.

This is the silver bullet

[RealProgrammer]

... syndrome. Lawmakers always want something that sounds good, looks good, and will make them appear to be addressing the problem.

The conceptual framework they're working under is wrong. They assume that a single person is the author of a program. Maybe some programs have just one author, but most have several. The main, lead programmer, who is typcially the copyright holder, may not even look at every line of code in a program.

The bit about a culture shift is valuable. Projects should be built with security in mind, using basic principles (least privelege, minimize scope, check your loop bounds, etc.) that are, coincidentally, good programming practice.

But the culture shift that's needed is away from blame-based analysis of security failures and toward cooperative assistance. That shift is assisted by opening source code. Licensing programmers will tend to accentuate the blame attacks when bugs are found, and will provide incentive to hide them.

No program is bug-free. No committee of Licensed Gurus can eyeball scan a progran and find all its bugs. It takes running the program in real-world situations to find some (most) bugs. Licensing the programmer will not decrease the number of bugs in a given program.

Lawmakers would do better to simply stay out of the matter entirely than to introduce bureaucracy for the sake of appearance.

Re:This is the silver bullet

[Tim+C]

The main, lead programmer, who is typcially the copyright holder

Often not - if it's a commercial piece of software, then the company will be copyright holder.

Licensing programmers will tend to accentuate the blame attacks when bugs are found, and will provide incentive to hide them.

Agreed. A licencing scheme is all but meaningless if, once a licence is obtained, it cannot be lost. Therefore, it will be in a licensed programmer's bset interests to hide any such bugs, for fear of losing their licence.

No program is bug-free. No committee of Licensed Gurus can eyeball scan a progran and find all its bugs.

Again, agreed. Writing bug-free, non-trivial code is, imho, impossible in any realistic situation. The best one can hope to do is minimise the nmber of bugs, and fix the rest quickly.

Re:This is the silver bullet

This idea of licensing software "engineers" is absolutely sickening. I don't see government solving problems but rather creating new, larger and more intractable problems. Even "common sense" laws such as licensing beauticians, lawyers, doctors, truckers and so on does not do much except transfer power to the government and to select groups who are not elected by Americans. Anyone voted for the people running the Bar Association or the AMA? Anyone actually paid a hospital bill out of pocket recently? If things are so much better with regulation then why don't prices decrease? If giving more power to the government is so great why is the U.S. going bankrupt and maintaining troops in more than 100 countries -- the Federales cannot even manage one country, much less the world, and certainly not programmers!

yes!

[The+AtomicPunk]

This is EXACTLY what we need, a government bureacracy created to step in and solve all our problems, just like they have in every other area.

Lord knows when you hire a licensed contractor, nothing will go wrong.

Instead of those "Licensed contractors build confidence" bumper stickers the union thugs put on their trucks, they should put:

"Licensed contractors build artificial barriers to competetion and inflate prices unecessarily while slowing everything down jumping through government red tape."

"only approved software"

[nurb432]

Isn't taking as long as i expected for the HSD to get involved. :(

I guess my prediction of 5 years out before all software is controlled, licensed and restricted may have been a bit optimistic.

Don't forget, hardware will go this route too in order to "be secure"... ( I.E. mandatory DRM )

First get 'corporate' acceptance of the concept by snowing them enough, then put it into law

Licensed review

[iamweezman]

It seems that licensed developers would only have to mark up open source code a bit, review it, and then implement it in a smaller business setting. On a national level licensing developers will be a minimal cost.

The Dark Side

There is a side to licenced software engineers that most people don't consider. Just like other licenced professions, you would be personally i.e. financially responsable for bugs in your code. Is this a good thing? On one hand, it would certainly improve code quality across the board with developers having this in the back of their mind. It would also do interesting things to exporting software engineering jobs overseas, but I am sure there are loopholes there. On the other hand, considering the environment the average S.E. works in and the nature of software itself, bugs exist. Until the legal shakedown, the ugly fact that it is impossible to write bug free code will cause many developers to get squished, especially since the current job market won't let you negotiate for your employeer to take up this legal burder in most cases.

Don't hurt yourself

[snkmoorthy]

The software world doesn't revolve around the US of A or for that matter the Homeland security department.

Security holes, etc.

[k4_pacific]

In the Yahoo! article, all of the companies mentioned except Microsoft use, sell, or support Linux/OSS systems. As such, they are not likely to lobby in favor of Microsoft-style security-through-obscurity. As for licenses, the question really depends on the penalty for practicing without having one. Will it work like the MSCE program, where you can still write MS code without it? Or will it be like a driver's license, where you can be penalized for practicing without it? If its the former, then I don't really care one way or the other. If its the latter, I think it will cause a lot of hassle without any real results.

Also, one should realize that many security holes are caused by bad design choices outside the control of the lowly programmers who might be penalized. Consider this example:

In MS Visual C++, the *.h files are writeable. Therefore, it is possible to create a (very slow) worm using #define macros. They could "hook" various functions to add worm code to the *.h files when ran on another machine with Visual C++. Thus, executables compiled on that machine have this "feature" as well and can spread the worm further.

static int infect_headers()
{ /*
Should contain code to somehow insert a copy of this function and the below #define into this header if its not already there. A quine implemented in a header file?
*/

return 0; // always
}

#define strlen(x) (infect_headers() + strlen(x))

Note that the C Preprocessor and compiler works as designed here. The problem lies in the idiotic decision to make the header files modifiable by anyone.

Re:Security holes, etc.

what the hell are you talking about?

I'd be fucking pissed if my development tools didn't let me modify the headers

Re:Security holes, etc.

[m_pll]

The problem lies in the idiotic decision to make the header files modifiable by anyone.

Huh? VC installs headers, libs etc under %programfiles%, which means you have to be an admin to modify them.

Re:Security holes, etc.

[k4_pacific]

The headers don't get modified at compile time, they get modified when a tainted program is run, which could occur when logged in as admin. So, even though I was wrong about the file permissions (I thank you for pointing that out BTW), this is still a theoretically possible (albeit highly ineffective) way to propagate a worm. I didn't say that this would work particularly well, just that it could work.

Also, on a less-related matter, if you don't want to write a quine-like program in the header, you could have the macro-inserted function download and run an executable that modifies the headers for it. With sufficient obfuscation and preprocessor abuse, this worm could be weaved amongst the reams of macros and definitions in the windows.h include tree, effectively making it invisible without close scrutiny.

Sounds Like a BAD idea

To put it simply, to make software developers liable for security breaches is the same thing as making the manufacturers of Locks and Burglar Alarms liable for beakins and theft.

If you really want a secure computer, keep it unconnected to anything else and in a faraday cage with only one operator allowed and 3 armed guards to prevent others from accessing it 24hours a day... Total security is unfeasible, in the brick and mortar, or the software field.

Paid more for free software?

[phliar]

I can only speak for myself: but why should I believe that some yutz who took a Kaplan's or "ITT Tech" course and passed a US government approved class is going to write decent code? I think the odds that Theo is going to take a licensing exam of a different country are exactly zero. Will that magically make OpenBSD less secure?

The proof of the pudding is in the eating, and free software has done pretty damn well on the security front. If some pinhead executive wants to pay for "confidence" -- well, I'm sure someone will be happy to take that money off him.

And getting paid more for jumping through silly hoops when you're writing for free? How much more? 10% more than zero is -- zero. The whole thing is silly.

MOD TROLL DOWN!

OMG look at his Sig! KNOWN TROLL BEWARE! Mod Down!

Re:MOD TROLL DOWN!

Poop.

Hmmmm ...

[pherris]

"Licensed developers would get paid more as well."

Yeah. Sure. That's why programming jobs are leaving by the US by the boatload, so we can license and pay programmers more. So that would be 15 offshore programmers instead of 10? This will just drive more companies out of the US.

Blaming the developers?

[Crypto+Gnome]

Here's a summary of the plan.

• A software developer (ie a programmer) gets licensed
• works on a project for (name some large company)
• company management provides direction for the programming efforts (as they do)
• software is iunsecure by design, due to management decisions (happens now, and the plan changes nothing here)
• software is finished
• ....marketed
• ....purchased
• ....deploye d
• ....ends up killing over 10 thousand people for some trivial reason
• programmer takes 100% of the blame; firing squad at dawn
• company/management who made the decisions which introduced the lack of security get off Scott Free; zero legal consequences of their stupidity

Or am I misunderstanding the whole point of the exercise?

Re:Blaming the developers?

Or am I misunderstanding the whole point of the exercise?

NOPE... I think ya purtty-much gottit!

Re:Blaming the developers?

Or am I misunderstanding the whole point of the exercise?

And the next line should read: PROFIT!

EAL Certification

[omnirealm]

Let us not forget that the IBM Linux Technology Center has certified a Linux distribution (SLES 8) under the Common Criteria Evaluation Assurance Level 2, and they are currently working on EAL 3. This qualifies a Linux distro, composed largely of Open Source software, to take part in bids on certain security-sensitive government contracts. This sounds just like the kind of assurance that this security task force is looking for.

What does the "Incorrect Date" say about

[rusty0101]

the journalistic integrity of the host of this article. If they are proposing, or even carrying the message, that programers be "licenced" and held accountable, should they not be held to the high standard of having accurate dates on their articles?

Note that this sounds fairly familiar, in that I think we have heard suggestions quite similar coming from the northwest coast of the US. I also note that the vast majority of exploitable code comes from that region of the US as well. (Ok, the vast majority of code on the market today comes from there, but that's only part of the issue.)

At the same time, I don't think Microsoft really wants to play that game, as I am pretty sure that they are aware that they would then becmoe liable for bugs and faulty security decisions in their own software.

But that's juse my opinion. I've been wrong before.

-Rusty

Re:What does the "Incorrect Date" say about

[Ohreally_factor]

You mis-spelled "licensed". Should I be questioning your integrity?

Re:What does the "Incorrect Date" say about

[Maserati]

If you're gonna flame somebody for spelling, be sure and hit all of the misspellings.

New for 2004, the Flame Flame.

Re:What does the "Incorrect Date" say about

[rusty0101]

Sure. After all I obviously have an axe to grind, and if I can't be bothered to check the spelling before posting, there is no sense in worring about whetehr I ever got that axe sharpened. Right?

Re:What does the "Incorrect Date" say about

[Ohreally_factor]

I should have put a smiley in there. I was just poking fun at your notion that the error you mentioned somehow transgressed journalistic integrity. If we're going to attack someone's integrity, let's not do it on the basis of such errors. At worst, we can point out the website's sloppiness. So tuck in your shirt before we get modded down.

AFAIK, I have no reason to question your integrity. AFAIK your integrity is just fine.

Re:What does the "Incorrect Date" say about

[rusty0101]

No problem. My response should have been taken with a grain of salt as well.

This is nothing but extending Palladium to people

[Pepebuho]

Licensing Software professionals and holding them accountable for software security is the Palladium concept applied to people. Once you have to license "software engineers" in general, you will have them digitally signing their code and then only software duly signed will run on your Palladium Computer. Otherwise, your computer might run (gasp!) pirate code!
I am assuming the compiler will digitally brand your code with your signature, in order to find out who wrote the "unsafe" code that was breached.

Moritz has NO CLUE

[Crypto+Gnome]

Moritz suggested that a sort of class system of programmers might emerge, with those creating the mission-critical applications needing to be licensed and perhaps even bonded, but also more highly paid. Those licensed professionally would be held accountable for their work, such as for security breaches to critical systems.

"We license civil engineers to have confidence their bridges will support a certain amount of weight over a certain period of time. But is it bomb-proof? We need to define software in those terms," Moritz explained.

Ok, an interesting point, except that there's NO commonality between the two situations

• A civil engineer is responsible for the design
• a programmer is always responsible for the implementation of software, and not necessarily the design

You would sue the engineer for bad design. Engineers don't actually physically build anything. They design things for construction workers to build.

If the implementation failed, but wasn't built to his design, it's not his fault.

Moritz specifically named programmers. When was the last time your job as a programmer was 100% design and 0% implementation.

Re:Moritz has NO CLUE

[El+Cabri]

There's no technical separation between design and realizaton of software. What you call implementation is just a further refinement of what you call design. Even what the compiler and linker do automatically is just a further refinement of that, in a continuous process.

Re:Moritz has NO CLUE

[Crypto+Gnome]

Ahem! Meanwhile back to the point I was making which you so blithely ignored.

You can sue the Engineer because he's wholely and solely responsible for the design, said design being a thing entirely and completely seperate from the implementation.
That's essentially the definition of his position the person who is personally accountable for all aspects of the design.

A programmer is (more often than not) neither wholely nor solely responsible for the design (management tells him at least some of the design direction).

Also, as you mention, design and implementation blur their boundaries in the programming universe.

How on earth are you going to identify exactly and in all cases that "such and such program" was insecure by design, as opposed to some funky issue as a result of implementation (eg compiler bug, core screwy-ness in some [other, third-party-provided] linked library, etc).

But really, why should we care. Ths will *never* become reality.

They'd have to either (a) fire all Microsoft Programmers (b) certify all Microsoft Programmers --- and have them re-write ALL the software at Microsoft.

Why would OSS change?

[Dalroth]

Why would OSS have to change? OSS is what it is, proof that collaboration, cooperation, and openness will eventually lead to a much better product. It doesn't matter a single iota what anybody legislates or says, if we keep building software better than everybody else eventually everybody else WILL buy into it.

Bryan

What if...

[deepvoid]

What if the only people who will get licenses are those who work in other coutries under outsourcing conditions? Hmmm... Sounds fishy to me. Hardly secure is Ishmeal of hamas has a better chance of getting an engineering job than an American or Brit.

Re:What if...

[El+Cabri]

For what I know, the hamas is not responsible for MS products. I just know that the words algorithm and algebra originated in the Arabic language.

Re:What if...

[Ohreally_factor]

Correct. Alogorithm is Arabic for "The Gorithm", and Algebra means "The Gebra".

No, I didn't stay at a Holiday Inn last night. What tipped you off?

right ...

are you in the same crowd that told people to move away from openssh in favor of lsh?

oh yea, that's right ... the openssh vulnerability for which there were no exploits. *gasp* you say! there was one! alas, it was a trojan.

yes, let's move to lsh ... for which there was a working, public, 0day remote root.

or do you recommend qmail? yes, djb, who, after 5 years, has still not paid the bounty he has promised for exploits. they are there and they are public.

The blame game

[k12linux]

license software developers and make them accountable for security breaches

How will these licensed developers be held accountable? Lose their license? Have points awarded against them (as is done with driver's licenses in many places?) Will they face fines? Jail time?

Exactly who will be willing to take personal responsibility for a security breach? How many new legal cases will come up trying to prove that a breach is the "other guy's" fault? "We'll show, your honor, that it was the 'evil bit' hidden in the compiler that caused the security hole!" I suppose we'll see programmer malpractice insurance not long after too.

Would this mean we could go after MS for monetary damages? Somehow I doubt it. Would MS's recourse be to say "Don't worry, that developer has had his license revoked."?

This whole thing seems like a big CYA bid. Just make sure someone else is available to blame. Seems like they are saying, "We can't blame the hackers because we can't find them. But don't worry, you can blame the programmer now."

Regardless of the intent, I don't see this doing a bit of good for security. People with real talent, but who want to reliable income will shy away from a system which they could easily be responsible for damages, or alternatively lose a license to practice their trade. I have a wife and kids... no matter what I think of my skills, if I'm at the mercy of every hacker out there I'll find another field.

So, the result will be that it will become very HARD to hold someone responsible. Action, if ever taken, will be only in events of gross negligence. Security *may* improve short term. But, if we drive out all but the risk-takers I suspect that security will go down and the quality will go down too.

In the end I just see an institutionalized profession which hasn't given us any real benefits.

This seems like just another knee-jerk-silver-bullet attempt to fix an embarassing problem. Why do I picture a meeting somewhere running late and somebody jumps up saying, "Hey, I know! We'll license programmers and hold them responsible for breaches." Followed by, "Yeah, and licensed programmers will get higher pay, so there is an incentive right there!" Then "Discussion? None? All in favor..." And whispers of "Great.. I'll be home in time for dinner tonight!"

Re:The blame game

[Jerf]

Exactly who will be willing to take personal responsibility for a security breach?

Slashdotites, esp. those of you young'uns developing a budding anti-corporate stance, this is one reason why you should consider being more nuanced in your opinions. Huge multi-nationals may be evil, but consider the flip side. Would you be willing to work somewhere where you are going to be held personally financially liable for your mistakes? Which, since you are a programmer and the first person in line to blame for multi-million/billion dollar "glitches", even if it was really "user error" elsewhere, will most likely happen to you?

"Corporations" are a good idea, as liability sheilds. Without them we'd all be too terrified to work, and that does nobody good.

This is also one of my canonical "second-order effect" arguments. Making people personally liable sounds like a great idea... until you project the second-order effects of everybody being liable for everything and they all go get a "safe" job (whatever that may be). It's not a good idea, and we mostly seem to do OK without it, except in exceptional circumstances.

Re:The blame game

[Ohreally_factor]

How will these licensed developers be held accountable? Lose their license? Have points awarded against them (as is done with driver's licenses in many places?) Will they face fines? Jail time?

Nah, they'll just lose XP, and possibly go down a level. Repeat offenders might be forced to wear Bill's Cursed Ring of -5 Programming.

The author is clueless

[RedHat_Linux_Man]

Apparently the author is clueless recluse that has never heard of or used OSS/Linux (which is surprising, considering the guy they were talking about comes from C.A.)

OSS fulfills every one of the criteria described in the article, if only there were some way to either get an OSS backer in a gov't position or to convince the US gov't to switch entirely to OSS.

"Java was the first language that emerged with security constants inherent," Moritz said. "Maybe we need to go back to the drawing board and apply science to the languages." <- this proves my point, the author is clueless.

I think NOT!

[BanjoBob]

I write some code for a particular application. It works perfectly there for that purpose. Then, some manager decides he wants it for an unintended application and runs it there. It fails miserably in that environment and I'm on the hook because somebody misused some software I wrote. NOT!

Also, if that same software is intended for a specific computing environment and that environment isn't configured per the requirements of the software and it then has holes all through it but I'm on the hook. NOT!

There is no way to make this concept work -- putting 100% of the blame on **ANY** security problem directly on the shoulders of a programmer or team of programmers who actually built a good program that was used badly.

This must have been suggested by a bunch of litigation lawyers or insurance companies. There are many industries that require all kinds of insurance to be in business (real estate, etc.) but those premiums are rarely, if ever used in actual practice.

I don't see any way to make what is described in the SD article work in real life.

MOD PARENT UP!

Who the fuck modded this as troll??

Re:MOD PARENT UP!

Grandparent's post was cut and pasted! The Trolls are rubbing it in our faces!

Re:Official New Years 2004 Slashdot Party Thread!

[spicedhamhawg]

The trouble is, no better dipshit has stepped forward to be a candidate, so he'll probably being going back for another four years.

And anyway, he killed a lot of terrorists, will no doubt kill a lot more before his term(s) as president end(s), and ousted Saddam Hussein, so he's not all bad.

States' rights?

[Burnon]

So, leaving aside issues of whether or not this is a good idea, are states' rights being encroached upon with this idea? States currently license engineers as they feel its necessary - why would software require federal licensing? Engineering is engineering, whether your twiddling bytes or blocks.

Re:Do they not get it? "HACKERS!?!"

"CRACKERS", if you please....

It's possible, but expensive

[Animats]

This is incompatible with both the Microsoft business model and the design of Linux. But it's not impossible.

We could, in theory, have secure message-passing microkernels enforcing a mandatory security model running on secure machines with machine-checked proofs of correctness of both the code and the hardware at the VHDL level.

But every project to build such a thing has produced only a toy OS. All the verification projects are dead. C and C++ are hopeless for code verification. Java isn't really suitable for a low-level OS.

I worked on proof of correctness technologies in the 1980s. We didn't have enough CPU time for program proving back then; it took about 45 minutes on a VAX 11/780 (1 MIPS) to do the proofs for a 1000 line program. That would equate to about three seconds today. In a real proof environment, you're doing this about as often as you compile, so the proof process has to be reasonably fast. (You can cache quite a bit, though, and save time on reruns.)

But all this is stuff so far in advance of the crap we have today that it's not worth doing. We don't even do obvious things like run browsers in jails, with a connection to a window and the net but no write access to anything else.

That's why I got out of security years ago.

Another proposal by those that don't understand

[TheBigx00FF00]

This goes back to the digital sigs for website shop front ends, and "signed" ActiveX controls etc. First off, just because something is liscensed, doesn't make it trustworthy. More problems will arise from people nievely trusting applications that have the "It's secure" sticker on it, instead of doing what they can to understand the application and it's proper implementation. Secondly it would destroy the market for developers who refuse to conform to, or cannot afford "liscensing". MANY useful and integral applications, especially for non M$ platforms, rely on people making improvements and fixes in their spare time. Who's going to be willing to submit a quick hack to fix a problem if they might be liable for the result? Hell who's going to code anything for free?? I'm certainly not willing to make myself personnaly liable without any monetary compensation. For legal fees if nothing else. Htf am I going to know that when my obscure software is compiled on the 2.9.4 kernel years from now, it creates an exploitable condition?? Going back to the first reply, the platform the software is running on makes a HUGE impact on it's security. How am I going to develop an application on a platform with an inherantly flawed API subject to hijacking etc? How about physical security issues? What if a compromise occurs on a machine, that resulted from say a hardware keylogger ($40 from thinkgeek), or a disgruntled employee? Must I bear the burden of proof that it was not my application but one of these or a host of other issues that caused a compromise in a system running my software? It's just a plain bad idea, poorly formulated, and not very well thought out. It's the "higher ups" deciding to place the blame on the developers, and remove personal liability from themselves.

Re:Another proposal by those that don't understand

[TheBigx00FF00]

and damn my browser extension for "sanitizing" the post request and stripping the [p]

Wrong (partly)

[fw3]

The conceptual framework they're working under is wrong. They assume that a single person is the author of a program.

The framework they're working under is that of Engineering practice. When a PE signs off on a job (s)he was no more the sole author of the work product than a software development lead or architect is the sole author.

Is software practice generally anywhere near ready to be held to the kinds of standards applied in structural/civil/electrical/chemical/... engineering practice?

Hell no, it's a no-brainer so in the send of today's standards of quality no this isn't a solution. Also 'software construction' (in general) is far too busy adding (mostly marginally useful) features, generating complexity, generating bugs.

That reality, however does not imply that this is the only way it can be.

100 years ago explosions of steam boilers were not uncommon and our understanding of material science and structural design had some very large holes. Today there are very conservative codes restricting steam power design and PE's who work with these things are required to meet / certify those codes.

Iff the only way to begin to hold software to a similar level of quality requires establishing a PE-stamp for software, then the lawmakers may well come to require same. They don't any more care how it happens then thier predecessors did about setting up the current system of PE licenses, all they care about is getting results and ultimately that will have to mean assigning liability.

That could come about thru several approaches, the point I think is that when (not if) it happens there will be a lot of pain in the process, because the currently sloppy standards of quality in software design will have to go.

So I don't think it's a matter of whether or how but of when. And the pain will probably be felt across all sectors.

Frankly, however by the time any practical progress is made I think OSS will be an even more deeply embedded part of the landscape. I for one hope we're succeeding more in improving actual code quality and less on 'looking like windows' which seems to be the current trend in many OSS systems.

Re:Official New Years 2004 Slashdot Party Thread!

Spoken like a true bandwagon liberal...

Hillary in '08 right? Right!! LOL

We have licensing for other professions

I dont see what the big deal is, we have licensing for other professions doctors, lawyers, and also engineers (often times you need to be licensed to do government contracts). If implemented correctly it keeps out less qualified individuals ie hacks and kiddies who can write barely working code that is full of holes and keeps good programmers employed.

IS IT WRONG TO THINK YOSHI GIRL IS HOT???

Professional Licensing a la Architects/Engineers

[R2.0]

The way licensing works in building design and construction basically boils down to the idea that some SINGLE PERSON holds responsibility. Building codes require that construction documents be stamped by a professional architect (or engineer), whose qualifications are also set down in state law. That person:
- Is responsible for the design complying with codes (also set in law)
- Bears legal responsibility for errors and omissions, for which insurance is carried.
- Does NOT have to be the person drawing the drawings or writing the specs. But if they are screwed up, it's his ass on the line, not his flunkies. It's up to him to discipline his people.
- Is NOT required to design every little thing. There are situations where local building codes do not apply, and therefor the drawings do not need to be stamped (some federal and military construction projects come to mind)

Why can't this work with software? Lets assume the Feds and State gov'ts require that ALL software purchased by them must be "stamped" by a licensed developer, said license to meet the requirements of etc, etc.

If some entity (individual, corporation) wants to sell their software to the gov't., there must be a "stamp" on it. That means that some INDIVIDUAL PERSON is saying "It complies with the codes (design practices?) under which it has been designed. That person carries the insurance, and can be held legally liable if something REALLY BAD (tm) happens.

Proprietary Source: Company M makes an operating system that they want to sell to the Gov't. Company M has a few individuals with PSD (Professional Software Developer) stamps who are the development team leaders. Company M pays their professional licensing fees and insurance. The PSD may not have read a single line of the code in question, but if he stamps it, it goes out the door. Company M pays out the ass for insurance, because the insurance company can't see the code, and therefor is taking a big risk. Cost of software is high. As for non-Gov't customers, Company M is in a quandary: either sell only the PSD stamped version with all the insurance load, or sell a "secure" version and a ... well ... "not so secure" version. They can't say that they are the same, because they can't prove it without opening the source.

Open Source/GPL: Mr. L has an OS that the Gov't wants to use, but Mr. L isn't a PSD and doesn't want to be. So the Crimson Chapeaux Company says "Hey - OUR PSD will stamp it and we'll carry the insurance." Insurance is cheap because the code is right there for review. Also note that The CCC is not *selling* Mr. L's software; they are selling the service of providing a real live person for the Gov't to go after if something bad should happen. In the meantime, non Government types that want to use Mr. L's OS don't have to pay for the PSD stamp, but they get all of the benefits, because there is no difference between the PSD stamped software and non-PSD stamped.

This could work, folks.

Who do they blame?

[gilesjuk]

Programmers of designers?

You could argue that buffer overflow hacks are partly the fault of the CPU since Intel and PPC chips can't fully protect against buffer overflow attacks (when using OpenBSD).

Immature discipline

[sjames]

Consider the many centuries we were building buildings before we had anything beyond a few guestimated best practices to assure that they wouldn't fall down. Eventually, the field matured and we figured out how to calculate the strength of a building in advance. Even then, it is only reletivly recently that we could do dynamic simulations. In spite of that, we still have mishaps.

Furthermore, we STILL are not at the point where we can guarantee that a building will hold up under attack. In fact, we are certain that ANY building can be destroyed using explosives. In fact, any device we invent can be destroyed and in turn cause destruction when deliberatly used contrary to it's design.

At the same time, there are levels of vulnerability that are clearly substandard. Buildings must not simply fall down in a light breeze and cars must not explode when you start them.

On the basis of that, licensing and liability will need to be restricted to a very small subset of applications, and they will be very expensive. For the same reason that most of us don't have bomb proof cars, most software will not be built to that standard.

The other case would be grievously stupid design decisions such as having email from anonymous strangers be executable or using gets for a publically acessable interface.

Re:Immature discipline

[Alex]

Consider the many centuries we were building buildings before we had anything beyond a few guestimated best practices to assure that they wouldn't fall down. Eventually, the field matured and we figured out how to calculate the strength of a building in advance. Even then, it is only reletivly recently that we could do dynamic simulations. In spite of that, we still have mishaps.

In the past buildings were massively over engineered, because the engineer wasn't sure what the tolerances were. Witness Isenbard Kingdom Brunels arches, still in production use 170+ years later or Sir Christopher Wren's dome at St Pauls in London.

It isn't until recently that engineers have been able to not over engineer things. This however means that things don't last as long, for example Christopher Wren never knew that the area St Pauls was going to be bombed in 1942/3, but it survived (possibly due to the over engineering). Would modern buildings have survived? I'd say unlikely.

Alex

Re:Immature discipline

[mpe]

In the past buildings were massively over engineered, because the engineer wasn't sure what the tolerances were. Witness Isenbard Kingdom Brunels arches, still in production use 170+ years later or Sir Christopher Wren's dome at St Pauls in London.

IIRC there are Roman bridges which are still in use.

It isn't until recently that engineers have been able to not over engineer things. This however means that things don't last as long,

Even all this engineering knowlage has not stopped buildings failing. A massivly over-engineered structure will most likely stay up even if the materials or construction is a little substandard.

Re:Immature discipline

[sjames]

Some of the massively overengineered buildings are still standing. We don't think about or even necessarily know about the ones that didn't make it. Think about all of the shacks, cabins, and hovels that did collapse over the centuries leaving no trace that they ever existed. For every bridge, aquaduct, and cathedral still standing, there are thousands of cabins, footbridges, and other structures that are gone without a trace.

Even today, while we build skyscrapers to decent standards, houses are routinely destroyed by fires, floods, tornados, and hurricanes.

The solution is easy

[jkorty]

We will have good software the day software companies face the same kind of liability that, say, Ford faced for the Pinto exploding gas tank.

bad for workers

[Sivaram_Velauthapill]

Employers say that people will be paid more but watch everyone end up being paid LESS for not having the license, while those that get the qualification will get the same salaries as now.

How much do you want to bet that salaries will remain the same while employers only hire those that are licensed? Those that are not licensed will probably get paid less (becoming an underclass). There is nothing better to a capitalist than shifting risks to the worker (software developers are now liable) while not wanting to pay for it themselves.

Sivaram Velauthapillai

Half of his life?

I am forever the cynic. But why would a task force so important to the idea of secure software appoint a 21 year old "security researcher to chair? And he has spent half of his life working on Internet security? Since he was 10? Please! I am getting dizzy from all the spin.

Google likes program verification

[Animats]

Type "program verification" into Google, and you get a "Work at Google" paid ad.

The BSA is a member.

[qtp]

And we all know that with the Business Software Allaiance as one of there is no possible way this could lead to the effective outlawing of Open Source (not allowed to contribute if you don't hold a license).

In all likelyhood, any government regulation over development or licensing scheme for developers will only lead to protecting the high profits of a few of the largest vendors and hurt everyone else in the industry.

It's up to the Admins

I dont think it's the developers writing insecure software that's the problem. It's the administrators. An administrator by definition is the person who administrates a computer: takes care of it, keeps it running, is reponsible for it's well being. It falls on his shoulders to determine that his system is secure. The majority of admins today are STUPID. And, by stupid, I mean, knows nothing about a computer. Think your typical MCSE. Does he understnad what a BIOS is, how it could potentially load insecure software? Does he understand how a kernel works, how a program interfaces with a kernel, the signs when watching a packet trace to see a hack attempt?

THe majority of company's these days set up intrusion detection systems that are suppose to email their admin when they're broken into. And then the admin is suppose to press some buttons to get a printout of what happened. There is very little competent thought. An admin needs to know and understand that which he is admining.

He also needs to know and trust the software he choose to run on his system. It's his job on hte line. He is tasked with protecting a system. That is what he is imployed for, if he fails it, he's fired. In the OSS world, he should be a member of all the mailing lists of hte software he works for, he should have experience and understand it's inner workings enough to trust his job on it.

Licenses developers? No. That's silly. Developers just produce stuff. License drivers? Sure.

I think there needs to be a common software security standard, like the common criteria (but actually useful). The materials need to be free, and they need to be able to be applied to most software products. Something an admin can use to certify his own software.

Yes, I realize this is far from what our industry is now. The problem we have is people deploying software they do not understand nor know how to handle. Install IIS, install Exchange, click a few buttons. No thought given to what went on behind the scenes.

Car analogy: A mechanic gets a readout from the cars computer that "Everything is A-O-K", but there is a rattling when he turns the engine on. What does he do? He knows how the car works, so he determines the source of the problem.

I'll take it, on one condition

[Todd+Knarr]

That condition comes from the licensing of civil engineers, too. You have to be licensed to be a civil engineer, pass some fairly effective exams and all that. You can be held personally and professionally liable for screw-ups in your designs. But there's another aspect: you have control. If you're the civil engineer on a project and you specify that it needs X grade of concrete, that's it. If management tries to say "That's too expensive, build it using a cheaper concrete.", you get to say "No can do." and they can't argue. If they do, you make a phone call and the next day some gentlemen with badges show up to discuss the fines and penalties management is going to pay. If management fires you and uses the cheaper concrete anyway, the discussion will be about criminal charges on top of their liability, not yours, for any damages done because of their illegal substitution.

If licensing of software engineers includes everything that licensing of civil engineers does, including the "those who don't have the license do not get to overrule you on how the job gets done" provisions, it's IMHO a good deal. We ought to press for exactly that in licensing, because while companies would be highly allergic to it it'll play very well with the public. Think about public reaction when a structural failure turns out to have been caused by someone substituting shoddy materials for what was originally specified or otherwise not doing things the way the engineers said to do them.

Getting the certificate...

I wonder if it's going to involve having sex with a zebra...

Re:Getting the certificate...

[vacuum_tuber]

If that nightmare comes to pass it will be a license, not a cert, and it will more like having to have sex with an ill-tempered duckbilled platypus, complete with venomous barbs.

As a result it will select for people on some basis other than good programming, since a lot of good programmers wouldn't go near such a process. The eccentricities of many good programmers don't tend toward an affinity for senseless and stupid bureaucracy, and poison barbs are supposed to be on one's own tinfoil helmet, not on the hind legs of the furry animal with which one is trying to have sex.

How About ...

[Bunyip+Redgum]

How about Windows developers get a licensed, FOSS ones don't and we measure (objectively) whether that makes Windows have fewer security issues?

Re:Professional Licensing a la Architects/Engineer

[westlake]

Closed Source simply means limited distribution.

Company M can self-insure the first million, the first ten million, the first one hundred million of it's losses and never feel the strain. Company M is a tough negotiator

this is a good idea, except...

[Strych9]

I think it is about time that software creation was held accountable to a standard. If you could be thrown in jail for being sloppy, would you sign off on code you couldn't confirm?

Yeah right: Would you sign off on outsourced code? Would you allow management types try to bully you into approving something and just playing the odds? What happens when code from say somewhere outside the country is made almost entirely without any sign off, who then becomes responsible?

Another boondoggle

[ScrewMaster]

This is an attempt to divert attention from the real problem with software development, and for that matter business processes in general. Programmers and software engineers are, point-blank, not responsible for the quality or reliability of shipping code. Period. That responsibility lies with management, and the resources it chooses to devote to the initial design process (very important ... Microsoft didn't pay enough attention to this and is now paying the price in spades) and, just as significantly, to the quality-assurance cycle. Attempting to lay the blame for poor quality design and implementation solely upon the shoulders of the actual programmer simply ignores the root causes of poor software. The people that design software, and those that test it, are even more important to releasing a quality product than the programmer. However, the biggest problem that I've experienced in a quarter century as a software engineer is that management simply refuses to allocate sufficient time to initial design and prototyping. They want coding to begin as soon as possible after inception, and that often doesn't allow a good foundation to be laid before the design is frozen.

I'm tired of hearing how architectural and structural engineers are "certified", and the insipid comparisons made between this status and that of software engineering. The penalties for a bridge or building collapsing are extreme of course, and no-one would want an incompetent engineer designing such a structure. But what is lost in all this talk is the design review process that occurs long before anything is actually approved for construction. Yes, perhaps the design engineer is technically accountable for a flaw in his work (I don't know, I am not a lawyer), however in any major undertaking there are dozens of others responsible for validating and double-checking the design, and there is no way in Hell that that engineer would be considered solely responsible for a serious failure when a whole review team approved his efforts. Besides, that's what we have insurance for, anyway.

Given that corporate America has proven to be even less reliable and trustworthy than Microsoft Windows 98, I think we should start by certifying the business ethics exhibited by corporate executives and middle managers. Then let them pass tests that indicate an understanding of the software development process, and once that is done make it illegal for anyone in a marketing or sales department to influence software release dates. The programmers aren't the problem. Corporate America is the problem, and until the market decides that it is willing and able to pay for quality software no amount of legislation or governmental interference will improve matters one whit. Believing otherwise is naive or disingenuous.

Of course, it won't matter if the current trend in outsourcing continues, since there won't be any software engineers or programmers left to be certified anyway.

This can be good

[Eminor]

I can definitely see the advantages of being licensed and being having a professional organization:

1) We get paid more.

2) others not acredited can not do our jobs. For example, at a company I used to work for, an Engineer was programing. Now could a computer programmer do an engineers job? No Way!

Less freedom, and the rich get richer

[Angst+Badger]

I was reading the first volume of Alexander Solzhenitsyn's The Gulag Archipelago the other night. (For those of you too young to remember either Solzhenitsyn or the Soviet Union it describes, go read it. Along with 1984, it ought to be required reading for citizens of putatively free countries.) The section I was reading dealt with the purges of competing socialist movements once Lenin's party had consolidated its power. Political dissenters were at this time -- 1924 -- being tried by special tribunals, denied counsel and contact with the outside world, and executed, first by tens, and ultimately by the hundreds of thousands.

The official explanation for all this was the accused were terrorists who threatened the security of the motherland. It was Guantanamo Bay writ large, and once it picked up steam, it did not stop until, after somewhere between 20 million and 40 million state murders, the Soviet Union collapsed under its own sheer inefficiency in the early 1990's.

In the Soviet era, the most improbable things were tied to the idea of, as we say today, homeland security. If you twist the logic far enough, and people are either stupid enough or frightened enough, you can get away with claiming that the manufacture of cheese is a matter of homeland security. (And why not? It is a fungal product susceptible to both accidental and intentional contamination with biotoxins; an economic resource vulnerable to sabotage; it is produced by wealthy companies whose political allegiances might not be entirely healthy; and worst of all, it is a national emblem of the hated French.)

This programmer licensing is a ruse. Like the bulk of the Department of Homeland Security, it is a crock of shit designed to convince the public that the government is "doing something" against a threat of dubious reality but great electoral usefulness, and it will serve only to centralize more power and money in the hands of large software companies.

Even if it weren't part of a fairly nefarious political trend, does anyone really believe this will make any damn difference? Commercial programmers don't make the important quality decisions -- they are handed down by management to suit marketing needs and the bottom line. If there's any professional programmer here who hasn't written inferior code to satisfy arbitrary time and resource requirements imposed from above, speak now and be counted with your five or six other brethren.

If you want to improve the quality of software, hold companies and their shareholders financially responsible. In other words, put pressure on the people who actually make the decisions, and they will select those programmers -- licensed or not -- who write quality software and give them the resources to do it.

Of course, the big software houses (read: Microsoft) will never go for that because neither they nor the subversives at the Department of Homeland Security give half a rat's ass about the well-being of the public. What they do care about is enhancing their own prestige, power, and wealth.

Re:Less freedom, and the rich get richer

[vacuum_tuber]

Angst Badger wrote:

Commercial programmers don't make the important quality decisions -- they are handed down by management to suit marketing needs and the bottom line. If there's any professional programmer here who hasn't written inferior code to satisfy arbitrary time and resource requirements imposed from above, speak now and be counted with your five or six other brethren.

If I have, it wasn't signicant enough to be able to remember now. But I haven't worked in the environments in which clueless marketing suits dictate features and release dates. An awful lot of the software I've designed and written was on my own initiative and sold to management on the basis that it was the best approach to accomplish the goals. In a lot of cases management was never brought into the loop, since I had considerable control over the tools I chose to adopt or write. When you invent new things in environments that are not rich in solutions, you may be able to do what you please.

Nonetheless, I doubt I'll be writing any more software in the years remaining to me, for the following reasons, among others:

• The corporate world is no longer a viable place to work, having thoroughly betrayed employees over the last several decades
• Short-sighted management is destroying the future of the nation by offshoring high-tech work and disemploying completely qualified Americans to replace them with lower-paid guest workers.
• Corporate management has become incredibly brain dead and short-sighted of late. It's now common to see waste in the form of ill-conceived and badly done projects not just in six figures but in seven, even eight figures, with no consequences to the management responsible for the waste and lost time.
• Age discrimination is now institutionalized. That's a big reason why all the job ads you see on the Internet are not by principals but by headhunters and contract houses -- there is an unwritten understanding between the hiring company and the agent that certain resumes, mostly of people who are "too old," will not be forwarded to the principal. Yet the difference between 3 years of programming experience and 20 or 30 years is huge, with productivity advantages of 10 times or more in favor of highly experienced programmers not unheard of.
• Since its ascendancy, HR has helped to dumb down the hiring process to the point at which people are not infrequently expected to have 5 years of experience in a technology that was only invented two years ago.
• "Reusable code" was apparently misunderstood, and taken to mean "Reuse everything, including a 100KB module when you only need one of its 3KB functions." Code bloat is now the rule and programming has gone all to hell.
• Programming is now influenced by IT fashion trends more than anything else, witness client/server, C, Java, etc.

I got into programming many decades ago because it was fun, and I was able to become the guru in every shop I ever worked in. It's no longer fun, so I choose not to play in this game anymore. I might consider selling executive burial plans out of a sense of retributive poetic justice but there are other fields I find more interesting.

audits,certifications can't stop security breaches

[Iamnoone]

One of these talking points is to license software developers and make them accountable for security breaches.

It seems to really prevent all possible security breaches, you need to prove that the program is correct first - I don't know of many entities that even try to prove their programs. I have heard of a few telecom infrastructure programs, but remember the big SS7 outage caused by one tech some years ago? The SS7 code is probably better "audited" than most code but would that outage have been construed as a "security breach"? - Yes, after the lawyers were done with it.

What about how quickly the world changes after a program is released? You use the best encryption technology of the day, you prove your programs correct, not just audit the code or use "good" software engineering/management methodologies. But you used DES (back in the day) or MD5 more recently, then MD5crack comes along or quantum computing and suddenly you are responsible for a "security breach" because of some exploit that didn't exist when you created the program.

That is nuts, who would want to sign up for that?

Besides DJB does anyone even have the balls to reward people for finding security problems? Or even advertise security as a feature? OpenBSD (yeah, I know its dead, blah, blah, blah), pureftpd, NSA Linux
I expect not many others, because people expect code to have security issues.

Since security is such a big concern now (and in the past), I would think that people who wanted to show off their programming prowess would be bragging about how secure their code is. But no one does, that I know of - why? because its just damn hard to be sure that the code is perfect - which is what is required to prevent all possible security problems. So where are all these people with the big security cahones going to come from?

Can a program be proven correct for all inputs?
If it isn't stateless then can each permutation of state and input be proven?
Are all the protocols used by the program verified?

The impossibility of preventing security breaches seem to make this kind of government action more likely. Burn the witches!! They hexed our computers, and were seen in the woods cavorting with unaudited code fragments!

Special circumstances for Microsoft

[InsomniaCity]

Clearly Microsoft would be forced to lobby for special exemption from these rules, otherwise no work would be done because their develoeprs would be in court all the time.

Mind you... that would be kind of selection of the fittest in terms of developers wouldnt it...

License is for something that is illegal, unlawful

License is for something that is illegal or unlawful.

So are we now going to allow the police state to say that creating or writing software is illegal?

Get a clue people, here comes the police state, all they need is a excuse like 911 and all you have to do is keep saying "protect us all mighty government, we are too lame to do it ourselves".

This depends on a false assumption....

[borgheron]

That's the best way to make sure that applications are secure. Believe it or not, most developers care if there is a security problem in their software.

The problem with this whole idea is the assumption is this: Programs depend on libraries, libraries depend on lanuges runtimes/libraries and those depend on the OS. Of course you're also depending on the compiler not to produce buggy assembler code.

So with all of these layers can we truely say who is liable when something goes wrong?

GJC

Yes and?

[SmallFurryCreature]

Computers and the software they run have long since moved away from doing the payroll. If something went wrong with that well who cares? You can always do it by hand. Compare this with building an outhouse. If it collapses. Well who cares. Bit embarrising for the person inside but nothing major.

Now scale it up. A 20 story building collapsing is major. People die and so only licensed people are allowed to design and build them.

Anyone can put on a bandaid since there is not much potential to screw that up. But the prescription of most drugs and techiniques that penetrate the skin are only allowed by people with a license. (Insulin injections are a bit outside since parents can be trained into doing it for their childeren and of course older people can be trained to do it to themselves but they are not allowed to do it to outsiders)

Now to computers. Why do we allow the computers in an hospital monitoring the patients to be written by just anyone? MS software in monitoring software. EEEK.

Of course I can't really see how they are going to do it. All the other licensed fields are relativly limited. A doctor only has to work on humans who come in basically two different versions. Complicated versions to be sure but we have known for a long time how they are put together and so far noone has been doing any upgrades on it moving important bits around or making others obsolete.

Just becoming an expert on say windows requires you to know 4 different layouts. 3.11 (still used) 9? NT and now .Net.

Oh well. No doubt this will boil down to a MSCE. Something Human Resources put on the list and then is never mentioned again.

Professionals system do work.

[twrake]

OSS has no problem with professional certification you get the source, review it, test it and certify it to a grade. The professional would do this or sign off. For closed source the process is the same except you don't have the source or your rely on the vendors professional certification.

I worked summers in an Architectural/Engineering firm before I got my degree for Computer Engineeering in 1979. The real way these firms worked at that time is that the Professionals (Registered Architects and Proffessionsal Engineers) supervised and sign off on the the work that was done by EITs (Engineers in Training - a degress but not yet passed the state boards) and Draftsmen and other technical people. This model can be used for software/hardware as well. There has been little demand or call for a state certified need for computer professionals in the last 24 years largely because the sales force said all the bugs will be fixed in the next "Gotta have" version.

Our social problem is the adoption of CPUs and related software to critical tasks in our society without review or certification for the tasks in a largely sales driven market. Having professionals review installed products would likely trim features and consider whole systems analysis of the effect of additions and changes. In the end this is a good thing because the professional at the install point can specifiy the grade and if the vendor fails he doesn't the the business.

The last point is that the State is responsible for the approval of the Professionals - so in effect the State is taking the work of people it has approved to be and act as Professionals.

In the end this just means a review of some level of quality on the software or hardware installed. We just don't take the word of the vendor.

just more evidence

[Trailer+Trash]

that the BSA isn't going to give up.

NT was declared secure

[wap911]

NT was given something like a "G5" security rating, BUT is was not attached to any network what so ever. Lot of good that certification did as Win2k and XPee were then built from this so called "secure base". The "system" is the problem not the programmers. Testing and certifing software for it designed and useful purpose, which EULAs negate, would be a starting point. Also I am sitting here on a RoadRunner connection using a Motorola SurfBoard modem. Why did I have to spend $45 for a SMC 7004VBR to secure it when 1-2 chips in the modem would have taken care of a lot of issues [log is showing 4-6 denied attacks every 5-10 minutes].

Re:NT was declared secure

Again, the open-source community shows their knowledge I tried to correct nearly two years ago before I was declared "dangerous" by certain top level kernel developers. Of course my manager went on with his alternate (insecure) plan and it wasn't until a paper was publicly presented that pointed out his methods were fundamentally flawed and couldn't be implemented in other than the way I had already implemented. But he was more interested in prolonging his job at XXX, so presenting a finished product was far from his heart's desire. He had 1-2 other coders (yes-men to his flawed design) work for over a year trying to make his flawed designed work before the company shelved the projected indefinitely. And to think, we had a working product 18 months earlier.

What OScomm. doesn't get is that security != trusted/validated. You can claim your product is secure until you are blue in the face and even give your complex algorithms to 20 programmers to review -- that means nothing.

How do we trust the compliers you use? How can you expect programmers to desk check and look for triggers that might only happen if 1 sequence out of 256 bits is set.

Last I heard, thorough auditing of every kernel security-related call was still a no-go. Yes there is auditing of some higher level security calls and auditing of security functions, but can I audit every file open failure?

Can I, at a glance see all the files a process has open and watch it in real-time in an easy-to-use GUI...sorry, strace doesn't cut it. A requirement is to be able to select which calls on each process you want to audit and have them all accumulated into an audit log. On dual 450P-II's, single SCSI disk, full auditing of *everything* generated 2-3Megabytes/second -- resulting in a 10% slowdown of a kernel compile.

On the other hand, even compiled in -- with all options off, the % slow down was less than 1% and ... compile-time, compiled out, %slowdown was -zero-.

You had complete *accountability*. Sure...we have "great" crypto and security, but it seems there's always another virus or breach around the corner and what percent of the perps are caught? How often do we even know how they did it?

Can your mom configure the security to protect system files from herself and others even if she knows the root password? Can you make your security so easy to use that even a government admin can configure it out?

Security (in the real world, vs. linux world) consists of 1) Trust - verification of stated functionality to a give level; 2) 3rd party verification of stated functions to a _specified_ level of testing (that doesn't mean no errors...it means it is verified to a specific level), 3) is development process regulated and for how long? How easy would it have been for someone to sneak in a Trojan horse, or a backdoor unaware? There was plenty of talk when the LSM (linux security modules) being designed about making sure that Linus's original plan for "truly generic security" to allow any policy including the "no security policy for embedded systems" would NOT be implemented. His lieutenants and he took a "don't ask don't tell policy" toward the corruption of the original project goals -- since if his original goals were done, it was thought, someone could add in "proprietary modules" that could spy on any kernel user and completely alter the way Unix worked -- why you could implement an NT-style ACL security system -- and of course that is against the god-created style of using 9 bits to control security for every file.

As for the security of NT -- the tested configuration includes _configuration_ and _operation_ parameters that must be followed in order for the system to remain secure. Do you think even 75% of MS users follow those unprinted specifications?

Every error code has to be defined to have meaning -- yet if you look in MS's database for error codes, most are undefined. 50% or more of their verification document is unpublished and inaccessible to the publi

Re:License is for something that is illegal, unlaw

[vacuum_tuber]

Exactly right. "License" is permission to do that which would otherwise be a crime to do. If you come into my home as my guest, you are doing with permission what could send a burglar to prison.

Historically, license as a formal permission from the state stems from the general police power of the state to prohibit things that are deemed dangers to public health or safety -- such as cutting people open with knives allegedly to treat injuries or illnesses -- and then allow select people the permission to do those things under some set of conditions and qualifications, hence licensed doctors, who *are* allowed to cut people open without fear of being charged with assault with a deadly weapon, bodily injury, maiming, etc.

Where "license" goes bad is when, in complete ignorance of what it means and where it comes from, the public accepts "licensing" for purposes such as generating tax revenues. Every one of us has seen proposals to "license" something as a way to raise revenues in the form of license fees, but few people have understood that such proposals amount to "We want to make xxxx illegal so we can then turn around and collect fees for permitting just about anyone to do xxx." It's bass-ackward and contaminates the legal concept of "license."

So, yes, writing software can only be "licensed" if writing software is first made into a crime. Whether or not the proponents of such a thing can sell the idea that a vital state health or safety issue is at stake remains to be seen, but in today's climate of ignorance it probably isn't necessary to explain such reasons to sell "licensing" of anything.

Software Devel Licensing won't work...

[JGski]

Software Development Licensing won't work for the same reason Professional Engineer certification doesn't work for Electrical Engineering: the time constant of government licensing bureaucracy is orders of magnitude longer than the time constant of technology and professional change of the industry. By the time a new subject or advance has been incorporated into the certification process, it's already obsolete or superceded. The software industry definitely qualifies in the same way: the constant mantra of complaint is how nobody can keep up with the rate of change. To use a nerdy engineering analogy: you would be trying to push a high, increasing frequency signal though a fixed, low-pass filter, with the net result being essentially 100% attenuation of usable signal.

So, you say, we'll just test the fundamentals. Wrong! I sat for the California EE EIT (the pre-test for PE) back in the 80s: most of the test subjects were Civil, Mechanical and Chemical Engineering which no EE student gets any courses on, simply because there isn't even enough time in a four-year program to get everything in your own specialization, let alone the rest of EE, let alone any other field of engineering. What few EE question there were (less than 10 out of 200-odd questions) included out-of-date novelties such as vacuum tubes and subjects like rotating machinery and power systems, a hyper-niche of EE that certainly an IC designer like myself would have never had classes in. I recently looked into the exam again and the test is essentially the same 20 years hence, despite being already out-of-date 20 years ago! Conclusion: PE Certification == irrelevant waste of time for any modern technology industry.

This is precisely what would happen to Software Development Licensing: it will become a dubious and irrelevant hurdle that disadvantages US programmers against the rest of the world. Has MSCE certification somehow made Windows installations the button-down, high-security platform that Unix more often is without any universal certification standards? Unless you have lived in at cave in 2003...

Professional Engineer certification works for Civil Engineering and Mechanical Engineering only because the core knowledge of these fields either ceased to advance more than 100 years ago or advanced only slowly with adoption of new technologies developed by other, non-regulated disciplines like CS, EE and Mat'l Sci . By contrast, the core knowledge of CS and EE have changed on almost a decade basis. When I first stated programming 30 years ago, the state of the art of common usage was FORTRAN and COBOL; then came procedural languages in the 80s, and then OO in the 90s. Each generation radically changed what was fundamentally possible to implement.

As an example: my father is a California PE in ME who does HVAC work. The only major advances in HVAC in the last 50-75 years have come from importation of CS and EE discipline advances in computing and sensors. The basic lore of enthalpy, steam tables and refrigerants was complete in the 19th century and early 20th century. In CE, berm, dam and road design theory hasn't had major technical changes since the 19th century, in some cases the 18th century; only materials developed by other disciplines have changed the constants that go into the same design equations used since the 19th century. It is precisely this "last century/centuries" knowlege that dominates professional exams in these disciplines.

It just shows that the people advocating this know nothing about existing engineering certification/licensing or the history of engineering as a whole, and worse know nothing of software development despite possibly even being former software developers.

To adopt such a thing would only guarantee that what few software development jobs that remain in the United States, after globalization exported most of the rest, will finally be destroyed also. That may suit profit-seeking business interests and micromanaging government bureaucrats, but in terms of national interest it will assure that mission-critical software is only developed outside the United States which makes backing such a proposal nothing short of treason.