Slashdot Mirror
Will Security Task Force Affect OSS Acceptance?
An anonymous reader writes "An interesting article published by SD Times: "Application Security Goes National" discusses some of the talking points generated by a federal task force that will make recommendations to the Department of Homeland Security. One of these talking points is to license software developers and make them accountable for security breaches. Licensed developers would get paid more as well. The article also mentions that "Executives" might not wish to work with smaller undiciplined partners and a little further down that "Hobbyists create Web services [and] professionals create them" and that "companies relying on critical infrastructure Web services need confidence". Would OSS have to be writen entirely by licensed developers to be considered secure? . Yahoo Finance has another article on the subject." The SD Times article is current, despite the incorrect date on it.
But programs are only as secure as the platform they run on, and of course the same as the people who use them. If people don't run their system properly, I'd say that's worse. Not to mention that people would use trusted vendors anyway, so I don't see what this adds.
Do they really believe that licensing software developers will lead to more secure software?
I'm not following their train of thought. Software development is an industry which constantly has to defend itself from **NEW** hack attacks. The best we can do is protect ourselves from known attacks, and try our best to forsee future ones.
It puts yet another industry under undo government control, and yet against shifts the focus away from the people actually doing harm--the hackers.
THe idea was to give licenses to only those who can actually drive safely. But, if they really implement that there will be very few people with licenses and car companies will go bankrupt ( no more wars maybe??). So, they give this easy test for the license and every TD&H can drive. Of course we have had over 40,000 fatalities and 2 million crashes every year in the US for past 20 years.
Similarly, the licensing scheme will again create a dearth of licened software professionals,leading to high salaries for the licensed initially and then the bubble will burst. Everyone will have a license eventually, and we will be back to square one. So, the solution is to come up with better error prevention and correction methods for existing software professionals/ (drivers) rather than try to create licensed professionals. SO, as of now OSS still rocks and it will be good to see more OSS testing volunteers rather than just OSS developers.
New year Resolution: Don't change sig this year
All this does is create a person who can be targeted if Something Goes Wrong(tm).
With OSS there is no "someone". With a licenced developer you have someone to blame.
- - - - - - - - - - -
I am a programmer. I am paid to produce syntax not grammar. Deal with it.
I recall a quote from John Milton that went something like this, "None can love freedom but good men. Others love not freedom, but license."
How much would licensing developers much like doctors, lawyers, architects, etc. affect development? It would likely mean more than, say, an MCSE or RHCE, or NCE. Would developers need to be licensed for a specialty?
Most likely there would be some sort of age and education requirement which would prevent some of the younger and perhaps self-taught developers from contributing to certain projects. Also, what about code developed outside the USA? One would have to be rather naive to assume that all the software in use was written in the USA, but sadly, I think that perception is all too common.
Happy 2004, everyone!
- Nate >>
"Insanity is doing the same thing over again expecting a different result."
Quite honestly, the SD Times article told me nothing about what they're really going to do about improving security in applications. You could substitute "licensing" in that article for "certification", as in some vendor's certification of developers. Then, it looks like a useless measure of what that person knows about security. If, however, it is more of a civil service exam, and they're going to test for knowledge of how to write secure code, then it would make a lot more sense.
Always look on the briight side of life! (whistle, whistle)
Does it mean that software created by those same developers, now licensed, in the past is now cleared? Are they going to hold developers and engineers accountable even if they're forced to produce code based on inherently flawed design, driven solely by profit and questionable business practices?
If suits really need someone to offload risks to, there's always your friendly insurance company that wants to earn a living by assessing and managing risks. I can see people contributing code for free but I doubt people are going to put their financial future on the line for free.
The stupid part is, paid programmers won't either. They'll get insurance against being sued, just like doctors take out malpractise insurance. Then they'll go on writing the same shitty code because the end users continue to demand ease of use and featurisim ahead of security.
The better idea is to just take out insurance against being hacked in the first place. Insurance companies already offer this.
455fe10422ca29c4933f95052b792ab2
So in other words, the state licenses professions, but by proxy. Makes no difference, really. You think the IEEE, ACM, or similar (along with the states) wouldn't love to get its hands on the revenue generated by millions of programmer license application fees?
Call (206) 338-5780 COLLECT for information about a genuine BA, BS, MA, MS, MBA, or Ph.D.
... syndrome. Lawmakers always want something that sounds good, looks good, and will make them appear to be addressing the problem.
The conceptual framework they're working under is wrong. They assume that a single person is the author of a program. Maybe some programs have just one author, but most have several. The main, lead programmer, who is typcially the copyright holder, may not even look at every line of code in a program.
The bit about a culture shift is valuable. Projects should be built with security in mind, using basic principles (least privelege, minimize scope, check your loop bounds, etc.) that are, coincidentally, good programming practice.
But the culture shift that's needed is away from blame-based analysis of security failures and toward cooperative assistance. That shift is assisted by opening source code. Licensing programmers will tend to accentuate the blame attacks when bugs are found, and will provide incentive to hide them.
No program is bug-free. No committee of Licensed Gurus can eyeball scan a progran and find all its bugs. It takes running the program in real-world situations to find some (most) bugs. Licensing the programmer will not decrease the number of bugs in a given program.
Lawmakers would do better to simply stay out of the matter entirely than to introduce bureaucracy for the sake of appearance.
sigs, as if you care.
usually is a 2nd person
Not always, especially in police cars.
that actually adds to safety
Maybe. But why should I be penalized because of other bad drivers? I have driven with a CB for many, many years, and have driven a big rig. No accidents. So now I can't drive responsibly because some idiot who can barely keep it within the lines normally is using a cell phone?
Our civilization is becoming run over with laws that only idiots need. I blame it on the court system and law suits. If you are an idiot and use a product wrong, then you should take the blame. For instance toasters do not work in a bathtub, yet if the toaster company does not have that specific warning on the label, they can be held liable. Bah!
Yes, this is a hot button issue with me.
- - - - - - - - - - -
I am a programmer. I am paid to produce syntax not grammar. Deal with it.
There is two reasons to license software developers in the USA. Neither are good. The first is so that you can forbid compilers, debuggers and other "dangerous" tools to the RIAA/MPAA being in the hands of the masses. The second is to stop the all the computing jobs leaving the US by having a US certification required but inaccessible to the competition.
I'm all for formal open standards for security. And I am very much for formal accredited qualifications in safety critical systems. I'd love to see an MSC in computer security and similar university qualifications - but it has to be a proper and open thing, not some goverment office of computer programmer licensing.
As to accountability - there is a simple solution. Do something about the ability of companies to use software licensing as a get around for liability for product in most countries. Make it like other product. If its sold then it should be suitable for purpose. (Note here sold - paid money for. I see no reason why *paying* for open or closed source ought to be different).
It will also improve computer security no end the day a company gets sued for harming others by being negligent in applying security patches to its systems.
The proof of the pudding is in the eating, and free software has done pretty damn well on the security front. If some pinhead executive wants to pay for "confidence" -- well, I'm sure someone will be happy to take that money off him.
And getting paid more for jumping through silly hoops when you're writing for free? How much more? 10% more than zero is -- zero. The whole thing is silly.
Unlimited growth == Cancer.
- A software developer (ie a programmer) gets licensed
- works on a project for (name some large company)
- company management provides direction for the programming efforts (as they do)
- software is iunsecure by design, due to management decisions (happens now, and the plan changes nothing here)
- software is finished
- ....marketed
- ....purchased
- ....deploy
e d - ....ends up killing over 10 thousand people for some trivial reason
- programmer takes 100% of the blame; firing squad at dawn
- company/management who made the decisions which introduced the lack of security get off Scott Free; zero legal consequences of their stupidity
Or am I misunderstanding the whole point of the exercise?Visit CryptoGnome in his home.
Exactly who will be willing to take personal responsibility for a security breach? How many new legal cases will come up trying to prove that a breach is the "other guy's" fault? "We'll show, your honor, that it was the 'evil bit' hidden in the compiler that caused the security hole!" I suppose we'll see programmer malpractice insurance not long after too.
Would this mean we could go after MS for monetary damages? Somehow I doubt it. Would MS's recourse be to say "Don't worry, that developer has had his license revoked."?
This whole thing seems like a big CYA bid. Just make sure someone else is available to blame. Seems like they are saying, "We can't blame the hackers because we can't find them. But don't worry, you can blame the programmer now."
Regardless of the intent, I don't see this doing a bit of good for security. People with real talent, but who want to reliable income will shy away from a system which they could easily be responsible for damages, or alternatively lose a license to practice their trade. I have a wife and kids... no matter what I think of my skills, if I'm at the mercy of every hacker out there I'll find another field.
So, the result will be that it will become very HARD to hold someone responsible. Action, if ever taken, will be only in events of gross negligence. Security *may* improve short term. But, if we drive out all but the risk-takers I suspect that security will go down and the quality will go down too.
In the end I just see an institutionalized profession which hasn't given us any real benefits.
This seems like just another knee-jerk-silver-bullet attempt to fix an embarassing problem. Why do I picture a meeting somewhere running late and somebody jumps up saying, "Hey, I know! We'll license programmers and hold them responsible for breaches." Followed by, "Yeah, and licensed programmers will get higher pay, so there is an incentive right there!" Then "Discussion? None? All in favor..." And whispers of "Great.. I'll be home in time for dinner tonight!"
This goes back to the digital sigs for website shop front ends, and "signed" ActiveX controls etc. First off, just because something is liscensed, doesn't make it trustworthy. More problems will arise from people nievely trusting applications that have the "It's secure" sticker on it, instead of doing what they can to understand the application and it's proper implementation. Secondly it would destroy the market for developers who refuse to conform to, or cannot afford "liscensing". MANY useful and integral applications, especially for non M$ platforms, rely on people making improvements and fixes in their spare time. Who's going to be willing to submit a quick hack to fix a problem if they might be liable for the result? Hell who's going to code anything for free?? I'm certainly not willing to make myself personnaly liable without any monetary compensation. For legal fees if nothing else. Htf am I going to know that when my obscure software is compiled on the 2.9.4 kernel years from now, it creates an exploitable condition?? Going back to the first reply, the platform the software is running on makes a HUGE impact on it's security. How am I going to develop an application on a platform with an inherantly flawed API subject to hijacking etc? How about physical security issues? What if a compromise occurs on a machine, that resulted from say a hardware keylogger ($40 from thinkgeek), or a disgruntled employee? Must I bear the burden of proof that it was not my application but one of these or a host of other issues that caused a compromise in a system running my software? It's just a plain bad idea, poorly formulated, and not very well thought out. It's the "higher ups" deciding to place the blame on the developers, and remove personal liability from themselves.
This is an attempt to divert attention from the real problem with software development, and for that matter business processes in general. Programmers and software engineers are, point-blank, not responsible for the quality or reliability of shipping code. Period. That responsibility lies with management, and the resources it chooses to devote to the initial design process (very important ... Microsoft didn't pay enough attention to this and is now paying the price in spades) and, just as significantly, to the quality-assurance cycle. Attempting to lay the blame for poor quality design and implementation solely upon the shoulders of the actual programmer simply ignores the root causes of poor software. The people that design software, and those that test it, are even more important to releasing a quality product than the programmer. However, the biggest problem that I've experienced in a quarter century as a software engineer is that management simply refuses to allocate sufficient time to initial design and prototyping. They want coding to begin as soon as possible after inception, and that often doesn't allow a good foundation to be laid before the design is frozen.
I'm tired of hearing how architectural and structural engineers are "certified", and the insipid comparisons made between this status and that of software engineering. The penalties for a bridge or building collapsing are extreme of course, and no-one would want an incompetent engineer designing such a structure. But what is lost in all this talk is the design review process that occurs long before anything is actually approved for construction. Yes, perhaps the design engineer is technically accountable for a flaw in his work (I don't know, I am not a lawyer), however in any major undertaking there are dozens of others responsible for validating and double-checking the design, and there is no way in Hell that that engineer would be considered solely responsible for a serious failure when a whole review team approved his efforts. Besides, that's what we have insurance for, anyway.
Given that corporate America has proven to be even less reliable and trustworthy than Microsoft Windows 98, I think we should start by certifying the business ethics exhibited by corporate executives and middle managers. Then let them pass tests that indicate an understanding of the software development process, and once that is done make it illegal for anyone in a marketing or sales department to influence software release dates. The programmers aren't the problem. Corporate America is the problem, and until the market decides that it is willing and able to pay for quality software no amount of legislation or governmental interference will improve matters one whit. Believing otherwise is naive or disingenuous.
Of course, it won't matter if the current trend in outsourcing continues, since there won't be any software engineers or programmers left to be certified anyway.
The higher the technology, the sharper that two-edged sword.
I was reading the first volume of Alexander Solzhenitsyn's The Gulag Archipelago the other night. (For those of you too young to remember either Solzhenitsyn or the Soviet Union it describes, go read it. Along with 1984, it ought to be required reading for citizens of putatively free countries.) The section I was reading dealt with the purges of competing socialist movements once Lenin's party had consolidated its power. Political dissenters were at this time -- 1924 -- being tried by special tribunals, denied counsel and contact with the outside world, and executed, first by tens, and ultimately by the hundreds of thousands.
The official explanation for all this was the accused were terrorists who threatened the security of the motherland. It was Guantanamo Bay writ large, and once it picked up steam, it did not stop until, after somewhere between 20 million and 40 million state murders, the Soviet Union collapsed under its own sheer inefficiency in the early 1990's.
In the Soviet era, the most improbable things were tied to the idea of, as we say today, homeland security. If you twist the logic far enough, and people are either stupid enough or frightened enough, you can get away with claiming that the manufacture of cheese is a matter of homeland security. (And why not? It is a fungal product susceptible to both accidental and intentional contamination with biotoxins; an economic resource vulnerable to sabotage; it is produced by wealthy companies whose political allegiances might not be entirely healthy; and worst of all, it is a national emblem of the hated French.)
This programmer licensing is a ruse. Like the bulk of the Department of Homeland Security, it is a crock of shit designed to convince the public that the government is "doing something" against a threat of dubious reality but great electoral usefulness, and it will serve only to centralize more power and money in the hands of large software companies.
Even if it weren't part of a fairly nefarious political trend, does anyone really believe this will make any damn difference? Commercial programmers don't make the important quality decisions -- they are handed down by management to suit marketing needs and the bottom line. If there's any professional programmer here who hasn't written inferior code to satisfy arbitrary time and resource requirements imposed from above, speak now and be counted with your five or six other brethren.
If you want to improve the quality of software, hold companies and their shareholders financially responsible. In other words, put pressure on the people who actually make the decisions, and they will select those programmers -- licensed or not -- who write quality software and give them the resources to do it.
Of course, the big software houses (read: Microsoft) will never go for that because neither they nor the subversives at the Department of Homeland Security give half a rat's ass about the well-being of the public. What they do care about is enhancing their own prestige, power, and wealth.
Proud member of the Weirdo-American community.
License is for something that is illegal or unlawful.
So are we now going to allow the police state to say that creating or writing software is illegal?
Get a clue people, here comes the police state, all they need is a excuse like 911 and all you have to do is keep saying "protect us all mighty government, we are too lame to do it ourselves".
Exactly right. "License" is permission to do that which would otherwise be a crime to do. If you come into my home as my guest, you are doing with permission what could send a burglar to prison.
Historically, license as a formal permission from the state stems from the general police power of the state to prohibit things that are deemed dangers to public health or safety -- such as cutting people open with knives allegedly to treat injuries or illnesses -- and then allow select people the permission to do those things under some set of conditions and qualifications, hence licensed doctors, who *are* allowed to cut people open without fear of being charged with assault with a deadly weapon, bodily injury, maiming, etc.
Where "license" goes bad is when, in complete ignorance of what it means and where it comes from, the public accepts "licensing" for purposes such as generating tax revenues. Every one of us has seen proposals to "license" something as a way to raise revenues in the form of license fees, but few people have understood that such proposals amount to "We want to make xxxx illegal so we can then turn around and collect fees for permitting just about anyone to do xxx." It's bass-ackward and contaminates the legal concept of "license."
So, yes, writing software can only be "licensed" if writing software is first made into a crime. Whether or not the proponents of such a thing can sell the idea that a vital state health or safety issue is at stake remains to be seen, but in today's climate of ignorance it probably isn't necessary to explain such reasons to sell "licensing" of anything.
Look at the bright side: there's always seppuku.