Tech Companies Ask U.S. to Regulate Cyber Security
qtp writes "Wired reports that a group called the National Cyber Security Partnership, which consists of 'leading software companies' including Microsoft and Computer Associates and industry organisations such as the BSA, has asked the Department of Homeland Security to regulate what they call 'Cyber Security'. Representatives from Microsoft, Computer Associates, and the BSA headed the Security Across the Software Development Cycle Task Force that submitted this report to the Bush administration today. (For all of you who dread reading 123 page reports, there is a three page summary available as well.) The Washington Post, Forbes, and Other Sources are covering this story as well. I hope this is just another [late] April Fools Day joke, but I'm afraid that this looks too scary to be real."
Back in the early 1900s, there used to be a ton of independent phone companies. In spite of using different voltages, ringing systems, etc., they interoperated pretty darned well. But AT&T wanted to be big and was buying them up, and those who wouldn't sell were effectively isolated, the main excuses being interoperability problems. The stink began getting stronger, and eventually AT&T got the government to regulate it as a utility, so it could remain intact and simply be THE phone company. Only the ignorant think regulation was imposed on AT&T; it was their idea.
This smells to me of the same process. Being sued for security holes would be much more effective at increasing security than some hare-brained government regulation scheme. After having thought up all those EULAs which disclaim all responsibility, and blustered about Linux having no-one responsible, this is just another big corporate scheme to maintain their power and squash the small guys, and place the blame elsewhere.
The proper way to improve security is invalidate all those EULA disclaimers. A few big lawsuits with billions in damage verdicts would do far more to focus Microsoft's attention than any government regulatory body.
Infuriate left and right
they propose that gov't should regulate security in specific industries, like banking or telecom, and not a blanket "one-size-fits-none"
1) "This is your wife's divorce attorney". 2) "Hi. I'm from the government and I'm here to help".
Too lazy to create a sig...
Let's all try and guess what additional percentage of their profits these companies are going to donate to the Dept of Homeland Security in order to pay for the US govt to do what's basically their own jobs for them...
Poor Bill is grasping at straws now.
Business gets .gov to regulate security.
Regulation and "Approved By.." nonsense costs money.
MS, et al pay.
Open Source can't pay.
Non-approved things can't be used, ergo closed source wins.
or is it really hard to take this seriously when Microsoft's name is on it? On the other hand, pretty much anything that MS is involved in (other than anti-trust lawsuits) with the US is equally scary.
Bored? Why not join a decent mess
"The Internet interprets censorship as damage and routes around it."
-- L. Peter Deutsch
If it's true, MS and BSA will argue that the open-source software has to be stopped because it will let terrorist see the code and come up with exploits based on it.
1f u c4n r34d th1s u r34lly n33d t0 g37 l41d
NetForce isn't that far off :p
The process sub-group will work with major software vendors and key critical infrastructure customer organizations to encourage and aid vendors in their adoption of the recommended low defect, higher security-oriented practices and processes.
Wouldn't it just be easier to pass laws making software vendors responsible for the bugs that they produce instead of spending our tax money to provide a shelter for insecure code?
I can see the next big M$ lawsuit...
Plaintiff: Their buggy code cost us millions.
M$: But we follow the homeland security software development model.
Judge: So the software must be good. Perhaps the plaintiff was trying to do something illegal?
Plaintiff: Shit... *sigh*
Adopting a "top-ten" list detailing industry best practices. Patches should be well-tested, small, localized, reversible, and easy to install. Patches would also not require reboots, use consistent registration methods, include no new features, provide a consistent user experience, and support diverse deployment methods.
I thought Microsoft was involved in the partnership. How is that going to work??
This is not a troll. MS patches generally violate some or all of the goals stated above.
I want to drag this out as long as possible. Bring me my protractor.
Are you sure Microsoft is backing this ?
Big businesses ask the gov't to step in, because their processes are flawed and produce bad software.
Gov't is expected, in turn, to mandate these measures. Mandating them, of course, requires that gov't money be spent 'fixing' the systems that were flawed.
Hmm. I smell pork.
Sure, Microsoft and the BSA aren't the bosom buddies of most Slashdot readers. And for good reason. However, a quick look through the 3-page summary document revealed what seemed to be a reasonable plan of action, rather than a scheme for total world domination.
Of course, if it turns out that the outcome of the regulation process is Microsoft-controlled security protocols and procedures, then there's something to beef about. However, at this early stage I see nothing more than an attempt to codify a national stance on computer security. Accordingly, I'm going to leave my tinfoil hat in its box for the moment.
Tubal-Cain smokes the white owl.
The major thing that this department is meant to handle, response to information indicating a threat to the U.S., has been implemented willy-nilly. Terror alert levels are raised and lowered without reason or a set of expected responses, causing panic and nothing at all productive.
In terms of incident response to computer security threats, how would they be any different? All that we'll see from this is another set of useless buzzwords, millions of dollars spent on who-knows-what, and a still-flailing and under/mis-funded Department of Homeland Security.
As much as I hate to say it, I would rather see M$ in charge of computer security than our government.
After reading the summary, I find it to be very reasonable and feasible except for the idea of a certification program. If you are going to emphasize the topic of security in universities, then you don't need a certification program because it is just another way to hoard money.
...get out those tinfoil hats, kids.
Not trolling either.
Anyway, I feel this is a dangerous move to give that power to the DHS. After this trend of cut-taxes, spend-like-there's-no-tomorrow, and create more, new government agencies peaks and begins to wind down, agencies and budgets are going to be gutted. I sure as hell don't want the "new kid on the block" to have any "cyber-security" power when they get axed. We don't need to set ourselves up for an "authority vacuum".
Big businesses like regulation. It costs them, but it costs their smaller competitors more in relative terms.
How to solve most of our problems: 1.Lots of nuclear plants. 2.Cure aging.
The BSA isn't just in business to chase down pirates of commercial software, they're also in the business of getting people to buy more. Effectively, what the BSA wants is for companies that don't buy any information security products to get in trouble with the SEC... therefore practically mandating that everybody buy something from one of the BSA members.
Quote from the Washingtonpost.com article:
"[It] is possible that national security or critical infrastructure protection may require a greater level of security than the market will provide," it said. "Any such gap should be filled by appropriate and tailored government action that interferes with market innovation on security as little as possible."
In other words, "The legal climate is such that we are very likely to start getting sued for coding sloppy, insecure software. Rather than properly staffing to test our code, we'd rather have the taxpayers pay for this. This a) saves us money and b) puts the responsibility on someone other than us if there is a security problem."
Do not fold, spindle or mutilate.
It would be good to set some mandatory guidelines and standards to follow and have some kind of certification system for products that would make things more secure....
"The report says programmers should be held personally accountable for security holes in the software they write."
Now we see a shift of responsibility to the programmers. Let's just try and put as many layers as possible between the corporate entity and responsibility, why don't we.
"The report said industry groups should work with the Homeland Security Department to look at ways to reduce liability, as well as examining whether new rules are needed."
And now we see a way to tie the mass collection of data that the government is asking for and private industry together.
This is one small step further towards the corporate entity as government.
My cat's picked up a Hammer. HEY! Put down that Hammer. Put Down that Hamm...THUNK!
"Industry organisations ... have asked the Department of Homeland Security to regulate what they call 'Cyber Security'. Representatives from Microsoft, Computer Associates, and the BSA."
-Styopa
I can't believe Microsoft would be behind this sort of thing. They would probably fail any security certification process today.
I read the summary and it seems that they are not asking for any more than incentives and government sponsorship of industry certification bodies.
I wonder what the ramifications for adoption of OpenSource technology could be. The OpenSource community will have to lobby hard to make sure the requirements will not put a financial burden on software development. One solution would be for the companies making money by supporting OpenSource software to pay for certifying the software, and then they could benefit from the certification as a marketing advantage.
Why would you ask the Department of Homeland Security to regulate your work(or anything for that matter)? OMG - what a scary ass idea. Hey Mr. Orwell love your book but you got the year wrong.
-- Dont be a thought criminal
"Capital punishment makes the state into a murderer. Imprisonment makes the state into a gay dungeon-master"
The industry will quickly take care of things all on their own without government dictation of the hows or wheres. All you have to do solve this multi-billion dollar problem is get rid of the EULA's ability to bypass accountability.
That's it. Problem solved.
I find it fascinating that some of the parties involved are standing-on-soap-box-high beating a cyber-security-drum when they themselves have a myriad of security issues to take care of in their own backyard. Seems to me if they can't handle the responsibility, or action required, to make or maintain a reasonably secure software product, they have no credibility in a matter such as this.
boycott slashdot February 10th - 17th check out: altSlashdot.org
This is not a troll, but where was RMS and others?
It would seem that computer security would be important for the whole computing community, not just Microsoft, CA, and HP.
Simple....
Make software vendors liable, for, say, the square of the purchase price.
TODO: Something witty here...
> Representatives from Microsoft, Computer Associates, and the BSA
New Headline: Lobbyists for companies that stand to make a lot of money if Open Source / Free Software is made illegal, petition Power-Hungry Politicians protect their business model with taxpayer dollars.
So let me guess? Microsoft will "help" representatives draft legislation with Security standards and goals that make it difficult if not impossible for OSS to compete.
From the report
"Task force co-chairman Ron Moritz said the report calls for a limited government role, such as helping to develop certification standards for software that runs in sensitive systems. "
If you wanna get rich, you know that payback is a bitch
This is probably their best bet for shutting out open source software: force software to be approved by the government.
This must be fought tooth and nail. This is the big war folks.
Patches should be well-tested, small, localized, reversible, and easy to install. Patches would also not require reboots, use consistent registration methods, include no new features, provide a consistent user experience, and support diverse deployment methods. The world is falling apart!
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
Looks like they'll stress that electric/water networks need *extra* security, and then sneak in computer networks, while everybody agrees on the issue.
Pretty weird if you ask me, but this is a comment I posted a few days back:
Overdependence on communications (Score:5, Insightful)
by GillBates0 (664202) on Monday March 29, @06:02PM (#8708742) (http://slashdot.org/~GillBates0 | Last Journal: Thursday February 26, @02:35PM)
This event just goes to show how much we have come to depend on complex networks in the past few decades. I use networks in a very broad sense - networks of pipes to carry water/sewage, electrical grids, telephone networks and of course the intarweb.
Earlier, in the absence of adequate infrastructure, people used to depend on local resources - the water table (borewells/rain) for water, small local power stations/generators for electricity, and of course local businesses for banking, etc.
With the coming of the phone system and internet, we work from home, depend on phone services for emergency help, bank with businesses across the country/world, and depend on long distance communications for the most basic needs like water/electricity. True, these advances in technology offer a large number of benefits and conveniences, but overdependence on them can cause widespread problems due to a failure of a small part of the communication system.
A problem with the electricity grid causes 1/4th of the nation to shut down, people take phone services for granted in order to provide/receive emergency assistance, and there are no adequate backup measures in place. The internet is a pretty resilient beast, but the rest of the infrastructure (telephone, electricity, water pipes (very few apartments/houses have water storage)) is pretty fault-intolerant and prone to massive, widespread failure (not necessarily due to a problem with the system itself - in this case a fire). The 911 problem in NYC, this fire in the UK, and of course underline the fact that we either need to have an adequately fault resistant infrastructure in place, or stop overdepending on it for critical services.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
It shouldn't be surprising that the major software vendors are calling for government regulation and licensing. This is not unusual, the hidden agenda is it protects the established players by making it harder for new players to gain entry to the market.
Who's going to sit on the regulatory board? Why, the industry insiders, of course. And they're going to work in the best interests of the established players, which means keeping out the new guys by establishing, among other things, licensing and certification of software professionals.
The same as every other regulated industry.
> Wouldn't it just be easier to pass laws making software vendors responsible for the bugs that they produce instead of spending our tax money to provide a shelter for insecure code?
Well, there goes the phrase "no warranty express or implied," and with it most GPLed software.
REM Old programmers don't die. They just GOSUB without RETURN.
1) Because Microsoft and Symantec representatives stated that all security exploits were caused by the availability of patches to fix the exploit, new regulations are proposed that state software vendors may not indicate what issues their patches resolve, or how to test if the patch works.
2) Because Microsoft, Symantec, and BSA representatives indicated that the latest breed of computer viruses are available in source code form on the Internet, making them much more virulent, it has been recommended that making computer source code available on the Internet be considered a Class A Felony.
3) Because Homeland Security representatives stated that terrorists use encryption to avoid detection, it is recommended that the US Government issue permits to use encryption, and specify which kinds of encryption may be used. Using encryption without a permit is punishable by death. To avoid wrongful prosecution, Windows Longhorn will come with a permit that allows home computer users to use encryption in that product.
Seems pretty tame, really. I was expecting some serious black helicopter shit.
Having all the routers around you blocking what you send and receive would accomplish, what exactly?
Ads are broken.
I said nothing about open source being more secure. I think it is more securable, and I think it is better all around, but what annoys me is Microsoft whining that there is no one to sue with open source, when their EULAs have all manner of disclaimer. Microsoft should be sued for fraud. They claim to be more secure, brag about how they are secure, etc. etc. etc., and yet not only do the security holes continue to roll in, Microsoft blames everybody else for the problems.
Whereas open source fixes the problems without blaming others.
Yeah - that was some good work to do.
As a bank, we were well on our way to getting everything ready to go, and then we had our exam and were "asked" to document everything.
Long story short - the regulators tripled the amount of work to do without effectively adding any additional safety to the banking system.
A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
With Unix, you are pretty much at the mercy of other programmers to provide a nice user interface. As we all know, most programmers are lazy and tend to slack off in that area.
Ensure that Software Assurance and other Information Technology Centers of Excellence include an information protection component (Emphasis mine).
Is it any surprise that Microsoft's security recommendations would include Palladium?
====---====
Together, we will drive the rats from the tundra.
Congressional Hearing
Bill Frist Testimony...
Now we will elect a new Security Head - a strong Chancellor. One who will not let this tragedy continue.
Bill Gates: Mr. President - Members of Congress, if I am elected, I promise to put an end to this CyberTerrorism..."
Later (to steve Ballmer) I have the Senate bogged down in procedures. They will have no choice but to accept your control of the system.
Much later, in Seat..(an undisclosed location)
Steve Ballmer: I bring you good news, my Lord. The war has begun.
Darth. . er Bill Gates: Excellent. Everything is going as planned.
Profit!
Microsoft wants a handout from the Feds to clean up Windows bugs.
That is all.
That's "Mr. Soulless Automaton" to you, Bub.
As the three page summary says, we need to teach security when you START to learn to program.
Too often I hear that schools are not teaching security. Almost no high school teachers who teach programming even consider security (if they even understand the issues). In college, many schools offer an optional security class. What is up with that? At my school, the assembly language course doesn't even deal with security. New initiatives need to be taken to bring security out of the closet.
The government loves getting more and more power. More laws mean they get to grow bigger and spend more of our tax money.
Once in place you get a real big, dumb organization that can't fire anyone and will use its power to try to grow even bigger.
The only people whose opinions matter then are lobbyists with lots of cash and the people that make money from things staying the way they are.
If the government starts regulating security, they will be even slower to respond than MicroSoft is.
It's very similar to the reason why medical marijuana remains illegal. There is a lot of money invested in keeping people in jail and enforcing the current drug laws. The reality is that the government would make even more money from taxes if the wacky weed were legalized. Greed can be very blinding.
The subtle irony of it all is that the Government is inherently anti-democratic.
Laugh at my ignorance while I learn Rails - a Real ne
Jeez, all software operating systems are by default flawed and buggy (it's sad but true).
The customer (end user) should sue the hell out of software development companies for their lack of creating a piece of software that is secure and safe to use.
This is probably the only way to reset to a clean sheet and convince software developers world wide to create inherently safe and bug free software.
Maybe even that is really useful to the consumer: a real OS with abilities the consumers/customers demand, not the current-day bloat of 1980s moduled software.
This is not a troll or whatever; ask your customer/consumer what they really want to see in a computer, that would be a start.
My 0 cents
Call me cynical, but the summary reads like a M$ security announcement.
The only thing different is that now Big Brother will not be doing any tangible.
This post encoded with ROT26. If you can read it, you've violated the DMCA. Handcuffs please, sergeant.
"...I hope this is just another [late] April Fools Day joke, but I'm afraid that this looks too scary to be real."
Don't you mean "too scary to be a joke?"
My lack of God, it's Trotsky!
Although, we all know from the DeCSS case that code "isn't free speech" when it's convenient. So the end result of this would be that the government can tell you what you can and can't code.
I was fine with everything in the summary until I got to the "certification" part, but who knows, maybe my tinfoil hat is on too tight.
Qualitas edurus commercium, nullus penitus net rimor, nullus deus beneficium
Mods, grow up and read the comment before modding. Thank fuck for metamods ya?
Hey chick, have you ever taken a programming class in high school? When do you think they will teach security? In between Hello World and the grade average programs?
Not flamebait...the mods are drunk this morning i think.
.... being smart and independent sorts, with matching egos usually, have resisted unionizing. This scheme of government should help to dispel the notion that that has been a bad idea. They need to organize, and like ten years ago. They will have power then, and can not only bring better code to market, but help fight this creeping big brotherism nonsense. Then they also won't have to put up with marketing and lamer bosses' BS quite as much; they can insist that code be done properly, not sloppily. Business will bingo to the fact eventually that good code is better and cheaper in the long run, both from usability for the end users and profitability for the shareholders/owners standpoints. I don't code but I've read enough horror stories here from folks whose bosses insisted on unreasonable timelines and on shipping patched kludges as finished product, to assume that it's an endemic problem.
As to suing for bad code, if it's "for sale", why not? It's a product, a for-profit product. If it's given away freely, well, that's an entire different kettle of fish isn't it? We should have never let the big for-profit companies get away with the get out of jail free card they got a long time ago. If it slows releases, guess what, I bet most people won't care. I think it's almost a given that people want things that "just work", it's just that they aren't offered that as a "job one", they take whatever is out there, or comes on their box, and then it becomes their problem, with non-guru status. Software today to the average consumer is like being sold some widget and being required to be an instant competent widget mechanic, which is nutz, IMO.
I use open source, and I also know full well it's gonna be buggy and need tweaking, BUT, if I purchased expensive coded product, I expect it to be functional and secure. I know that doesn't exist to the point of practicality in closed source/expensive, which I used for many moons, so I switched, it was a logical decision.
flamebait? Fucking give us a break. At least metamod will iron you stupid fucks out.
Microsoft either denies security problems or blames everybody else (device drivers, end users, 3rd party software). FLOSS developers fix the problems and don't point fingers.
As a European, do I have to understand the US ambition as an attempt to have some nation make a land grab on cyberspace?
My first thought on reading this article was actually a question: what is the impact this would have on open source software? I wouldn't be surprised if this isn't just about the government regulating security, but also shutting open source software out of the picture in the U.S.
People who 'insightfully' suggest that our lives may need to be further controlled by the Fatherland Security, are simply playing their roles exactly as planned.
We don't need more secure systems. We just need to get rid of governments, (and shadow governments), which deliberately attack their own people.
(Do the research BEFORE modding.)
-FL
damn. Mods, read shit before trigger-clicking. Oh for heaven's sake, get a clue.
Here's the next step. So very cyberpunk, isn't it?
Microsoft, a company notorious around the globe for producing horribly insecure software, is asking the government to regulate software security? I'm having trouble saying M$ and Security in the same sentence without laughing! How could inherently secure open source projects like OpenBSD be compared with the hole filled, virus ridden Windows programs? I just don't get it.
Chaos is Divine *
The US Gov doesn't need to police the Internet or regulate the development of software. All they need to do is make companies liable for the consequences of placing my personal information in peril.
If I buy dinner at a restaurant and pay for it with my credit card... then they put my credit card number in a place where others can see it... I should be able to sue them.
Most, if not all, recent incidences were brought about by the system administrators and application hosting service providers. Software companies, even Microsoft, have released patches before the exploits became widespread. The admins didn't apply the patches in a timely fashion. They are the ones responsible.
If you leave your big screen TV on the front lawn, it's going to get stolen.
When these people feel the sting... they will either drop out of ecommerce or pay attention to security.
I might also add, that businesses should be able to sue software companies for security defects which are not addressed in a timely fashion... in much the same way auto manufacturers are.
Let's see if I got this right...
1. Distribute a development platform called .NET that allegedly does away with insecure coding practices.
2. Influence laws and regs such that any software not coded on a "secure platform" such as yours is illegal.
3. Let the feds regulate your competition out of existence.
4. Profit!
If this comes about, the only way F/OSS software will survive in the US is if both a Linux distribution and a Linux development platform can be constructed that will meet the same requirements that the conglomerate is pushing for. Of course, we're screwed with a capital F if the regs call for technology that Microsoft (or one of the other member companies) has patented.
So I guess now it's "If you can't innovate, litigate... unless of course you have political influence, in which case, regulate!"
Yes, my only tool is a hammer. And you're starting to look like a nail.
You've noticed how EULA is typically attached to things you pay MONEY for? (and get sued for using if you have not).
Have you also noticed how GPL'ed products are free (as in speech, but also, often, as in beer).
Notice how EULA does NOT usually cover things for which you have access to source code?
The point is simple - when you BUY software, the software VENDOR should carry responsibility.
GPL'ed software is given away - no money is charged. Thus, the GPL can say "we're just doing this for fun, use at your own risk"
In contrast, paying money and accepting the license as part of the transaction makes it a contract. The contractor should be held responsible for his work.
(I know, IANAL, playing fast/loose with the term ``contract'', etc.. But the chief distinction is MONEY)
I merely pointed out that we have become overdependent on distant resources due to widespread networking. That's it.
Please RTFC before replying to it. Thank you.
Yup, that was pretty much my take on things (Rule 1: industry *never* asks for regulation without an ulterior motive), although I think that there's a bit more to it -- if any cronyism can be used by existing players, it might be a useful tool against challengers, forgetting about Open Source for a moment.
I'm all for the government issuing advisories, but regulation of security is not feasible. I remember reading about older military software -- the government used to try to do much more comprehensive security reviews of all kinds of software it used with tiger teams. Unfortunately, it turned out the extreme expense of this kind of thing isn't feasible in the real world, and still left holes.
If I had to give a government recommendation, it would probably be along the lines of:
* Issue advisories. There are organizations like CERT that do this. Unbiased (not from a vendor), trustworthy information is difficult to come by.
* Issue best-practices papers. These are probably most useful to IT professionals, though it might even be a good idea to produce them for software developers. Microsoft recently collaborated with the Fed to produce a set of best security practices documents for Windows. This is an easy thing to add to a company security policy ("[] must comply with USG Document #135F3 Best Practices"). It just tried to deal with a couple of common misconfigurations. It's *hard* to get this kind of stuff directly from a vendor (which frequently wants to hand out information that will encourage you to buy more or is more interested in putting a positive spin on their mistakes) or a consultant (who frequently wants you to buy more consulting services) or a security software (like a firewall) company, which is primarily interested in scaring companies into thinking that they need security software.
* Government certification of software intended for non-government use is a bad idea. It takes a long time, allows cronyism, can be used to attack some sections of the market (like most Open Source). It's perfectly reasonable for USG-use purchase requirements, but it's not reasonable for broader use.
* Producing a classification system *could* be very useful, where the government writes documents describing particular classes of software, but is not responsible for ensuring that a particular version of a program fits into a class of software. For example, a hypothetical class-local/1 might require that:
a) The software bounds-checks all memory accesses to data at the compiler level (free with some languages like Java, and can be done in C if necessary).
b) The software does not access the network.
c) The software does not write to any data files.
Other useful requirements for various classes of software might be: "The software does not provide privilege escalation within the UNIX operating system's privilege system (as a suid/sgid program or a daemon running as a different user does...there would be an equivalent for the Windows security system)", "All data that the software uses from the network is either exact-match checked or bounds-checked prior to use of any of that data, and a failure to pass checks results in that data not being used" (might be useful for simple network software, like clients of the daytime protocol). The government is great at writing requirements and making them publicly available--let's use that. Then, if a company guarantees that they are compliant to a particular document in a contract, there is a clear point that they can be called on for non-compliance. Finally, there would be a market for software that can check software for some elements of compliance. Automated security checking is a major issue -- it's neat, it's more and more feasible (see CMU's Java proof-carrying compiler for some neat stuff). The problem is that there are currently no standards written by security folks who know what they're doing, so it's hard for businesses to ask for compliance to a particular level of security, and no tools that can certify programs to a particular level.
There are probably a lot more suggestions that the government could use, but this is a start...
May we never see th
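The "exact-match checked or bounds-checked prior to use, and a failed check means the data is not used" requirement proposed in the comment above, carried through in C for the daytime protocol the comment names. This is an added example, not code from the thread or from any organisation it mentions; the 64-byte reply limit, the sample replies, and the function names are constructed for the example.

```c
/* Added example (not from the thread): enforcing the commenter's proposed
 * requirement that network data is exact-match checked or bounds-checked
 * before use, and that a failed check means the data is not used at all.
 * The daytime protocol (RFC 867) is used because the comment names it;
 * the limit and sample replies below are constructed for the example. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DAYTIME_MAX 64 /* constructed upper bound on an accepted daytime reply */

/* Every check returns one of these; callers use the data only on CHECK_OK. */
enum check_result {
    CHECK_OK = 0,
    CHECK_TOO_LONG = -1,
    CHECK_BAD_BYTE = -2,
    CHECK_NO_TERMINATOR = -3,
    CHECK_MISMATCH = -4
};

/* Exact-match check: the received bytes must equal the expected token
 * byte for byte, length included, so a longer or shorter reply fails. */
enum check_result exact_match(const unsigned char *buf, size_t len,
                              const char *expected)
{
    size_t elen = strlen(expected);
    if (len != elen)
        return CHECK_MISMATCH;
    return memcmp(buf, expected, elen) == 0 ? CHECK_OK : CHECK_MISMATCH;
}

/* Bounds-checked copy of a daytime reply into a caller-owned buffer.
 * The reply must be at most DAYTIME_MAX bytes, fit in out (with its NUL),
 * end in CRLF, and contain only printable ASCII before the CRLF.
 * Every index used is checked against len first; on any failure the
 * output buffer is left untouched so the unvalidated data is never used. */
enum check_result bounds_checked_daytime(const unsigned char *buf, size_t len,
                                         char *out, size_t outcap)
{
    size_t i;
    /* len - 2 text bytes plus a NUL need len - 1 bytes; outcap >= len covers it */
    if (len > DAYTIME_MAX || outcap < len)
        return CHECK_TOO_LONG;
    if (len < 2 || buf[len - 2] != '\r' || buf[len - 1] != '\n')
        return CHECK_NO_TERMINATOR;
    for (i = 0; i + 2 < len; i++) {
        if (buf[i] < 0x20 || buf[i] > 0x7e)
            return CHECK_BAD_BYTE;
    }
    memcpy(out, buf, len - 2);
    out[len - 2] = '\0';
    return CHECK_OK;
}

/* Self-checks on constructed replies; each returns 1 when the rule holds. */
int check_accepts_valid_reply(void)
{
    static const char reply[] = "Thu Apr  1 12:00:00 2004\r\n"; /* constructed */
    char out[DAYTIME_MAX + 1];
    enum check_result r = bounds_checked_daytime((const unsigned char *)reply,
                                                 sizeof reply - 1, out, sizeof out);
    return r == CHECK_OK && strcmp(out, "Thu Apr  1 12:00:00 2004") == 0;
}

int check_rejects_and_leaves_output_untouched(void)
{
    unsigned char oversized[DAYTIME_MAX + 8];                       /* constructed */
    static const unsigned char no_crlf[] = "Thu Apr  1 12:00:00 2004"; /* constructed */
    static const unsigned char ctrl_byte[] = "Thu Apr\x01 1 12:00:00 2004\r\n"; /* constructed */
    char out[DAYTIME_MAX + 1] = "untouched";
    memset(oversized, 'A', sizeof oversized);
    oversized[sizeof oversized - 2] = '\r';
    oversized[sizeof oversized - 1] = '\n';
    if (bounds_checked_daytime(oversized, sizeof oversized, out, sizeof out) != CHECK_TOO_LONG)
        return 0;
    if (bounds_checked_daytime(no_crlf, sizeof no_crlf - 1, out, sizeof out) != CHECK_NO_TERMINATOR)
        return 0;
    if (bounds_checked_daytime(ctrl_byte, sizeof ctrl_byte - 1, out, sizeof out) != CHECK_BAD_BYTE)
        return 0;
    return strcmp(out, "untouched") == 0;
}

int main(void)
{
    printf("valid reply accepted: %d\n", check_accepts_valid_reply());
    printf("bad replies rejected without use: %d\n",
           check_rejects_and_leaves_output_untouched());
    printf("exact-match on \"OK\\r\\n\": %d\n",
           exact_match((const unsigned char *)"OK\r\n", 4, "OK\r\n") == CHECK_OK);
    return 0;
}
```

The point a compliance checker would look for is structural: the length and terminator checks happen before any byte is indexed, and the only write to the output buffer sits after the last check has passed, so a reply that fails any rule leaves no trace in the caller's memory.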
...Trolling for Dollars! That's what M$ and the big businesses of the U.S.A. do best. It's time to break down big business. They've had control for far too long. Much like there are labor unions, I think it's high time that we form citizen's unions that put people first, the government second and business DEAD LAST. I'm totally serious about this. Of course it won't happen because too many Americans are happy to suckle on the teat of corporate America and scrounge for the droppings they offer us. Some serious damage needs to be done to corporate America. Now.
Un-news
"Security is a serious problem and, if present trends continue, could be much worse in the future." (from the 3 page summary)
I agree -- we should do away with security!!
"Create Software Security Certification Accreditation Program."
If MS is involved, is it going to be just another paper tiger giving corps a false sense of security, because someone did a 'security bootcamp' and can pass a test, even if there is no real world experience to back him up, just like most MCSEs I've met in the past 10 years?
"All software should pass validation processes"
Yea, all fine and dandy until someone like me writes a small patch for an open source project. I have neither the time, inclination or resources ($$$) to have my patch certified by 'experts' that have gotten their position by appointment of the BSA, MS, or were just next in line on the civil service exam.
I don't know anymore... places other than the US are looking better and better each day....
"The word "genius" isn't applicable in football. A genius is a guy like Norman Einstein," - Joe Theisman
Make the person who *compiles* the software responsible. While this would hurt Debian, it wouldn't kill it (or other free distros). They would simply have to switch to a source based distribution method (like Gentoo's emerge or the BSD ports system).
With closed source (proprietary) solutions, they compile it themselves, so they (e.g. Microsoft) would be responsible.
Did the poster read the summary? I mean, maybe the full report is scary, but this isn't. Unless you are scared due to the clear inability of these things to change anything in the short term. But why would that be scary? It's not going to be fixed in the short term by anyone but you and I.
Can someone who actually read at least the summary please tell me what's so scary. And leave the tinfoil hats off - it gets very tiring.
Well I'm posting too late, but because this is another bash-Bush thread it should be noted that an earlier Bush administration policy on Cybersecurity was roundly criticized because it did not do enough to regulate online activities (be they really illegal or just stuff Microsoft doesn't like). You can't have it both ways.
AntiFA: An abbreviation for Anti First Amendment.
I thought it quite ironic that in the 3 page brief they said,
"No simple silver bullets will solve the software security problem."
But truly, what is the most outstanding characteristic of a silver bullet? (aside from being silver of course). That they are expensive and nearly no one can afford them. No one, except perhaps Microsoft, who happens to be the co-chair of this 'task force'.
By getting the government to adopt this, isn't Microsoft essentially forwarding all of its tech support trouble calls towards them?
python -c "x='python -c %sx=%s; print x%%(chr(34),repr(x),chr(34))%s'; print x%(chr(34),repr(x),chr(34))"
You can't petition the gov't for help with a name like "Security Across the Software Development Cycle Task Force". S.A.S.D.C.T.F. won't get anyone's attention. You need a cool acronym like P.A.T.R.I.O.T. How about "Funding Received from Everyone, Everywhere to Defend Our Monopolies". With a name like F.R.E.E.D.O.M., it'll *certainly* get government backing. Feel free to add more gov't friendly acronyms.
Now I'll go read the article...
do not read this line twice.
ITAA is the lobbying arm of high tech corporations.
For insight on how ITAA sets up these "blue ribbon panels", read this article about a meeting of electronic voting manufacturers. They brought in Harris Miller, ITAA's president, to see how he could help them.
Highlights from the article:
"Similarly, when we get press calls and the press says 'Joe Academic says your industry's full of crap and doesn't know what it is doing.' What do you say Harris? The reporters always want to know what are the companies saying?.. And there can be two scenarios there: The companies may want to hide behind me, they don't want to say anything... frequently that happens in a trade association, you don't want to talk about the issues as individual companies.
How is any of that related to the topic at hand? These panels we see approaching the government are coalitions formed by a lobbying firm that is paid to protect the interests of its clients. The panels are made to look as if they are unbiased experts that are only looking out for the good of all Americans. The truth is they want to control the conversation so it seems as if they are the only ones with relevant information on the subject at hand.
Harris Miller and the ITAA have been doing this for many years, and their MO is always the same. This National Cyber Security Partnership is nothing more than an extension of ITAA's lobbying efforts.
displacedtechies.com
The report that is...
So they propose that:
- certifications
- awards
- educational programs
and that these are going to result in secure software? So they still believe in Silver Bullets. Sounds like all these software houses -- who have been touting the superiority of the proprietary development model and decrying the open source development methodology for some years now -- cannot seem to figure out how to adapt their "superior" process to produce secure software. Oh, and let's get academia involved to educate future software developers in the proper way to create secure software. Which means, I take it, that the proprietary software houses have been unable to get their current developers to produce secure software. Following this plan will result in the first crop of (supposedly) secure software developers getting their first jobs in, oh, about 2015.
So... I see this report and the suggestions contained in it as an indication that Microsoft (and others but predominantly MS) has utterly failed in the attempt to introduce security into their product lines. Even after all of Bill Gates's pep talks and internal memos. Now they think that creating a bunch of undergraduate courses in secure programming, certifications, and awards to software companies will somehow result in a new breed of software that won't be susceptible to worms and viruses. To me that says: ``We, the proprietary software industry have finally come to realize that writing secure software is quite beyond our capabilities and we make these suggestions so that other people can figure this out for us so that we merely have to hire new people who are already trained to do this. And, of course, these programs should be paid for by the Government.'' No. Strike that. They'd be paid for by you and me. Twice. First in the taxes that would go to create these educational programs and the certification organizations. Then, again, when the price of the software goes up because, well, now it's secure software and that's worth paying extra for isn't it?
Funny that open source software -- and, to be fair, some proprietary software -- isn't anywhere nearly as vulnerable to the sorts of attacks that Microsoft's is. Because, it seems, those Neanderthal open source programmers didn't have the insight to include features that automatically run code by clicking on mail attachments, include scripting languages inside applications that have the ability to destroy user data or launch unrelated programs that damage the local and/or remote systems, or, ... (the list goes on).
Wonder where all those open source programmers managed to learn about writing secure software (yes, yes, yes... I am aware even OSS can occasionally have bugs that affect security) without a college program, certifications, and industry awards? And how do they do it without a government subsidy? Oh, yeah. I forgot. They're able to do it because they don't have some pinhead from Marketing ranting and raving that seven new features need to be in the product in time for the next trade show and there is no time to waste with any discussions about how these features destroy the integrity of the software. Companies like Microsoft won't create more secure software once these programs are in place. Even if they are able to grab every straight-A, magna cum laude graduate of these programs in the country. Why? Because these poor folks are still going to have to answer to some pinhead from Marketing ranting and raving that all these new features need to be in the product in time for the next trade show.
I sure as hell hope that some articulate luminaries in the open source development community have the opportunity to submit a report to the folks that are going to be reviewing this piece of tripe. The opposing viewpoint and an alternate plan needs to be heard.
(Heh. If reading the summary got me this ticked off, imagine if I'd read the entire report!)
CUR ALLOC 20195.....5804M
You need read no further (in the summary) than:
"The Department of Homeland Security should support US-CERT, IT-ISAC, or other entities to work with software producers to determine the effectiveness of practices that reduce software security vulnerabilities."
Translation: We'd like to hop on the government gravy train under the guise of "Homeland Security." Can we get some free money please? I mean seriously, why should we pay to fix our own programming errors when we can get the government to pay us to do it?
We have a Republican president and they control half of Congress.
Since this proposal would extend the reach and powers of the Gov't, it will never pass. Republicans are for a smaller government, remember?
Wait. Why are you laughing?
Developers should use processes that consistently produce secure software.
Yes, they should. Why don't they? Because nobody really knows how to do that. And the things we do know how to do don't get done because they cost money.
While government regulation makes sense in many areas, in this one it doesn't. A far better approach would be a free market approach: if the product is defective (i.e., if it crashes, if it has a security hole, etc.), you should get your money back. Of course, companies like Microsoft and Sun know they would be bankrupt if they had to take financial responsibility for the harm they cause.
Am I the only one that read these things in the summary?
Software producers should adopt practices for developing secure software. Let's talk "buffer overruns"; the causes are well-known, tools exist to search and flag source code for likely problems and, damnit, even buffer overrun problems that get through are simple to test for and find (at least on network ports). Yet, Microsoft's last major software release still suffered from a major buffer overrun exploitation!
Adopt software development processes that can measurably reduce software specification, design and implementation defects. Many of Microsoft's security problems have been stupid design decisions, not software bugs.
Patches should be well-tested, small, localized, reversible, and easy to install. Patches would also not require reboots, use consistent registration methods, include no new features, provide a consistent user experience, and support diverse deployment methods. Is there one of these industry best practices that Microsoft has not violated with some (and I say the majority of) their patches for Windows and Office?
Make the security of one's software a job performance factor. Measured by such a standard, Microsoft already flunks and has flunked for the past 10 years; 'nuff said!
I'm sorry; all of this was possible for Microsoft many years ago and they just didn't do it! Now, all of a sudden, they've got wisdom and knowledge enough to tell everyone else how to do it? puh-leeeze!
We don't need Microsoft setting standards for security for everyone in the industry; in essence, they have already done that and the standard is much, much too low! What we do need is for Microsoft to be held accountable for their shortcomings. After a few lawsuits for shoddy security and piss-poor QA, then maybe we'll listen to Microsoft's views on the subject!
Look at it as a certification process. Each project tasked with protecting data on a computer (networked or not) has a security posture and a security officer responsible for ensuring that the declared posture is enforced.
This is what a bunch of people at /. fear: they expect the government to try and make it all completely secure and fail, but what they fail to see is that government will only quantify and validate the level at which an information system is protected. This means it's not a black and white world, but rather the level of protection is paired against the threat of compromise.
A bunch of you also think this has only to do with preventing a network-based attack. And while that is in play, don't forget corporate espionage. That foreign temp worker your boss hired could be walking out with all the spreadsheets the accounting department values. This problem, by the way, is addressed in trusted operating systems such as talked about in this article asking about Trusted Linux vs. Trusted Irix or Trusted Solaris.
DCID 6/3 works both sides of that problem and quantifies for management what kind of protection their dollars have bought them.
It makes people feel more secure, but it doesn't really mean anything. Mainly because the rules for getting the accreditation are pretty trivial in most cases.
I'd prefer something like the Engineering societies where you spend a few years apprenticing and have another professional engineer (who worked with you) sponsor your membership. You'd only need one or two accredited Software Security Engineers in your company, but if they say the product doesn't ship, it doesn't ship.
Professionally accredited Engineers have that kind of power because if they refuse to sign off on a design or course of action, anyone who goes against their professional advice becomes legally liable.
It would also help if companies looked at products OTHER than Microsoft. Competition does wonderful things for innovation, which is precisely why Microsoft tries to avoid competition...
The bitter lessons of a veteran coder: http://bitterprogrammer.blogspot.com
It sounds good, but it is probably a dig at open source software. Imagine having to license the "approved" $2,000 test suite (because of patents, etc.) to test your apache module! Or, you release software but are not "certified" and did not follow the "approved" DHS methodology. What will that mean?
There should be a civil penalty - based on the price of the software. So, if you download and install a free distro - you can collect as a function of your expenditure (0.00 usd). If you license Windows 2003 for (800.00 usd) you should be able to recover say 2 times the license fee. Who in their right mind will release free (as in beer or speech) software when all that happens is that they become liable for security breaches?
And certification? Does that mean I have to attend a 3,000.00 USD class to get an 8 1/2 x 11 piece of paper saying I'm certified? What happens when Joe college student (no 8 1/2 x 11 piece of paper) publishes his senior thesis project under GPL? What is he on the hook for? And given the money grubbing bastards will be in charge of the certifications, and their people must get certified, is it going to be nothing more than a piece of paper?
My bet is that the final bill will also seek to punish independent researchers that post vulnerabilities. (They must have done something illegal under some statute to find those vulnerabilities). Hopefully this will all just blow over when people wake up and realize that nothing good comes of crossing large, corporate interests with government that wants to pretend it's doing something.
Leave the gun, take the cannoli -- Clemenza, The Godfather
[scary-looking Matrix agent]
"Do you have a permit for that 'Hello World!' program?"
Some aim to please, I aim to tease.
Cyberterror at Dep't of Fatherland Insecurity is headed by Amit Yoran, who owes Symantec a $145M favor. He follows the founding CyberFatherlander Howard Schmidt, who moved from strength to strength: CTO of Micro$oft while it developed the very software that leaves cyberspace as secure as the World Trade Center on September 11, 2001, and Fatherland Insecurity Czar during the glorious rise of the SpamWormVirus. Given the Bush team's success in securing Iraq and Afghanistan, always prioritizing science over mumbo-jumbo and easy, government-mandated corporate profits, I expect nothing but smooth sailing fro {CHIRP} ALL YOUR FIREWALLS ARE BELONG TO US ~GZGZGZ~ NO CARRIER
--
make install -not war
Based on the report, this is just another Microsoft scheme to cement their control over the desktop and to further lock in their monopoly. Microsoft will define the education, training, 'best practices', the software development process, and the incentives for compliance with their rules. The time may come when the government will issue licenses for software development, desktop computer use, systems administration, etc. Needless to say, the penalties for doing whatever without the license written by Microsoft will be 'severe.'
Microsoft wants the best of all worlds by having sole ownership of a desktop OS containing numerous 'access points' to allow Microsoft, their partners, or the government to do whatever with the target system but they also want to restrict the bad guys from using those very same access points for malicious purposes. More government regulation of the end users is not the answer to Microsoft's 'swiss cheese security' approach to OS design. More government regulation and oversight of the design practices of OS vendors who have major security problems is the answer.
Why should patches even require registration or other identification? This requirement could be used in a discriminatory way and hence dissuade users from implementing them. Moreover, I'd like to add an important addition, inspired in part by this comment: patches should not modify the user's rights in any way.
For the last freaking time, the GPL is *not* a EULA. It is a distribution license. Anyone relying on the GPL for end user disclaimers is quite mistaken.
If you had super powers, would you use them for good, or for awesome?
I didn't read the full document, rather just the summary, but god almighty... I had to go back and read it twice to make sure I saw what I did.
If for some reason this were to happen, it would be tantamount to a repeat of the Stamp Act of the late 18th century, which was a precursor and one of the factors leading to the American Revolutionary War.
In short, the Stamp Act (hope I get this right) made it illegal for anyone to print anything on paper that did not carry the official (and paid for) tax stamp of the Crown (something you Brits are familiar with.) This has/had the effect of putting the power to publish in the hands of those who could afford to pay the tax. IIRC it was enacted in part to stop the printing of the revolutionary pamphlets making the rounds at the time. In addition, it was enacted without the consent of the population (hence "no taxation without representation.")
This is basically the same thing, except instead of paper we're talking about bits, and instead of publishing on paper we're talking about regulating the entire software development process!!! How convenient for Microsoft, CA, and the rest of their BSA lackeys. If we can't compete on merit, let's just try to shut them (being anyone who hopes to develop and market any software, let alone open source) down in the name of national security?!
The persons responsible for this should be hanged at high noon in the nearest public park. I'll bring the beer.
I certainly hope the government does not seriously consider this in any way shape or form. If this somehow comes to fruition I'll be emigrating somewhere else, or at the very least giving up on IT altogether.
1. It takes a U.S. only view of the global internet.
2. Writing secure code can be legislated as if writing insecure code was everyone's normal intention.
3. The majority of the vulnerabilities come from the OS and/or are included with the OS. Reducing what is the OS could (and will already) reduce vulnerabilities.
4. Many vulnerabilities have arisen due to the fact that software is a profit engine for companies and requires new, and sometimes poorly thought out, features (ex. Outlook scripting or additive software which is already on and working, but never needed in the first place).
5. Security is now part of the marketing hype of software sales. This study feeds into that.
A new standard is emerging. Of course, only large corporations can afford to implement and get audited for this.
What a great way to prevent small businesses from taking a market share if you make it "compulsory" to have a certification only existing large companies can obtain easily.
It's just going to be another buzzword affecting the corporate world and they are trying to piggyback the homeland security (another buzzword) to make it easier.
My Karma is so low that even my own postings are beyond my current threshold
rather than a scheme for total world domination.
These companies are basically trying to erect additional barriers to entry into the software market: costly certification and training requirements, costly documentation requirements, etc. They know that they can satisfy them, but a small software vendor or an OSS project can't.
And they make those recommendations knowing full well that they won't work. If they knew how to make more secure software, they'd already be doing it. A bit of training and certification just is not sufficient for making software more secure.
what seemed to be a reasonable plan of action [...] However, at this early stage I see nothing more than an attempt to codify a national stance on computer security.
What's there to "codify"? What's reasonable about it? There is not a shred of evidence that the "strategy" described in the report will do anything to improve security.
At this point, we have to conclude that people continue to buy insecure software either (1) because they don't have a choice because of Microsoft's monopoly, or (2) because they don't care about security. If (1) applies, then the solution is to break up Microsoft's monopoly and give people a choice in software; then they can pick the level of security they like. If (2) applies, then what business does the government have to force a level of security into products that buyers don't want?
It's not like AT&T because they are not asking for themselves to be regulated. This is more like Enron.
Once such a regulating body is established, what will they do? They will be completely ignorant of the thing they need to regulate. Thus, they will turn to the industry for advice on what to do. These companies will be the ones with the inside ear, and can influence or even write the policies that get created.
It's elementary.
Regulations cost money and create hurdles. If they succeed in getting laws that require software to be certified as secure by some mixed public-private authority (read BSA, some universities, and the NSA) then free software will just have a complex process to go through before it can be used in government and perhaps even before it can be distributed. Whatever the claims of Microsoft and the BSA, their ultimate goal is not security but to prevent the commoditization of software which is going to destroy their business model. Big companies are already warming up to the idea that money should be spent on hardware and support, not on overpriced proprietary software that is not any better than what they can get for free.
The submission said "but I'm afraid that this looks too scary".. I read through the three page summary, and I didn't see anything "scary". There was really nothing with any teeth.
It was a proposal to form a committee that would define a bunch of recommended procedures, best practices, etc..
The negative view would be that it's just another bunch of bureaucratic bullshit that won't amount to anything.
The positive view is that they will produce a bunch of recommendations to help us avoid security flaws when creating applications.
But, I couldn't find anything scary. What am I missing?
How about funding some of the CSAB accredited computer science schools out there? It doesn't have to be done through the DHS (big scary TLA agency), you could use DARPA, who already has a good working relationship with universities.
Back when I was in school {insert joke about abacus & clay tablets here}, it would have been fun to take a 400-level course devoted to computer security. Even better if I didn't have to pay for it.
Chip H.
In other words, this is all about using security as an excuse to make DRM a legally required component of the Operating System, and force software to respect that component.
"Security" is just the horse used to hide the DRM soldiers inside.
"Live Free or Die." Don't like it? Then keep out of the USA
Wouldn't it just be easier to pass laws making software vendors responsible for the bugs that they produce instead of spending our tax money to provide a shelter for insecure code?
Security is an engineering tradeoff, just like speed and usability. I don't want every software vendor to have to conform to the highest level of security out of fear of getting sued.
The people who should worry about this sort of thing are the buyers of software. If your car mechanic can't fix your car in time because his PC got broken into, you go to a different car mechanic and he will go out of business. If a hotel can't accept reservations because their reservation system got hacked, they go out of business. For small businesses, those kinds of feedback mechanisms work pretty directly and after that sort of thing has happened once to a small business owner, they'll generally have learned their lessons.
The problem is with non-competitive markets: many people have to buy Windows no matter how insecure it is because the software they need only runs on Windows. And you can't change airlines or banks just because they keep having security problems--there are too few of them around.
If we create efficient, competitive markets in software, banking, airlines, etc., then the security of software will adjust to the optimal levels demanded by the market. Our problem is not lack of government regulation, it is lack of efficient markets.
In short, if we want secure software, the government should simply get more aggressive on anti-trust enforcement again. And they should do so first of all against Microsoft so that buyers have a real choice. That's the sort of government activity we need, not bogus "security standards" which aren't going to work anyway.
Here comes licensing
And this isn't going to be about the software license (contract) either. It will be that the government will require you to license your server for permission to "transmit" (publish information) on the Internet. All "receivers" (websurfing clients) will not be required to be licensed. This will follow a close analogy to the way the FCC licenses radio and television broadcasters. Also all outbound email will be required to flow thru officially licensed servers before it can be delivered to the recipient. Especially since in-transit thru these servers, the emails can easily be intercepted and/or traced.
Tinfoil hat firmly in place.
The Summary itself is primarily concerned with economic benefits and the software industry. Since OpenSource software is not considered a "money making endeavor" then we can reasonably presume that it doesn't count as "industry". (Note: I am not asserting that people cannot be or are not now employed gainfully by Opensource, only that Congresscritters generally think so).
A sample list of "recommendations" include:
All of these suggestions are targeted specifically at "industry" (I.E. Microsoft) and seem likely to carry sufficient costs/licensing issues to lock OpenSource systems and those proprietary systems that are produced by small companies out of the market (particularly for lucrative government contracts).
While this is only a talking points memo it might be worthwhile for those
Mind you, I'm not arguing that government standards are inherently bad. I am, however arguing that any standards, if they exist should level the playing field and enhance security not lock out some players and bring us more into a monoculture.
Just some suggestions.
Also, which port does the dark side use?
And is the phrase "Fear leads to Uncertainty, Uncertainty leads to Doubt, FUD leads to Windows, Windows leads to suffering"
As I understand it, lawyers for some big, national retailers in the USA were enthusiastic supporters of ending the sales tax exemption on Internet-based purchases. For a large operation that has scores of accounting and legal expert resources on staff anyway, understanding, comprehending and complying with the diverse tax laws of 50 states is a minuscule incremental cost. For a mom-and-pop operation it makes the cost of entering or continuing a small business, that might have national or even world-wide reach due to the Internet, prohibitive.
Has there ever been a documented case of actual 'cyberterrorism' against the US? It seems like all the laws and hoopla around it seem to do is hand out extremely long prison sentences to script kiddies. Most of the criminal hacking I've ever heard of was for personal gain or just for reputation/attention getting. Has any actual group successfully launched anything that could be considered a terror attack?
Even the fairly cohesive stuff like the long-running India vs Pakistan web site defacement battle is just a really annoying flame war.
I'll make you a deal. Pass ONE law about cybersecurity. Make it illegal to run an open relay mail server. See if you can enforce it. We'll know if it works if spam decreases.. If you can, and it does, you can pass another law. See if you can enforce that, too. Then we'll talk.
(see you sometime in 2036)
I had a sucky sig.
that is all
Yup. It can be read right here Computer Security Report Card
Is this a case of the blind leading the sighted?
IANAL, but I've seen actors play them on TV
I hope this is just another [late] April Fools Day joke, but I'm afraid that this looks too scary to be real."
Now that just don't make no sense!!
It is appropriate that this 'report' was released on April 1st. Halloween would also have been appropriate. Here is what it will do:
1) Give M$ a shield from responsibility for the massive insecurity of their software by making a 'security organization' the accountable party. "Software companies" (i.e., mainly M$) would fund the company. The security organization would lay down rules about how bugs and holes are discovered (not a certified programmer? -- then you can't look for/report bugs. See the story of the French scientist who is being sued for pointing out vulnerabilities.), how they are reported (no public reports at all until the patch, if ever, is released, then no announcement as to how long the bug/hole has been open), and how they are released -- through 'special' sites, for a fee, of course, so that the consumer pays even more for M$ bugs.
2) Require programmers to get "security certifications" from "accredited" schools. These are schools which have received funds (guess from whom) to finance/"reward" faculty members who establish such programs. Guess which OS will have certification programs, and which won't be allowed on campus. (Just ask yourself which platforms aren't allowed equal billing with Windows on Dell computers.) Programs written by "uncertified" programmers will not be allowed distribution through 'certified' channels. Uncertified channels will be made illegal.
3) No answers as to which programmers get 'grandfathered' in, but the entire MS programming staff would be a good guess.
4) Independent Software Vendors (ISV's ---i.e., OpenSource folks) will have to meet requirements which are, in effect, designed to keep them from developing software drivers for new hardware, effectively locking them out of future markets.
Microsoft, the BSA (enforcement arm of MS licensing), and other companies with less than desirable security records would then use the courts to completely muzzle news of the vulnerabilities in their software. With that accomplished they can essentially shut down their repair operations and move the whole program into the public law enforcement arena, using local and national law enforcement agencies as their "security repair" division. Just remember that French scientist who was sued as a 'terrorist' for revealing security holes in software which the vendor claimed in their ads was "100% secure". This will be in no way different than what coal mine owners did in their efforts to keep slave labor trapped in their mines, but this time it will be consumers trapped into using buggy, insecure software with no alternatives. The end result is that the software will get worse because the incentive to repair is removed and will become more expensive because there will be no Open Source competition.
The current crop of "Security Organizations", most of whom have already knuckled under to Microsoft, will not be needed in the "New Order", but I'll wager most of them haven't figured that out yet and are probably jumping on the bandwagon because they have, like so many companies Microsoft has deflowered and plundered, visions of increased revenues as Microsoft 'partners' in this new scam.
The 'security problem' doesn't need a 123 page report to identify the security problem and create solutions for it. The problem is Windows. The solution is for Bill Gates to spend some of his $50 Billion to fix the code, not buy off congressmen and judges and make their problem a law enforcement issue at the public's expense. Is there no end to this man's greed?
Running with Linux for over 20 years!
In section three of the full report there are recommendations for education requirements for persons going into the IT and programming fields. These include a page-long list of what seem to be innocuous and common-sense requirements, but when this is coupled with the fact that it is Homeland Security being asked to implement the program, it adds up to background checks for anyone who wishes to learn to program, plus mandatory (increasingly expensive) college education requirements.
The suggested requirements are extremely specific, and mostly are the kind of thing that programmers currently learn by doing or from both formal and informal mentoring. Taking this role out of the hands of the user groups and workplaces and placing it in the hands of the authors of standardized tests will not improve the quality of programming or security practices any more than the "No Child Left Behind Act" has improved the quality of public education in this country, and will likely eliminate many of those who are capable of creating the next batch of "best practices" by discouraging independent thinking, thus reducing most software authoring and administration practices to a set of "acceptable minimum requirements" that is dictated by government bureaucrats instead of determined by the combined experience of the software community.
Read, L
I don't see how "education" can play an effective role here.
1: Some security bugs are the result of carelessness in coding. I'm not sure how "education" can eliminate this. The fact is: coders will always make mistakes, and the system needs to be designed to deal with that fact.
2: Some security bugs are the result of the chief architects deciding to include powerful features that serve as high-risk attack vectors. (For example, Windows has an excessive number of services that listen for commands on TCP ports.) I'm not sure how "education" can eliminate this, since these decisions were made by the chief architects, who are supposedly our very best and brightest.
3: Some security bugs are the result of our industry's chronic inability to design appropriate user interfaces. (For example, a certain percentage of people will always open e-mail attachments in an unsafe manner -- and our industry has been utterly incapable of rolling out a UI solution to address that problem.) I'm not sure how "education" can eliminate this. Again, it's the chief UI architects who are approving these inappropriate designs.
How can "education" achieve the kind of cultural and paradigmatic changes we need, when the "education" is a product of our current culture?
Who will teach the teachers?
If they don't, what's the friggin' point?
Come on Microsoft, this is a really cheap-ass way of trying to get rid of Open Source competition... Go back into your cave!
Maybe the DHS should send reps to USENIX and Black Hat/DEF CON (if they haven't already) to actually learn something about security. This thing looks like nothing but another lobbying group. Worthless.
I find it a little odd that Microsoft would have a representative leading this group when they are the core of most security issues. Perhaps they should lead by example?
OTOH, of course you could go and sue a vendor, such as RedHat.
Sticking feathers up your butt does not make you a chicken - Tyler Durden
What are they going to do, pry our compilers from our cold dead hands? I have a feeling that if MS wants to try and regulate security, they'll screw that up worse than they've screwed up their "secure" operating systems.
Isn't this virtually the same thing as "Infragard" (http://www.infragard.net)?
Microsoft wins "industry awards for secure software development practices." Of course OSS developers NEVER receive these awards because they are not part of any "industry."
Insert Generic Sig Here:
please believe it! :(
------ Curiosity killed the cat. {satisfaction brought it back | it didn't die ignorant | lack of it is killing mankind
Microsoft recently collaborated with the Fed to produce a set of best security practices documents for Windows.
Of course, what I'd like to say from a process such as this is:
"Provided by the management for your protection."
Even if adopted, this won't be fatal to free software. It would cripple the US economy, but free software would continue to be developed elsewhere. Eventually, once the US was driven back into a depression, other interests would win out, and the law would be overturned.
Admittedly, not a pleasant prospect, especially in the short term.
The important thing for people to realize is that it isn't really black or white. The source to all software is open to somebody and also there will tend to be leaks. The "more open" the source is, the quicker its bugs tend to get discovered and fixed.
If the bugs can be shored up BEFORE the software gets widely deployed, so much the better.
But in the strictest sense, "open Source" is not black or white. What we commonly refer to as "open source" software is that subset of software to which the source is open to absolutely everybody. So-called "closed source" software is nonetheless still completely open to its developers. Even the tightest development teams may be subject to industrial espionage, infiltration, interception by a foreign nation's surveillance network, or plain old operator error. There is no valid argument that a relatively closed source can somehow provide greater security, especially in the long term. And as we learned from the recent Microsoft Windows sourcecode leak, what was closed source yesterday may become open sourced today. We have to respect Murphy's Law in this matter! If it can happen, you have to assume that it will happen.
When the Microsoft Windows sourcecode became disclosed, it took only a day or two for an exploit based on the disclosure to appear. So given that the sourcecode of any software you use may at some point in its life cycle become subject to scrutiny by disgruntled insiders or malicious hackers, wouldn't you prefer such a scrutiny to happen as early as possible? And preferably long before you must decide whether to deploy the software at your own site?
True security improves when there is as much code scrutiny as possible. What we call "open source" provides the best system for code scrutiny that has ever existed.
The cybersecurity initiative may indeed be a veiled move by dominant software companies to secure their own market dominance. However if this is the case, the facts are against them. I am confident that what we refer to as Open Source will triumph over any such challenges.
In my Business 101 class, they taught that every business has a barrier to entry, and the higher the barrier to entry is, the more you can charge high prices if you are in that business, because it is harder for competitors to get in and compete.
Under that, there are what I would call natural barriers to entry, and artificial barriers to entry. A natural barrier to entry might be a semiconductor plant - where in order to get started in your market you have to first get a 100 million dollar FAB. An artificial barrier to entry usually comes in the form of frivolous government regulations and laws.
This is a classic case of MS putting up an artificial barrier to entry for Linux companies. It helps no one else, and even worse, the regulations and bureaucracy set up will continue to hinder everybody long after MS becomes irrelevant. Our only hope is that other large companies like IBM will see that it's not in their best interest for this to happen and make a play to block it.
Lately, I've been of the opinion that the net should be pretty much left alone by govt, aside from possibly flooding, fraud (fake 'stores', etc), and pedophilia distribution.
Hackers? IMO, let them hack with no legal repercussions. Companies will build a reputation through their quality. If you choose to put something on the net, one should not be able to put someone in jail just because their 0's and 1's that got sent were in some order different than another person's.
My main reasoning for this ideal is that currently, software says "pay us big bucks, but if our software does anything adverse, tough" (meaning the software CO's depend on the law/govt to enforce THEIR SLACK SECURITY). Meanwhile, people who do dare to test the lazy long arm of the law can quite frequently break the security of the software--because it isn't made that well. Additionally, often, if something 'illegal' happens to your home box, the govt won't get involved; they only will if you have some kind of money.
so i say--make it all legal on the net! reduce our taxpayers money being spent on the net law enforcement (which is only spent on the rich!), and we will see, quite fast, an ABSOLUTE DEMAND for better software.
Troll, Troll, go away and flame again some other day
If it is explicitly written into law that no employee of M$ or an affiliated company can be accredited until Windows is secure.
Professional Politicians are not the solution, they ARE the problem.
These two organizations are not the same thing. I'd trust the DHS about as much as I'd trust Goebbels.
US-CERT is a partnership of CMU CERT, DHS, and NCSD.
I would imagine that the root goal of this 'effort' would be to create a barrier for entry into the software market.
If you can't afford to be certified, then you can't enter. Only the big boys (the ones that are making this suggestion) will be able to afford to continue in their respective markets.
This would eliminate most of their competition instantly, and completely end the Open source movement, as a by-product.
It will also filter down to the general IT world; expect repair people to have to be government certified, bonded, etc. Again raising the cost bar for entry (and the cost to the end user).
---- Booth was a patriot ----
Maybe we'd better concentrate on teaching secure practices in India.
We'll all be working at Walmart, not writing software.
Other benefits of such a classification system could be quite significant. It would be possible (and probably not very difficult) to produce tools for a runtime environment, such as a JVM or kernel, to enforce compliance.
Looking at my example from above:
a) The software bounds-checks all memory accesses to data at the compiler level (free with some languages like Java, and can be done in C if necessary).
b) The software does not access the network.
c) The software does not write to any data files.
(b) and (c) would be very easy to implement at the kernel level, and would potentially make a good capability (I believe all the POSIX capabilities extend, rather than restrict, privileges, which is a bit unfortunate for those who would like to use the kernel to sandbox processes). Windows *may* already be able to do this, and since this is a common requirement for a trusted system, it's a good bet that some trusted Linux projects already implement enough kernel support to handle this.
May we never see th
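As an added example (not code from this thread), here is how (b) and (c) can be enforced at the kernel level today on Linux with a seccomp-bpf filter: the filter refuses socket() and any openat() that asks for write access, while read-only opens still work. It assumes x86_64 or aarch64 Linux with seccomp filter support; the /tmp path is a constructed probe value, and a production filter would also cover the other file-creating syscalls.

```c
/* Added example (not the thread's code): seccomp-bpf sandbox enforcing (b) no network
 * and (c) no data-file writes. Assumes x86_64/aarch64 Linux with seccomp support. */
#include <errno.h>
#include <fcntl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#error "this example covers x86_64 and aarch64 only"
#endif
#define SC_DATA(field) ((unsigned int)offsetof(struct seccomp_data, field))
#define DENY_EPERM (SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))
#define WRITE_FLAGS (O_WRONLY | O_RDWR | O_CREAT | O_TRUNC | O_APPEND)

/* Install the filter in the calling process. Returns 0 on success, -1 on error. */
static int install_sandbox(void) {
    struct sock_filter filter[] = {
        /* Kill the process if the syscall ABI is not the one the numbers below assume. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SC_DATA(arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SC_DATA(nr)),
        /* (b) no network: socket() fails with EPERM. */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, DENY_EPERM),
        /* (c) no data writes: openat() with a write flag -> EPERM (glibc's open()/fopen() use openat). */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 0, 3),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SC_DATA(args[2])),   /* low 32 bits of flags */
        BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, WRITE_FLAGS, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, DENY_EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };
    /* An unprivileged process may only install a filter after forgoing privilege gain. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Probe the sandbox in a forked child. Bitmask: 1 = socket() refused, 2 = write-open refused,
 * 4 = read-only open still allowed; -1 = the filter could not be installed. */
int sandbox_probe(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int mask = 0, fd;
        if (install_sandbox() != 0) _exit(99);
        if (socket(AF_INET, SOCK_STREAM, 0) < 0 && errno == EPERM) mask |= 1;
        fd = open("/tmp/sandbox_probe.tmp", O_WRONLY | O_CREAT, 0600); /* constructed path */
        if (fd < 0 && errno == EPERM) mask |= 2; else if (fd >= 0) close(fd);
        fd = open("/dev/null", O_RDONLY);
        if (fd >= 0) { mask |= 4; close(fd); }
        _exit(mask);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 99 ? -1 : WEXITSTATUS(status);
}

int main(void) {
    int mask = sandbox_probe();
    printf("socket refused=%d write-open refused=%d read-open ok=%d\n", !!(mask & 1), !!(mask & 2), !!(mask & 4));
    return mask == 7 ? 0 : 1;
}
```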
I RTTPS (read the three page summary).
From the section entitled "Principal Short-Term Recommendations":
--Adopt software development processes that can measurably reduce software specification, design and implementation defects.
Does anyone here know of a software development process that reduces defects???
We may experience some slight turbulence and then...explode. -Capt. Mal Reynolds
. . .any port with a Si[x]th in it. . ba da bing, ba da booom.
This is underwhelming, and best ignored.
Gates has a real problem in that many companies are very happy with Win2000. There are no plans to upgrade from win2k for many people, and this is going to start to cause problems for MS - they're going to get dragged down patching and supporting several versions of the operating system. To say nothing of the complication on the APIs; MSDN is a nightmare, I hadn't done any windows code until very recently - and I was shocked by how much almost-sorta-but-not-quite-duplication is appearing everywhere. There's a LOT of inertia building up daily.
So, get it regulated and set a standard. Now -everybody- has to update their OS. Probably on a regular schedule, as "best practices" change. Of course no CURRENT MS product is going to qualify. You'll have to get all new stuff.
Yeah yeah, tin foil hat time - but this is something people should watch closely. No computer connected to the internet is, or ever will be completely secure. Just like no building is completely secure. If you want a secure building you can get one, but it's going to cost a lot more. I don't see why software is any different.
I don't want to end up paying special taxes for "security" because I own a PC. That's where this is headed.
..don't panic
That is like asking the fox to guard the hen house.
Electric News has a report from McAfee Security on the cost of downtime and closed business in Europe due to viral infections.
Call me paranoid, but I am having a lot of trouble identifying any virus that will infect a system running Linux, Unix, HPUX, SunOS, or just about any other operating system other than Windows by simply double clicking on an email attachment. In fact, many emails directed at intruding on an MS system can infect the system just by highlighting the email to delete it. It becomes apparent to me that the main culprit in this scenario is likely to be Microsoft. Let's be generous to MS, and remove 50% of the cost of downtime as being due to other causes. We are still left with an $11B price tag. To date, it seems to me that Microsoft remains blissfully unrepentant to their customers for inflicting this level of cost and inconvenience on them (and they are screaming about a piddly $500M fine in Europe - right!).
We have had over 15 years of viruses, trojans, and assorted malware in the computer environment, and at least 90% of that volume has been directly attributable to Microsoft products. In that period Microsoft has done nothing of any level of effective repair of their products to correct the underlying problem. Instead, they have created an environment of constant upgrade and patching to slap a band-aid on the problem, while introducing new problems, and costing business and consumers further cost and inconvenience to keep up to date. They have removed the finger of blame from themselves and pointed it to their own customers, claiming they do not keep up to date with their patching, while the sucking chest wound in their core products keeps on bleeding.
MS's actions show that they have no effective method of mitigating a problem that has plagued their products for 15+ years. On the contrary, they have effectively conned business and consumers into accepting the idea that such atrociously insecure products are the norm, and that any computer user should expect these problems.
If Ford or GM released a product with such shoddy underlying development and lack of effective remedial action, resulting in such dramatic economic losses, they would be shut down, period. So why is Microsoft allowed to keep on doing business as usual, when the results of the last 15 years clearly show that their business as usual model is plainly unreliable?
If anyone has worked with the government to get a system "certified", you may remember that the process is basically a sham. It's referred to as C&A, or Certification and Accreditation. One common joke is to spell this out in Spanish, C y A, or Cover Your Ass, which is all the C&A process is. A government organization basically papers over all its problems, documents it, and exempts itself from doing anything really productive to protect itself. Further, the government happily gives itself a ridiculous amount of time to get its systems certified and even exempts itself when it needs to. The process can literally take years to get what is referred to as an "ATO", Approval To Operate. That is supposed to mean the system cannot go online without an ATO, but, HAHA, the government gave itself an out - the IATO. The Interim ATO, basically a "go ahead without the ATO" exemption, which is supposed to expire. However, when it expires, agencies can and do exempt themselves from that too. In some cases this can go on for 3 or 4 years before anyone even bothers to start the ATO process.
The point is the government is literally the last organization on earth to take seriously in this area. They don't even bother to practice what they preach, so why should anyone trust them to certify anything? It's like they can be sued for messing up. After all, it's not their money, it's the taxpayers'. Government certifications are rarely worth more than the paper they are printed on. It's a feel-good measure, and I suspect this latest "software certification" will be much better.
The point here is that with C&As, which is not what this article was about, the whole intent is to pass the buck on to someone else. We're certified, so the problem must lie elsewhere. The issue is rarely brought up that maybe the certification is worthless.
Typically, the argument is "We met the standard, there's nothing else we could do, we did everything we were supposed to, the problem must lie elsewhere." In reality, there is plenty they could have done and this is just an exercise in equivocation. Today, we know the problem is with the vendor's product; tomorrow we assume it's not because it's "certified". Certified = secure. So all certified software must be secure. War is Peace, Ignorance is Strength and Certified is Secure. It's all a clever ploy to pass the buck.
What's really galling is that with this "new" request by industry to get a "certification", we see the same rhetoric and old tricks back in play that vendors have used before with government security certifications. Vendors will simply look for a silly set of standards, such as with the NIAP program, Common Criteria and other useless certifications for software. The government, being politically controlled, and bowing to the wishes of its financial contributors (MS, CA, BSA and other big companies), will put out a flowery and impressive-sounding certification program which the industry will, in a very serious-sounding tone, sigh and accept as "the right thing to do", knowing full well that it's all a big paper game, with no real liability assigned to anybody in control of the process. It's all about passing the buck.
This process will probably be much like the absurd NIAP/Common Criteria approach, which is just an exercise in mutual mental masturbation, with the vendor claiming the product meets the standard, providing miles of paperwork to prove it, and the government, being totally overworked, will glance at the paper and give 'em a stamp, or outsource it to a company that has no choice but to certify a product with a toothless standard. Then, when the inevitable break in happens, the vendors will s
Python
You might have written something worthwhile to read. After all, your comment was rated up to a 5. But I stopped at the first "$" in M$.
will use secure software, turning the US into an IT backwater. I'm sure the US will try to slip in mandatory use of whatever M$ comes up with when negotiating trade agreements. But with the growing resentment towards the US because of Bush and his cronies (i.e. RIAA, Hollywood, BSA, etc. writing US laws) the rest of the sane world will ignore anything that comes out of the White House. Or should that be the RIAA, Hollywood, BSA house.
Red eyes at night, hacker's delight. Red eyes in the morning, professor's warning.
Why is government involvement needed in any of this? After reading the 3-page summary, I don't see any function that particularly needs government intervention. Everything can be done by industry groups, private standards bodies, or other independent foundations.
Flying is easy, just throw yourself at the ground and miss. -Douglas Adams
"You might feel a little discomfort."
... gets a zero credibility rating from me unless they're building killer robots.
PHBs and one-handed typers are the only people who use 'cyber' outside the context of jokes (or killer robots).
The use of the terms 'Microsoft' and 'security' together also lowered the rank a notch or two, but that's a personal thing.
- I am made of meat.
Why it is always a good idea to let the fox guard the hen house. I mean, after all, you end up with a fat fox and yourself with nothing to eat!