Tech Companies Ask U.S. to Regulate Cyber Security
qtp writes "Wired reports that a group called the National Cyber Security Partnership, which consists of 'leading software companies' including Microsoft and Computer Associates and industry organisations such as the BSA, has asked the Department of Homeland Security to regulate what they call 'Cyber Security'. Representatives from Microsoft, Computer Associates, and the BSA headed the Security Across the Software Development Cycle Task Force that submitted this report to the Bush administration today. (For all of you who dread reading 123-page reports, there is a three-page summary available as well.) The Washington Post, Forbes, and Other Sources are covering this story as well. I hope this is just another [late] April Fools Day joke, but I'm afraid that this looks too scary to be real."
Let's all try and guess what additional percentage of their profits these companies are going to donate to the Dept of Homeland Security in order to pay for the US govt to do what's basically their own jobs for them...
Business gets .gov to regulate security.
Regulation and "Approved By.." nonsense costs money.
MS, et al pay.
Open Source can't pay.
Non-approved things can't be used, ergo closed source wins.
If it's true, MS and BSA will argue that the open-source software has to be stopped because it will let terrorists see the code and come up with exploits based on it.
1f u c4n r34d th1s u r34lly n33d t0 g37 l41d
Adopting a "top-ten" list detailing industry best practices. Patches should be well-tested, small, localized, reversible, and easy to install. Patches would also not require reboots, use consistent registration methods, include no new features, provide a consistent user experience, and support diverse deployment methods.
I thought Microsoft was involved in the partnership. How is that going to work??
This is not a troll. MS patches generally violate some or all of the goals stated above.
I want to drag this out as long as possible. Bring me my protractor.
Big businesses ask the gov't to step in, because their processes are flawed and produce bad software.
Gov't is expected, in turn, to mandate these measures. Mandating them, of course, requires that gov't money be spent 'fixing' the systems that were flawed.
Hmm. I smell pork.
...get out those tinfoil hats, kids.
Not trolling either.
Anyway, I feel this is a dangerous move to give that power to the DHS. After this trend of cut-taxes, spend-like-there's-no-tomorrow, and create more, new government agencies peaks and begins to wind down, agencies and budgets are going to be gutted. I sure as hell don't want the "new kid on the block" to have any "cyber-security" power when they get axed. We don't need to set ourselves up for an "authority vacuum".
Big businesses like regulation. It costs them, but it costs their smaller competitors more in relative terms.
How to solve most of our problems: 1. Lots of nuclear plants. 2. Cure aging.
The BSA isn't just in business to chase down pirates of commercial software, they're also in the business of getting people to buy more. Effectively, what the BSA wants is for companies that don't buy any information security products to get in trouble with the SEC... therefore practically mandating that everybody buy something from one of the BSA members.
"The report says programmers should be held personally accountable for security holes in the software they write."
Now we see a shift of responsibility to the programmers. Let's just try and put as many layers as possible between the Corp Entity and responsibility, why don't we.
"The report said industry groups should work with the Homeland Security Department to look at ways to reduce liability, as well as examining whether new rules are needed."
And now we see a way to tie the mass collection of data that the GOV. is asking for and private industry together.
This is one small step further towards the Corp Entity as Government.
My cat's picked up a Hammer. HEY! Put down that Hammer. Put Down that Hamm...THUNK!
I find it fascinating that some of the parties involved are standing-on-soap-box-high beating a cyber-security-drum when they themselves have a myriad of security issues to take care of in their own backyard. Seems to me if they can't handle the responsibility, or action required, to make or maintain a reasonably secure software product, they have no credibility in a matter such as this.
This is not a troll, but where was RMS and others?
It would seem that computer security would be important for the whole computing community, not just Microsoft, CA, and HP.
The proper way to improve security is invalidate all those EULA disclaimers.
You've noticed the same kinds of disclaimers on the GPL, yes? If the warranty disclaimer on a Microsoft license is invalid, what makes the one on the GPL valid; and if it is not, then how would, say, the contributors to the Linux kernel fare if they were sued for a major security breach?
I think the fuss should be that it's a waste of time. Many of the recommendations seem to be
1) Have some committee make up some security standards.
2) Award gold stars to groups that take some security classes, or who create a "security culture" in their companies.
In other words, this is completely useless, and gives the impression that progress is being made. An analogy would be the Academy Awards, where the group of insiders gives out awards to other people who are in the group of insiders, yet thousands of horrible movies are still made every year.
Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
Patches should be well-tested, small, localized, reversible, and easy to install. Patches would also not require reboots, use consistent registration methods, include no new features, provide a consistent user experience, and support diverse deployment methods. The world is falling apart!
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
It shouldn't be surprising that the major software vendors are calling for government regulation and licensing. This is not unusual, the hidden agenda is it protects the established players by making it harder for new players to gain entry to the market.
Who's going to sit on the regulatory board? Why, the industry insiders, of course. And they're going to work in the best interests of the established players, which means keeping out the new guys by establishing, among other things, licensing and certification of software professionals.
The same as every other regulated industry.
I said nothing about open source being more secure. I think it is more securable, and I think it is better all around, but what annoys me is Microsoft whining that there is no one to sue with open source, when their EULAs have all manner of disclaimer. Microsoft should be sued for fraud. They claim to be more secure, brag about how they are secure, etc etc etc, and yet not only do the security holes continue to roll in, Microsoft blames everybody else for the problems.
Whereas open source fixes the problems without blaming others.
Infuriate left and right
With Unix, you are pretty much at the mercy of other programmers to provide a nice user interface. As we all know, most programmers are lazy and tend to slack off in that area.
If MS, CA, and friends have perfect, 100% secure software then I think they should stop hiding it and just sell it outright without the government's blessing. Since they do not, this buddy system might be an alternative to open source software. It could be good, but it could be abused. Considering only big players are involved right now (?), the latter seems more likely.
From the report, I gather they want to define security and then they can make sure they meet that definition. Make the rules and play by them, at least in legal terms.
The summary talks about a taskforce to develop "metrics", working with government agencies to get a thumbs-up, develop industry standards, have awards for secure software (can open-source software win?), create a security license accreditation program, and make "the security of one's software a job performance factor."
As the three page summary says, we need to teach security when you START to learn to program.
Too often I hear that schools are not teaching security. Almost no high school teachers who teach programming even consider security (if they even understand the issues). In college, many schools offer an optional security class. What is up with that? At my school, the assembly language course doesn't even deal with security. New initiatives need to be taken to bring security out of the closet.
The auto industry has solved this problem. If you buy a car and find out it's "buggy", the shop will repair it and, in most states, if the bugs can't be worked out you get your money back or a different car (each state's lemon laws vary, but most states have 'em).
If a critical flaw is discovered later in the car's life cycle, the company issues a recall, notifies car owners and fixes the bug at their expense. (I'm curious, does anybody know how old a car has to be before the manufacturer is absolved of having to do recalls?)
Am I horribly short-sighted for thinking this model would work for software too? It has the added benefit that F/L/OSS is safe, too... when a vulnerability is discovered, you make a good faith attempt to notify your users about it, and you're obligated to either fix the bug or give them their money back. =)
25% Funny, 25% Insightful, 25% Informative, 25% Troll
Although, we all know from the DeCSS case that code "isn't free speech" when it's convenient. So the end result of this would be that the government can tell you what can and can't code.
I was fine with everything in the summary until I got to the "certification" part, but who knows, maybe my tinfoil hat is on too tight.
Qualitas edurus commercium, nullus penitus net rimor, nullus deus beneficium
uh, no, that's not what they mean. I think you need to remove your tinfoil hat for a moment and realize they're not out to kill open source on this one, especially given some of the other organizations that have signed onto the proposal.
They're referring to requiring universities to add "how not to write a buffer overflow" into their CS programs
And requiring various certification programs (e.g. MCSE, RHCT (Red Hat's certification), Cisco, etc) add "how to keep patches up-to-date" to their programs.
Yup, that was pretty much my take on things (Rule 1: industry *never* asks for regulation without an ulterior motive), although I think that there's a bit more to it -- if any cronyism can be used by existing players, it might be a useful tool against challengers, forgetting about Open Source for a moment.
I'm all for the government issuing advisories, but regulation of security is not feasible. I remember reading about older military software -- the government used to try to do much more comprehensive security reviews of all kinds of software it used with tiger teams. Unfortunately, it turned out the extreme expense of this kind of thing isn't feasible in the real world, and still left holes.
If I had to give a government recommendation, it would probably be along the lines of:
* Issue advisories. There are organizations like CERT that do this. Unbiased (not from a vendor), trustworthy information is difficult to come by.
* Issue best-practices papers. These are probably most useful to IT professionals, though it might even be a good idea to produce them for software developers. Microsoft recently collaborated with the Fed to produce a set of best security practices documents for Windows. This is an easy thing to add to a company security policy ("[] must comply with USG Document #135F3 Best Practices"). It just tried to deal with a couple of common misconfigurations. It's *hard* to get this kind of stuff directly from a vendor (which frequently wants to hand out information that will encourage you to buy more or is more interested in putting a positive spin on their mistakes) or a consultant (who frequently wants you to buy more consulting services) or a security software (like a firewall) company, which is primarily interested in scaring companies into thinking that they need security software.
* Government certification of software intended for non-government use is a bad idea. It takes a long time, allows cronyism, can be used to attack some sections of the market (like most Open Source). It's perfectly reasonable for USG-use purchase requirements, but it's not reasonable for broader use.
* Producing a classification system *could* be very useful, where the government writes documents describing particular classes of software, but is not responsible for ensuring that a particular version of a program fits into a class of software. For example, a hypothetical class-local/1 might require that:
a) The software bounds-checks all memory accesses to data at the compiler level (free with some languages like Java, and can be done in C if necessary).
b) The software does not access the network.
c) The software does not write to any data files.
Other useful requirements for various classes of software might be: "The software does not provide privilege escalation within the UNIX operating system's privilege system (as a suid/sgid program or a daemon running as a different user does...there would be an equivalent for the Windows security system)", "All data that the software uses from the network is either exact-match checked or bounds-checked prior to use of any of that data, and a failure to pass checks results in that data not being used" (might be useful for simple network software, like clients of the daytime protocol). The government is great at writing requirements and making them publicly available--let's use that. Then, if a company guarantees that they are compliant to a particular document in a contract, there is a clear point that they can be called on for non-compliance. Finally, there would be a market for software that can check software for some elements of compliance. Automated security checking is a major issue -- it's neat, it's more and more feasible (see CMU's Java proof-carrying compiler for some neat stuff). The problem is that there are currently no standards written by security folks who know what they're doing, so it's hard for businesses to ask for compliance to a particular level of security, and no tools that can certify programs to a particular level.
There are probably a lot more suggestions that the government could use, but this is a start...
May we never see th
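One way to implement the "exact-match checked or bounds-checked before use, otherwise not used" requirement that the comment above proposes for a daytime client, as an added example in C that is not from the original thread or from any real client. The 64-byte reply limit, the function names and the sample replies are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed local policy bound on a daytime reply (one line of ASCII text).
   This value is not from the protocol or from the comment above. */
#define DAYTIME_MAX_LEN 64

/* Validate raw bytes received from a daytime server before any use.
   Returns 1 and copies a NUL-terminated copy into out (size outsz) when
   every check passes; returns 0 and leaves out as an empty string
   otherwise, so data that failed a check is never used downstream. */
int daytime_reply_check(const unsigned char *buf, size_t len,
                        char *out, size_t outsz)
{
    size_t i, body;

    if (out == NULL || outsz == 0)
        return 0;
    out[0] = '\0';                 /* default outcome: reject, nothing usable */

    /* Bounds check: the reply must fit the policy limit and the output
       buffer with room for the terminating NUL. */
    if (buf == NULL || len == 0 || len > DAYTIME_MAX_LEN || len >= outsz)
        return 0;

    /* Exact-match check: the line must end in CRLF and have a body. */
    if (len < 3 || buf[len - 2] != '\r' || buf[len - 1] != '\n')
        return 0;
    body = len - 2;

    /* Character-set check on the body: printable 7-bit ASCII only, so
       control bytes (terminal escapes), NULs and high-bit bytes reject. */
    for (i = 0; i < body; i++) {
        if (buf[i] < 0x20 || buf[i] > 0x7e)
            return 0;
    }

    memcpy(out, buf, body);
    out[body] = '\0';
    return 1;
}

/* Convenience wrapper for NUL-terminated sample strings (example only). */
int daytime_check_cstr(const char *s)
{
    char out[DAYTIME_MAX_LEN + 1];
    return daytime_reply_check((const unsigned char *)s, strlen(s),
                               out, sizeof out);
}

int main(void)
{
    /* Constructed sample replies, not captured from any real server. */
    const char *samples[] = {
        "Thursday, April 1, 2004 12:00:00-PST\r\n",   /* well formed */
        "Thursday, April 1, 2004 12:00:00-PST\n",     /* missing CR */
        "bad\x1b[2Jreply\r\n",                          /* escape sequence */
    };
    size_t n;

    for (n = 0; n < sizeof samples / sizeof samples[0]; n++)
        printf("%s: %s", daytime_check_cstr(samples[n]) ? "accepted"
                                                         : "rejected",
               samples[n]);
    return 0;
}
```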
"Create Software Security Certification Accreditation Program."
If MS is involved, is it going to be just another paper tiger giving corps a false sense of security, because someone did a 'security bootcamp' and can pass a test, even if there is no real world experience to back him up, just like most MCSEs I've met in the past 10 years?
"All software should pass validation processes"
Yeah, all fine and dandy until someone like me writes a small patch for an open source project. I have neither the time, inclination, nor resources ($$$) to have my patch certified by 'experts' that have gotten their position by appointment of the BSA, MS, or were just next in line on the civil service exam.
I don't know anymore... places other than the US are looking better and better each day....
"The word "genius" isn't applicable in football. A genius is a guy like Norman Einstein," - Joe Theismann
Did the poster read the summary? I mean, maybe the full report is scary, but this isn't. Unless you are scared due to the clear inability of these things to change anything in the short term. But why would that be scary? It's not going to be fixed in the short term by anyone but you and I.
Can someone who actually read at least the summary please tell me what's so scary. And leave the tinfoil hats off - it gets very tiring.
The government is the people's union. The problem is that most people are ignorant and/or lazy and dropped the ball.
Bill Clinton: Pimp we can believe in. - The Shirt!!!
You need read no further (in the summary) than:
"The Department of Homeland Security should support US-CERT, IT-ISAC, or other entities to work with software producers to determine the effectiveness of practices that reduce software security vulnerabilities."
Translation: We'd like to hop on the government gravy train under the guise of "Homeland Security." Can we get some free money please? I mean seriously, why should we pay to fix our own programming errors when we can get the government to pay us to do it?
We have a Republican president and they control half of Congress.
Since this proposal would extend the reach and powers of the Gov't, it will never pass. Republicans are for a smaller government, remember?
Wait. Why are you laughing?
Well, people think they can do everything with software, but they know there are limits to cars. For example, try to throw your car into reverse at 60 mph. I think it's definitely a "bug" that you can't do that. How about security? Think your car is more secure than MS Windows or Linux? How many cars have you heard of being stolen? And yes, automakers are doing things to improve security, like coded keys, but so are software designers, but these cars still get stolen.
"Men lie."
"Yeah, about sleeping with other women, but never about bioluminescent plankton."
-Dan Brown
rather than a scheme for total world domination.
These companies are basically trying to erect additional barriers to entry into the software market: costly certification and training requirements, costly documentation requirements, etc. They know that they can satisfy them, but a small software vendor or an OSS project can't.
And they make those recommendations knowing full well that they won't work. If they knew how to make more secure software, they'd already be doing it. A bit of training and certification just is not sufficient for making software more secure.
what seemed to be a reasonable plan of action [...] However, at this early stage I see nothing more than an attempt to codify a national stance on computer security.
What's there to "codify"? What's reasonable about it? There is not a shred of evidence that the "strategy" described in the report will do anything to improve security.
At this point, we have to conclude that people continue to buy insecure software either (1) because they don't have a choice because of Microsoft's monopoly, or (2) because they don't care about security. If (1) applies, then the solution is to break up Microsoft's monopoly and give people a choice in software; then they can pick the level of security they like. If (2) applies, then what business does the government have to force a level of security into products that buyers don't want?
Removing all government regulation won't create a perfect utopia any more than creating those regulations did. Anyone who claims otherwise is full of it, or has a stake in getting them removed.
I used up all my sick days, so I'm calling in dead.
Here comes licensing
And this isn't going to be about the software license (contract) either. It will be that the government will require you to license your server for permission to "transmit" (publish information) on the Internet. All "receivers" (websurfing clients) will not be required to be licensed. This will follow a close analogy to the way the FCC licenses radio and television broadcasters. Also all outbound email will be required to flow thru officially licensed servers before it can be delivered to the recipient. Especially since in-transit thru these servers, the emails can easily be intercepted and/or traced.
Tinfoil hat firmly in place.
> who gets sued when my linux server gets hacked?
Who gets sued when my Windows server gets hacked? Microsoft, in its EULA, disclaims all responsibility, so you can't sue them either. I find it strange that Microsoft's selling strategy is "you can sue us!" Especially since you can't, usually.
When you get the source code for FREE, the author can disclaim responsibility because anybody in the world can audit/modify it etc. When you pay money for software from a proprietary vendor, you can't take that responsibility on yourself. If it's closed, it's not unreasonable to expect said vendor to shoulder the burden. That's the value (or at least should be) of proprietary software over open source. On one hand, you can get complete transparency and control in exchange for as much manpower as you are comfortable expending (OSS) and OTOH you have to pay cash but you get a product whose security is the responsibility of somebody else that you shouldn't need to worry about (proprietary). In an ideal world, of course.
teeker
Also note that PARTIAL regulation biases towards the big businesses as well, by providing more subtle barriers to entry, and DEregulation after a sufficient period of regulation biases towards the big businesses as well, by opening up new niches to said big businesses immediately after the regulative die-off. In general, once regulation of any kind is imposed, the people are going to be screwed for a long time to come.
Of course, in a complete laissez-faire system, dirty tricks and irrational consumer choices mean the people are eventually screwed anyway. Power corrupts, people - even the power to stop corruption.
-Hentai [in vita non pacem est]
Realize that this is a *distribution* license. So, the best way to take the above is that if you distribute a GPLed program to someone and that someone never distributes the program under the GPL, but they try to sue you, you can't punt the problem up to the person who gave you the program.
The GPL, at each link, prevents handing over liability to the next level. So, generally, each company who distributes a GPLed program is liable. This, nicely, also fits well if companies become the main provider of GPLed software since they're likely selling it to you. Works pretty nice, eh?
Eurohacker European paranoia, gun rights, and h
> how come cars can be made generally bug free or bugs are the responsibility of the manufacturer but software is generally taken to be impossible to make perfect?
Because people are actively trying to break the software (crackers, hackers...) to either gain access or knowledge. That's why the "hood is welded shut," to use a crappy premade analogy. On a car, however, all getting under the hood requires is a crowbar (or access to the cabin). At that point, you can start ripping out wires & stuff or simply hotwiring it -- in essence, "cracking" a car.
Also, cars are not bug-free. The difference is that car parts have tolerance -- if your third piston is off by two micrometers, it won't make much difference (really, because of the O-rings, but whatever). If software code is one character off, even in a billion lines of code, the whole thing can come crashing down.
I guess it partly comes down to how you think of the word "perfect." Perfectly made cars will run within 1% performance of barely-imperfect cars. Barely imperfect software, however, can cause major problems, depending on the location of the imperfection. Sometimes it's nearly impossible to find that one part because for the bug to show up, 20 other specific steps might have to take place before it appears. That is why software is more complex than a car -- it has less fault tolerance.
Another Libertarian or Anarchist comment! There are some venues in which Government is the appropriate vehicle for regulation. As a previous poster pointed out, automobile safety (at least to a point) is appropriate. Another transportation venue is aviation. If companies/corporations were allowed to do whatever they wanted, aircraft would be falling out of the sky at many times the rate they are today (I am an aviator and aircraft owner). Medical and food safety is yet another. I am sure that if given a little more time and a long sheet of paper, I could come up with quite a few and justification to support them.
Please don't say the Market Place will fix the problem. That is another of the Libertarian Myths. The real Market Place is filled with fraud and coercion (i.e. Enron, WorldCom, Tyco, etc.) which would roadblock fixes.
Even if adopted, this won't be fatal to free software. It would cripple the US economy, but free software would continue to be developed elsewhere. Eventually, once the US was driven back into a depression, other interests would win out, and the law would be overturned.
Admittedly, not a pleasant prospect, especially in the short term.
An EULA is, or attempts to be at least, a license to *use* something. The GPL has nothing to do with use, anyone can use GPL'ed software without a license. The GPL only covers redistribution, something you can't normally do with copyrighted works.
Two different types of licenses entirely.
This is one reason why EULA validity is greatly contested (i.e. UCITA etc...) whereas the GPL has been largely unchallenged in legal authority since it was created. (way before UCITA or DMCA, etc...)
IMHO shrinkwrap/end-user software purchases should be governed by copyright law, without any licensing or contractual obligations. If you buy a copy, you have a right to use that copy however you see fit, including making enough personal copies to a) make full use of the software and b) backup the software. (there are further copyright rules on rentals and public showings, but you get the gist...)
My way of looking at software is, it's just a string of ones and zeros. If I rightfully acquire it, I should be able to do anything I want with it. (aside from wrongful distribution)
If you want general liability insurance, buy it. Don't blame the makers of a $10 widget when you base your entire company on it and find that a $10 product isn't designed to be robust, enterprise-level quality.
It's the sue-based-on-damages mentality that leads to people expecting to get rich based on doing something stupid. It's not the $10M responsibility of a car company that you waited until the last day to cash in a lottery ticket and then, when the car failed to start, lost the chance. There are services like AAA (or a backup car, etc) that you can pay for if you want guarantees.