Slashdot Mirror


Tech Companies Ask U.S. to Regulate Cyber Security

qtp writes "Wired reports that a group called the National Cyber Security Partnership, which consists of 'leading software companies' including Microsoft and Computer Associates and industry organisations such as the BSA, has asked the Department of Homeland Security to regulate what they call 'Cyber Security'. Representatives from Microsoft, Computer Associates, and the BSA headed the Security Across the Software Development Cycle Task Force that submitted this report to the Bush administration today. (For all of you who dread reading 123-page reports, there is a three-page summary available as well.) The Washington Post, Forbes, and other sources are covering this story as well. I hope this is just another [late] April Fools' Day joke, but I'm afraid that this looks too scary to be real."

19 of 371 comments

  1. Business bastards.. by Anonymous Coward · · Score: 5, Insightful

    Business gets .gov to regulate security.

    Regulation and "Approved By.." nonsense costs money.

    MS, et al pay.

    Open Source can't pay.

    Non-approved things can't be used, ergo closed source wins.

  2. I can see it now by Bull999999 · · Score: 4, Insightful

    If it's true, MS and BSA will argue that the open-source software has to be stopped because it will let terrorists see the code and come up with exploits based on it.

    --
    1f u c4n r34d th1s u r34lly n33d t0 g37 l41d
    1. Re:I can see it now by andih8u · · Score: 3, Insightful

      The only problem with that paranoid theory is that the government does indeed have quite a few Linux servers. They aren't going to shoot themselves in the foot.

      --


      slashdot, news for crazed liberal socialist zealots
    2. Re:I can see it now by Tony · · Score: 4, Insightful

      "It's due primarily to the insecurity of the underlying "open" protocols: TCP/IP. If it were based on more secure, closed protocols, Outlook would be far more secure. You can only build a solid house on a solid foundation."

      Are you insane, stupid, or just a troll?

      TCP/IP is not itself intrinsically insecure. TCP/IP has proven to be reliable, flexible, and *very* secure, if used appropriately. (That is, if security is an issue and man-in-the-middle attacks are a concern, use appropriate cryptographic techniques to secure and authenticate your communication.)

      The MS-Outlook exploits are based on stupid decisions in the design process. Until Microsoft built a mail client, it was a truism that email was not a carrier of viruses. The arbitrary execution of untrusted code is the root cause of MS-Outlook exploits, *not* some imaginary issue with TCP/IP. In fact, it doesn't matter whether the email is delivered via IPX, NetBEUI, or TCP/IP. MS-Outlook is insecure.

      On the web, IIS has proven to be significantly less secure than Apache; and since Apache accounts for over 65% of all web server installs, and the source code is available, it seems a more likely target for virus writers.

      As far as the "print the lock diagram on the door" concept goes: I don't care. The concepts and principles of lock building are available to any thief. If your lock is so poorly-designed that a diagram printed on the door will offer compromise, then an able thief will be able to get past it without the diagram. Anyone who doesn't know much about locks won't be able to make use of the information anyway. At most, it will provide a starting point for education.

      Yes, you can only build a solid house on a solid foundation; but nothing stops you from building a poor house on a solid foundation, either. In fact, I guarantee that if you are ignorant of construction principles and are unschooled in the use of the appropriate tools, you *will* build a poor house, no matter the quality of the foundation. And if the architect designed an unsafe house, you will build an unsafe house no matter how handy you are with the tools.

      --
      Microsoft is to software what Budweiser is to beer.
  3. From the summary by sczimme · · Score: 5, Insightful


    Adopting a "top-ten" list detailing industry best practices. Patches should be well-tested, small, localized, reversible, and easy to install. Patches would also not require reboots, use consistent registration methods, include no new features, provide a consistent user experience, and support diverse deployment methods.

    I thought Microsoft was involved in the partnership. How is that going to work??

    This is not a troll. MS patches generally violate some or all of the goals stated above.

    --
    I want to drag this out as long as possible. Bring me my protractor.
  4. Anyone smell pork? by Anonymous Coward · · Score: 3, Insightful

    Big businesses ask the gov't to step in, because their processes are flawed and produce bad software.

    Gov't is expected, in turn, to mandate these measures. Mandating them, of course, requires that gov't money be spent 'fixing' the systems that were flawed.

    Hmm. I smell pork.

  5. Not a surprise by bnenning · · Score: 5, Insightful

    Big businesses like regulation. It costs them, but it costs their smaller competitors more in relative terms.

    --
    How to solve most of our problems: 1.Lots of nuclear plants. 2.Cure aging.
  6. So, how much software do you wanna buy? by LostCluster · · Score: 4, Insightful

    The BSA isn't just in business to chase down pirates of commercial software, they're also in the business of getting people to buy more. Effectively, what the BSA wants is for companies that don't buy any information security products to get in trouble with the SEC... therefore practically mandating that everybody buy something from one of the BSA members.

  7. Business calls for U.S. help in Net security by CygnusXII · · Score: 3, Insightful

    "The report says programmers should be held personally accountable for security holes in the software they write."

    Now we see a shift of responsibility to the programmers. Let's just try and put as many layers as possible between the Corp Entity and responsibility, why don't we.

    "The report said industry groups should work with the Homeland Security Department to look at ways to reduce liability, as well as examining whether new rules are needed."

    And now we see a way to tie the mass collection of data that the GOV. is asking for and private industry together.

    This is one small step further towards the Corp Entity as Government.

    --
    My cat's picked up a Hammer. HEY! Put down that Hammer. Put Down that Hamm...THUNK!
  8. How many OS advocates were there? by k3v0 · · Score: 4, Insightful

    This is not a troll, but where was RMS and others?
    It would seem that computer security would be important for the whole computing community, not just Microsoft, CA, and HP.

  9. Re:Smells like a replay of the AT&T monopoly by Kirill+Lokshin · · Score: 5, Insightful

    "The proper way to improve security is invalidate all those EULA disclaimers."

    You've noticed the same kinds of disclaimers on the GPL, yes? If the warranty disclaimer on a Microsoft license is invalid, what makes the one on the GPL valid; and if it is not, then how would, say, the contributors to the Linux kernel fare if they were sued for a major security breach?

  10. Re:What's the fuss? by Profane+MuthaFucka · · Score: 3, Insightful

    I think the fuss should be that it's a waste of time. Many of the recommendations seem to be

    1) Have some committee make up some security standards.
    2) Award gold stars to groups that take some security classes, or who create a "security culture" in their companies.

    In other words, this is completely useless, and gives the impression that progress is being made. An analogy would be the Academy Awards, where the group of insiders gives out awards to other people who are in the group of insiders, yet thousands of horrible movies are still made every year.

    --
    Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
  11. Not what I said or think by A+nonymous+Coward · · Score: 4, Insightful

    I said nothing about open source being more secure. I think it is more secureable, and I think it is better all around, but what annoys me is Microsoft whining that there is no one to sue with open source, when their EULAs have all manner of disclaimer. Microsoft should be sued for fraud. They claim to be more secure, brag about how they are secure, etc etc etc, and yet not only do the security holes continue to roll in, Microsoft blames everybody else for the problems.

    Whereas open source fixes the problems without blaming others.

  12. Re:Smells like a replay of the AT&T monopoly by globalar · · Score: 4, Insightful

    If MS, CA, and friends have perfect, 100% secure software then I think they should stop hiding it and just sell it outright without the government's blessing. Since they do not, this buddy system might be an alternative to open source software. It could be good, but it could be abused. Considering only big players are involved right now (?), the latter seems more likely.

    From the report, I gather they want to define security and then they can make sure they meet that definition. Make the rules and play by them, at least in legal terms.

    The summary talks about a taskforce to develop "metrics", working with government agencies and getting a thumbs-up, developing industry standards, having awards for secure software (can open-source software win?), creating a security license accreditation program, and making "the security of one's software a job performance factor."

  13. Huh? by cptgrudge · · Score: 4, Insightful
    Know what this is like? It's like needing a certification from the government in order to publish a novel or article. Of course, it's only to make sure there are no grammatical errors, but if I can't pay the fee, my novel or article can't get published. Or it becomes a crime to read my novel because my grammatical errors might "damage" linguistic purity. And then the government has control over what you can read.

    Although, we all know from the DeCSS case that code "isn't free speech" when it's convenient. So the end result of this would be that the government can tell you what can and can't code.

    I was fine with everything in the summary until I got to the "certification" part, but who knows, maybe my tinfoil hat is on too tight.

    --
    Qualitas edurus commercium, nullus penitus net rimor, nullus deus beneficium
  14. Yup by 0x0d0a · · Score: 5, Insightful

    Yup, that was pretty much my take on things (Rule 1: industry *never* asks for regulation without an ulterior motive), although I think that there's a bit more to it -- if any cronyism can be used by existing players, it might be a useful tool against challengers, forgetting about Open Source for a moment.

    I'm all for the government issuing advisories, but regulation of security is not feasible. I remember reading about older military software -- the government used to try to do much more comprehensive security reviews of all kinds of software it used with tiger teams. Unfortunately, it turned out the extreme expense of this kind of thing isn't feasible in the real world, and still left holes.

    If I had to give a government recommendation, it would probably be along the lines of:

    * Issue advisories. There are organizations like CERT that do this. Unbiased (not from a vendor), trustworthy information is difficult to come by.

    * Issue best-practices papers. These are probably most useful to IT professionals, though it might even be a good idea to produce them for software developers. Microsoft recently collaborated with the Fed to produce a set of best security practices documents for Windows. This is an easy thing to add to a company security policy ("[] must comply with USG Document #135F3 Best Practices"). It just tried to deal with a couple of common misconfigurations. It's *hard* to get this kind of stuff directly from a vendor (which frequently wants to hand out information that will encourage you to buy more or is more interested in putting a positive spin on their mistakes) or a consultant (who frequently wants you to buy more consulting services) or a security software (like a firewall) company, which is primarily interested in scaring companies into thinking that they need security software.

    * Government certification of software intended for non-government use is a bad idea. It takes a long time, allows cronyism, can be used to attack some sections of the market (like most Open Source). It's perfectly reasonable for USG-use purchase requirements, but it's not reasonable for broader use.

    * Producing a classification system *could* be very useful, where the government writes documents describing particular classes of software, but is not responsible for ensuring that a particular version of a program fits into a class of software. For example, a hypothetical class-local/1 might require that:

    a) The software bounds-checks all memory accesses to data at the compiler level (free with some languages like Java, and can be done in C if necessary).

    b) The software does not access the network.

    c) The software does not write to any data files.

    Other useful requirements for various classes of software might be: "The software does not provide privilege escalation within the UNIX operating system's privilege system (as a suid/sgid program or a daemon running as a different user does... there would be an equivalent for the Windows security system)", "All data that the software uses from the network is either exact-match checked or bounds-checked prior to use of any of that data, and a failure to pass checks results in that data not being used" (might be useful for simple network software, like clients of the daytime protocol). The government is great at writing requirements and making them publicly available--let's use that. Then, if a company guarantees that they are compliant to a particular document in a contract, there is a clear point that they can be called on for non-compliance. Finally, there would be a market for software that can check software for some elements of compliance. Automated security checking is a major issue -- it's neat, it's more and more feasible (see CMU's Java proof-carrying compiler for some neat stuff). The problem is that there are currently no standards written by security folks who know what they're doing, so it's hard for businesses to ask for compliance to a particular level of security, and no tools that can certify programs to a particular level.

    There are probably a lot more suggestions that the government could use, but this is a start...
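    What the network-data requirement in the comment above ("either exact-match checked or bounds-checked prior to use ... a failure to pass checks results in that data not being used") looks like in practice, as an added example that is not code from the Slashdot post, the NCSP report, or any real daytime client. It takes the poster's own example of a daytime-protocol client: RFC 867 says the server sends one line of printable ASCII; the 64-byte line limit, the return codes, and the sample replies are assumptions constructed for this example.

```c
/* Added example, not from the thread or the NCSP report. Demonstrates
 * the proposed requirement that every byte taken from the network is
 * bounds-checked or exact-match checked before use, and that data
 * failing a check is never used.
 *
 * Protocol: RFC 867 daytime (one line of printable ASCII ending in
 * CRLF). The 64-byte limit is an assumption for this example; RFC 867
 * sets none. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DAYTIME_MAX_LINE 64   /* assumed limit, not from the RFC */

enum {
    DT_OK            =  0,
    DT_TOO_LONG      = -1,
    DT_NO_TERMINATOR = -2,
    DT_BAD_BYTE      = -3,
    DT_OUT_TOO_SMALL = -4
};

/* Validate n bytes received from the peer. On success copy the line
 * without its CRLF into out (NUL-terminated) and return DT_OK. On any
 * failure return a negative code and leave out completely untouched,
 * so a caller that ignores the return value still never sees
 * unvalidated bytes. Every check happens before the single copy. */
int daytime_parse(const unsigned char *net, size_t n,
                  char *out, size_t outlen)
{
    size_t i, body;

    if (n > DAYTIME_MAX_LINE)               /* bounds check on input */
        return DT_TOO_LONG;
    if (n < 2 || net[n - 2] != '\r' || net[n - 1] != '\n')
        return DT_NO_TERMINATOR;            /* exact-match check */
    body = n - 2;
    for (i = 0; i < body; i++)              /* range check per byte */
        if (net[i] < 0x20 || net[i] > 0x7E)
            return DT_BAD_BYTE;
    if (outlen < body + 1)                  /* bounds check on output */
        return DT_OUT_TOO_SMALL;

    memcpy(out, net, body);
    out[body] = '\0';
    return DT_OK;
}

/* Run the parser on one constructed reply. Returns the parser's code,
 * or 99 if the parser reported failure yet still wrote into the
 * output buffer, which would violate "failed data is not used". */
int daytime_demo(const unsigned char *net, size_t n)
{
    char out[DAYTIME_MAX_LINE + 1];
    int rc;

    memset(out, '#', sizeof out);           /* sentinel fill, no NUL */
    rc = daytime_parse(net, n, out, sizeof out);
    if (rc != DT_OK && memchr(out, '\0', sizeof out) != NULL)
        return 99;                          /* buffer was written */
    return rc;
}

/* Constructed samples: one well-formed reply and hostile variants. */
static const unsigned char good[]   = "Thursday, April 1, 2004 12:00:00-EST\r\n";
static const unsigned char noterm[] = "Thursday, April 1, 2004 12:00:00-EST";
static const unsigned char ctrl[]   = "Thursday\x01 April 1\r\n";

int demo_good(void)          { return daytime_demo(good,   sizeof good   - 1); }
int demo_no_terminator(void) { return daytime_demo(noterm, sizeof noterm - 1); }
int demo_bad_byte(void)      { return daytime_demo(ctrl,   sizeof ctrl   - 1); }
int demo_too_long(void)
{
    unsigned char big[DAYTIME_MAX_LINE + 1];  /* one byte over the limit */
    memset(big, 'A', sizeof big - 2);
    big[sizeof big - 2] = '\r';
    big[sizeof big - 1] = '\n';
    return daytime_demo(big, sizeof big);
}

int main(void)
{
    printf("good=%d too_long=%d no_terminator=%d bad_byte=%d\n",
           demo_good(), demo_too_long(), demo_no_terminator(),
           demo_bad_byte());
    return 0;
}
```

    The design point is the ordering: the copy into the caller's buffer is the last statement, after the input length, the terminator, every byte's range, and the output capacity have all been checked, so no partial or over-long data ever reaches the caller. A checker for the poster's hypothetical class could verify exactly that property: no read of the network buffer flows into any other memory before all checks have passed.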

  15. Don't worry! by dasunt · · Score: 3, Insightful

    We have a Republican president and they control half of Congress.

    Since this proposal would extend the reach and powers of the Gov't, it will never pass. Republicans are for a smaller government, remember?

    Wait. Why are you laughing?

  16. barriers to entry, and it won't work by hak1du · · Score: 4, Insightful

    "rather than a scheme for total world domination."

    These companies are basically trying to erect additional barriers to entry into the software market: costly certification and training requirements, costly documentation requirements, etc. They know that they can satisfy them, but a small software vendor or an OSS project can't.

    And they make those recommendations knowing full well that they won't work. If they knew how to make more secure software, they'd already be doing it. A bit of training and certification just is not sufficient for making software more secure.

    "what seemed to be a reasonable plan of action [...] However, at this early stage I see nothing more than an attempt to codify a national stance on computer security."

    What's there to "codify"? What's reasonable about it? There is not a shred of evidence that the "strategy" described in the report will do anything to improve security.

    At this point, we have to conclude that people continue to buy insecure software either (1) because they don't have a choice because of Microsoft's monopoly, or (2) because they don't care about security. If (1) applies, then the solution is to break up Microsoft's monopoly and give people a choice in software; then they can pick the level of security they like. If (2) applies, then what business does the government have to force a level of security into products that buyers don't want?

  17. Re:Graaah! by 10101001+10101001 · · Score: 3, Insightful

    Realize that this is a *distribution* license. So, the best way to take the above is that if you distribute a GPLed program to someone and that someone never distributes the program under the GPL, but they try to sue you, you can't punt the problem up to the person who gave you the program.

    The GPL, at each link, prevents handing over liability to the next level. So, generally, each company who distributes a GPLed program is liable. This, nicely, also fits well if companies become the main provider of GPLed software since they're likely selling it to you. Works pretty nice, eh?

    --
    Eurohacker European paranoia, gun rights, and h