Ex-NSA Analyst To Be Global Security Head At Apple
AHuxley writes "Cnet.com reports that Apple has tapped security expert and author David Rice to be its director of global security. Rice is a 1994 graduate of the US Naval Academy and has a master's degree in Information Warfare and Systems Engineering from the Naval Postgraduate School. He served as a Global Network Vulnerability analyst (Forbes used cryptographer) for the National Security Agency and as a Special Duty Cryptologic officer for the Navy. He is executive director of the Monterey Group, a cybersecurity consulting firm. He's also on the faculty of IANS, an information security research company and works with the US Cyber Consequences Unit. In a 2008 interview with Forbes, 'A Tax On Buggy Software,' Rice talks of a 'tax on software based on the number and severity of its security bugs. Even if that means passing those costs to consumers. ... Back in the '70s, the US had a huge problem with sulfur dioxide emissions. Now we tax those emissions, and coal power plants have responded by using better filters. Software vulnerabilities, like pollution, are inevitable — producing perfect software is impossible. So instead of saying all software must be secure, we tax insecurity and allow the market to determine the price it's willing to pay for vulnerability in software. Those who are the worst "emitters" of vulnerabilities end up paying the most, and it creates an economic incentive to manufacture more secure software.'"
As private industry becomes the next government, more overtly as time goes on...
For justice, we must go to Don Corleone
pay a crapload and Linux users pay nothing. Sounds like the tax is already in place. Maybe the money is just going to the wrong people.
That'll bankrupt companies like Microsoft, won't it?
We'll never jailbreak the iPhone 5. It'll either have government-grade digital locks, or it'll be accompanied by guys in black suits who "don't really exist".
Funny may not give karma, but +5 Informative never made anyone snort coffee out their nose.
Microsoft has deep pockets, and can hire lobbyists by the score! This is never getting through either the Congress or the Senate. Microsoft has too much to lose if this were law; they'd have to start over from scratch and toss out all their legacy code!
Competition weeds out bugs eventually as well (just don't hold your breath).
The main issue is stovepiped data, where people have to live with bugs (iTunes?), Outlook.
Or less mainstream software with less competition, like CAM or job costing/scheduling software for business.
In other words, we already pay the price in lower productivity when data is caught in expensive traps.
Also, less security sometimes = easier to use software, so there is a tension there.
It comes down to a feeling nobody can define. Does it feel like magik? Do the developers take into account users?
Are they striving for the computer shouldering more of the thinking? Security and bugs are only two aspects of software quality.
It's a good thing, it signals they take security seriously. He seems to have impressive credentials. When you've got a target as large as Apple you need to be smart about security.
From the article:
OK, so have a private certification company so you can see their rating on the product. Why is a tax needed? The example he cites, of automobiles, gives the buyer the choice of how safe the vehicle must be.
If determining software vulnerability were as simple as running some automated tests, it wouldn't be a problem in the first place. In his example of testing vehicles, it would be like having to protect them against a near-infinite variety of crash situations. How can you automate this, so as to give a simple rating?
OK, so let's say all software is secure. That doesn't stop people from combining it in ways that lead to insecurities, or even configuring a single piece so that it's insecure. How will this tax help that?
Here he talks of negative externalities and making those responsible pay, so that they educate themselves and avoid creating them. Sounds good, so why not do that? That doesn't involve taxation, it involves making those with vulnerable systems pay. That's the way to make the market respond.
For example, a home user's machine is infected and is now part of a botnet? Charge a fine. He'll quickly clean up his machine, switch/secure his OS, or find an ISP that will detect such a thing and automatically cut his internet connection until he cleans his machine up. Or a business leaks customer information. Fine it. That will encourage it to do what's necessary to secure the data. This way the need for security moves up the chain, from user to supplier, with whatever things are necessary to give it. Leave taxation out of it.
Seems it might not just be MS.
It's not a bug... It's a feature!
Actually security is his job now. Not the market's, at the consumers' "add-on and pass through" expense. If you put your name on it, you are responsible. The security aspect is only part of the product. Be the best option, period. On your own. The market will adjust on its own, without arbitrary, contrived, subjective solutions. This is the problem when institutional thinking enters the FREE marketplace. Everyone suffers... @donster1
Remember, people who worked for the government should be barred from working anywhere else for LIFE!
Do these guys actually leave the NSA? Why aren't there quotation marks around the 'EX' part of his title? Sounds to me like a good way for no-such-agency to get a mole in a powerful position to install backdoors in a popular line of consumer communication devices. At a minimum, they could get a direct hotline listing of every vulnerability as soon as Apple is alerted to them, but before patches are released.
Seth
$5 / month hosted VPS on linux = awesome!
"If builders built buildings the way programmers write programs, then the first woodpecker that came along would destroy civilization."
- Gerald M. Weinberg - Weinberg's Second Law
Sulphur dioxide emissions are a well-behaved function of the physical process input: you get a continuous function as output. Programs aren't like that: a simple transcription error can open the floodgates. On the other hand, massive program corruption may merely render a program unable to run.
Enforcing such a system would mean that, at any time, any software vendor could inadvertently release a bug that drove them out of business overnight. Too unpredictable for the stock market or indeed, any investor whatsoever. And who would work for a firm in such an environment? So with no capital and no labor, how would an IT industry exist?
Holy Crap!
RICE BOWL??
Cwm, fjord-bank glyphs vext quiz
For open source software that is easy, since bug reports and their gravity are usually available. For proprietary software, that is definitely not the case. I guess the certification should rely on independent reports (Secunia?). Furthermore, shouldn't not just the number of bugs, but the promptness in fixing them, be considered? Finally, should design choices be considered too? For example, buggy third-party software that also affects your main system should be penalised compared with systems that have a more integrated software distribution system and more secure design choices (UNIX).
As usual, the idea is nice; its efficiency depends on its implementation.
Here is an idea.
Take a piece of software, and let the company charge a price.
For every critical bug found, the company must refund a portion of the purchase price of the software, or compensate the users for data loss, install time, config time, etc.
So in this case: Windows ME would PAY you to run it.
Windows XP would compensate you for a data breach.
Linux would do nothing, since it's already free.
I really love it when people recycle solutions for completely different problems.
And have even LESS bugs and no CPU cycle sapping DRM.
Regulatory capture is already a major problem in the agriculture, chemical, and energy, amongst many other industries. We don't need any more of it here.
Companies hiring people who know what they are doing is now "regulatory capture"!
This appears to be very bad for open source. Unless the tax is a % of cost, which I highly doubt, it will make distributing free software cost prohibitive.
If I choose to produce a free library that ends up being widely used and is later found to have a security bug, I could be forced to pay thousands or tens of thousands of dollars. Why would I want to create that risk for myself? It could have a strong chilling effect on sharing.
The US Federal Government has no authority to levy that kind of tax. Any effort to enforce this should be fought.
I figure every hole that is found should cost $1/day it's left unpatched ... * # of users.
Given the fact that security has NEVER been a priority of MS, they could/should/would be bankrupt in a week.
The money would go to a regulatory authority who are paid by the number of vulns they find. (Ain't I a stinker... :-)
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
Corporations depend on the great unwashed mass of people out there not being able to tell the difference.
Lenin and Mao were trying to be communists (an extreme form of socialism), where resources are owned and controlled by the state. They ended up being murderous tyrants.
Hitler, Mussolini and Hirohito were fascists, where resources are owned by an oligarchy and controlled by the state. (Actually that is MUCH more widespread than that. Look at what has been happening to the economy of the United States since Bush took office.)
Reagan was trying to set himself up as a free-enterprise mercantilist, where resources are owned by an oligarchy and controlled by an oligarchy. Good luck with that...
Pol Pot was an anarchist, where resources are owned and controlled by no one. Look where that got Cambodia.
"Me? I'm just a lawnmower. You can tell me by the way I walk." - Peter Gabriel (when he was in "Genesis")
Now we're getting posts on the resume of their security executive? Why do I care?
Hitler, Mussolini, Stalin, Mao, even Saddam Hussein and Pol Pot were elected at first.
The tyranny of the masses known as democracy (implemented in the electoral college in the 'States and known by other names in other hegemonies) is no insurance against stupidity.
Look at how long people thought the earth was flat and the sun went around the earth instead of the other way around.
Rice talks of a 'tax on software based on the number and severity of its security bugs.
The tax shall be called "The Apple Tax". Now we know why they're so damn expensive... they have to pay a tax based on the number and severity of security bugs...
It seems like just yesterday the Safari browser was carpet bombing hundreds of malicious files to my desktop without my permission.
Make a typo or logical error? There's a tax for that. (TM)
How about we reform EULA law such that if you pay for software, and it is full of bugs that get exploited, you can sue those responsible? Why not take the actual damages straight to the buggy software writers? Surely this would be an even better motivation than a "bug tax". Additionally, this makes quantifying the penalty amount much easier. Developers pay according to how much damage the bugs have actually caused! </sarcasm>
I agree that bugs are bad, but this tax idea is just stupid. Everyone makes mistakes, security is a moving target, and computers and their applications are getting more complex faster than the economy is willing to pay for secure code.
To all that believe this sort of tax is a Good Idea(tm) I have only one word for you: BETA
It doesn't have to be restricted to the US. If other nations start applying it and getting visible, palpable results, it'll get adopted by others (even the US) faster.
My sig is better than your sig.
...if you can't beat 'em, then buy 'em. Perhaps his bug tax seemed like enough of a threat to warrant action.
He sounds like a reactionary fucktard. Like Apple doesn't have enough of those already?
As a person who still only uses Apple computers, I think Apple's "security issues", once exploited will be at computer Armageddon levels.
The reason is simple. Windows users learned their lesson in the Blaster era and figured out the importance of firewall/antivirus and what the heck a zero day is. For the Apple community, this didn't happen, and there are millions of people who think they are somehow using some kind of "secure NSA terminal", downloading/running all kinds of junk out there and believing every promise naively.
I personally know my daily newspaper almost didn't print one day because some guy insisted on using Quark Classic on Mac OS and somehow managed to get infected by some archaic MacOS virus. To fix the situation, they really had to do some insane trickery, as he was reviewing the final copy which was supposed to be sent to print. Why did all this happen? Basically, he didn't believe the concept that a Mac can be infected by a virus, so he didn't bother to run antivirus on an operating system on which viruses really exist.
Just imagine some kind of Blaster.OSX, and remember that in this community, they harass the security professionals and amateurs instead of thanking them. Some companies even gave up writing about OSX security in their blogs as they are tired of thousands of "snake oil seller!" comments on their blog posts.
Except for "anti-government" types (many exist), most security professionals will happily serve their country or the globe, be it the NSA or Interpol or the FBI. Of course, I don't speak about "the code to watch everyone" kind of contribution, but perhaps some serious quirk (like the DNS one) which may affect the entire country or globe.
It is not like the 1990s anymore; every machine is connected, and I am betting there are many serious security issues being found and fixed behind closed doors.
Anyway, it really seems impractical to add "backdoors" to operating systems rather than watching/tapping the entire network which is OS/device neutral itself.
For iOS devices? As Apple doesn't allow antivirus/firewall on their devices, some trojan may already exist without anyone knowing about it. That is the problem with iOS/App Store. You can't have "extra security" even if you want to pay for it. On Symbian/Android and even pre-Win 7 mobile, if you are paranoid or carry sensitive data, you cough up some money to Kaspersky/F-Secure and have extra security/firewall.
The problem is that right now people can't figure out whether software is secure. They buy software based on what's asserted and take companies at their face values.
Nothing mentioned about FOSS. It sounds like the focus is on proprietary software exclusively, as FOSS allows anybody to scrutinize and code-review the source, making his entire argument invalid.
Oblig Image: http://imgur.com/Vnbwb.png
Yes, great idea, but alas, the people always end up paying more. Look at the gas prices: we are non-stop getting slammed with higher prices because the refineries need to make that much profit, and when they get slammed by the governments with such taxes, they respond by shooting the prices way up some more. Instead we need a government with some balls, and actually make certain companies more accountable for their problematic software. If you create a crash in some company where your software allowed xxx to happen, put a value on xxx and then let that company get reimbursed by M$ or whoever may have shipped a shoddy product.
Caveman: Nyaaaa.. I want no irc an no irfanview..no twisted Firefox extensions yeh..no buggy libraries.. I wan Aple to win big man...argghh...apple can afford to pay da tax....waiiit...small men cahhnnt. Ohhhh... goooodddd... Apple winnnnn. Yeeeaahhh. Me: Meh.
The man of virtuous soul commands not, nor obeys. -- Percy Bysshe Shelley
Sure, his example worked in a world almost devoid of patents. I bet Microsoft has enough patents to hold the public by the short hairs for years. I'm sure they will resort to all kinds of stuff to survive. Just like SCO tried to do. No doubt, he's a very smart guy. Unfortunately he still has a lot to learn.
Maybe he didn't think it through. What about open source software? Who and how is going to be taxed? How is he going to identify errors without having to get a functional specification (sanctioned by law) beforehand? What about bugs that are difficult to identify as hardware or software A or software B? What about beta software? Do you have to declare to the authorities that your software is beta?