Ex-NSA Analyst To Be Global Security Head At Apple

← Back to Stories (view on slashdot.org)

Ex-NSA Analyst To Be Global Security Head At Apple

Posted by Soulskill on Monday January 24, 2011 @12:25PM from the keeping-the-worms-out dept.

AHuxley writes "Cnet.com reports that Apple has tapped security expert and author David Rice to be its director of global security. Rice is a 1994 graduate of the US Naval Academy and has a master's degree in Information Warfare and Systems Engineering from the Naval Postgraduate School. He served as a Global Network Vulnerability analyst (Forbes used cryptographer) for the National Security Agency and as a Special Duty Cryptologic officer for the Navy. He is executive director of the Monterey Group, a cybersecurity consulting firm. He's also on the faculty of IANS, an information security research company and works with the US Cyber Consequences Unit. In a 2008 interview with Forbes, 'A Tax On Buggy Software,' Rice talks of a 'tax on software based on the number and severity of its security bugs. Even if that means passing those costs to consumers. ... Back in the '70s, the US had a huge problem with sulfur dioxide emissions. Now we tax those emissions, and coal power plants have responded by using better filters. Software vulnerabilities, like pollution, are inevitable — producing perfect software is impossible. So instead of saying all software must be secure, we tax insecurity and allow the market to determine the price it's willing to pay for vulnerability in software. Those who are the worst "emitters" of vulnerabilities end up paying the most, and it creates an economic incentive to manufacture more secure software.'"

105 of 145 comments (clear)

Min score:

Reason:

Sort:

Makes sense by countertrolling · 2011-01-24 12:28 · Score: 1, Funny

As private industry becomes the next government, more overtly as time goes on..

--
For justice, we must go to Don Corleone
1. Re:Makes sense by joocemann · 2011-01-24 12:31 · Score: 2
  
  As private industry becomes the next government, more overtly as time goes on..
  A little offtopiic here:
  Isn't it weird how intelligent and skeptical people see it as "corporate takeover", and ignorant people believe corporations telling them that its a 'socialist takeover'.
  From the looks of the lobbies and actual authors of bills, its hard to believe the latter -- but I suppose you'd believe anything if you don't question it.
2. Re:Makes sense by vbraga · 2011-01-24 12:48 · Score: 1
  
  Is there any difference between a corporate takeover of the government and a government takeover of enterprises? The end result is the same.
  
  --
  English is not my first language. Corrections and suggestions are welcome.
3. Re:Makes sense by artor3 · 2011-01-24 12:56 · Score: 4, Insightful
  
  Sure there's a difference. One exists, the other is a bogeyman intended to scare the uneducated into voting against their interests.
4. Re:Makes sense by Suki+I · 2011-01-24 13:06 · Score: 1
  
  As private industry becomes the next government, more overtly as time goes on..
  A little offtopiic here:
  Isn't it weird how intelligent and skeptical people see it as "corporate takeover", and ignorant people believe corporations telling them that its a 'socialist takeover'.
  From the looks of the lobbies and actual authors of bills, its hard to believe the latter -- but I suppose you'd believe anything if you don't question it.
  The really basic individual rights issue is: What is so damn bad about someone wanting to leave a government job for a non government job?
  
  --
  Home of The Suki Series
5. Re:Makes sense by joocemann · 2011-01-24 13:12 · Score: 1
  
  Can you please reword or elaborate? I don't quite understand what you mean.
6. Re:Makes sense by countertrolling · 2011-01-24 13:13 · Score: 1
  
  I shouldn't consider it as a "takeover" by either. They are a team. One is muscle for the other.
  
  --
  For justice, we must go to Don Corleone
7. Re:Makes sense by Suki+I · 2011-01-24 13:23 · Score: 1, Insightful
  
  Can you please reword or elaborate? I don't quite understand what you mean.
  You must be kidding. I even quoted both the person you responded to and you also.
  The NASA guy going to Apple is nothing more than some person getting a job he thinks is better, the same way I would do, maybe you too. Nobody should be denied the right to do that.
  
  --
  Home of The Suki Series
8. Re:Makes sense by icebraining · 2011-01-24 13:26 · Score: 1
  
  An "edit until someone replies or mods it" feature would be useful and hard to abuse.
  
  --
  Dilbert RSS feed
9. Re:Makes sense by Dunbal · 2011-01-24 13:40 · Score: 2
  
  Yes because "voting" really is how you change things.
  
  --
  Seven puppies were harmed during the making of this post.
10. Re:Makes sense by N3Roaster · 2011-01-24 13:57 · Score: 1
  
  I'm sure that's on the roadmap, right after proper Unicode support.
  
  --
  Remember RFC 873!
11. Re:Makes sense by Graff · 2011-01-24 14:50 · Score: 1
  
  Yeah, or an edit which has a diff-like functionality so you can see what was done in the edit. There has to be some reasonable solution that would let you correct stupid mistakes without being too revisionist.
  Ahh well, someday Slashdot will catch up with modern technology! lol...
  
  --
  Sapere aude!
12. Re:Makes sense by joocemann · 2011-01-24 15:05 · Score: 2
  
  I"m not kidding.
  Thanks for being less vague this time around.
13. Re:Makes sense by Divebus · 2011-01-24 15:17 · Score: 1
  
  Um... not NASA... it's NSA which is the National Security Agency.
  
  --
  
  Most of the stuff on /. won't survive first contact with facts.
14. Re:Makes sense by hairyfeet · 2011-01-24 15:23 · Score: 2
  
  If that is all that it is, I see no problem in it. When I DO see a problem with it is when industry insiders use jobs as rewards for getting what they want out of government. Too many in government get cushy private sector jobs for themselves and even members of their families as a payoff for playing ball and THAT I do have a problem with.
  And where will this guy's loyalty lie? Will it lie with Google and their customers? Or when one of his old spook buddies waltzes in and says "hey old buddy, we are needing some info on the quiet side. Can you help us out?" will he just walk outside for a long lunch break while his "friend" has access to his computer?
  And the whole "taxing insecurity" is about the dumbest idea I've ever heard of! Talk about an easy way to take out your competitors, just pay a team of hackers to find bugs and voila! They are buried under so many taxes they go out of business! I mean who do you think could afford 20 million in fines more, a company like MSFT or Oracle, or your average Linux distro? Seems like a great way to take out the smaller weaker corps to me, just keep getting them hit with fines and then buy them out for cheap when they can't fight back anymore. If people want more security then they can buy it, it is JUST that simple.
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
15. Re:Makes sense by Pseudonym+Authority · 2011-01-24 15:45 · Score: 3, Funny
  
  And where will this guy's loyalty lie? Will it lie with Google and their customers?
  If it does, Apple is going to look really stupid for hiring this guy.
16. Re:Makes sense by countertrolling · 2011-01-24 16:08 · Score: 1
  
  Regulatory capture is already a major problem in the agriculture, chemical, and energy, amongst many other industries. We don't need any more of it here.
  
  --
  For justice, we must go to Don Corleone
17. Re:Makes sense by countertrolling · 2011-01-24 16:15 · Score: 1
  
  A tax like this could kill Free software.
  Then the idea makes even more sense. Could be the intention. So then make the tax somehow proportional to the price. That should let "free" off the hook. It's bullshit. The whole thing is just designed to featherbed another bureaucracy with... former Apple/Microsoft/Google/Oracle executives.
  
  --
  For justice, we must go to Don Corleone
18. Re:Makes sense by Nadaka · 2011-01-24 16:42 · Score: 1
  
  Not when the only choice is between overlapping but not quite identical set of corporate interests D and overlapping but not quite identical set of corporate interests R.
19. Re:Makes sense by Anonymous Coward · 2011-01-24 18:39 · Score: 1
  
  Or perhaps you do.
  It depends on how much change and in what direction you want change.
  It can certainly be argued that many events in the history of the world were affected by assassinations.
  And many more were affected by violent actions taken by a few people. You only have to look at recent history to see how a few people managed to turn the US in the direction of becoming a police state, and arguably lead to the current economic meltdown, by taking over a few airplanes and flying them into buildings.
  And how different would our history have been if Kennedy had lived? What would have changed if Lincoln had lived? Would we have been better off if Reagan had died? What if the assassination attempts on Hitler had worked?
  No, violent actions DO change things. Not always in the way the people carrying out the action intended, but some change tends to happen.
20. Re:Makes sense by Bert64 · 2011-01-24 21:34 · Score: 1
  
  I think if it only affected companies that charged for software then RedHat would just give the software away for free (like they mostly do already) and still charge for support/update services....
  
  --
  http://spamdecoy.net - free throwaway anonymous email - avoid spam!
21. Re:Makes sense by cp.tar · 2011-01-24 22:37 · Score: 2
  
  I was thinking something along these lines as well.
  Then I though a bit better about it.
  Tax is usually related to the price, as a certain percentage thereof. In that case, free software would be off the hook.
  If instead of tax there was some kind of levy unrelated to the price, the Land of the Free would practically outlaw free software. So the free software companies would have to move out from the US.
  Unless the same kind of taxation was introduced throughout the world, that would pretty much mean the US cut itself off from the rest of the world. And if you want to know what turning inwards spells, observe China from two centuries ago until about a century ago.
  
  --
  Ignore this signature. By order.
22. Re:Makes sense by Dunbal · 2011-01-24 22:50 · Score: 2
  
  History disagrees with you. If you shoot enough of them it's called a "revolution". But over the long run even this won't change things. We are the victims of our nature, and human government is a reflection of what we are.
  
  --
  Seven puppies were harmed during the making of this post.
23. Re:Makes sense by tehcyder · 2011-01-25 00:37 · Score: 1
  
  Yes because "voting" really is how you change things.
  It's not as much fun as talking about guns and blowing shit up, but, yes, it is how you change things.
  
  --
  To have a right to do a thing is not at all the same as to be right in doing it
24. Re:Makes sense by tehcyder · 2011-01-25 00:41 · Score: 1
  
  Or you could just re-read your post before submitting it.
  
  --
  To have a right to do a thing is not at all the same as to be right in doing it
25. Re:Makes sense by AmiMoJo · 2011-01-25 00:55 · Score: 2
  
  So the French Revolution didn't change things for them? The ruling elite still eat cake while the peasants starve to death? How about the US throwing off its British masters and creating a constitution.
  Revolution changes people's beliefs and ideas about how society should work, and those ideas then shape the country and tend to stick around. I wish we had had a proper one in England because we are still stuck with many of the old ideas that other countries abandoned when their citizens revolted.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
26. Re:Makes sense by Graff · 2011-01-25 01:54 · Score: 1
  
  Or you could just re-read your post before submitting it.
  Did that, still missed it. Totally my fault, sure, but it's a common enough thing here that there probably should be some kind of edit feature. The bandaid of replying to your own post to correct it just isn't a great solution.
  
  --
  Sapere aude!
27. Re:Makes sense by Dunbal · 2011-01-25 02:05 · Score: 1
  
  So the French Revolution didn't change things for them?
  Well, if you count Napoleon as change and as "a good thing", then yes I guess it did. Instead of starving in the streets of Paris, they got to starve in the Russian steppes.
  And after Napoleon France even got a king back. So exactly how much "change" was directly and permanently effected by the storming of the Bastille? Meet the new boss, same as the old boss. If you think today's government in France is a direct descendant of the revolution you are mistaken. There is a reason it's called the FIFTH republic.
  
  --
  Seven puppies were harmed during the making of this post.
28. Re:Makes sense by coolmadsi · 2011-01-25 03:31 · Score: 1
  
  There has to be some reasonable solution that would let you correct stupid mistakes without being too revisionist.
  You mean like previewing a comment before submitting it? Case in point, I seemed to have messed up the end quote tag in this comment, noticed it in the preview, so went back to correct before actually submitting (which I will do so now so long as I don't see any other errors)
29. Re:Makes sense by geekoid · 2011-01-25 04:59 · Score: 1
  
  It's not a dumb idea, it is impractical. And he has a point. Create a force that allows the market to respond in a manner that has them design and properly test security into software.
  Better would be to have an agency that rates software.
  They get to look at the code. EVEN if it was rated for federal internal reasons only, we would still have a good stick to measure by, and corporations that want their software on Federal systems will have to raise the bar.
  
  --
  The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
30. Re:Makes sense by joocemann · 2011-01-25 05:00 · Score: 2
  
  The Italians would disagree.
  There are so many attempts (and successes) on politicians there that you'd be mind-blown.
  I'm not saying its right, but its another way that I've seen europeans keeping their democracy alive.
31. Re:Makes sense by Graff · 2011-01-25 08:17 · Score: 1
  
  You mean like previewing a comment before submitting it?
  Yeah, if you read further I already replied to someone about this. I always do preview but sometimes things still slip through. Mistakes happen, it's be nice to have a better system for handling mistakes that slip through.
  Preview works great for stuff like missed html tags and other stuff that jumps out at you. It doesn't work as well for subtle mistakes you make because a lot of times your mind replaces the version you have on the page with the version that's in your head. That's why mistakes like a double "the" are easily missed in copyediting.
  
  --
  Sapere aude!
32. Re:Makes sense by celotil · 2011-01-25 15:26 · Score: 1
  
  You missed a full stop at the end of your comment.
  
  --
  Te Quiero, Puta!
Windows users by ronmon · 2011-01-24 12:30 · Score: 3, Insightful

pay a crapload and Linux users pay nothing. Sounds like the tax is already in place. Maybe the money is just going to the wrong people.
1. Re:Windows users by joocemann · 2011-01-24 12:40 · Score: 1
  
  pay a crapload and Linux users pay nothing. Sounds like the tax is already in place. Maybe the money is just going to the wrong people.
  The pro-audio version of this goes like this:
  Digidesign users pay the most and get the most bugs
  Cubase/Logic/Live users pay less, and have far less bugs.
  ----I bet you can guess which company used every dirty business tactic in the last 20 years to establish as a studio 'norm'.... (if you're bad at guessing its DIGIDESIGN and their always crashing ProTools software)
2. Re:Windows users by jjb3rd · 2011-01-24 13:54 · Score: 2
  
  pay a crapload and Linux users pay nothing. Sounds like the tax is already in place. Maybe the money is just going to the wrong people.
  You are so dumb, you are really dumb.
  Clearly none of this matters because Linux is free. The community finds all the bugs and satisfies all of the user's every need. It is, therefore, installed on all computers, the world over, and security would no longer be an issue were it not prevalence of the password, "password".
  Paying extra for security is basically akin to insurance. If you're paying extra for insurance, you typically have a certain level of responsibility, but when you get screwed by that which is beyond your control, then, in theory, you are adequately compensated. How about factoring insurance into the whole "software == automobiles" argument.
  It'd be nice to see Slashdot debate this issue on merit as opposed to the dogmatic FOSS genuflection that seems to be taking place. A security insurance guarantee that costs extra is not something solved by an open or a closed source model, it's something that's solved through adequate product support and potentially a claims process in the event of being hacked. Slashdot used to like Apple, but it seems they hate success, which is just jealousy and really unbecoming of the level of discourse of which this site is capable. I, for one, would like to applaud Apple for taking security seriously, as I do *gasp* Microsoft for doing so for the last couple of years.
3. Re:Windows users by gl4ss · 2011-01-24 23:07 · Score: 1
  
  well, none of the linux distributions would run my old binaries from 1995..
  but this guy sounds like an idiot, he says that sw can't be perfect(it can, if you decide what perfect means) and then that it should be taxed, so everyone writing software would be taxed in advance by a random amount.
  no wonder he's going to work at apple! just up that developer fee to couple of kilo dollars and call it bug tax.
  
  --
  world was created 5 seconds before this post as it is.
4. Re:Windows users by joocemann · 2011-01-25 04:57 · Score: 1
  
  A replacement dongle from steinberg is about $30, and requires you to prove who you are to get it.
  Sorry to hear you may or may not have spent so much replacing licenses you could easily have had placed on a new 'dongle'. Remember, its not the little USB dongle that matters, its the licenses on it.
  You can also transfer the licenses.
5. Re:Windows users by CheerfulMacFanboy · 2011-01-25 05:42 · Score: 1
  
  but this guy sounds like an idiot, he says that sw can't be perfect(it can, if you decide what perfect means) and then that it should be taxed, so everyone writing software would be taxed in advance by a random amount.
  "Rice's controversial solution? Create a tax on software based on the number and severity of its security bugs" - who sounds like an idiot again?
  
  --
  Fandroids hate facts.
6. Re:Windows users by vuffi_raa · 2011-01-26 05:18 · Score: 1
  
  Personally I would never pay for anything from steinberg after I attended a clinic from them in the early 90's where they actually said - what is the difference between a professional and an amateur artist? - it is how much money they spend on their gear. We price the software high not because it costs that much to produce or is worth that much to consumers, but to discourage those that don't want to spend the money from using a professional product.
  personally, that goes against every grain of what I believe in.
7. Re:Windows users by joocemann · 2011-01-28 05:30 · Score: 1
  
  But what does that say about digidesign, whose product is always inferior in stability and function, and is priced even higher?
  Digidesign has also gone the way of Microsoft in 'ensuring' their 'standard' throughout professional audio industry despite being trash.
8. Re:Windows users by vuffi_raa · 2011-01-28 05:47 · Score: 1
  
  I certainly don't promote digidesign, I have never liked anything about pro tools (sorry to friends that work there) but that is because their product sucks and not their business model. Personally, I don't use live instruments so both pro tools and cubase are just extra layers of crap and more difficult to use UI's. Most of what I do tends to be in ableton these days.
But Brain... by Eggplant62 · 2011-01-24 12:35 · Score: 1

That'll bankrupt companies like Microsoft, won't it?
1. Re:But Brain... by Suki+I · 2011-01-24 12:45 · Score: 1
  
  I think he was the guy keeping the stealth secrets, don't worry so much.
  
  --
  Home of The Suki Series
2. Re:But Brain... by fredmosby · 2011-01-24 13:16 · Score: 1
  
  According to your link the Chinese got that technology by reverse engineering a plane that had been shot down. What does that have to do with computer security?
3. Re:But Brain... by Suki+I · 2011-01-24 13:25 · Score: 1
  
  According to your link the Chinese got that technology by reverse engineering a plane that had been shot down. What does that have to do with computer security?
  That is what the link said. Look at what I said.
  
  --
  Home of The Suki Series
4. Re:But Brain... by fredmosby · 2011-01-24 14:07 · Score: 1
  
  I'm not sure what you're trying to say. The post you replied to said that taxing companies based on security holes would bankrupt Microsoft. Your reply said you thought the guy Apple hired had something to do with stealth plane secrets. I don't see how those two statements are related.
Oh Great by SilverHatHacker · 2011-01-24 12:37 · Score: 3, Funny

We'll never jailbreak the iPhone 5. It'll either have government-grade digital locks, or it'll be accompanied by guys in black suits who "don't really exist".

--
Funny may not give karma, but +5 Informative never made anyone snort coffee out their nose.
1. Re:Oh Great by illumastorm · 2011-01-24 12:41 · Score: 1
  
  So, when you mention people in black suits, I take it you already have met Apple's "gardeners"?
2. Re:Oh Great by Biff+Stu · 2011-01-24 12:52 · Score: 2
  
  It's a tin foil hat with an Apple premium.
3. Re:Oh Great by marcobat · 2011-01-24 15:16 · Score: 1
  
  at apple they don't have black suits only black turtleneks
4. Re:Oh Great by R3d+M3rcury · 2011-01-24 15:24 · Score: 1
  
  But it'll be really shiny tinfoil.
  Ooo...shiny...
5. Re:Oh Great by bsDaemon · 2011-01-25 02:27 · Score: 1
  
  Well, if it has government-grade digital locks, then the keys will probably be on Wikileaks in a matter of weeks and that'll take care of that.
It'll Never Fly! by DadLeopard · 2011-01-24 12:43 · Score: 1

Microsoft has deep pockets, and can hire Lobbyists by the score! This is never getting through either the Congress or the Senate. Microsoft has too much to lose if this was law, they'd have to start over from scratch and toss out all their legacy code!
1. Re:It'll Never Fly! by artor3 · 2011-01-24 12:58 · Score: 1
  
  Considering it's supported by someone who was never a politician and is no longer even working for the government, I'd say it's not going to even see Congress any time soon.
Good for Apple by StuartHankins · 2011-01-24 12:55 · Score: 4, Insightful

It's a good thing, it signals they take security seriously. He seems to have impressive credentials. When you've got a target as large as Apple you need to be smart about security.
1. Re:Good for Apple by MattskEE · 2011-01-24 17:00 · Score: 1
  
  When you've got a target as large as Apple you need to be smart about security.
  Or you need to be William Tell.
Why not a security rating, so buyer can choose? by noidentity · 2011-01-24 12:56 · Score: 5, Interesting

From the article:

But consumers prefer secure software to insecure software. Isn't that preference enough to create an incentive for companies to focus on security?
Wouldn't that be great? The problem is that right now people can't figure out whether software is secure. They buy software based on what's asserted and take companies at their face values.
If you look at the five-star rating on automobiles, you don't have to be an expert to make a decision about safety. You can appraise the risk you're purchasing based on that rating. Today almost all the cars on the road are four or five star rated: The market has chosen more safe cars because the safety rating is visible.

OK, so have a private certification company so you can see their rating on the product. Why is a tax needed? The example he cites, of automobiles, gives the buyer the choice of how safe the vehicle must be.

How would you measure software vulnerability?
The types of attacks we've seen over the past four years haven't changed. [The U.S. Department of Homeland Security] keeps a repository of attack patterns. So just as we run cars in various crash tests to see how they respond, we can run these attack patterns on software, judge how it performs and give it a security rating.

If determining software vulnerability were as simple as running some automated tests, it wouldn't be a problem in the first place. In his example of testing vehicles, it would be like having to protect them against a near-infinite variety of crash situations. How can you automate this, so as to give a simple rating?

A tax on insecure software would be passed on to the consumer in higher prices. Is that really the goal?
There's a notion in economics of private cost and the social cost of behavior. The results of insecure software--cybercrime and cyber-espionage--are largely social costs, not paid by the individual who's responsible for the behavior.
Vulnerabilities lead a consumer's computer to be hijacked by malicious software that allows the attacker to do practically anything with it. Sometimes the attacker targets the infected machines, like the attacks on the Pentagon last year. But often the machine is used to send out more spam, more phishing attacks, or it becomes one of the hundreds of thousands of machines that are used in "denial of service attacks" like the ones that shut down Estonia's Web last year. Those social costs are very heavy.
If a tax raised the private cost of cybercrime, people would get educated very quickly. When insecure software starts costing more, people will adjust their behavior.

OK, so let's say all software is secure. That doesn't stop people from combining it in ways that leads to insecurities, or even configuring a single piece so that it's insecure. How will this tax help that?
Here he talks of negative externalities and making those responsible pay, so that they educate themselves and avoid creating them. Sounds good, so why not do that? That doesn't involve taxation, it involves making those with vulnerable systems pay. That's the way to make the market respond.
For example, a home user's machine is infected and is now part of a botnet? Charge a fine. He'll quickly clean up his machine, switch/secure his OS, or find an ISP that will detect such a thing and automatically cut his internet connection until he cleans his machine up. Or a business leaks customer information. Fine it. That will encourage it to do what's necessary to secure the data. This way the need for security moves up the chain, from user to supplier, with whatever things are necessary to give it. Leave taxation out of it.
1. Re:Why not a security rating, so buyer can choose? by hardtofindanick · 2011-01-24 13:47 · Score: 1
  
  You know what you are getting in to when you buy things. If I buy a shirt and wash it a few times and the color comes off, the shirt maker pays a tax? You can extend the same logic to anything money can buy.
  
  Apple on the other hand seems to enjoy drinking their own cool aid.
2. Re:Why not a security rating, so buyer can choose? by lennier · 2011-01-24 15:16 · Score: 1
  
  OK, so let's say all software is secure. That doesn't stop people from combining it in ways that leads to insecurities, or even configuring a single piece so that it's insecure.
  
  Doesn't it?
  It depends, I suppose, on what you mean by 'secure'. If you adopt a very wide view, like 'not making available any information in posession of the user which someone else would not want made available' - like, say, uploading and tagging a photo of a friend on Facebook at a party they would rather their boss/girlfriend not know they had attended - then yes, achieving perfect 'security' in a world of perfect knowledge is probably theoretically impossible, much like DRM.
  However, if you define security more narrowly in the sense of provable formal properties of software - such as 'guaranteed never to expose a buffer overflow or race condition exploit given any conceivable set of input data' - then it's hard for me to see how combining two such secure pieces of software could ever create a third insecure one.
  I'd settle for such a narrow definition of security, since from the days of C and Unix we've just become resigned to undetectable buffer overflows living in all our software - and that's something I think does approach criminal levels of negligence, since it's entirely preventable. (And if pointer exploits are provably not preventable with current languages, then it approaches criminal negligence to release such languages for use on Internet-attached systems.)
  tl;dr: Software is logic, it should be possible to prove that it does exactly what it was built to do. If not, it's irresponsible for us to build business and government processes on software.
  
  --
  You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
3. Re:Why not a security rating, so buyer can choose? by noidentity · 2011-01-25 13:37 · Score: 1
  
  No. A fine is payment after you do something that actually causes damages. It's like paying your neighbor when your kid hits a baseball through his window. The proposed tax would be on software itself, without any damage done to anything. A fine is part of a basic property rights system, where violations result in punishment. It's feedback for actual damage, not the mere potential for damage.
More likely Apple or Oracle by exomondo · 2011-01-24 12:59 · Score: 1

Seems it might not just be MS
It never is a bug by freakingme · 2011-01-24 13:12 · Score: 1

It's not a bug... It's a feature!
Panic!! by Anonymous Coward · 2011-01-24 13:28 · Score: 1

Remember, people who worked for the government should be barred from working anywhere else for LIFE!
how can anyone know he quit the NSA?` by SethJohnson · 2011-01-24 13:31 · Score: 2, Insightful

Do these guys actually leave the NSA? Why aren't there quotation marks around the 'EX' part of his title? Sounds to me like a good way for no-such-agency to get a mole in a powerful position to install backdoors in a popular line of consumer communication devices. At a minimum, they could get a direct hotline listing of every vulnerability as soon as Apple is alerted to them, but before patches are released.

Seth

--
$5 / month hosted VPS on linux = awesome!
1. Re:how can anyone know he quit the NSA?` by russotto · 2011-01-24 13:58 · Score: 1
  
  Do these guys actually leave the NSA? Why aren't there quotation marks around the 'EX' part of his title? Sounds to me like a good way for no-such-agency to get a mole in a powerful position to install backdoors in a popular line of consumer communication devices. At a minimum, they could get a direct hotline listing of every vulnerability as soon as Apple is alerted to them, but before patches are released.
  If NSA wanted to get a mole in place, his official background would not include the NSA.
2. Re:how can anyone know he quit the NSA?` by Anonymous Coward · 2011-01-24 14:31 · Score: 4, Informative
  
  Yes...we do. No, I'm not talking smack. Used to work there (network warfare shop). When you're done, you leave. You carry with you your "Lifetime Obligations" and some hella good memories, but there are no strings attached save for a couple (they can interview/poly you at any time, they have to review your resume any time you modify it, etc.). You watch too many movies.
3. Re:how can anyone know he quit the NSA?` by DCFusor · 2011-01-24 15:11 · Score: 4, Informative
  
  I left too, and the above AC is telling it straight. No big deal. Hard to get permission to visit some adversary countries for a few years if you knew a lot of secrets, otherwise, they pretty much ignore you after that. They once called me a few years after I'd left to help them with something in my specialty, that was it.
  The trouble with conspiracy theories around government agencies is that, well, they are government agencies. Not all that good at what they do, with some small exceptions, and mostly terrible about keeping things secret after they do them. Some secrets last years, but most of them are too boring to actually talk about, and are mostly "policy" which means, some incompetent fool classified something to cover his lousy (or unethical) job performance. We're not working with supermen or angels anymore than any other part of society there.
  There's already a tax on buggy software, it's just paid by the wrong side of the equation, the user. Bruce Schneier has a ton of stuff on the issue, and as long as the makers aren't paying the price, it'll never happen. http://www.schneier.com/
  The thing is, at the point of perfect security, no system is usable -- there is always a trade-off of some kind. This sounds so hard to adjudicate, I kind of doubt it will ever happen -- and at least one software outfit that has the most issues also has enough lobbyists to keep things the way they want them -- the billions of lost dollars yearly due to their bugs will still be with the users, not them.
  As long as people can pass off the costs of insecurity, there will be little to no progress in the field. Anyone remember the British banks claiming in court they were liable for hacked chips and pins because they were "perfect" so the customer must have made a mistake? As long as that sort of crap flies, why should they invest in security? Good security is hard.
  
  --
  Why guess when you can know? Measure!
4. Re:how can anyone know he quit the NSA?` by mozumder · 2011-01-24 15:42 · Score: 1
  
  Definitely hella good memories..
5. Re:how can anyone know he quit the NSA?` by lennier · 2011-01-24 16:08 · Score: 1
  
  People leave the NSA all the time. It's a government agency that has employees, just like the DMV or Post Office.
  "Buddy, there are two ways outta this place. You can leave in a stamped self-addressed air-freight parcel... or in a box."
  
  --
  You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
6. Re:how can anyone know he quit the NSA?` by lennier · 2011-01-24 16:18 · Score: 1
  
  We're not working with supermen or angels anymore than any other part of society there
  But... but... you guys are the NSA! You have a crashed alien spaceship on every desk, a 100 terabit cranial jack just for the office World of Starcraft guild, and spend every waking moment clustered around huge 3D wall screens hacking all the Gibsons on the Interplanetary Interweb, simultaneously!
  Don't you? Hollywood, surely you haven't put me wrong!
  
  --
  You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
7. Re:how can anyone know he quit the NSA?` by Pastis · 2011-01-24 18:25 · Score: 1
  
  > There's already a tax on buggy software, it's
  > just paid by the wrong side of the equation, the
  > user.
  
  I don't think software is paid by the wrong side of the equation.
  
  Software being insecure is most often insecure when used in ways not intended by their creators.
  Security is most often a property of the software, often ranked well below real functionality.
  
  e.g. You don t buy Outlook because it protects you from viruses, you buy it to read your mail.
  
  <bad_analogy>
  You don t put windows on your house because you want people to stay out of it. You put them because you want light in, view outside, etc. Ideally with little heatloss. And best if people can t in easily. Now if someone finds out that a mixture of 24.6% pee and olive oil 75.4% at 35degrees placed on the windows joints makes it easy to open the window from the outside, is it really the problem of the window builder ? As a buyer, would you hold out if you knew that an unknown liquid mixture might reduce the security of the window ? Probably not. You may add shutters and an alarm system. And a safe.
  </bad_analogy>
  
  When you have an entire industry relying on a piece of software and then complaining it doesn t have the properties they really want, I say blame them. Big industries have the mean to reduce their risks. Individuals that rely a lot on IT should think twice of how they manage their data.
  
  My take, people who buy software should invest more in checking whether it is secure or not.
  
  And if you really want to introduce 3rd parties, instead of taxes, use a (optional) insurance system. It will probably adapt better to risks than a tax. And people are used to that.
  
  --
  Sneak teach kids Algebra using a game
8. Re:how can anyone know he quit the NSA?` by MoeDumb · 2011-01-24 19:47 · Score: 1
  
  NSA relies on polygraphs?
  
  --
  Mod Me Up. You'll make a grown man cry.
9. Re:how can anyone know he quit the NSA?` by ExileOnHoth · 2011-01-24 20:23 · Score: 1
  
  Sounds to me like a good way for no-such-agency to get a mole in a powerful position to install backdoors in a popular line of consumer communication devices.
  I don't think this exec. is going to be allowed to check in code to the main repository without anyone reviewing it.
  
  So if your theory is correct, that the NSA wants back doors in iphones, they will need Apple mgmt to go along.
  
  And if Apple mgmt goes along with that (who knows), then what would the NSA need this mole for?
  
  What I'm saying is, your theory doesn't really pass Occam's razor.
10. Re:how can anyone know he quit the NSA?` by Guy+Harris · 2011-01-24 20:56 · Score: 1
  
  May be official background included NSA just to throw off the exact thinking, that if he was a mole, his background wouldnt include NSA. So by including NSA background, they are trying to give impression that he is not associated with NSA anymore ?
  Well, all the smart people on Slashdot figured that one out. So clearly the right strategy is not to include any NSA background, so that none of the smart people will think he's part of the NSA.
  But, then again, if the NSA wanted to get a mole in place, his official background would not include the NSA.
  Welcome to Another Infinite Loop. Lather, rinse, repeat. (Or step back and laugh at the smart people on Slashdot.)
11. Re:how can anyone know he quit the NSA?` by L4t3r4lu5 · 2011-01-24 22:37 · Score: 1
  
  I can't help but point out the paradox of believing the statements of ex-NSA guys regarding the NSA. Granted, you are more informed than any of us, but you're also not exactly impartial.
  
  It's Catch 22, I'm afraid.
  
  --
  Finally had enough. Come see us over at https://soylentnews.org/
12. Re:how can anyone know he quit the NSA?` by bughunter · 2011-01-25 01:33 · Score: 1
  
  Correct, and if they wanted effective moles, they'd put them in at the middle-management level where the detail decisions get made, not at the Executive level where -even at Apple- they are too far removed from the code and too visible to be effective saboteurs.
  
  --
  I can see the fnords!
13. Re:how can anyone know he quit the NSA?` by geekoid · 2011-01-25 05:01 · Score: 1
  
  because may people who get articles posted are stupid gits.
  
  --
  The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
14. Re:how can anyone know he quit the NSA?` by geekoid · 2011-01-25 05:06 · Score: 1
  
  Actually, almost all government agency are very good at what they do, with few exceptions.
  Something thats be shown over and over again.
  The problem is key hole perceptions.
  People look into a room(agency) through a key hole, they will see a lot of things that don't make sense. When you open the door and look at what is actually going on, it turns out the perception wrong.
  Another issue is that in a government job you can do what you like and be good at it and not worry about being pushed out because you don't really want to be promoted. This leads to a perception of lazy and unmotivated. When its far more often someone who is happy, wants a life outside of work. It is also why most government agency have a rich knowledge of their own history. People come experts in not just what they do, but what everyone around them knows.
  
  --
  The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
15. Re:how can anyone know he quit the NSA?` by SethJohnson · 2011-01-25 06:16 · Score: 1
  
  Executives usually bring in their own middle-managers. At a minimum they get sign-off on the hiring thereof.
  
  Seth
  
  --
  $5 / month hosted VPS on linux = awesome!
David Rice?? by CODiNE · 2011-01-24 14:30 · Score: 1

Holy Crap!
RICE BOWL??

--
Cwm, fjord-bank glyphs vext quiz
How do you quantify the number of bugs? by feranick · 2011-01-24 14:34 · Score: 1

For open source software that is easy, since bugs reports and their gravity is usually available. For proprietary software, that is definitively not the case. I guess the certification should rely on independent reports (Secunia?). Furthermore, should not just the number of bugs, but the promptness in fixing them be considered? Finally, should design choice being considered too? For example, buggy third party software that also affects your main system should be penalised against systems where a more integrated software distribution system and more secure design choices (UNIX).

As usual, the idea is nice, its efficiency depends on its implementation
pollution's solutions = fixed software? by mschaffer · 2011-01-24 15:19 · Score: 1

I really love it when people recycle solutions for completely different problems.
Very bad for OpenSource by merick · 2011-01-24 16:50 · Score: 2

This appears to be very bad for OpenSource. Unless the tax is in % of cost, which I highly doubt, then it will make distributing free software cost prohibitive.
If I choose to produce a free library that ends up being widely used and is later found to having a security bug, I could be forced to pay thousands or tens of thousands of dollars. Why would I want to create that risk for myself? It could have a strong chilling effect with sharing.
The US Federal Government has no authority to levy that kind of tax. Any effort to enforce this should be fought.
1. Re:Very bad for OpenSource by Bob+Cat+-+NYMPHS · 2011-01-24 19:33 · Score: 1
  
  >The US Federal Government has no authority to levy that kind of tax.
  100 years of SCOTUS rulings on the Interstate Commerce Clause say they do.
  >Any effort to enforce this should be fought.
  Which is what Tea Party / conservatives are doing w/r/t mandatory health insurance, which Congress claimed falls under the ICC.
  This NSApple guy is in favor of something that will destroy Free Software. Apple is just behind ExxonMobil in market cap at $300 billion.
  Who will win, FSF or AAPL?
  
  --
  The latest Slashdot meme.
If the pay by the vuln, MS will HURT! by crovira · 2011-01-24 17:03 · Score: 1

I figure every hole that is found should cost $1/day its left unpatched ... * # of users.
Given the fact that security has NEVER been a priority of MS, they could/should/would be bankrupt in a week.
The money would go to a regulatory authority who are paid by the number of vulns they find. (Ain't I a stinker... :-)

--
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
1. Re:If the pay by the vuln, MS will HURT! by Bing+Tsher+E · 2011-01-24 17:33 · Score: 1
  
  Given the fact that security has NEVER been a priority of MS, they could/should/would be bankrupt in a week.
  Well, they'd at least have to stop selling Windows 98.
  Oh wait! They already have!
Corporatism is a feature of facism, not socialism by crovira · 2011-01-24 17:20 · Score: 1

Corporations depend on the great unwashed mass of people out there not being able to tell the difference.
Lenin and Mao were trying to be communists (an extreme form of socialism,) where resources are owned and controlled by the state. They ended up being murderous tyrants.
Hitler, Mussolini and Hirohito were fascist, where resources are owned by an oligarchy and controlled by the state. (Actually that is MUCH more wide spread than that. Look at what has been happening to the economy of the United States since Bush took office.)
Reagan was trying to set himself up as a free-enterprise mercantilist, where resources are owner by an oligarchy and controlled by an oligarchy. Good luck with that...
Pol Pot was an anarchist, where resources are owned and controlled by no one. Look where that got Cambodia.
" Me? I'm just a lawnmower. You can tell me by the way I walk. " - Peter Gabriel (when he was in "Genesis.)

--
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
You man make people vote anyway you want. by crovira · 2011-01-24 17:52 · Score: 1

Hitler, Mussolini, Stalin, Mao, even Saddam Hussein and Pol Pot were elected at first.
The tyranny of the masses known as democracy (implemented in the electoral college in the 'States and known by other names in other hegemonies,) is no insurance against stupidity.
Look at how long people thought the earth was flat and the sun went around the earth instead of the other way around.

--
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
1. Re:You man make people vote anyway you want. by Guy+Harris · 2011-01-24 20:48 · Score: 1
  
  ... Stalin, Mao, even Saddam Hussein and Pol Pot were elected at first.
  [citation needed] Were any of those elected in a free election by the general electorate (as opposed to a "one candidate only" election, or a "funny, 99 44/100% of the people voted for them, I guess they're popular" election, or a choice by the leadership of the ruling party)? (I'll let you have Hitler and Mussolini for that one, but even those might be subject to review.)
The "Apple Tax" is now quantifiable? by VortexCortex · 2011-01-24 18:03 · Score: 1

Rice talks of a 'tax on software based on the number and severity of its security bugs.
The tax shall be called "The Apple Tax". Now we know why they're so damn expensive... they have to pay a tax based on the number and severity of security bugs...
It seems like just yesterday the Safari browser was carpet bombing hundreds of malicious files to my desktop without my permission.
Make a typo or logical error? There's a tax for that.(TM)
How about we reform EULA law such that if you pay for software, and it is full of bugs that get exploited, you can sue those responsible? Why not take the actual damages straight to the buggy software writers? Surely this would be even better a motivation than a "bug tax"; Additionally, this makes quantifying the penalty amount much easier. Developers pay according to how much damage the bugs have actually caused! </sarcasm>
I agree that bugs are bad, but this tax idea just stupid. Everyone makes mistakes, security is a moving target, computers and their applications are getting more complex faster than the economy is willing to pay for secure code.
To all that believe this sort of tax is a Good Idea(tm) I have only one word for you: BETA
Not only in the US of A by jbatista · 2011-01-24 18:07 · Score: 1

It doesn't have to be restricted to the US. If other nations start applying it and getting visible, palpable results, it'll get adopted by others (even the US) faster.

--
My sig is better than your sig.
There's an old saying in business... by NicknamesAreStupid · 2011-01-24 18:16 · Score: 1

...if you can't beat'em, then buy'em. Perhaps, his bug tax seemed like enough of a threat to warrant action.
Re:Troll Alert! by countertrolling · 2011-01-24 20:19 · Score: 1

In cozy relationships like this, yes, it frequently is a problem. It is one of the main reasons so few companies control such a vast market and become "too big to fail". The regulations are designed by lobbyists to lock out the competition, creating artificial scarcity and high prices.

--
For justice, we must go to Don Corleone
Apple needs a psychologist/sociologist by Ilgaz · 2011-01-24 22:07 · Score: 1

As a person who still only uses Apple computers, I think Apple's "security issues", once exploited will be at computer Armageddon levels.
The reason is simple. Windows users have learned their lesson in Blaster era and figured the importance of firewall/antivirus and what the heck is a zero day. For Apple community, this didn't happen and there are millions of people who thinks they are somehow using some kind of "secure NSA terminal", downloading/running all kinds of junk out there and believing every promise naively.
I personally know my daily newspaper almost didn't print one day because some guy insisted on using Quark Classic on Mac OS and somehow managed to get infected by some archaic MacOS virus. To fix the situation, they really had to do some insane trickery as he was reviewing final copy which was supposed to sent to print. Why have all happened? Basically, he didn't believe the concept that Mac can be infected by a virus so he didn't bother to run antivirus on an operating system which viruses really exist.
Just imagine some kind of Blaster.OSX and remember in this community, they harass the security professionals and amateurs instead of thanking them. Some companies even gave up writing about OSX security in their blogs as they are tired of thousands of "snake oil seller!" comment on their blog comments.
1. Re:Apple needs a psychologist/sociologist by intheshelter · 2011-01-25 01:45 · Score: 1
  
  And how does using Quark Classic infect you with a virus? I think you may be confusing cause and effect here. I also think your analysis of OS X security if full of shit. The thought that OS X, an OS with ZERO viruses, must somehow be viral swiss cheese waiting to happen is about the biggest leap of BS logic I've ever heard.
2. Re:Apple needs a psychologist/sociologist by celotil · 2011-01-25 15:36 · Score: 1
  
  The thought that OS X, an OS with ZERO viruses, must somehow be viral swiss cheese waiting to happen is about the biggest leap of BS logic I've ever heard.
  Now, now, don't be so smug. Last time I looked I believe there were five (5) viruses in the wild for Mac OS X.
  He he.
  
  --
  Te Quiero, Puta!
3. Re:Apple needs a psychologist/sociologist by intheshelter · 2011-01-25 15:49 · Score: 1
  
  Name them.
Who isn't at NSA? or serve Govt? by Ilgaz · 2011-01-24 22:15 · Score: 1

Except "anti government" types (many exist), most of security professionals will happily serve their country or the globe, it can be NSA or Interpol or FBI. Of course, I don't speak about "the code to watch everyone" kind of contribution, perhaps some serious quirk (like the DNS one) which may effect entire country or globe.
It is not like 1990s anymore, every machine is connected and I am betting there are many serious security issues being found, fixed behind closed doors.
Anyway, it really seems impractical to add "backdoors" to operating systems rather than watching/tapping the entire network which is OS/device neutral itself.
For iOS devices? As Apple doesn't allow antivirus/firewall to their devices, some trojan may already exist without anyone knowing about it. That is the problem with iOS/App Store. You can't have "extra security" even if you want to pay for it. On Symbian/Android and even Pre-Win 7 mobile, if you are paranoid or carry sensitive data, you cough some money to Kaspersky/F-Secure and have extra security/firewall.
What about FOSS? by pinkushun · 2011-01-25 01:42 · Score: 1

The problem is that right now people can't figure out whether software is secure. They buy software based on what's asserted and take companies at their face values.
Nothing mentioned about FOSS. It sounds like the focus is on proprietary software exclusively, as FOSS allows anybody to scrutinize and code-review the source, making his entire argument invalid.
Oblig Image: http://imgur.com/Vnbwb.png
1. Re:What about FOSS? by aristotle-dude · 2011-01-25 08:58 · Score: 1
  
  The problem is that right now people can't figure out whether software is secure. They buy software based on what's asserted and take companies at their face values.
  Nothing mentioned about FOSS. It sounds like the focus is on proprietary software exclusively, as FOSS allows anybody to scrutinize and code-review the source, making his entire argument invalid.
  Oblig Image: http://imgur.com/Vnbwb.png
  Sorry but what is FOSS? There only OSS "Open" "Source" "Software". Prefacing it with "free" is redundant and is used by followers or the GNU movement in an attempt to politicize open source. The open source software movement encompasses a number of software licenses and philosophies besides just GNU approved GPL and LGPL.
  Having source code under any open source license does not guarantee that anyone will bother scrutinizing the source let alone contribute to it. In fact, a number of high profile "open source" projects only have contributions from the company that created the project so I doubt that code is scrutinized by anyone outside of the company in any great detail if at all.
  Even with access to the code, the person viewing the code has to be able to understand the code or it is quite pointless. Even assuming that the person has experience in the language used, it is doubtful that they will be able to make sense of the code if they have never worked with the codebase.
  
  --
  Jesus was a compassionate social conservative who called individuals to sin no more.
good idea,....but no. by hesaigo999ca · 2011-01-25 01:59 · Score: 1

Yes great idea, but alas, the people always end up paying more, look at the gas prices, we are non stop getting slammed with higher prices because the refineries need to make that much profit, and when they get slammed by the gov.s with such taxes, they respond in shooting the prices way up some more...instead we need a gov. with some balls, and actually make certain companies more accountable for their problematic software...if you create a crash in some company where your software allowed xxx to happen, put a value on xxx and then let that company get reimbursed by M$ or whoever that may have shipped a shody product.
Wait - this doesn't just affect Norton Antivirus.. by eloquent_loser · 2011-01-25 03:15 · Score: 1

Caveman: Nyaaaa.. I want no irc an no irfanview..no twisted Firefox extensions yeh..no buggy libraries.. I wan Aple to win big man...argghh...apple can afford to pay da tax....waiiit...small men cahhnnt. Ohhhh... goooodddd... Apple winnnnn. Yeeeaahhh. Me: Meh.

--
The man of virtuous soul commands not, nor obeys. -- Percy Bysshe Shelley
He's been living in a bubble by ebvwfbw · 2011-01-25 16:36 · Score: 1

Sure, his example worked in a world almost devoid of patents. I bet Microsoft has enough patents to hold the public by the short hairs for years. I'm sure they will resort to all kinds of stuff to survive. Just like SCO tried to do. No doubt, he's a very smart guy. Unfortunately he still has a lot to learn.
He didn't think it through by bilotrace · 2011-01-25 21:28 · Score: 1

Maybe he didn't think it through. What about OpenSource software? Who and How is going to be taxed? How is he going to identify errors without having to get functional specification (sanctioned by law) before hand? What about bugs that are difficult to identify as Hardware or Software A or Software B. What about beta software? Do you have to declare to the authorities that ur software is beta?