Slashdot Mirror


Ex-NSA Analyst To Be Global Security Head At Apple

AHuxley writes "Cnet.com reports that Apple has tapped security expert and author David Rice to be its director of global security. Rice is a 1994 graduate of the US Naval Academy and has a master's degree in Information Warfare and Systems Engineering from the Naval Postgraduate School. He served as a Global Network Vulnerability analyst (Forbes used 'cryptographer') for the National Security Agency and as a Special Duty Cryptologic officer for the Navy. He is executive director of the Monterey Group, a cybersecurity consulting firm. He's also on the faculty of IANS, an information security research company, and works with the US Cyber Consequences Unit. In a 2008 interview with Forbes, 'A Tax On Buggy Software,' Rice talks of a 'tax on software based on the number and severity of its security bugs. Even if that means passing those costs to consumers. ... Back in the '70s, the US had a huge problem with sulfur dioxide emissions. Now we tax those emissions, and coal power plants have responded by using better filters. Software vulnerabilities, like pollution, are inevitable — producing perfect software is impossible. So instead of saying all software must be secure, we tax insecurity and allow the market to determine the price it's willing to pay for vulnerability in software. Those who are the worst "emitters" of vulnerabilities end up paying the most, and it creates an economic incentive to manufacture more secure software.'"

20 of 145 comments

  1. Windows users by ronmon · · Score: 3, Insightful

    pay a crapload and Linux users pay nothing. Sounds like the tax is already in place. Maybe the money is just going to the wrong people.

    1. Re:Windows users by jjb3rd · · Score: 2

      pay a crapload and Linux users pay nothing. Sounds like the tax is already in place. Maybe the money is just going to the wrong people.

      You are so dumb, you are really dumb.

      Clearly none of this matters because Linux is free. The community finds all the bugs and satisfies all of the user's every need. It is, therefore, installed on all computers, the world over, and security would no longer be an issue were it not for the prevalence of the password "password".

      Paying extra for security is basically akin to insurance. If you're paying extra for insurance, you typically have a certain level of responsibility, but when you get screwed by that which is beyond your control, then, in theory, you are adequately compensated. How about factoring insurance into the whole "software == automobiles" argument.

      It'd be nice to see Slashdot debate this issue on merit as opposed to the dogmatic FOSS genuflection that seems to be taking place. A security insurance guarantee that costs extra is not something solved by an open or a closed source model, it's something that's solved through adequate product support and potentially a claims process in the event of being hacked. Slashdot used to like Apple, but it seems they hate success, which is just jealousy and really unbecoming of the level of discourse of which this site is capable. I, for one, would like to applaud Apple for taking security seriously, as I do *gasp* Microsoft for doing so for the last couple of years.

  2. Re:Makes sense by joocemann · · Score: 2

    As private industry becomes the next government, more overtly as time goes on...

    A little off-topic here:

    Isn't it weird how intelligent and skeptical people see it as a "corporate takeover", and ignorant people believe corporations telling them that it's a 'socialist takeover'.

    From the looks of the lobbies and actual authors of bills, it's hard to believe the latter -- but I suppose you'd believe anything if you don't question it.

  3. Oh Great by SilverHatHacker · · Score: 3, Funny

    We'll never jailbreak the iPhone 5. It'll either have government-grade digital locks, or it'll be accompanied by guys in black suits who "don't really exist".

    --
    Funny may not give karma, but +5 Informative never made anyone snort coffee out their nose.

    1. Re:Oh Great by Biff+Stu · · Score: 2

      It's a tin foil hat with an Apple premium.

  4. Good for Apple by StuartHankins · · Score: 4, Insightful

    It's a good thing, it signals they take security seriously. He seems to have impressive credentials. When you've got a target as large as Apple you need to be smart about security.

  5. Re:Makes sense by artor3 · · Score: 4, Insightful

    Sure there's a difference. One exists, the other is a bogeyman intended to scare the uneducated into voting against their interests.

  6. Why not a security rating, so buyer can choose? by noidentity · · Score: 5, Interesting

    From the article:

    But consumers prefer secure software to insecure software. Isn't that preference enough to create an incentive for companies to focus on security?

    Wouldn't that be great? The problem is that right now people can't figure out whether software is secure. They buy software based on what's asserted and take companies at their face values.

    If you look at the five-star rating on automobiles, you don't have to be an expert to make a decision about safety. You can appraise the risk you're purchasing based on that rating. Today almost all the cars on the road are four or five star rated: The market has chosen more safe cars because the safety rating is visible.

    OK, so have a private certification company so you can see their rating on the product. Why is a tax needed? The example he cites, of automobiles, gives the buyer the choice of how safe the vehicle must be.

    How would you measure software vulnerability?

    The types of attacks we've seen over the past four years haven't changed. [The U.S. Department of Homeland Security] keeps a repository of attack patterns. So just as we run cars in various crash tests to see how they respond, we can run these attack patterns on software, judge how it performs and give it a security rating.

    If determining software vulnerability were as simple as running some automated tests, it wouldn't be a problem in the first place. In his example of testing vehicles, it would be like having to protect them against a near-infinite variety of crash situations. How can you automate this, so as to give a simple rating?

    A tax on insecure software would be passed on to the consumer in higher prices. Is that really the goal?

    There's a notion in economics of private cost and the social cost of behavior. The results of insecure software--cybercrime and cyber-espionage--are largely social costs, not paid by the individual who's responsible for the behavior.

    Vulnerabilities lead a consumer's computer to be hijacked by malicious software that allows the attacker to do practically anything with it. Sometimes the attacker targets the infected machines, like the attacks on the Pentagon last year. But often the machine is used to send out more spam, more phishing attacks, or it becomes one of the hundreds of thousands of machines that are used in "denial of service attacks" like the ones that shut down Estonia's Web last year. Those social costs are very heavy.

    If a tax raised the private cost of cybercrime, people would get educated very quickly. When insecure software starts costing more, people will adjust their behavior.

    OK, so let's say all software is secure. That doesn't stop people from combining it in ways that leads to insecurities, or even configuring a single piece so that it's insecure. How will this tax help that?

    Here he talks of negative externalities and making those responsible pay, so that they educate themselves and avoid creating them. Sounds good, so why not do that? That doesn't involve taxation, it involves making those with vulnerable systems pay. That's the way to make the market respond.

    For example, a home user's machine is infected and is now part of a botnet? Charge a fine. He'll quickly clean up his machine, switch/secure his OS, or find an ISP that will detect such a thing and automatically cut his internet connection until he cleans his machine up. Or a business leaks customer information. Fine it. That will encourage it to do what's necessary to secure the data. This way the need for security moves up the chain, from user to supplier, with whatever things are necessary to give it. Leave taxation out of it.

  7. how can anyone know he quit the NSA? by SethJohnson · · Score: 2, Insightful

    Do these guys actually leave the NSA? Why aren't there quotation marks around the 'EX' part of his title? Sounds to me like a good way for no-such-agency to get a mole in a powerful position to install backdoors in a popular line of consumer communication devices. At a minimum, they could get a direct hotline listing of every vulnerability as soon as Apple is alerted to them, but before patches are released.

    Seth

    1. Re:how can anyone know he quit the NSA? by Anonymous Coward · · Score: 4, Informative

      Yes...we do. No, I'm not talking smack. Used to work there (network warfare shop). When you're done, you leave. You carry with you your "Lifetime Obligations" and some hella good memories, but there are no strings attached save for a couple (they can interview/poly you at any time, they have to review your resume any time you modify it, etc.). You watch too many movies.

    2. Re:how can anyone know he quit the NSA? by DCFusor · · Score: 4, Informative

      I left too, and the above AC is telling it straight. No big deal. Hard to get permission to visit some adversary countries for a few years if you knew a lot of secrets; otherwise, they pretty much ignore you after that. They once called me a few years after I'd left to help them with something in my specialty, and that was it.

      The trouble with conspiracy theories around government agencies is that, well, they are government agencies. Not all that good at what they do, with some small exceptions, and mostly terrible about keeping things secret after they do them. Some secrets last years, but most of them are too boring to actually talk about, and are mostly "policy", which means some incompetent fool classified something to cover his lousy (or unethical) job performance. We're not working with supermen or angels any more than any other part of society there.

      There's already a tax on buggy software, it's just paid by the wrong side of the equation, the user. Bruce Schneier has a ton of stuff on the issue, and as long as the makers aren't paying the price, it'll never happen. http://www.schneier.com/

      The thing is, at the point of perfect security, no system is usable -- there is always a trade-off of some kind. This sounds so hard to adjudicate, I kind of doubt it will ever happen -- and at least one software outfit that has the most issues also has enough lobbyists to keep things the way they want them -- the billions of lost dollars yearly due to their bugs will still be with the users, not them.

      As long as people can pass off the costs of insecurity, there will be little to no progress in the field. Anyone remember the British banks claiming in court they were liable for hacked chips and pins because they were "perfect" so the customer must have made a mistake? As long as that sort of crap flies, why should they invest in security? Good security is hard.

      --
      Why guess when you can know? Measure!

  8. Re:Makes sense by Dunbal · · Score: 2

    Yes because "voting" really is how you change things.

    --
    Seven puppies were harmed during the making of this post.

  9. Re:Makes sense by joocemann · · Score: 2

    I'm not kidding.

    Thanks for being less vague this time around.

  10. Re:Makes sense by hairyfeet · · Score: 2

    If that is all that it is, I see no problem in it. Where I DO see a problem with it is when industry insiders use jobs as rewards for getting what they want out of government. Too many in government get cushy private sector jobs for themselves and even members of their families as a payoff for playing ball, and THAT I do have a problem with.

    And where will this guy's loyalty lie? Will it lie with Google and their customers? Or when one of his old spook buddies waltzes in and says "hey old buddy, we are needing some info on the quiet side. Can you help us out?" will he just walk outside for a long lunch break while his "friend" has access to his computer?

    And the whole "taxing insecurity" is about the dumbest idea I've ever heard of! Talk about an easy way to take out your competitors, just pay a team of hackers to find bugs and voila! They are buried under so many taxes they go out of business! I mean who do you think could afford 20 million in fines more, a company like MSFT or Oracle, or your average Linux distro? Seems like a great way to take out the smaller weaker corps to me, just keep getting them hit with fines and then buy them out for cheap when they can't fight back anymore. If people want more security then they can buy it, it is JUST that simple.

    --
    ACs don't waste your time replying, your posts are never seen by me.

  11. Re:Makes sense by Pseudonym+Authority · · Score: 3, Funny

    And where will this guy's loyalty lie? Will it lie with Google and their customers?

    If it does, Apple is going to look really stupid for hiring this guy.

  12. Very bad for OpenSource by merick · · Score: 2

    This appears to be very bad for OpenSource. Unless the tax is in % of cost, which I highly doubt, then it will make distributing free software cost prohibitive.

    If I choose to produce a free library that ends up being widely used and is later found to have a security bug, I could be forced to pay thousands or tens of thousands of dollars. Why would I want to create that risk for myself? It could have a strong chilling effect on sharing.

    The US Federal Government has no authority to levy that kind of tax. Any effort to enforce this should be fought.

  13. Re:Makes sense by cp.tar · · Score: 2

    I was thinking something along these lines as well.

    Then I thought a bit better about it.

    Tax is usually related to the price, as a certain percentage thereof. In that case, free software would be off the hook.
    If instead of tax there was some kind of levy unrelated to the price, the Land of the Free would practically outlaw free software. So the free software companies would have to move out from the US.

    Unless the same kind of taxation was introduced throughout the world, that would pretty much mean the US cut itself off from the rest of the world. And if you want to know what turning inwards spells, observe China from two centuries ago until about a century ago.

    --
    Ignore this signature. By order.

  14. Re:Makes sense by Dunbal · · Score: 2

    History disagrees with you. If you shoot enough of them it's called a "revolution". But over the long run even this won't change things. We are the victims of our nature, and human government is a reflection of what we are.

    --
    Seven puppies were harmed during the making of this post.

  15. Re:Makes sense by AmiMoJo · · Score: 2

    So the French Revolution didn't change things for them? The ruling elite still eat cake while the peasants starve to death? How about the US throwing off its British masters and creating a constitution.

    Revolution changes people's beliefs and ideas about how society should work, and those ideas then shape the country and tend to stick around. I wish we had had a proper one in England because we are still stuck with many of the old ideas that other countries abandoned when their citizens revolted.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

  16. Re:Makes sense by joocemann · · Score: 2

    The Italians would disagree.

    There are so many attempts (and successes) on politicians there that you'd be mind-blown.

    I'm not saying it's right, but it's another way that I've seen Europeans keeping their democracy alive.