Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ex-NSA Analyst To Be Global Security Head At Apple

Posted by Soulskill on from the keeping-the-worms-out dept.

AHuxley writes "Cnet.com reports that Apple has tapped security expert and author David Rice to be its director of global security. Rice is a 1994 graduate of the US Naval Academy and has a master's degree in Information Warfare and Systems Engineering from the Naval Postgraduate School. He served as a Global Network Vulnerability analyst (Forbes used cryptographer) for the National Security Agency and as a Special Duty Cryptologic officer for the Navy. He is executive director of the Monterey Group, a cybersecurity consulting firm. He's also on the faculty of IANS, an information security research company and works with the US Cyber Consequences Unit. In a 2008 interview with Forbes, 'A Tax On Buggy Software,' Rice talks of a 'tax on software based on the number and severity of its security bugs. Even if that means passing those costs to consumers. ... Back in the '70s, the US had a huge problem with sulfur dioxide emissions. Now we tax those emissions, and coal power plants have responded by using better filters. Software vulnerabilities, like pollution, are inevitable — producing perfect software is impossible. So instead of saying all software must be secure, we tax insecurity and allow the market to determine the price it's willing to pay for vulnerability in software. Those who are the worst "emitters" of vulnerabilities end up paying the most, and it creates an economic incentive to manufacture more secure software.'"

8 of 145 comments (clear)

  1. Windows users by ronmon · · Score: 3, Insightful

    pay a crapload and Linux users pay nothing. Sounds like the tax is already in place. Maybe the money is just going to the wrong people.

  2. Oh Great by SilverHatHacker · · Score: 3, Funny

    We'll never jailbreak the iPhone 5. It'll either have government-grade digital locks, or it'll be accompanied by guys in black suits who "don't really exist".

    --
    Funny may not give karma, but +5 Informative never made anyone snort coffee out their nose.
  3. Good for Apple by StuartHankins · · Score: 4, Insightful

    It's a good thing, it signals they take security seriously. He seems to have impressive credentials. When you've got a target as large as Apple you need to be smart about security.

  4. Re:Makes sense by artor3 · · Score: 4, Insightful

    Sure there's a difference. One exists, the other is a bogeyman intended to scare the uneducated into voting against their interests.

  5. Why not a security rating, so buyer can choose? by noidentity · · Score: 5, Interesting

    From the article:

    But consumers prefer secure software to insecure software. Isn't that preference enough to create an incentive for companies to focus on security?

    Wouldn't that be great? The problem is that right now people can't figure out whether software is secure. They buy software based on what's asserted and take companies at their face values.

    If you look at the five-star rating on automobiles, you don't have to be an expert to make a decision about safety. You can appraise the risk you're purchasing based on that rating. Today almost all the cars on the road are four or five star rated: The market has chosen more safe cars because the safety rating is visible.

    OK, so have a private certification company so you can see their rating on the product. Why is a tax needed? The example he cites, of automobiles, gives the buyer the choice of how safe the vehicle must be.

    How would you measure software vulnerability?

    The types of attacks we've seen over the past four years haven't changed. [The U.S. Department of Homeland Security] keeps a repository of attack patterns. So just as we run cars in various crash tests to see how they respond, we can run these attack patterns on software, judge how it performs and give it a security rating.

    If determining software vulnerability were as simple as running some automated tests, it wouldn't be a problem in the first place. In his example of testing vehicles, it would be like having to protect them against a near-infinite variety of crash situations. How can you automate this, so as to give a simple rating?

    A tax on insecure software would be passed on to the consumer in higher prices. Is that really the goal?

    There's a notion in economics of private cost and the social cost of behavior. The results of insecure software--cybercrime and cyber-espionage--are largely social costs, not paid by the individual who's responsible for the behavior.

    Vulnerabilities lead a consumer's computer to be hijacked by malicious software that allows the attacker to do practically anything with it. Sometimes the attacker targets the infected machines, like the attacks on the Pentagon last year. But often the machine is used to send out more spam, more phishing attacks, or it becomes one of the hundreds of thousands of machines that are used in "denial of service attacks" like the ones that shut down Estonia's Web last year. Those social costs are very heavy.

    If a tax raised the private cost of cybercrime, people would get educated very quickly. When insecure software starts costing more, people will adjust their behavior.

    OK, so let's say all software is secure. That doesn't stop people from combining it in ways that leads to insecurities, or even configuring a single piece so that it's insecure. How will this tax help that?

    Here he talks of negative externalities and making those responsible pay, so that they educate themselves and avoid creating them. Sounds good, so why not do that? That doesn't involve taxation, it involves making those with vulnerable systems pay. That's the way to make the market respond.

    For example, a home user's machine is infected and is now part of a botnet? Charge a fine. He'll quickly clean up his machine, switch/secure his OS, or find an ISP that will detect such a thing and automatically cut his internet connection until he cleans his machine up. Or a business leaks customer information. Fine it. That will encourage it to do what's necessary to secure the data. This way the need for security moves up the chain, from user to supplier, with whatever things are necessary to give it. Leave taxation out of it.

  6. Re:how can anyone know he quit the NSA?` by Anonymous Coward · · Score: 4, Informative

    Yes...we do. No, I'm not talking smack. Used to work there (network warfare shop). When you're done, you leave. You carry with you your "Lifetime Obligations" and some hella good memories, but there are no strings attached save for a couple (they can interview/poly you at any time, they have to review your resume any time you modify it, etc.). You watch too many movies.

  7. Re:how can anyone know he quit the NSA?` by DCFusor · · Score: 4, Informative
    I left too, and the above AC is telling it straight. No big deal. Hard to get permission to visit some adversary countries for a few years if you knew a lot of secrets, otherwise, they pretty much ignore you after that. They once called me a few years after I'd left to help them with something in my specialty, that was it.

    The trouble with conspiracy theories around government agencies is that, well, they are government agencies. Not all that good at what they do, with some small exceptions, and mostly terrible about keeping things secret after they do them. Some secrets last years, but most of them are too boring to actually talk about, and are mostly "policy" which means, some incompetent fool classified something to cover his lousy (or unethical) job performance. We're not working with supermen or angels anymore than any other part of society there.

    There's already a tax on buggy software, it's just paid by the wrong side of the equation, the user. Bruce Schneier has a ton of stuff on the issue, and as long as the makers aren't paying the price, it'll never happen. http://www.schneier.com/

    The thing is, at the point of perfect security, no system is usable -- there is always a trade-off of some kind. This sounds so hard to adjudicate, I kind of doubt it will ever happen -- and at least one software outfit that has the most issues also has enough lobbyists to keep things the way they want them -- the billions of lost dollars yearly due to their bugs will still be with the users, not them.

    As long as people can pass off the costs of insecurity, there will be little to no progress in the field. Anyone remember the British banks claiming in court they were liable for hacked chips and pins because they were "perfect" so the customer must have made a mistake? As long as that sort of crap flies, why should they invest in security? Good security is hard.

    --
    Why guess when you can know? Measure!
  8. Re:Makes sense by Pseudonym+Authority · · Score: 3, Funny

    And where will this guy's loyalty lie? Will it lie with Google and their customers?

    If it does, Apple is going to look really stupid for hiring this guy.