October 20, 2005 12:31 PM PDT

Expert: Vendors, not coders, to blame for bugs

Computer security expert Bruce Schneier has waded into a debate over who is to blame for the security flaws that result from poorly coded software.

Last week, former White House cybersecurity advisor Howard Schmidt launched the debate at a seminar in London. Schmidt argued that programmers should be held responsible for flaws in code they write. "In software development, we need to have personal quality assurances from developers that the code they write is secure," he said.

Schmidt's argument outraged large swathes of software developers, including tech luminaries such as Bruce Schneier, chief technology officer of Counterpane Internet Security. In his blog and in a Wired News column, Schneier took issue with Schmidt's comments, saying that the problem is with the companies selling the software, not with the developers.

Software companies are in the business of making a profit, Schneier argued. "They try to balance the costs of more secure software--extra developers, fewer features, longer time to market--against the costs of insecure software: expense to patch, occasional bad press, potential loss of sales," he wrote.

The result, Schneier said, is "lousy software." Companies find money to "weather the occasional press storm" rather than to "design security right from the beginning."

"The end result is that insecure software is common," Schneier argued. "But because users, not software manufacturers, pay the price, nothing improves. Making software manufacturers liable fixes this externality."

Many ZDNet UK readers seem to agree with Schneier and put the blame for security problems squarely with the vendors selling the software.

The results of a ZDNet online poll, which attracted more than 1,000 respondents, showed that 53 percent of readers who replied felt that the blame lies with vendors. Of the rest, 40 percent said no one is to blame, and just 6 percent said software programmers were at fault.

As far as Schneier is concerned, "computer security isn't a technological problem--it's an economic problem."

Colin Barker of ZDNet UK reported from London.

14 comments

"lousy software."
This must be what's happening at Microsoft.
__________________________________
R.K.
http://www.Remove-All-Spyware.com/
Posted by Roman12 (214 comments )
Microsoft
As the company most under accusation for poor security, Microsoft must be in the limelight here. Their standard license offers no guarantees whatsoever, not even that the software you paid for will work, in exchange for all the things we the end users must agree to before loading up the software. In a non-competitive environment, Microsoft's software can be a security disaster without them feeling they need to make the smallest of concessions to the end user. They recently added a firewall with SP2 (does it actually work? I disable it and use another brand), more for public relations purposes than anything else, it would seem, as it doesn't seem to ask the end user the kind of questions it should to work correctly.

I don't say Microsoft should be financially liable for loss of income due to external hackers/virus writers, but the onus should be on them to produce secure software or refund its cost to the purchaser. A bit like Ford being liable for car theft should they ever decide not to fit any form of lock on their cars. Perhaps what we need is software insurance so the insurance companies can take on Microsoft's appalling record. It's just that given the record, we couldn't afford the premiums!
Posted by Jerry Dawson (126 comments )
Still Wrong
It is wrong to hold developers legally liable, but it is also silly to try and hold vendors accountable. Bruce Schneier suggests that economic problems and corporate greed result in lousy software because security issues are uncovered.

I wonder if Schneier's security company offers a 100% guarantee against security breaches? When did you get a contract from a vendor guaranteeing 100% security in the software you purchased? As soon as a hacker weasels into one of Schneier's client systems, will his company also be legally liable and guilty of corporate greed?

Developers can do better in many situations, but should not be legally liable.

Vendors can do better in many situations, but unless they are selling a product guaranteed to be 100% secure, it is unfair to hold them legally liable.

In the end, the criminal hacker is the guilty party, and the company that implemented insufficient security has nobody but themselves and the criminal to blame.

Why are we playing the blame game at all? It sounds to me like some people are trying to find targets for security lawsuits. Suing a software manufacturer for the illegal actions of a criminal is like suing a locksmith for selling you a faulty lock after your house gets broken into.

It is a "buyer-beware" world, and if your goal is to blame somebody else for security breaches in your system, you probably don't have what it takes to run the system in the first place. You will suffer technically and economically for your misplaced trust and lack of attention to security detail.
Posted by David Arbogast (1712 comments )
Exactly
"... Suing a software manufacturer for the illegal actions of a criminal is like suing a locksmith for selling you a faulty lock after your house gets broken into."

Perhaps you cited a poor example, as, IMHO, either the lock maker and/or the manufacturer would hear from most people's attorneys.

It IS ultimately the criminal's fault, but since we all know there ARE criminals, the VENDOR should/must make some attempt to make sure their product is "safe/secure".
Posted by Aardasp (31 comments )
The Return of Microsoft Boy
Vendors should be held liable. Most vendors put out software riddled with bugs and they know it. Your big concern is that your favorite software vendor, Microsoft, would be the biggest offender.
Posted by (174 comments )
So I guess that means all free software is secure?
Nice try on the argument, but if for profit corporations are the cause, we would expect all open source, freeware, shareware, whatever to be 100% secure, right? And people don't really believe that to be the case, do they?
Posted by highmarker (2 comments )
Shareware is not open source
Open Source software tends to have fewer security issues, mainly because a lot of people analyze it. Software vendors often do not spend the time, money and effort for that.
If you had ever worked in a software company, you would know that the way QA is handled is rather dismal. Often, QA, if it exists at all, has a lower rank in the company, is seen as the enemy of the developers, and if deadlines loom, skimping on QA is the first thing that happens.
Posted by JoeF2 (1284 comments )
Let's clarify the tradeoff
Call it greed, or call it what you like, but there is a tradeoff between resources and software quality for every form of software development.

Industry will place the pressure on software developers to complete a task in just enough time to get the basic functionality in place with minimal testing - this is "increasing efficiency" and saving money. For industry the tradeoff is money (in the form of employee wages) versus quality. If industry won't pay the individual to do the testing, then why should the individual be held accountable? Don't pin it on the individual because they're not willing to work overtime for free, unpaid, because their management doesn't want to spend the money. The management made the decision when they decided not to spend the money.

For open source, freeware, shareware, etc., the individual is forced to make the tradeoff between the incentives to develop (satisfaction, marginal profits) and the effort spent to minimize bugs and security issues. If non-developers would like to continue to receive open source and shareware alternatives to expensive commercial products, then they have two options: increase the incentive to develop, or live with the extra flaws without heckling the developers with liability. Doing neither will result in an atmosphere where there is no incentive to develop, because you are removing the profit and/or enjoyment factor from the software development process for an individual developer. Before you call it individual greed, think about this: if a developer is unemployed and on the verge of homelessness, is asking for fair monetary compensation for his/her efforts greed? Most of us don't have time to give away without being justly compensated. Everyone with a computer who is not in the software development field needs to realize that this is the way software developers make their living, first and foremost.

Asking an individual software developer to produce perfect software or suffer the consequences for what little incentive (monetary or not) they may receive is like going to a poor farmer who is fighting against large corporate farms and demanding 500 pages of paperwork documenting the fact that there is not a single insect infesting the bushel of corn that you bought from him for 50 cents. Maybe the farmer will go through that trouble if you give him 5000 dollars.

In other words, we software developers do this for a living; let's start with some respect for the difficulties involved in just establishing basic functionality.

If it is difficult to develop secure software, go after the corporations developing the OSes, servers, and the tools we individuals are stuck with using, because a rock solid OS with a rock solid API would not permit such flaws to exist.
Posted by (1 comment )
Free software does not mean unlimited resources
Just because developers offer software for free or as open source, freeware, shareware, etc., does not mean they have unlimited resources to develop both the security and the functionality. Security is a cost issue for developers as well. As stated in the article, "computer security isn't a technological problem--it's an economic problem." Even for developers who develop for free.
Posted by lasica (1 comment )
Schneier is right, and as usual...
...he's outspoken. Anyone who's followed his work and writing over the years knows the guy shoots from the hip with a frequently abrasive manner. Lots of us who're tired of "big corporate security firms'" PR nonsense find the guy's outspokenness refreshing. Not only does his industry shut up and listen when he reprimands it for shoddy behavior, but, most important, they take his criticisms to heart; security professionals have nothing but respect for the breakthroughs in cryptology and in securing the network that Schneier has delivered over the years. The fact that OS-makers like MSFT and ISPs like ELNK have taken total security suiting in-house is proof positive of Schneier's progressive influence in his field. I recommend to folks who have any doubts about his vision that they read his books and op-eds over the years and follow his personal blog as well as Counterpane's monthly free email, and only then pass judgement on the guy.
Posted by i_made_this (303 comments )
I agree
He insulted my software recently, but his comments were not entirely baseless. (I have gotten over it.) His opinion should at least be listened to, as he does have vast experience in the field.
Posted by Andrew J Glina (1673 comments )
Sturgeon's Law
I've been developing and QA'ing software for over 20 years. I can best convey my opinion on software quality in general by describing Sturgeon's Law.

The story goes that a critic accosted the late science fiction author, Theodore Sturgeon, and asked him why he wrote science fiction "because 90% of science fiction is crap."

Sturgeon's immortal reply was, "That's true... but 90% of everything is crap."

I agree. Now just replace "science fiction" with "software"...
Posted by yobtvoya (41 comments )
Too Tired Topic
Three words: The originals were found carved on the wall of an Egyptian temple north of Cairo. As memory is fallible, have them tattooed on the inside of your eyelid.

- Standards (including terminology)
- Process
- Discipline

In the absence of any one, throw expectations of high-quality [fill in the blank] out the window and gird for endless philosophical (read irresolvable) exchanges.
Posted by parich1776 (13 comments )