Computer-Security Paranoia
This is just a lovely essay. Very subtle.
My fourth column for Wired discusses liability for software vulnerabilities. Howard Schmidt argued that individual programmers should be liable for vulnerabilities in their code. (There’s a Slashdot thread on Schmidt’s comments.) I say that it should be the software vendors that should be liable, not the individual programmers.
Click on the essay for the whole argument, but here’s the critical point:
If end users can sue software manufacturers for product defects, then the cost of those defects to the software manufacturers rises. Manufacturers are now paying the true economic cost for poor software, and not just a piece of it. So when they’re balancing the cost of making their software secure versus the cost of leaving their software insecure, there are more costs on the latter side. This will provide an incentive for them to make their software more secure.
To be sure, making software more secure will cost money, and manufacturers will have to pass those costs on to users in the form of higher prices. But users are already paying extra costs for insecure software: costs of third-party security products, costs of consultants and security-services companies, direct and indirect costs of losses. Making software manufacturers liable moves those costs around, and as a byproduct causes the quality of software to improve.
This is why Schmidt’s idea won’t work. He wants individual software developers to be liable, and not the corporations. This will certainly give pissed-off users someone to sue, but it won’t reduce the externality and it won’t result in more-secure software.
EDITED TO ADD: Dan Farber has a good commentary on my essay. He says I got Schmidt wrong, that Schmidt wants programmers to be accountable but not liable. Be that as it may, I still think that making software vendors liable is a good idea.
There has been some confusion about this in the comments, that somehow this means that software vendors will be expected to achieve perfection and that they will be 100% liable for anything short of that. Clearly that’s ridiculous, and that’s not the way liabilities work. But equally ridiculous is the notion that software vendors should be 0% liable for defects. Somewhere in the middle there is a reasonable amount of liability, and that’s what I want the courts to figure out.
EDITED TO ADD: Howard Schmidt writes: “It is unfortunate that my comments were reported inaccurately; at least Dan Farber has been trying to correct the inaccurate reports with his blog. I do not support PERSONAL LIABILITY for the developers NOR do I support liability against vendors. Vendors are nothing more than people (employees included) and anything against them hurts the very people who need to be given better tools, training and support.”
Howard wrote an essay on the topic.
Congress is talking—it’s just talking, but at least it’s talking—about giving tax breaks to companies with good cybersecurity.
The devil is in the details, and this could be a meaningless handout, but the idea is sound. Rational companies are going to protect their assets only up to their value to that company. The problem is that many of the security risks to digital assets are not risks to the company who owns them. This is an externality. So if we all need a company to protect its digital assets to some higher level, then we need to pay for that extra protection. (At least we do in a capitalist society.) We can pay through regulation or liabilities, which translates to higher prices for whatever the company does. We can pay through directly funding that extra security, either by writing a check or reducing taxes. But we can’t expect a company to spend the extra money out of the goodness of its heart.
Windows OneCare is the next-generation pervasive security program that will be part of Microsoft Windows. I know nothing about it. Does anyone have any comments or opinions?
And the current rumor is that Ballmer and Nash are speaking at a Microsoft event in Munich. They’re supposedly outlining Microsoft’s security roadmap. Anyone have any inside information?
Starting next month, US-CERT will start issuing uniform names for worms, viruses, and other malware. This is part of a program called the Common Malware Enumeration Initiative, and is great news.
The Next 50 Years of Computer Security: An Interview with Alan Cox.
He says a lot of the same things I’ve been saying.
From the Mitsubishi Research Laboratories:
The privacy-enhanced computer display uses ferroelectric shutter glasses and a special device driver to produce a computer display which can be read only by the desired recipient, and not by an onlooker. The display alternately displays the desired information in one field, then the inverse image of the desired information in the next field, at up to 120 Hz refresh. The ferroelectric shutter glasses allow only the desired information to be viewed, while the inverse image causes unauthorized viewers to perceive only a flickering gray image, caused by the persistence of vision in the human visual system. It is also possible to use the system to “underlay” a private message on a public display system.
I don’t always agree with everything Marcus says, but he’s always interesting and entertaining and thought provoking. This is his latest essay: “The Six Dumbest Ideas in Computer Security.”
There’s a discussion on Slashdot about the security of code signing, and particularly my comments on the topic in the book Secrets and Lies.
Interesting research grant from the NSF:
Technical security measures are often breached through social means, but little research has tackled the problem of system security in the context of the entire socio-technical system, with the interactions between the social and technical parts integrated into one model. Similar problems exist in the field of system safety, but recently a new accident model has been devised that uses a systems-theoretic approach to understand accident causation. Systems theory allows complex relationships between events and the system as a whole to be taken into account, so this new model permits an accident to be considered not simply as arising from a chain of individual component failures, but from the interactions among system components, including those that have not failed.
This exploratory research will examine how this new approach to safety can be applied to Internet security, using worms as a first example. The long-term goal is to create a general model of trustworthiness that can incorporate both safety and security, along with system modeling tools and analysis methods that can be used to create more trustworthy socio-technical systems. This research provides a unique opportunity to link two research disciplines, safety and security, that have many commonalities but, up to now, relatively little communication or interaction.