This was the title of a post on a Dutch discussion group in response to the idea of a "vulnerability tax" covered in an article on Dark Reading. Wow. This is an example of a statement's meaning becoming "lost in translation." The entire site is in Dutch and I translated the page.
The response on the website was heated, to say the least. And rightly so. My response went something like this, which I wrote in English since my Dutch is rather poor (actually, non-existent). I have a feeling that translation issues will remain, however.
Hi. I'm David Rice. And no, I wasn't drunk when I wrote about vulnerability taxes, nor was I on XTC. I hope to high heaven that I'm not an idiot either.
Wow. The translation for this did not come out as expected. I can understand why everyone is so upset. "Insecure Developers Must Pay Taxes," is only partly accurate.
The idea behind a "vulnerability tax" is the same idea behind taxing carbon emissions. Manufacturing inevitably creates pollution. The answer is not to stop manufacturing as this makes everyone worse off. So we tax pollution to offset the cost of its damage. This rewards "greener" companies since they pass on less tax to the consumer. Massive carbon emitters must pay higher taxes and therefore their product/service is more expensive. The market is left to determine how much tax (and therefore how much pollution) it is willing to tolerate.
The same idea is applied to software. Creating "perfect software" is not possible. Vulnerabilities are inevitable. But this does not mean we cannot do anything about it. The answer is not to stop using software, as this makes everyone worse off. Taxing manufacturers of insecure software rewards those companies that produce fewer vulnerabilities, making their product less expensive since less tax is passed on to the consumer.
The problem with cars is not that they are so expensive. It is that they are not expensive enough to drive. So they fill the atmosphere with carbon. The same problem exists with software. The problem is not that software is so expensive. The problem is that software is not expensive enough. And so it "fills" cyberspace with "pollution." Why complain about Vista costing EUR 1000 when it is extraordinarily expensive to protect it from exploitation? All that time and effort, firewalls, anti-virus, intrusion detection systems... that's a lot of cost, both in the private cost you pay to try to get it right as well as the social costs everyone pays when you get it wrong.
I hope this clears some things up. Thank you for your heated discussion.
So that's the gist of my response. I didn't copy my response before posting so the original words are lost. I'm not even sure the site moderator will post my response since it was in English. One can only hope. If my response does actually get posted, I will replace the above quote.
Did you also see the discussion on the SC-L mailing list?
Here are my responses to the article and some of the list questions/comments that came up, but you should read the whole thread.
http://lists.virus.org/securecoding-0712/maillist.html
Great work on the book, and I like what I see here on the blog so far.
Posted by: Andre Gironda | December 05, 2007 at 12:05 PM