I've added this "Part 2" section as another follow-up to the discussion over at tssci-security.com. Roger responded to a number of points. This post is a response to some of the comments Roger provided. Overall, a great discussion. There's more from Roger after my post. This was a loooooong discussion, but again, what discussion about software security isn't?!?
Roger, you and I are certainly of the same mindset on some of these topics. I want to address some of the items you wrote about above, but I confess, it will not be complete.
Roger said, “If I look at some of the proposed measures, from your point of view you can just achieve adequate security if the code is available – which most Open Source applications prove to be wrong.”
I agree. The “openness” of software has not proven itself to offer greater security. This does not mean I am against open source, simply that the numbers have not entirely supported the assertion that open-source is better than closed-source. Openness *can* help, but it is no guarantee. Have some open source companies exhibited the ability to address security better than other software manufacturers? Yes. Absolutely. But this is a company issue, not an open/closed-source issue. There are hundreds of open source projects that have simply not responded adequately to consumers’ security needs. The desire, ability, and capability to address security needs are largely an economic issue that is company-specific; that is, do open source projects/companies have the resources and the incentives to adequately address security? The answer is not nearly as clear as open/closed-source evangelists would like us to believe.
In response to my comments regarding “the nuts behind the keyboard,” Roger said, “Well, this is a more than unfair accusation. Part of the reason why these blog comments are here is just me saying that this is unfair and I do not like it.”
Amen. The notion that users are “idiots” is prevalent within the IT industry in general and the IT security industry in particular. For instance, there are many derogatory terms used to refer to users: “ID10T”; PEBCAK, Problem Exists Between Chair and Keyboard; PICNIC, Problem in Chair, Not In Computer; and finally UCOM, User Can’t Operate Machine.
But the notion extends beyond just the IT industry. In a recent article, I believe in CSO magazine, bank executives stated, anonymously of course, that “users are dumb” with regard to how and to what extent (i.e., not at all) users protect their computers from exploitation. This is an increasingly pervasive sentiment and a troubling one.
But the fact that users turn off firewalls is another red herring. Why do they need firewalls in the first place? Largely because of the insecure design and implementation of whatever the firewall is trying to protect. In general, firewalls, as well as the majority of other similar security protections, are a network response to a software engineering problem. These security protections do nothing to solve the underlying problem of why software is, and why it largely remains, vulnerable.
Roger also responded to my question about the security of a system relying on the intellectual strength of users: “Because the consumer has a gazillion uncontrollable options to misconfigure the browser, the applications and the OS, as everything is multi-purpose. This is the big, big difference between a car and software – and it is product-agnostic.”
This is where we disagree. To answer, let me do some setup. First, is software more complex than a vehicle? Yes. Undoubtedly. Second, given this complexity, will users need to be better informed and educated to “drive” safely on the Internet? Sure, but the question that remains is just how much more users must learn to “drive” safely on the Internet.
The current answer, I believe, is: users must have an exceptional, even an extraordinary, level of knowledge in order to protect themselves. They are in fact expected to think and act like the engineers who designed these systems. This is unrealistic. So, which of the following is least implausible? Expecting people in developing nations, who by the statistics are largely disadvantaged educationally or, as Roger said, living in slums, to now become the equivalent of first-world security experts in order to protect their computers (which first-world computer users cannot seem to do either, by the way)…OR…imposing some level of educational requirement (the equivalent of a cyber-driver’s license) to “drive” the global network no matter where you live? I certainly don’t have an answer.
The “let’s not hurt the already-disadvantaged” sentiment is laudable and I share Roger’s concern for the problems of developing nations. This is a hard problem.
That said, a product that is so complex that neither the manufacturer nor the consumer can apparently protect it sufficiently is troubling. To imply that “hey, that’s just the way we designed the OS (as multi-purpose) and the market has to live with that” is unacceptable. It is also largely unprecedented (or has been corrected where there might be precedent). As a public policy issue it is downright dangerous.
When there are services/products that are beneficial to humanity but pose substantial risk to society, such as zoos (risk: wild animals escaping their enclosures), nuclear reactors (risk: meltdowns, transporting HAZMAT), and even toasters (risk: electrocution), the maker/provider has eventually become subject to strict product liability. That is, yes, these things are beneficial to society (as an operating system undoubtedly is), but the risk should something go wrong is so great that the individuals who choose to engage in making/producing this product must be held accountable for any foreseeable and unforeseeable circumstances. In cases where users are culpable as well as the manufacturer, the user is liable under contributory negligence. Everyone shares the burden commensurate with their responsibility.
This is a public policy issue, and an important one. Presumably, a multi-purpose OS will run on just about anything, making the radius of risk quite extensive should the OS have a defect/vulnerability.
Strict product liability encourages manufacturers to build systems that are better focused for intent, better engineered for use, and better designed for safety/security. Users also share the burden under contributory negligence. This is not the current state in the software market. Users bear the entire burden should anything go wrong with their computer system, manufacturing defect or not.
So the biggest question of all is: is software so special that it should not abide by, or adhere to, good public policy?
I like Roger’s thoughts on getting together for a chat. Roger is a wonderful thinker and I welcome the opportunity.