GEEKONOMICS

I had a great discussion with Dorothy Denning after she read Geekonomics. For the benefit of those readers outside the information security profession, Dorothy is one of the world's most respected computer-security experts having published four books and over 120 articles. She was a professor at Georgetown University and is now a professor at the Naval Postgraduate School. I am truly delighted to post the following review by Dorothy:

"I loved this book. It is probably the most engaging and important book relating to security that I've read. Geekonomics tackles head on the growing security and safety problems brought on by faulty software, and what needs to be done. If you read only one book this year, Geekonomics should be it."

Thanks so much for the wonderful review, Dorothy.

Raj Samani wrote the following review on Amazon.co.uk:

A Call to Action?

I really enjoyed this book, but not solely because of the message the author delivers - in terms of the poor quality of software we the consumer are forced to accept, but more in terms of the manner in which his argument is made.

The software industry is unlike any other industry, with no true comparables. It would therefore ordinarily be impossible to say look at industry x, they did solution y - so we should replicate that in its entirety. Rather, what the author did was to break down the many intricacies of the industry and found comparables there. For example, the early example regarding the manner in which portland cement was created would ordinarily have one assuming it has no correlation whatsoever with software. Any attempt to link this back would ordinarily have proved clumsy, yet the author does link it back effeciently and with consumate ease. This achieves two things, firstly it breaks the problem down without over burdening the reader with convulated descriptions, but also I particularly enjoyed a tour through history, and learning something new.

Such examples are littered throughout the book, including but not limited to the fight for standardisation - in screws!!!

Although the description of the legal framework did leave the mind to wander elsewhere, it is incredibly harsh to fault the author for this area to be, shall we say 'a little dry'.

I did find myself disagreeing on some minor points, but this was not related to facts merely a difference of opinion. Subsequently I would strongly urge one and all to not only read this, but more importantly make an attempt to demand better quality code from the software companies.

Make sure you read this so you can fully appreciate the magnitude of the problem. Thereafter treat this a vital tool in your arsenal, in the call to action - in the demand for better software.

Thank you for the wonderful review, Raj.

Ben Rothke gave a very complimentary review of Geekonomics on Slashdot:

Geekonomics

Excerpts from the review:

"First the good news — in a fascinating and timely new book Geekonomics: The Real Cost of Insecure Software, David Rice clearly and systematically shows how insecure software is a problem of epic proportions, both from an economic and safety perspective. Currently, software buyers have very little protection against insecure software and often the only recourse they have is the replacement cost of the media. For too long, software manufactures have hidden behind a virtual shield that protects them from any sort of liability, accountability or responsibility. Geekonomics attempts to stop them and can be deemed the software equivalent of Unsafe at Any Speed. That tome [warned] us against driving unsafe automobiles; Geekonomics does the same for insecure software."

Now the bad news — we live in a society that tolerates 20,000 annual alcohol-related fatalities (40% of total traffic fatalities) and cares more about Brittany Spear's antics than the national diabetes epidemic. Expecting the general public or politicians to somehow get concerned about abstract software concepts such as command injection, path manipulation, race conditions, coding errors, and myriad other software security errors, is somewhat of a pipe dream.

Geekonomics is about the lack of consumer protection in the software market and how this impacts economic and national security. Author Dave Rice considers software consumers to be akin to the proverbial crash test dummy. This combined with how little recourse consumers have for software related errors, and lack of significant financial and legal liability for the vendors, creates a scenario where computer security is failing.

Most books about software security tend to be about actual coding practices. Geekonomics focuses not on the code, but rather how insecurely written software is an infrastructure problem and an economic issue.

...

Overall, Geekonomics is an excellent book that broaches a subject left unchartered for too long. The book though does have its flaws; its analogies to physical security (bridges, cars, highways, etc.) and safety events don't always coalesce with perfect logic [My edit: please read my response to a similar critique from Richard Bejtlich here]. Also, the trite title may diminish the seriousness of the topic. As the book illustrates, insecure software kills people, and I am not sure a corny book title conveys the importance of the topic. But the book does bring to light significant topics about the state of software, from legal liability, licensing of computer programmers, consumers rights, and more, that are imperatives.

It is clear the regulations around the software industry are inevitable and it is doubtful that Congress will do it right, whenever they eventually get around to it. Geekonomics shows the effects that such lack of oversight has caused, and how beneficial it would have been had such oversight been there in the first place.

To someone reading this review, they may get the impression that Geekonomics is a polemic against the software industry. To a degree it is, but the reality is that it is a two-way street. Software is built for people who buy certain features. To date, security has not been one of those top features. Geekonomics notes that software manufacturers have little to no incentive to build security into their products. Post Geekonomics, let's hope that will change.

Geekonomics will create different feelings amongst different readers. The consumer may be angry and frustrated. The software vendors will know that their vacation from security is over. It's finally time for them to get to work on fixing the problem that Geekonomics has so eloquently written about.

From Network World:

Another new Trojan intercepts online banking information.

The Trojan, dubbed Trojan.Silentbanker by security software company Symantec, can intercept online banking transactions that normally are well guarded by two-factor authentication procedures. During a banking transaction, Silentbanker will change the user's bank account details over to the attacker's account, all the while mimicking what the user would expect to see from a typical banking transaction. Because users have no idea their account data has been changed, they then unknowingly send money to the attacker's account after entering their second authentication password.

Although the Trojan.Silentbanker is listed by Symantec as having a low level of distribution and being easy to remove from infected machines, Symantec security response team member Liam O'Murchu says it still poses a danger because of its ability to work without users detecting it.

"The scale and sophistication of this emerging banking Trojan is worrying, even for someone who sees banking Trojans on a daily basis," writes O'Murchu on Symantec's security response blog. "This Trojan downloads a configuration file that contains the domain names of over 400 banks. Not only are the usual large American banks targeted but banks in many other countries are also targeted, including France, Spain, Ireland, the UK, Finland, Turkey -- the list goes on."

The Trojan can be "downloaded or delivered silently through Web exploits," according to Symantec. Once it has been loaded to a machine, it can hook onto various APIs in both Internet Explorer and Firefox. As soon as the program is in place on a Web browser, it is free to cause all kinds of mischief, including redirecting legitimate banking requests to attacker-controlled computers; altering the HTML of pages shown to the user; and recording user names and passwords, as well as capturing screenshots of any Web pages the user visits.

Additionally, says O'Murchu, the Trojan can constantly update itself, as it relays URLs and HTML from banking Web sites to the attackers on a daily basis. "Using these submissions they can target banks for which they do not have bank accounts already," he says. "We are currently monitoring all of the updates to this Trojan."

From the Register:

Polish teen derails tram after hacking train network

An excerpt:

A Polish teenager allegedly turned the tram system in the city of Lodz into his own personal train set, triggering chaos and derailing four vehicles in the process. Twelve people were injured in one of the incidents.

The 14-year-old modified a TV remote control so that it could be used to change track points, The Telegraph reports. Local police said the youngster trespassed in tram depots to gather information needed to build the device. The teenager told police that he modified track setting for a prank.

"He studied the trams and the tracks for a long time and then built a device that looked like a TV remote control and used it to manoeuvre the trams and the tracks," said Miroslaw Micor, a spokesman for Lodz police.

"He had converted the television control into a device capable of controlling all the junctions on the line and wrote in the pages of a school exercise book where the best junctions were to move trams around and what signals to change.

"He treated it like any other schoolboy might a giant train set, but it was lucky nobody was killed. Four trams were derailed, and others had to make emergency stops that left passengers hurt. He clearly did not think about the consequences of his actions," Micor added.

Transport command and control systems are commonly designed by engineers with little exposure or knowledge about security using commodity electronics and a little native wit. The apparent ease with which Lodz's tram network was hacked, even by these low standards, is still a bit of an eye opener.

From Wired Magazine:

FAA: Boeing's New 787 May Be Vulnerable to Hacker Attack

A short excerpt:

The computer network in the Dreamliner's passenger compartment, designed to give passengers in-flight internet access, is connected to the plane's control, navigation and communication systems, an FAA report reveals.

The revelation is causing concern in security circles because the physical connection of the networks makes the plane's control systems vulnerable to hackers. A more secure design would physically separate the two computer networks. Boeing said it's aware of the issue and has designed a solution it will test shortly.

"This is serious," said Mark Loveless, a network security analyst with Autonomic Networks, a company in stealth mode, who presented a conference talk last year on Hacking the Friendly Skies (PowerPoint). "This isn’t a desktop computer. It's controlling the systems that are keeping people from plunging to their deaths. So I hope they are really thinking about how to get this right."

...

The design "allows new kinds of passenger connectivity to previously isolated data networks connected to systems that perform functions required for the safe operation of the airplane," says the FAA document. "Because of this new passenger connectivity, the proposed data-network design and integration may result in security vulnerabilities from intentional or unintentional corruption of data and systems critical to the safety and maintenance of the airplane."

From the San Francisco Chronicle (Friday, January 11, 2008):

Unpatched Software Flaws Put PCs at Risk

Ninety-five percent of personal computers are vulnerable to attack by hackers due to unpatched flaws in their software applications, according to data released on Wednesday by Secunia, a Danish security vendor.

The data was collected this month and comes from 20,000 computer users who used Secunia's tracking tool, Software Inspector, for the first time. The tool runs off Secunia's Web site and tracks which applications on a user's PC are insecure, meaning they have a hole for which a patch has not been applied.

The report is the latest development in the continuing battle between hackers and computer users. Software flaws have increased the past several years, say several security researchers, making it more challenging for PC owners who are trying to keep their machines secure.

According to Secunia's data, less than 5 percent of the scanned computers had software applications that were considered secure. About a quarter of the computers had as many as five flawed applications, and another quarter had as many as 10. Forty-two percent of computers had more than 11 insecure applications. About 1.8 million applications were scanned.

There are plenty of examples of troubled software...

Indeed, there are.

Ben Wright posted a great review on his website Hack-igations.

Liability for Publishing Insecure Software

My colleague at the SANS Institute, David Rice, has published an important and learned book, Geekonomics: The Real Cost of Insecure Software. This book could be for the software industry what Ralph Nader’s Unsafe At Any Speed was for the automobile industry in the 1960s. Nader’s book contributed to the legal movement requiring auto manufacturers to make safer products.

Geekonomics argues that computers would be more secure if software publishers are held legally liable for distributing faulty software. The book is destined to influence software law. David backs his argument with outstanding research and cogent explanations. He says software publishers should not be immune to liability for their mistakes.

I learned a lot from the book, and I highly recommend it.

As I studied the book, I developed a question: Legally speaking, how do we judge whether a software product is good or bad? In other words, What should be the standard for evaluating when a software publisher has failed so miserably that the publisher should be penalized through the mechanics of our judicial system?

On page 69 Geekonomics says the industry has known since the 1960s how to write “secure” software. But the book does not tell me what secure software development entails, and it does not tell me what secure software looks like when it is released.

Will “secure” software look, function and cost like an M1 Abrams tank, produced by a military contractor? Do I want that kind of software?

The book goes into quite some detail saying present software is bad. But as a consumer and small business proprietor who bought his first PC (and installed his first software) in 1987, I confess that I am absolutely dazzled with the software made available to me over the past 20 years! I love, for example, all the latest Web 2.0 stuff. I am thrilled to have all the new functionality offered to me in rapid succession. My assessment of the vast array of software I have used seriously is that it is really good. It has enabled me to be productive (and have fun) beyond any dreams I could have had in the 1970s.

I realize hackers can break into the software installed on my PCs, damage my PCs, deface my blog, and steal my credit card data. But the worst case scenario is that I have to backup my data, I must buy a new PC every once in a while (the cost of which has progressively decreased over the years) and I have to monitor things like my credit card statements and my status at the credit bureaus. I accept that no product can be perfect. And I accept that I must order my life to account for the security imperfections in software.

Little of the software I deal with personally impacts my physical safety.

On balance, I am very, very pleased with a great deal of the software available to me today and across the years. But Geekonomics says present software is really bad.

Hence, my esteemed colleague, David, and I come to this topic with two different value standards. For purposes of law, how do we know who is right?

More particularly, in a court of law, how do we know whether a software product is good enough (albeit not perfect) so that the publisher can avoid having to pay money as a consequence of the publisher’s distribution of the software to the public? If we can't answer this question with some precision, then our prolific software industry will be stunted.

Thanks for the great review, Ben. And you raise important questions that I'd like to invest time in answering for future posts.

David Shackelford posted a great review of Geekonomics on Amazon.com:

Lots to Think About

Anyone that knows me at all can tell you that I am not a fan of Fear, Uncertainty, and Doubt (FUD) in making the case for effectively managing risk. As a professional in the information security business, it is all too easy to use FUD as the "easy way out" when trying to convince people of the severity of vulnerabilities and so on. I am pleased to say that David does not employ this tactic in his book. He makes a very reasoned case, building it with example after example of how poorly software is constructed and how deep the rabbit hole goes in software manufacturers' efforts at liability avoidance.

So far, the reviewers of this book are all "security people". Please know that there are caveats to such reviews - namely, we are always looking for the "aha" publications that tell the rest of the world what we have known for a while now. This is one of those, and it may very well be the first I've really enjoyed while trying to put myself in the shoes of the "average computer user" in the world today. My usual way of doing this is by asking myself "Will my mom understand this?" I'm very pleased to report that my mom could in fact "get" the big picture David is painting here - namely, that software is something we are relying on as a critical part of society today, and it is just as fundamentally flawed as the early sewer systems he describes early in the book.

What's great about this book, aside from the points already articulated by the other reviewers, is that it takes a problem we all know exists (most software is crappy) and forces you to look at it from a number of different angles. How many books do you read in a year that actually cause you to ask yourself questions? Probably very few, I'd guess. This is a book that challenges you to think about things differently; for instance, a Windows system crashing is not just a "Blue Screen of Death" on your home PC, it's now a critical system controlling a local power grid that just went down. It's not just a poorly-written piece of Web server software, it's a perfectly viable avenue of electronic data theft. And by the way, this little problem affects every one of us. Bravo, David, you've done a great job here. I tend to agree with Richard Bejtlich that a "vulnerability tax" is somewhat infeasible, but at least we're having some interesting conversations. Change usually stems from these, and change is exactly what's on the menu.

Thanks so much for the great review, Dave.

A Wonderful Discussion

Richard Bejtlich wrote a very complementary review of Geekonomics on Amazon.com:

The future of software is legal

I would like to thank Richard for taking the time and the effort in writing his review. As an author, I am grateful for this. I am especially grateful when those who voice their praise (and reservations) are both thoughtful and meticulous in their choice of words. Richard was exemplary in this respect. I welcome his comments as important additions to the discussion.

Richard noted two aspects of Geekonomics he felt detracted from the book's message:

1) the book fails to adequately differentiate between safety and security; and
2) the chapter on open source demonstrates fundamental misconceptions that unfortunately detract from the author's message.

Indeed these are areas that need more discussion not only to clarify any misunderstandings, but because Richard’s remarks touch on broader aspects that call for deeper discussion regardless. Besides, Richard brings up some good points in his review that deserve time and attention.

There is a lot to talk about in this post, so, as courtesy, you might consider refreshing your beverage and getting comfortable. This is a rather long post, but not unnecessarily so. Also, for readability I’ve divided this post into sections highlighting its more salient points.

• Safety and Security
• The Vulnerability Tax
• Open Source: Binaries Are Not Easy to Read
• Open Source: The Misconception of First-time Innovation
• Open Source: The Threat of Project Foreclosure
• Open Source: Personal Liability
• Conclusion

With that housekeeping out of the way, let’s dig in. I hope you enjoy the discussion.

Safety and Security

Quoting Richard directly from his Amazon post:

Rice believes the governing issue in software security is the need to reduce vulnerability. The problem with this approach is that life is vulnerability. It is simply too difficult to eliminate enough vulnerability in order to reduce risk in the real world. …

Consider now the issue of safety vs security. The author makes comparisons using the London sewer, various aspects of driving, and the New York subway system. Especially in the first two cases, these are exclusively issues of safety, not security. What is the difference? Safety incidents happen because a system fails. Security incidents happen because an intelligent adversary exploits a system. The outcome of the London sewer and driving cases would be much different if the Nazis were bombing the sewer system or Mad Max was shooting at cars or blowing holes in pavement. In short, the author cannot suggest that an approach that works against a safety problem is going to succeed against a security problem. Security problems are more dynamic because the threat perceives, adapts, and returns in ways unexpected by the victim.

Richard makes some very good points. Let’s break this down into bite-sized bits.

First, I do indeed believe software vulnerabilities must be reduced in order to reduce malicious exploitation of those vulnerabilities by adversaries. I believe this for very good reasons which I explain shortly.

Second, I agree that life is vulnerability. I have no argument with this point of view. Life is fragile and I would dare say that each of us understand the truth of this in our bones. Where I take issue is that such a statement does not sufficiently distinguish between vulnerability inherent in existence and vulnerability induced by defect. The first is unavoidable, the second is. It is this second aspect of vulnerability that is the focus of Geekonomics.

What Richard highlights here is what I believe to be an especially pernicious and commonly held misunderstanding in the story of software. To reiterate Richard’s statement, “The outcome of the London sewer and driving cases would be much different if the Nazis were bombing the sewer system or Mad Max was shooting at cars or blowing holes in pavement."

Other security experts have voiced this notion also, including Andy Steingruebl of SecurityRetentive:

“Let’s be clear to distinguish between the different scenarios though[referring to safety and security]. As has been repeatedly pointed out cars are designed to be “safe” under “ordinary” operating conditions. They are not designed to be “safe” from a malicious adversary. A car won’t stop someone from deliberately ramming you in the area of the car most likely to cause personal injury. It won’t be safe if someone cuts the brakes, loosens all the wheel nuts, etc. Heck, it won’t alert you to those situation either”.

Life is fragile. So are the constructs of men. If the Nazi’s were bombing the London sewer system, it would inarguably crumble against the onslaught. If hooligans were smashing windshields and shooting cars, the vehicles would undoubtedly be damaged and, along with it, potentially the passengers. The quality of the sewer system – or the safety of a vehicle – would be moot in such situations. Bombs and crowbars have a tendency to nullify construction quality or safety devices to a certain extent. This is not in question.

But as I call out early in Geekonomics, software fundamentally challenges our analogies. No single analogy serves the discussion of software completely. To quote directly from Geekonomics (page 16):

“Cement is an imperfect analogy for software, but so too is just about everything else, which means analogies used to understand software tend to break quite easily if over-extended…This does not mean that software cannot be understood, simply that significantly more mental effort must be applied to think about software in a certain way, in the right context, and under the relevant assumptions.”

In other words, if the analogy does not "work," we must abandon it and find a new one. Geekonomics is chock full of analogies because of this. The problem with the above quotes is that the sewer system and car analogies were over-extended and were not abandoned. So taking Richard's and Andy's comments at face value, they’re right: The quality of cement in no way applies directly to its ability to withstand a Nazi bombing. An intelligent adversary is indeed difficult to combat. The safety (and quality) of the sewer system are moot when attacked by a Nazi bomb. Build a tougher sewer and the Nazis build a bigger bomb. But let’s apply this same logic to the story of insecure software and see how the analogy is fatefully over-extended.

To apply the analogy of Nazi bombs to the software world means that cyber attackers are capable of creating the equivalent of “software bombs” that allow attackers to arbitrarily “blow up” any targeted software application. This is, in fact, what bombs do. A 500 pound bomb works just as brilliantly against a high-quality, safe car as it does against a carefully designed building, train, ship, or sewer system. A crow bar works just as brilliantly against the windshield of a Lexus as it does against the windshield of a Mercedes. The nice thing about bombs and crowbars in the physical world is that they do not have any versioning issues. But this is not the case in the story of software.

For instance, exploit code such as Code Red (an exploit that targets Microsoft’s web server) does not work against a Linux machine. Why not? Because there is no corresponding weaknesses in the Linux software that allows it to be exploited by Code Red.

In essence, Linux is immune and impervious to Code Red because the Code Red “bomb” does not exploit a Linux manufacturing defect. In order to exploit a Linux vulnerability, an attacker must find a defect in the Linux software that the Linux community failed to discover themselves. Similarly, if the Microsoft web server did not have that particular vulnerability (e.g. Microsoft avoided the defect in the first place), Code Red would not have been built. There is a tight relationship between a software exploit (the “bomb”) and the software vulnerability it exploits.

Subsequently, the construction quality of a London sewer system or a vehicle would matter greatly if the example above were also the case in the physical world. Nazi bombs would only work against manufacturing defects found only in the London sewer system. If the New York sewer system used another form of cement or had different weaknesses, the Nazis would have to build an entirely different bomb to specifically exploit the weaknesses found in the New York sewer system. In either case, it would behoove the cement manufacturers in New York and London to get their cement "right" in the first place. This is an important realization. In the absence of a manufacturing defect, the effectiveness (and impact) of  corresponding exploit code (the bomb) all but disappears.

This is critical to understand when discussing software assurance. We do not see exploits (bombs) for a software application that does not have a corresponding vulnerability. If the over-extended "Nazi bombing sewers" analogy were applied to the software world, this would mean a single “software bomb” such as Code Red could be used as effectively against Windows XP as against iTunes, Salesforce.com, or Linux just as a 500lb bomb in the physical world can be used as effectively against an arbitrary car, building, or sewer system.

If such were the case, software would never be “secure” and would always be susceptible to attack no matter software’s level of quality or safety. Cyber attackers could attack any computer system arbitrarily regardless of the existence of software weaknesses. This simply isn’t true in the story of software. Security researchers are looking for vulnerabilities in order to construct bombs that specifically work against a discovered vulnerability.

Let me put this another way: cyber attackers cannot build bombs (exploits) in the absence of a software defect (see side not below). Remove the manufacturing defect, and exploits (of software vulnerabilities) become moot to a large extent. This is, of course, why the information security community so diligently tells people to patch their systems…to remove the defect and thus remove the impact of a possible exploit.

SIDE NOTE: Arguably the closest thing we have in terms of a “software bomb” is network denial-of-service attacks which, in the case of the network, works against any computer system by exhausting network bandwidth (or the capacity of the computer’s network card), but does not necessarily “exploit” the software directly (I’m thinking more in terms of malware infecting a machine. There is plenty of room for discussion here).

To re-quote Richard:

…the author cannot suggest that an approach that works against a safety problem is going to succeed against a security problem.

In fact, that is exactly what I suggest based on the above reasoning. If software were truly like cement, lack of manufacturing defects in software would do nothing to mitigate the impact of bombs. But this is not the case. There is a direct relationship between the vulnerability and “the bomb” in the story of software. Building "safe" software is a monolithic endeavor that includes quality, safety, and security. Getting the stuff right in production matters. The issue is about software assurance, not necessarily information insurance which I believe Richard is alluding to.

Software is attacked. Why? In large part because of preventable manufacturing defects that software manufacturers have little incentive to remove before placing the product into the global stream of commerce. Software manufactures would have us believe that it is sophisticated cyber attackers that are arbitrarily "dropping bombs" on our systems or smashing the wind shields of our computers when, in fact, vulnerabilities in software are specific invitations to exploitation.

The crazy thing of it is, Nazi’s and hooligans are not needed to break our windows in the story of software. Windows are already broken by the manufacturer at the factory; we just don't know how many.

In the absence of a software vulnerability, it is not possible to build a corresponding software bomb (as far as we know). So the intelligence of our adversaries really lies in their ability to discover manufacturing defects that software manufacturers failed to discover themselves and, in the case of phisphing attacks, tricking users into visiting websites containing malware that exploits vulnerabilities in victim's desktop computers.

Does squeezing out all software defects (if this were possible) remove other security concerns surrounding information assurance and the larger issues of security? Of course not. And I do not imply that is does. But I would argue that it helps. Reduce the number of defects, vulnerabilities, weaknesses (whatever you would like to call them) and the risk equation changes substantially, but not totally. Build a better firewall and yes, attackers will attack you with more sophisticated attacks. In comparison, build better software and the incentive to directly attack software diminishes.

Software vulnerabilities communicate a message of disorder into the world of cyberspace. This message promotes greater disorder and invites more serious and more sophisticated forms of crime. As with broken windows, software vulnerabilities are invitations. Unlike broken windows, software vulnerabilities are delivered by the manufacturer, not created by hooligans. This is why I believe software vulnerabilities must be reduced in order to prevent malicious exploitation by adversaries and to reduce more serious forms of crime and espionage.

Vulnerability is a fact of life; it is inherent in existence. But vulnerability induced through preventable manufacturing defects does not have to be.

The Vulnerability Tax

The second (minor) area where Richard over-extends an analogy and does not abandon it regards the vulnerability tax. To quote Richard directly:

Why weren't auto makers taxed for "unsafe" cars? If cars were being bombed on the highway, would auto makers be taxed?

In this case, the analogy of “cars being bombed” does not entirely fit because when I speak of a vulnerability tax, I treat vulnerabilities like pollution – an inevitable part of the manufacturing process and an entirely different analogy.

The pollution analogy helps us to understand that perfect software is not possible (just like pollution free manufacturing is not possible). We can still do something about it, however.

Without a carbon tax, manufactures have little incentive to reduce carbon emissions thus making the global environment worse off. Likewise, without an equivalent tax for software vulnerabilities (or something like it), manufacturers have little incentive to reduce “vulnerability emissions” thus making the environment of cyberspace worse off.

Arguably, the “cars being bombed” analogy is over-extended here: Manufacturing defects in automobiles do not elicit a corresponding bomb or crowbar to attack the defect like it does in software (as discussed at length above). As such, taxation of a manufacturer due to adversaries dropping bombs is nonsensical not because taxation is inherently nonsensical, but because the analogy is over-extended.

But we can rescue the “cars being bombed” analogy to a certain extent. To reiterate the discussion above, without a software defect, a corresponding exploit  is almost impossible to build (as we understand it today). How then to discourage bomb building? Tax vulnerabilities to create greater incentive to reduce the number of bombs. Fewer vulnerabilities possibly means fewer incentives to build bombs and the advantages attackers gain by “dropping” them.

One final point needs addressing: Why aren’t auto makers taxed for “unsafe” cars? In fact, they are. The tax is applied when an auto manufacturer chooses to make an unsafe car. How? Car buyers tend to shy away from vehicles with low NHTSA safety ratings, thus making it more expensive for the manufacturer to make an “unsafe” car (which does not sell as well) than to make a “safe” car (which sells very well in comparison). Also, auto makers are not insulated from liability which imposes another tax should they choose to put a defective car into the global stream of commerce.

The “unsafe tax” then, manifests itself in the form of lower sales for vehicles with lower safety ratings or through court-awarded damages. To avoid the “unsafe tax” manufacturers make better quality and safer cars. In fact, nearly 90 percent of all cars in the United States are four or five-star rated. This is a direct consequence of auto manufacturers attempting to avoid the “unsafe tax.”

The problem with software at this point in time is that buyers cannot choose between “safe” and “unsafe” software because there is no safety/security rating. In other words, “good” and “bad” software are indistinguishable by market participants. This makes it relatively inexpensive for software manufactures to flood the market with “bad” software because there is not a corresponding loss in sales as there is for auto-manufactures.

There is much to work out in the vulnerability taxation model. Arguably, while a vulnerability tax seems unworkable now, it does not need remain that way. It requires plenty of (more) discussion to discover what may, in fact, work.

Opens Source: Binary are Not Easy to Read

Richard states the following:

As far as open source goes (ch 6), the author makes several statements which show he does not understand the open source world. First, on p 247 the author states "While a binary is easy for a computer to read, it is tremendously difficult for a person -- even the original developer -- to understand." This is absolutely false, and the misunderstandings continue in the same paragraph. Reverse engineering techniques can determine how binaries operate, even to the point that organizations like the Zeroday Emergency Response Team (ZERT) provide patches for Microsoft vulnerabilities without having access to source code!

Given the target audience of Geekonomics (non-technical, business), I carefully choose to omit discussion of binary decompilation. Richard brings up a good point, though I consider it a technical nuance outside the primary focus of Chapter 6. Let’s talk about it here.

A software binary is not easily read by a human. How do I know? Because a majority of software developers do not know (or need to know) assembly language.

For the benefit of less-technically experienced readers of this blog, computer chips (or microchips) need instructions to do work. These instructions come in the form of operation codes - otherwise known as "op codes" - such as push, pop, add, sub(tract), shift left, shift right, and so on. The sequence of these op-codes is the totality of a shipped software application (a software binary). The microchip executes these instructions and thus accomplishes work.

Once upon a time, the only way to write software was in assembly. More advanced languages like C and C++ (known as 3rd generation languages) allowed developers to write code much more easily and intuitively than does assembly language. A software compiler translates human readable source code into machine-readable instructions, or op codes. As such, direct experience with assembly language is much less common now than “in the old days.”

Does this mean software binaries cannot be read by humans? No. Tools like SoftICE, IDAPro, and others allow us to reverse engineer binaries to figure out what they do. But because we have tools like these does not mean binaries are easily readable by a majority of the populace.

In fact, I would argue, based on my own experience, that if I gave the machine instructions (the op codes) of a given software application to the software developers who wrote the original software application, it might be days before they would recognize these instructions as coming from their own application (even if they knew assembly). Might some developers figure it out quickly? Sure, but many would not, and have not. This is what I meant when I stated, "While a binary is easy for a computer to read, it is tremendously difficult for a person -- even the original developer -- to understand”.

The fact that binaries can be read does not mean it is easily readable for a majority of market participants. Once upon a time @stake tried to write a binary analysis tool to check commercial software for vulnerabilities. The tool, and many like it, are chock full of inconsistencies not because the tool is necessarily bad, but because trying to figure out what a binary actual accomplishes can be quite cumbersome and difficult.

In short, the binary format forestalls the ability to reconstitute op-codes into the original source code thus making binaries much more difficult for a human to understand. This is, of course, why open source promotes the benefits of open source…because it is easier to understand and modify an application with the original source code than by market participants taking the time and effort to reverse-engineer a binary and then byte patch it.

At base, shipping software in binary form is simply a delay tactic on the part of commercial/proprietary software manufacturers. It is an effective tactic nonetheless. Can binaries be reverse-engineered? Certainly. How else do we figure out how malware works or get to play games for free by reversing the registration algorithm (or find vulnerabilities in the first place)?

But it is not necessarily a common skill set because 3rd, 4th, and 5th generation languages have reduced the need to know assembly among a vast majority of developers. It is also a skill that is not easily learned. Even when it is learned, it can be time-consuming and expensive in both time and resources to undertake. And that is really the advantage of shipping binaries for proprietary software manufacturers. If everyone could read assembly language and intuitively understand what it does, well, then, binaries would not be tremendously difficult to read, we would not need higher level languages to increase our productivity, and the advantage of shipping binaries would disappear. But this is not the case.

Open Source: The Misconception of First-time Innovation

Richard comments on first time innovation:

Second, on p 248 the author states "The essence of open source software is the exact opposite of proprietary software. Open source software is largely an innovation after-the-fact; that is, open source software builds upon an idea already in the marketplace that can be easily replicated or copied." On what planet?

On this planet. The following except is from Forbes magazine, quoting Larry McVoy.

The Open Source Heretic.

…Yet after all these years,[Larry] McVoy has come to believe that the open source business model, which is all the rage these days among computer makers like Hewlett-Packard and IBM cannot generate enough money to support the development of truly innovative software programs…McVoy understands open source as well as anyone on the planet…

But McVoy says it is simply not possible for an innovative software company to sustain itself using an open source business model. "The other problem is that the services model doesn't generate enough revenue to support the creation of the next generation of innovative products. Red Hat has been around for a long time--for a decade now. Yet try to name one significant thing--one innovative product--that has come out of Red Hat."

To be sure, a few open source companies are successfully generating revenue and even (possibly) profits. But none of them generates enough money to do anything really innovative, says McVoy, 43, an industry veteran who has developed operating system software at Sun Microsystems, Silicon Graphics  and Google.

"The open source guys can scrape together enough resources to reverse engineer stuff. That's easy. It's way cheaper to reverse engineer something than to create something new. But if the world goes to 100% open source, innovation goes to zero. The open source guys hate it when I say this, but it's true."

The viewpoint espoused in Geekonomics is based not on a personal misconception of the open source world, but on recognized criticisms of open source practices by technology members both within and outside the open source community.

Is it possible for open source model to be innovative? Absolutely. Plenty of other articles espouse how the open source model supports all sorts of innovation. Whether open source is a strong first-time innovator in the software world however, is open to debate as McVoy's comments demonstrate.

Regardless, whether open source is a strong first-time innovator or not, open source software exhibits the same tendencies as commercial vendors in releasing preventable defects into the global stream of commerce. This is the issue of greatest concern to me. I would tend to argue that innovators should innovate on this issue, and not on another desktop or operating system variant. But the incentives must be different in order for this to happen.

Open Source: The Threat of Project Foreclosure

The next comment by Richard is:

Third, on p 263 the author states "[O]pen source projects are almost always threatened by foreclosure," meaning if the developer loses interest the users are doomed. That claim totally misses the power of open source. When a proprietary software vendor stops coding a product, the customers are out of luck. When an open source software developer stops coding a product, the customers are NOT out of luck. They can 1) hope someone else continues the project; 2) try continuing the project themselves; or 3) hire someone else to continue developing the product.

I believe I understand what Richard is trying to say here. Open source gives companies options they would otherwise not have with proprietary software vendors. Companies can hope to find another volunteer developer with the same “itch” as the one that abandoned the original project. Also, companies can choose to take on the project themselves or hire someone else to do so. But what if company cannot do any of the above? The fourth option might be:

4) Be grumpy.

The presence of options does not remove the threat of foreclosure. Option 4 is still possible. Foreclosure is always a threat for any endeavor, but perhaps more so in the open source world because of the idiosyncrasies of individual volunteer developers. Of the 130,000 or so projects on SourceForge, only a few hundred are active. That is a lot of foreclosure. Of those projects that are active, profit margins are thin as McVoy calls out in the Forbes article thus questioning the sustainability of any given open source project. The threat of foreclosure is still very real unless the project has a deep-pocketed benefactor. Hope does not necessarily make a good business model for those choosing to use open source software.

But Richard touches a much broader issue that needs addressing. While the argument “we provide life cycle options proprietary vendors do not” sounds reasonable, it is far from economically vibrant.

At bottom, the argument for “the power of open source” is actually an economically backwards model. In other words, the “benefit” of open source software is that everyone is poorer because of it. This is hardly a benefit. This statement may sound incomprehensible at first, but let’s look at the “life cycle options argument” from an economic perspective to understand why the “benefit” of open source, as stated above, perhaps is not.

When a commercial (i.e. proprietary) software manufacturer stops coding a project it is most likely because it no longer makes financial sense to do so. I would argue that companies are not in the habit of killing profitable endeavors arbitrarily, so killing a less-profitable project is necessary to pursue other projects that are more profitable. This behavior is economically efficient. Markets are in the habit of producing what people want, not what they need. Why should a manufacturer put resources into a product for which there is no compelling demand and therefore no potential profits? It may sound heartless, even greedy, but it is one the reasons why we have more products than we can ever imagine and an economy that is robust, deep, and wide.

A failed (or defunct) product is actually good news for the market because resources that were tied up in the old product’s production are now free to be used in other places. This is very important for economic progress. Labor and capital can be moved to more productive pursuits. More liquidity in labor and capital can potentially mean a more responsive market. In general, this is good for consumers. But what about specifically?

Are the buyers of a now-defunct or failed product out of luck?

You bet. But consumers as a whole are better off because now labor and capital is available to make more appealing (and more profitable or more fulfilling) products elsewhere.

Look at it this way, a very important reason why a person can buy a new 2008 Honda Accord is because Honda stopped making 2007 Honda Accords. A very important reason why a person can buy a new DVD player is because some manufacturer somewhere stopped making VHS players. A very important reason why I have an iPod is because Apple stopped making its less profitable products.

Markets respond to demand and forsake less profitable endeavors. This model leads to economic vibrancy for everyone even though individual consumers might appear to be worse off at first.

Based on the "options argument" above, the notion that when an open source software developer stops coding a product the customers are NOT out of luck, is ruinous. Why? Because this practice transforms demand into need, and this makes everyone worse off.

Under the "options argument," instead of abandoning a defunct product, companies are encouraged to bind their labor and capital in less productive pursuits; that is, assigning time and resources into keeping a defunct project alive.

The customer is NOT out of luck precisely because the customer must now find a developer to satisfy their need for a new project leader or developer. Everyone else is worse off precisely because of this. The customer unfortunately picked a project that, for one reason or another, is now defunct. Instead of abandoning the defunct product, the customer must now invest in maintaining a declining status quo (as newer better products come out, status quo inevitably goes down).

Given the incentives model of open source, developers commit to a project to “scratch an itch” or to build "geek cred." When a software developer forgoes pursuing her “itch” it is probably because of a number of factors, one of those factors potentially being that she longer sees any advantage in doing so. Something better came along...she saw demand in another spot, money to be made pursuing something else, or another itch that needed to be scratched, and so the current project is laid to rest. This is the great strength of open source: labor liquidity to the extreme. But as I stated in Geekonomics, it may also be one factor for open source’s undoing. Let’s find out why.

For another software developer to satisfy the customer’s need, its means that this very same replacement developer is not available to satisfy market demand for better, more fulfilling products somewhere else. This robs other more promising software projects of labor as well as robs the market of better products.

When demand is reduced (that is, demand is downgraded into need), every one in the market is worse off because of it. This means products that could be made are not because labor is tied up in a pursuit that is no longer meeting a demand. So the need is met, but to meet the need, something else must be forsaken.

What is that something else? Demand for other things. It’s hard to tell exactly what might be forsaken because we cannot predict the future. But we can guess from past circumstances. If Apple did not forsake its less profitable products, would it have created the iPod? The simplistic answer is “no.”

Think about it this way: A need is a diversion of demand. Demand creates new products; it enriches our lives and expands the economy. Need simply attempts to maintain status quo. There is nothing wrong with need. We all have needs that must be satisfied to one extent or another. But as an economic model, need is far from vibrant and enriching. It is more Soviet than anything else.

Under the “options argument,” thousands of people can keep the software-equivalent of a 1960s Chevy or half-complete kit car on the roadway even though the car is less efficient, less safe, and robs other manufacturers/projects of valuable labor.

So I would tend to argue the “power of open source” is not nearly the benefit the “options argument” suggests. It is good for some companies. This is not in doubt. But it can also potentially rob the market of labor, capital, and future products. As such, everyone is just that much poorer because of it.

So, if a commercial vendor forecloses a project, some consumers are screwed, yes. If an open source project is foreclosed, the adopter might not be screwed, true. But everyone else is. In light of this, life-support for defunct projects should be rightly questioned as a benefit.

I have no issue with the "options argument" when a given open source project is meeting demand largely because options 1, 2, and 3 are moot in such circumstances. New developers must be found to meet the market demand.

In the end, markets make what we want, not what we need. Does this mean we ignore need? No.  But it is not a pathway to greater wealth. The power of open source is its ability to aggressively meet new demand through its extreme labor liquidity, not to provide life-support for products in which demand has ebbed.

Open Source: Personal Liability

To close out the open source discussion, Richards’s final comment is:

Finally, if the author is worried about open source projects not having an organization upon which liability could be enforced, he should consider the many vendors who sell open source software.

This is true. The liability argument in Chapter 6 was more focused on personal liability and the comments from the UK story it was pulled from. Indeed, liability can be assigned to open source vendors, as is suggested in Chapter 5.

Conclusion
Wow. That was a long read. I hope it was informative (as well as enjoyable). Richard provided great points for discussion and I’m grateful for his thoughts.

Geekonomics cannot and does not attempt to answer all questions regarding security in general and software assurance in particular, but I agree with Richard, it is powerful that we can have the discussion at all.