Software Quality and Cyberterror Threats, Part 4
In the last three SNS issues, I discussed the huge task confronting Richard Clarke, the counter-terrorism expert in charge of the president’s Critical Infrastructure Protection Board, made the assertion that security problems are really software quality problems, and examined some of the reasons why the software industry pays so little attention to these problems. I also took a look at the industry’s response to the rising epidemic of worms and viruses. In this final installment, I consider some current forces militating against software quality and security, and look at two possible future scenarios.
Let’s focus for a moment on potential legal remedies for security bugs. In a perfect world, wouldn’t we make software companies responsible for the quality of their products? This doesn’t seem to be too much to ask. If Firestone makes truck tires that disintegrate, isn’t it natural to hold them accountable? If a software defect allows a virus to cause a billion dollars of damage, shouldn’t the vendor compensate the victims or at least be liable in some way?
When you look at it, there’s really no reason why software should be exempt from the kind of product quality legislation in place for things like tires, washing machines, cars, ladders, airplanes, and pretty much every other thing we buy. But then again, a far worse product, cigarettes, is not held to these standards, and so don’t hold your breath waiting for this level of legal solution.
In fact, things are headed in the exact opposite direction. The States are beginning to adopt a proposed standard body of law that addresses software and other electronic products. It’s called UCITA, the Uniform Computer Information Transactions Act, and it was developed by the National Conference of Commissioners on Uniform State Laws (NCCUSL) in 1999. UCITA was designed to create a uniform commercial contract law for electronic products and attempts to be “a cyberspace commercial statute.” It covers shrink-wrap and click through licenses and gives them further strength as contracts.
UCITA is supported by Software & Information Industry Association (SIIA) whose 1,200 member companies represent most of the biggest software and content vendors around – AOL Time Warner, Apple Computer, LexisNexis, Nokia, Novell, Oracle, and Sun, for example. (Microsoft is conspicuously absent.) The association’s interest in UCITA is consistent with another of their major initiatives, the SPA Anti-Piracy effort. In 2000, Virginia and Maryland became the first states to adopt UCITA.
In a summary brief on the SIIA site, one of the main advantages of UCITA for the software industry becomes apparent:
UCITA rejects the “perfect tender” rule for commercial licenses. One of the problems with Article 2 [of the Uniform Commercial Code] is that it requires delivery of goods that conform to the contract. Software is recognized as a product that cannot be made perfect and that it almost always will have bugs. The existence of bugs in software could violate the perfect tender requirement under Article 2. UCITA eliminates the perfect tender rule and replaces it with a substantial conformance standard. The perfect tender rule is retained for transactions involving consumers.
What? “Software is recognized as a product that cannot be made perfect”? I’m not ready to agree to that, are you? Yet on the other hand, most products can’t be made perfect. I’m reminded, for example, of the time a printer told me that if I wanted perfect registration (alignment of colors) on a printing job, I’d have to pay more. One could argue that no product can be made perfect, so why is it necessary to grant software a special dispensation to be shoddy?
What’s worse, UCITA, the so-called “self help” provision, allows software developers to leave back doors and time bombs in their software as a means to enforce their copyrights or the length of software use. This provision opens such a Pandora’s box of potential security problems that even the framers of UCITA have reversed themselves and are trying to address this brain-dead provision. Yet another provision, the “automatic restraint” provision also authorizes back doors and time bombs, with even fewer restraints than the self help provision.
The problems with UCITA also include the prevention of vendor liability, even through gross negligence, for security vulnerabilities, and an implied prohibition against reverse engineering of any kind. Even worse, UCITA applies to content delivered through software as well. Imagine being prohibited from disparaging a movie review you read on AOL, or even from quoting from it.
Free software advocate Richard Stallman sums up this disaster of a law thusly:
We generally believe that big companies ought to be held to a strict standard of liability to their customers, because they can afford it and because it will keep them honest. On the other hand, individuals, amateurs, and good samaritans should be treated more favorably. UCITA does exactly the opposite. It makes individuals, amateurs, and good samaritans liable, but not big companies.
Is this the kind of future we want, one in which software vendors face no real incentive to deliver bug-free, secure software, one in which software gets less and less reliable, one in which researchers who currently point out software flaws are muzzled and arrested?
In that future, software quality will continue to decline. After all, the law says it can’t be perfected, so why try? In that future, the network will be overrun by berworms that make the Code Red worm and other recent malware look like a walk in the park in comparison. In that future, the jails will overflow with legitimate and illegitimate software researchers, script kiddies and superhackers, and penniless college students who ripped off music they couldn’t have afforded to buy anyway. But, hey, it’s not all bad. Software and content vendors will prosper. We’ll just have to be happy with what they give us.
Can we afford such a future in the post-9/11 world? Do you want critical infrastructure systems full of security flaws just waiting for terrorists to exploit them? Do you want the mission critical systems of your organization running on software created by corporations that have no liability for errors? Are we going to acquiesce and allow bad laws like DMCA and UCITA to tilt the playing field overwhelmingly in the direction of large software corporations?
Or are we going to recognize that software quality is a matter of national security? Are we going to regard as unpatriotic any software vendor that does not make security its highest priority? Are we going to fight for our right to fair and reasonable use, including the ability to analyze software to determine its quality and security?
The choice is ours. It’s an enormous choice, yet most people aren’t aware of the issues. You can help by forwarding this series of articles (part 1, part 2, part 3,part 4) to decision-makers you know, or by pointing them to the work of Bruce Schneier, Richard Stallman, the Electronic Frontier Foundation, or virtually any other security expert around. You can also support the work of the 26 state Attorneys General and others that oppose UCITA
- Shameless Self-Promotion Dept.: StratVantage has launched a new service, CTOMentor™, designed to allow Chief Technology Officers and other technical leaders to get rid of the Guilt Stack, that pile of magazines you’ll get around to reading someday.CTOMentor is a subscription advisory service tailored to customers’ industry and personal information needs. Four times a year CTOMentor provides a four-hour briefing for subscribers and their staffs on the most important emerging technology trends that could affect their businesses. As part of the service, subscribers also get a weekly email newsletter, Just the Right Stuff™, containing links to the Top 10 Must Read articles needed to stay current. These and other CTOMentor services will let you Your Inbox™.
As part of its launch, CTOMentor is offering a two part white paper on peer-to-peer technology: Peer-to-Peer Computing and Business Networks: More Than Meets the Ear. Part 1, What is P2P?, is available for free on the CTOMentor Web site. Part 2, How Are Businesses Using P2P?, is available for $50.
- Wireless Security Fixed: As previously reported in SNS, the Wired Equivalent Privacy (WEP) standard built into 802.11b wireless LANs is a joke. So RSA Security and Hifn have developed a technology called “fast packet keying” and announced that their solution has been accepted by the IEEE standards body. The technology generates a unique RC4 key for each data packet sent over the wireless LAN. Geez, it better be fast if it’s going to do that! RSA says the solution can be distributed as a software or firmware patch by wireless LAN vendors, allowing their customers to quickly update the existing vulnerable equipment. Thanks to Alert SNS Reader David Dabbs for the pointer.
- Another Bad Trademark Granted: Well, now I’m going to try to trademark the word “the.” If there’s a more brain-dead section of government than the US Patents and Trademarks Office, I’d like to see it. Now there’s a legal battle being waged over who has the right to use the word “Entrepreneur.”Everyone who uses this word is now subject to a lawsuit from the media group that publishes Entrepreneur Magazine. Minnesota Entrepreneurs President Ed Palmer notes the irony of the situation. “Yes, I know — how could this be?An organization that purports to support entrepreneurs sues entrepreneurs?Quite perverse, yet true. By the way, long before this trademark was filed for, The Minnesota Entrepreneurs were engaged in using the name. What’s up with this trademark?”
- Spin Doctors*: TheCalifornia NanoSystems Institute, a joint effort of The University of California at Los Angeles and University of California at Santa Barbara, recently reported that it can now electronically control the “spin” of an electron. This breakthrough could mean extremely fast, dense, low heat electronics, since changing the spin takes an infinitesimal amount of energy compared to moving the charge in a wire back and forth, according to the company.
(*That headline was inevitable, wasn’t it?)