{"id":4396,"date":"2002-01-08T10:54:22","date_gmt":"2002-01-08T16:54:22","guid":{"rendered":"https:\/\/blog.socialmediaperformancegroup.com\/?p=4396"},"modified":"2002-01-08T10:54:22","modified_gmt":"2002-01-08T16:54:22","slug":"stratvantage-news-010802","status":"publish","type":"post","link":"https:\/\/stratvantage.com\/index.php\/2002\/01\/08\/stratvantage-news-010802\/","title":{"rendered":"StratVantage &#8211; The News \u2013 01\/08\/02"},"content":{"rendered":"<div id=\"bodyContent\">\n<div id=\"box\">\n<div id=\"box_inner\">\n<div id=\"text\">\n<div id=\"pages\">\n<div id=\"page1\" class=\"page\">\n<div class=\"page_content\">\n<h2 id=\"articleHeader\">\u00a0<b><i>Software Quality and Cyberterror Threats, Part 4<\/i><\/b><\/h2>\n<p>In the last three SNS issues, I discussed the huge task confronting Richard Clarke, the counter-terrorism expert in charge of the president&#8217;s <a href=\"http:\/\/www.iwar.org.uk\/cip\/resources\/bush\/executive-order.htm\" target=\"_blank\">Critical Infrastructure Protection Board<\/a>, made the assertion that security problems are really software quality problems, and examined some of the reasons why the software industry pays so little attention to these problems. I also took a look at the industry\u2019s response to the rising epidemic of worms and viruses. In this final installment, I consider some current forces militating against software quality and security, and look at two possible future scenarios.<\/p>\n<p>Let\u2019s focus for a moment on potential legal remedies for security bugs. In a perfect world, wouldn\u2019t we make software companies responsible for the quality of their products? This doesn\u2019t seem to be too much to ask. If Firestone makes truck tires that disintegrate, isn\u2019t it natural to hold them accountable? 
If a software defect allows a virus to cause a billion dollars of damage, shouldn\u2019t the vendor compensate the victims or at least be liable in some way?<\/p>\n<p>When you look at it, there\u2019s really no reason why software should be exempt from the kind of product quality legislation in place for things like tires, washing machines, cars, ladders, airplanes, and pretty much every other thing we buy. But then again, a far worse product, cigarettes, is not held to these standards, and so don\u2019t hold your breath waiting for this level of legal solution.<\/p>\n<p>In fact, things are headed in the exact opposite direction. The States are beginning to adopt a proposed standard body of law that addresses software and other electronic products. It\u2019s called UCITA, the Uniform Computer Information Transactions Act, and it was developed by the National Conference of Commissioners on Uniform State Laws (NCCUSL) in 1999. UCITA was designed to create a uniform commercial contract law for electronic products and attempts to be \u201ca cyberspace commercial statute.\u201d It covers shrink-wrap and click through licenses and gives them further strength as contracts.<\/p>\n<p>UCITA is supported by Software &amp; Information Industry Association (SIIA) whose 1,200 member companies represent most of the biggest software and content vendors around \u2013 AOL Time Warner, Apple Computer, LexisNexis, Nokia, Novell, Oracle, and Sun, for example. (Microsoft is conspicuously absent.) The association\u2019s interest in UCITA is consistent with another of their major initiatives, the SPA Anti-Piracy effort. 
In 2000, Virginia and Maryland became the first states to adopt UCITA.<\/p>\n<p>In a summary <a href=\"http:\/\/www.siia.net\/sharedcontent\/govt\/issues\/ucita\/summary.html\" target=\"_blank\">brief<\/a> on the SIIA site, one of the main advantages of UCITA for the software industry becomes apparent:<\/p>\n<p><b>UCITA rejects the &#8220;perfect tender&#8221; rule for commercial licenses. <\/b>One of the problems with Article 2 [of the Uniform Commercial Code] is that it requires delivery of goods that conform to the contract. Software is recognized as a product that cannot be made perfect and that it almost always will have bugs. The existence of bugs in software could violate the perfect tender requirement under Article 2. UCITA eliminates the perfect tender rule and replaces it with a substantial conformance standard. The perfect tender rule is retained for transactions involving consumers.<\/p>\n<p>What? \u201cSoftware is recognized as a product that <b>cannot be made perfect<\/b>\u201d? I\u2019m not ready to agree to that, are you? Yet on the other hand, most products can\u2019t be made perfect. I\u2019m reminded, for example, of the time a printer told me that if I wanted perfect registration (alignment of colors) on a printing job, I\u2019d have to pay more. One could argue that no product can be made perfect, so why is it necessary to grant software a special dispensation to be shoddy?<\/p>\n<p>What\u2019s worse, UCITA\u2019s so-called \u201cself help\u201d provision allows software developers to leave back doors and time bombs in their software as a means to enforce their copyrights or the length of software use. This provision opens such a Pandora\u2019s box of potential security problems that even the framers of UCITA have <a href=\"http:\/\/www.infoworld.com\/articles\/uc\/xml\/02\/01\/03\/020103ucsecurity.xml\" target=\"_blank\">reversed<\/a> themselves and are trying to address this brain-dead provision. 
Yet another provision, the \u201cautomatic restraint\u201d provision, also authorizes back doors and time bombs, with even fewer restraints than the self help provision.<\/p>\n<p>The problems with UCITA also include the prevention of vendor liability, even for gross negligence, for security vulnerabilities, and an implied prohibition against reverse engineering of any kind. Even worse, UCITA applies to content delivered through software as well. Imagine being prohibited from disparaging a movie review you read on AOL, or even from quoting from it.<\/p>\n<p>Free software advocate Richard Stallman <a href=\"http:\/\/www.eff.org\/IP\/DRM\/UCITA_UCC2B\/20000131_fight_ucita_stallman_paper.html\" target=\"_blank\">sums up<\/a> this disaster of a law thusly:<\/p>\n<p>We generally believe that big companies ought to be held to a strict standard of liability to their customers, because they can afford it and because it will keep them honest. On the other hand, individuals, amateurs, and good samaritans should be treated more favorably. UCITA does exactly the opposite. It makes individuals, amateurs, and good samaritans liable, but not big companies.<\/p>\n<p>Is this the kind of future we want, one in which software vendors face no real incentive to deliver bug-free, secure software, one in which software gets less and less reliable, one in which researchers who currently point out software flaws are muzzled and arrested?<\/p>\n<p>In that future, software quality will continue to decline. After all, the law says it can\u2019t be perfected, so why try? In that future, the network will be overrun by \u00fcberworms that make the Code Red worm and other recent malware look like a walk in the park in comparison. In that future, the jails will overflow with legitimate and illegitimate software researchers, script kiddies and superhackers, and penniless college students who ripped off music they couldn\u2019t have afforded to buy anyway. But, hey, it\u2019s not all bad. 
Software and content vendors will prosper. We\u2019ll just have to be happy with what they give us.<\/p>\n<p>Can we afford such a future in the post-9\/11 world? Do you want critical infrastructure systems full of security flaws just waiting for terrorists to exploit them? Do you want the mission-critical systems of your organization running on software created by corporations that have no liability for errors? Are we going to acquiesce and allow bad laws like DMCA and UCITA to tilt the playing field overwhelmingly in the direction of large software corporations?<\/p>\n<p>Or are we going to recognize that software quality is a matter of national security? Are we going to regard as unpatriotic any software vendor that does not make security its highest priority? Are we going to fight for our right to fair and reasonable use, including the ability to analyze software to determine its quality and security?<\/p>\n<p>The choice is ours. It\u2019s an enormous choice, yet most people aren\u2019t aware of the issues. You can help by forwarding this series of articles (<a href=\"http:\/\/www.stratvantage.com\/news\/112801.htm\" target=\"_blank\">part 1<\/a>, <a href=\"http:\/\/www.stratvantage.com\/news\/120601.htm\" target=\"_blank\">part 2<\/a>, <a href=\"http:\/\/www.stratvantage.com\/news\/121901.htm\" target=\"_blank\">part 3<\/a>, <a href=\"http:\/\/www.stratvantage.com\/news\/010802.htm\" target=\"_blank\">part 4<\/a>) to decision-makers you know, or by pointing them to the work of Bruce Schneier, Richard Stallman, the Electronic Frontier Foundation, or virtually any other security expert around. 
You can also support the work of the 26 state Attorneys General and <a href=\"http:\/\/www.cpsr.org\/program\/UCITA\/ucita-fact.html\" target=\"_blank\">others<\/a> that oppose UCITA.<\/p>\n<p><b><i>Briefly Noted<\/i><\/b><\/p>\n<ul>\n<li><b>Shameless Self-Promotion Dept.<\/b>: StratVantage has launched a new service, CTOMentor\u2122, designed to allow Chief Technology Officers and other technical leaders to get rid of the Guilt Stack, that pile of magazines you\u2019ll get around to reading someday. CTOMentor is a subscription advisory service tailored to customers\u2019 industry and personal information needs. Four times a year CTOMentor provides a four-hour briefing for subscribers and their staffs on the most important emerging technology trends that could affect their businesses. As part of the service, subscribers also get a weekly email newsletter, Just the Right Stuff\u2122, containing links to the Top 10 Must Read articles needed to stay current. These and other CTOMentor services will let you Your Inbox\u2122.\n<p>As part of its launch, CTOMentor is offering a two-part white paper on peer-to-peer technology: <i>Peer-to-Peer Computing and Business Networks: More Than Meets the Ear<\/i>. Part 1, <i>What is P2P?<\/i>, is available for free on the CTOMentor <a href=\"http:\/\/www.ctomentor.com\/p2p\/index.html\" target=\"_blank\">Web site<\/a>. Part 2, <i>How Are Businesses Using P2P?<\/i>, is <a href=\"http:\/\/www.ctomentor.com\/p2p\/part2.htm\" target=\"_blank\">available<\/a> for $50.<br \/>\n<a href=\"http:\/\/www.ctomentor.com\/\" target=\"_blank\">CTOMentor<\/a><\/li>\n<li><b>Wireless Security Fixed:<\/b> As <a href=\"http:\/\/www.stratvantage.com\/news\/082901.htm\" target=\"_blank\">previously<\/a> reported in SNS, the Wired Equivalent Privacy (WEP) standard built into 802.11b wireless LANs is a joke. 
So RSA Security and Hifn have developed a technology called \u201cfast packet keying\u201d and announced that their solution has been accepted by the IEEE standards body. The technology generates a unique RC4 key for each data packet sent over the wireless LAN. Geez, it better be fast if it\u2019s going to do that! RSA says the solution can be distributed as a software or firmware patch by wireless LAN vendors, allowing their customers to quickly update the existing vulnerable equipment. Thanks to Alert SNS Reader David Dabbs for the pointer.<br \/>\n<a href=\"http:\/\/www.rsasecurity.com\/news\/pr\/011217-2.html\" target=\"_blank\">RSA<\/a><\/li>\n<li><b>Another Bad Trademark Granted:<\/b> Well, now I\u2019m going to try to trademark the word \u201cthe.\u201d If there\u2019s a more brain-dead section of government than the US Patent and Trademark Office, I\u2019d like to see it. Now there\u2019s a legal battle being waged over who has the right to use the word \u201cEntrepreneur.\u201d Everyone who uses this word is now subject to a lawsuit from the media group that publishes Entrepreneur Magazine. Minnesota Entrepreneurs President Ed Palmer notes the irony of the situation. \u201cYes, I know \u2014 how could this be? An organization that purports to support entrepreneurs sues entrepreneurs? Quite perverse, yet true. By the way, long before this trademark was filed for, The Minnesota Entrepreneurs were engaged in using the name. What\u2019s up with this trademark?\u201d<br \/>\n<a href=\"http:\/\/www.entrepreneurs.com\/free2.html\" target=\"_blank\">MN Entrepreneurs<\/a><\/li>\n<li><b>Spin Doctors*: <\/b>The California NanoSystems Institute, a joint effort of The University of California at Los Angeles and University of California at Santa Barbara, recently reported that it can now electronically control the &#8220;spin&#8221; of an electron. 
This breakthrough could mean extremely fast, dense, low heat electronics, since changing the spin takes an infinitesimal amount of energy compared to moving the charge in a wire back and forth, according to the company.<br \/>\n(*That headline was inevitable, wasn\u2019t it?)<br \/>\n<a href=\"http:\/\/www.smalltimes.com\/document_display.cfm?document_id=2710\" target=\"_blank\">Small Times<\/a><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div id=\"background\"><\/div>\n<\/div>\n<div id=\"extra__ui__basics\"><\/div>\n<div id=\"extra__ui\"><\/div>\n","protected":false},"excerpt":{"rendered":"<p>\u00a0Software Quality and Cyberterror Threats, Part 4 In the last three SNS issues, I discussed the huge task confronting Richard Clarke, the counter-terrorism expert in charge of the president&#8217;s Critical Infrastructure Protection Board, made the assertion that security problems are really software quality problems, and examined some of the reasons why the software industry pays &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/stratvantage.com\/index.php\/2002\/01\/08\/stratvantage-news-010802\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;StratVantage &#8211; The News \u2013 
01\/08\/02&#8221;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-4396","post","type-post","status-publish","format-standard","hentry","category-sns"],"_links":{"self":[{"href":"https:\/\/stratvantage.com\/index.php\/wp-json\/wp\/v2\/posts\/4396","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/stratvantage.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/stratvantage.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/stratvantage.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/stratvantage.com\/index.php\/wp-json\/wp\/v2\/comments?post=4396"}],"version-history":[{"count":0,"href":"https:\/\/stratvantage.com\/index.php\/wp-json\/wp\/v2\/posts\/4396\/revisions"}],"wp:attachment":[{"href":"https:\/\/stratvantage.com\/index.php\/wp-json\/wp\/v2\/media?parent=4396"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/stratvantage.com\/index.php\/wp-json\/wp\/v2\/categories?post=4396"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/stratvantage.com\/index.php\/wp-json\/wp\/v2\/tags?post=4396"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}