Be on the wave or under it™
News – 01/08/02
and Cyberterror Threats, Part 4
In the last three SNS issues, I discussed the
huge task confronting Richard Clarke, the counter-terrorism expert in
charge of the president's Critical
Infrastructure Protection Board, made the assertion that security
problems are really software quality problems, and examined some of the
reasons why the software industry pays so little attention to these
problems. I also took a look at the industry’s response to the rising
epidemic of worms and viruses. In this final installment, I consider some
current forces militating against software quality and security, and look
at two possible future scenarios.
Let’s focus for a moment on potential legal
remedies for security bugs. In a perfect world, wouldn’t we make software
companies responsible for the quality of their products? This doesn’t seem
to be too much to ask. If Firestone makes truck tires that disintegrate,
isn’t it natural to hold them accountable? If a software defect allows a
virus to cause a billion dollars of damage, shouldn’t the vendor compensate
the victims or at least be liable in some way?
When you look at it, there’s really no reason why
software should be exempt from the kind of product quality legislation in
place for things like tires, washing machines, cars, ladders, airplanes,
and pretty much every other thing we buy. But then again, a far worse
product, cigarettes, is not held to these standards, and so don’t hold your
breath waiting for this level of legal solution.
In fact, things are headed in the exact opposite
direction. The States are beginning to adopt a proposed standard body of
law that addresses software and other electronic products. It’s called UCITA,
the Uniform Computer Information Transactions Act, and it was developed by
the National Conference of Commissioners on Uniform State Laws (NCCUSL) in
1999. UCITA was designed to create a uniform commercial contract law for electronic
products and attempts to be “a cyberspace commercial statute.” It covers shrink-wrap
and click through licenses and gives them further strength as contracts.
UCITA is supported by Software & Information
Industry Association (SIIA) whose 1,200 member companies represent most of
the biggest software and content vendors around – AOL Time Warner, Apple
Computer, LexisNexis, Nokia, Novell, Oracle, and Sun, for example.
(Microsoft is conspicuously absent.) The association’s interest in UCITA is
consistent with another of their major initiatives, the SPA Anti-Piracy
effort. In 2000, Virginia and Maryland became the first states to adopt
In a summary brief
on the SIIA site, one of the main advantages of UCITA for the software
industry becomes apparent:
UCITA rejects the "perfect tender"
rule for commercial licenses. One of the problems with Article 2 [of
the Uniform Commercial Code] is that it requires delivery of goods that
conform to the contract. Software is recognized as a product that cannot be
made perfect and that it almost always will have bugs. The existence of
bugs in software could violate the perfect tender requirement under Article
2. UCITA eliminates the perfect tender rule and replaces it with a
substantial conformance standard. The perfect tender rule is retained for
transactions involving consumers.
What? “Software is recognized as a product that cannot
be made perfect”? I’m not ready to agree to that, are you? Yet on the
other hand, most products can’t be made perfect. I’m reminded, for example,
of the time a printer told me that if I wanted perfect registration
(alignment of colors) on a printing job, I’d have to pay more. One could
argue that no product can be made perfect, so why is it necessary to grant
software a special dispensation to be shoddy?
What’s worse, UCITA, the so-called “self help”
provision, allows software developers to leave back doors and time bombs in
their software as a means to enforce their copyrights or the length of
software use. This provision opens such a Pandora’s box of potential security
problems that even the framers of UCITA have reversed
themselves and are trying to address this brain-dead provision. Yet another
provision, the “automatic restraint” provision also authorizes back doors
and time bombs, with even fewer restraints than the self help provision.
The problems with UCITA also include the
prevention of vendor liability, even through gross negligence, for security
vulnerabilities, and an implied prohibition against reverse engineering of
any kind. Even worse, UCITA applies to content delivered through software
as well. Imagine being prohibited from disparaging a movie review you read
on AOL, or even from quoting from it.
Free software advocate Richard Stallman sums
up this disaster of a law thusly:
We generally believe that big companies ought
to be held to a strict standard of liability to their customers, because
they can afford it and because it will keep them honest. On the other hand,
individuals, amateurs, and good samaritans should be treated more
favorably. UCITA does exactly the opposite. It makes individuals, amateurs,
and good samaritans liable, but not big companies.
Is this the kind of future we want, one in which
software vendors face no real incentive to deliver bug-free, secure
software, one in which software gets less and less reliable, one in which
researchers who currently point out software flaws are muzzled and arrested?
In that future, software quality will continue to
decline. After all, the law says it can’t be perfected, so why try? In that
future, the network will be overrun by überworms that make the Code Red worm and other recent
malware look like a walk in the park in comparison. In that future, the
jails will overflow with legitimate and illegitimate software researchers,
script kiddies and superhackers, and penniless college students who ripped
off music they couldn’t have afforded to buy anyway. But, hey, it’s not all
bad. Software and content vendors will prosper. We’ll just have to be happy
with what they give us.
Can we afford such a future in the post-9/11 world?
Do you want critical infrastructure systems full of security flaws just
waiting for terrorists to exploit them? Do you want the mission critical
systems of your organization running on software created by corporations
that have no liability for errors? Are we going to acquiesce and allow bad
laws like DMCA and UCITA to tilt the playing field overwhelmingly in the
direction of large software corporations?
Or are we going to recognize that software
quality is a matter of national security? Are we going to regard as
unpatriotic any software vendor that does not make security its highest
priority? Are we going to fight for our right to fair and reasonable use,
including the ability to analyze software to determine its quality and
The choice is ours. It’s an enormous choice, yet
most people aren’t aware of the issues. You can help by forwarding this
series of articles (part
1, part 2, part 3, part 4) to decision-makers
you know, or by pointing them to the work of Bruce Schneier, Richard
Stallman, the Electronic Frontier Foundation, or virtually any other
security expert around. You can also support the work of the 26 state Attorneys
General and others
that oppose UCITA
Self-Promotion Dept.: StratVantage has launched a new
service, CTOMentor™, designed to allow Chief Technology Officers and other technical
leaders to get rid of the Guilt Stack, that pile of magazines you’ll get
around to reading someday.
CTOMentor is a subscription advisory service tailored to customers’
industry and personal information needs. Four times a year CTOMentor
provides a four-hour briefing for subscribers and their staffs on the most
important emerging technology trends that could affect their businesses. As
part of the service, subscribers also get a weekly email newsletter, Just
the Right Stuff™, containing links to the Top 10 Must Read articles needed
to stay current. These and other CTOMentor services will let you Burn Your Inbox™.
As part of its launch, CTOMentor is offering a two part white paper on
peer-to-peer technology: Peer-to-Peer Computing and Business Networks:
More Than Meets the Ear. Part 1, What is P2P?, is available for
free on the CTOMentor Web
site. Part 2, How Are Businesses Using P2P?, is available for $50.
Security Fixed: As previously reported
in SNS, the Wired Equivalent Privacy (WEP) standard built into 802.11b wireless
LANs is a joke. So RSA Security and Hifn have developed a technology called
“fast packet keying” and announced that their solution has been accepted by
the IEEE standards body. The technology generates a unique RC4 key for each
data packet sent over the wireless LAN. Geez, it better be fast if it’s
going to do that! RSA says the solution can be distributed as a software or
firmware patch by wireless LAN vendors, allowing their customers to quickly
update the existing vulnerable equipment. Thanks to Alert SNS Reader David
Dabbs for the pointer.
Bad Trademark Granted: Well, now I’m going to try to trademark the word
“the.” If there’s a more brain-dead section of government than the US
Patents and Trademarks Office, I’d like to see it. Now there’s a legal
battle being waged over who has the right to use the word
“Entrepreneur.” Everyone who uses
this word is now subject to a lawsuit from the media group that publishes
Entrepreneur Magazine. Minnesota Entrepreneurs President Ed Palmer notes
the irony of the situation. “Yes, I know — how could this be? An organization that purports to support
entrepreneurs sues entrepreneurs?
Quite perverse, yet true. By the way, long before this trademark was
filed for, The Minnesota Entrepreneurs were engaged in using the name. What’s
up with this trademark?”
Doctors*: The California NanoSystems Institute, a
joint effort of The University of California at Los Angeles and University
of California at Santa Barbara, recently reported that it can now electronically
control the "spin" of an electron. This breakthrough could mean extremely
fast, dense, low heat electronics, since changing the spin takes an infinitesimal
amount of energy compared to moving the charge in a wire back and forth,
according to the company.
was inevitable, wasn’t it?)
Return to Mike’s