[iwar] [fc:Attacks.Prompt.Debate.Over.Software.Security:.Should.vendors.be.held.accountable?]

From: Fred Cohen (fc@all.net)
Date: 2001-10-15 17:36:18



Attacks Prompt Debate Over Software Security: Should vendors be held accountable?

By Patrick Thibodeau, ComputerWorld, 10/15/2001
http://www.computerworld.com/storyba/0,4125,NAV47_STO64757,00.html

Software security standards are virtually nonexistent, and resistance to
them is certain to be stiff. But the threat of terrorist-related
cyberattacks has prompted new debate on whether software makers can be
forced to make better products.

End users and security experts want better products, especially after
the Sept. 11 attacks on the U.S. and subsequent warnings about computer
infrastructure security.

However, unlike cars, which are required to meet government safety
standards, or new drugs, which aren't released until fully tested,
software faces no such review.

"Immunity breeds no responsibility," said Michael Rustad, who heads the
high technology law program at Suffolk University Law School in Boston.
He added that the Uniform Computer Information Transaction Act (UCITA),
if widely adopted by states, would hurt warranty protections. UCITA has
been adopted in Virginia and Maryland.

"There needs to be some kind of remedy for software failure, especially
when it comes to security," Rustad said.

But there is no consensus on what could be done to get software vendors
to improve product security.

Government agencies have tried to define security standards and
features, but those efforts can't overcome the complexity of
interconnected systems, said Richard Pethia, director of the CERT
Coordination Center at Carnegie Mellon University in Pittsburgh.

"It's not that these products lack the right features, it's that they
fall down in the implementation," he said. On the other hand, "there are
bugs in the software," he added.

One solution is to give software developers more training on security,
said Faburn Fox, a security planning and architecture manager at the
Bank of Hawaii in Honolulu.

"A lot of the problem comes from programmers not having an understanding
of the security piece when they are writing code," said Fox.

William Wulf, president of the Washington-based National Academy of
Engineering and a computer security expert, said entirely new approaches
to software development are needed to replace the idea of a Maginot line
or a perimeter-focused system of protection with a more distributed
security system. "Instead of having this perimeter defense, you have
lots of agents running around seeing if something bad is happening and
attacking when it does," said Wulf.

Trying to improve software through increased liability won't necessarily
work, argued Wulf. "I don't believe it's possible to build a secure
system," he said, wondering how vendors can be liable for "something
that can't be done."

The ultimate punishment for bad software, said Harris Miller, president
of the Information Technology Association of America in Arlington, Va.,
is an end-user decision not to buy a particular product. "Failures in
the marketplace can lead to extraordinary punishment," he said.
------------------
http://all.net/ 
This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:55 PST