From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Mon, 15 Oct 2001 17:36:18 -0700 (PDT)
Subject: [iwar] [fc:Attacks.Prompt.Debate.Over.Software.Security:.Should.vendors.be.held.accountable?]
Message-Id: <200110160036.RAA12872@big.all.net>

Attacks Prompt Debate Over Software Security: Should vendors be held accountable?
By Patrick Thibodeau, ComputerWorld, 10/15/2001
http://www.computerworld.com/storyba/0,4125,NAV47_STO64757,00.html

Software security standards are virtually nonexistent, and resistance to them is certain to be stiff. But the threat of terrorist-related cyberattacks has prompted new debate on whether software makers can be forced to make better products.

End users and security experts want better products, especially after the Sept. 11 attacks on the U.S. and subsequent warnings about computer infrastructure security. However, unlike cars, which are required to meet government safety standards, or new drugs, which aren't released until fully tested, software faces no such review.

"Immunity breeds no responsibility," said Michael Rustad, who heads the high technology law program at Suffolk University Law School in Boston. He added that the Uniform Computer Information Transactions Act (UCITA), if widely adopted by states, would hurt warranty protections. UCITA has been adopted in Virginia and Maryland. "There needs to be some kind of remedy for software failure, especially when it comes to security," Rustad said.

But there is no consensus on what could be done to get software vendors to improve product security. Government agencies have tried to define security standards and features, but those efforts can't overcome the complexity of interconnected systems, said Richard Pethia, director of the CERT Coordination Center at Carnegie Mellon University in Pittsburgh. "It's not that these products lack the right features, it's that they fall down in the implementation," he said. On the other hand, "there are bugs in the software," he added.

One solution is to give software developers more training on security, said Faburn Fox, a security planning and architecture manager at the Bank of Hawaii in Honolulu.
"A lot of the problem comes from programmers not having an understanding of the security piece when they are writing code," said Fox.

William Wulf, president of the Washington-based National Academy of Engineering and a computer security expert, said entirely new approaches to software development are needed to replace the idea of a Maginot line, or a perimeter-focused system of protection, with a more distributed security system. "Instead of having this perimeter defense, you have lots of agents running around seeing if something bad is happening and attacking when it does," said Wulf.

Trying to improve software through increased liability won't necessarily work, argued Wulf. "I don't believe it's possible to build a secure system," he said, wondering how vendors can be liable for "something that can't be done."

The ultimate punishment for bad software, said Harris Miller, president of the Information Technology Association of America in Arlington, Va., is an end-user decision not to buy a particular product. "Failures in the marketplace can lead to extraordinary punishment," he said.

------------------
http://all.net/
This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:55 PST