[LINK] Identity theft virus infects 10,000 computers

Rick Welykochy pirkeepie at yahoo.com.au
Thu Aug 17 15:55:38 AEST 2006


I have read ahead of this email to see other well considered replies, many
of which are in agreement with my own thoughts. I will not repeat those below...

--- Craig Sanders <cas at taz.net.au> wrote:

> On Wed, Aug 16, 2006 at 03:20:57PM +1000, Rick Welykochy wrote:
> > --- Craig Sanders <cas at taz.net.au> wrote:
> > > also, the fact that source code is available to be examined and
> > > fixed by the user (or their agent) is (or should be) a significant
> > > mitigating factor in any liability claim.
> >
> > Why so? It is very impractical for every single user of every single
> > piece of FOSS to download the source, examine it for bugs, test it
> 
> because you can't avoid all personal responsibility for your actions by
> saying "i couldn't be bothered".

"I am not able to evaluate the security fitness of this source code"
is more like it.

If I gave you 14,000 lines of C++ code, or better yet, 5,000 lines of
Perl6, could *you* tell me if it is secure, Craig? How about 1000
very compact lines of OCAML? I can read the stuff and understand it,
and you think I should? Should Mrs Ima Goose do the same?


> so what if the testers include the entire population of users?

They don't.
And throwing a beta version of software out to an untrained
population does not constitute acceptance testing.


> i do, but mostly for my own use and for people with my level of skill.
> systems admin tools rather than applications for the most part. in fact,
> i hate doing applications development.

Sounds like the Craig Sanders I always read on Link, i.e. "me me me".
Think outside your world and think of millions of people using FOSS out
of the box with no ability to even use the shell. That is where FOSS is
going. FOSS is actually REPLACING Windows on the desktop, slowly but surely.
For every experienced shell user, I can show you 1,000,000 clueless
GUI users. How's that for a sense of perspective?

The issue I am addressing here is software security and reliability for
the great unwashed masses, not for the tiny minority of geeks out there
who know a DDoS from a phishing scam. Perspective, Craig, perspective.



> they CAN eventually discover them all. they can certainly discover a lot
> more than if the source code is not available.

Uh huh. No-one will argue with the latter statement. But I'll tell you
now that all bugs will *NEVER* be discovered. Believe me.


> strict liability from the moment of publication won't help here - it will
> actually make that kind of scrutiny impossible because it will be too
> risky to publish the source until after all the bugs have been found.
> i.e. never.

What an agony you are putting yourself through. I am only proposing that
liability legislation be considered. I haven't proposed anything as draconian
as what you are, Craig. You seem to be putting the cart before the horse.

Think about what form the legislation would practically take if you wish
to think about it at all. Surely you would not wish the very ideas / fear
mongers that you raise in this discussion to be actually implemented
and thus to so disadvantage the FOSS community, would you? I certainly
wouldn't.


> also, what of the case where the author/developer releases only source
> code, not an executable (which is a fairly common practice in the FOSS
> world) - are they liable for someone else compiling and running it, or
> compiling and re-distributing it?
 
Of course not. Not if I were writing the legislation.
You really are a worry wart, Craig!


> which implies that this can not and should not be a liability under any
> legislation.  if there are no reasonable precautions that you could have
> taken, then how can you be held liable for failing to take them?

You can't. Legislation is meant to be *reasonable* and *implementable*.
You seem to think that I am proposing to take the law to a new and
heretofore never seen level of draconian punishment to be unleashed
on a naive and unsuspecting populace of FOSS developers. Nothing could 
be further from my intent.


> > Yes, software liability legislation will have a chilling effect on
> > FOSS. It will also have a chilling effect on proprietary software. So
> > what? The goal is more reliable, secure and safe software. The outcome
> > depends on the ability to deliver the same. I have complete faith in
> > the FOSS community to deliver same. I DO NOT have faith in some of the
> > more prominent proprietary software producers to deliver same. And I
> > certainly have little time or interest in FOSS or proprietary software
> > (crapware?) that does not meet stringent standards in security, safety
> > and merchantability.
> 
> in an ideal world, what you say could work.
> 
> in the actual world, it would be just another tool for Microsoft et al
> to attack FOSS developers with - bankrupt them into submission with
> trumped up case after trumped up case...they already do astro-turf
> campaigns in the advertising world, it's no great leap of the
> imagination for them to do the same kind of thing in the court-rooms.

Therein lies the danger of proposals like this one. MS and other
interested parties would of course lobby for the law to be skewed to
harm FOSS development and also minimise the risk for their own ilk.

> at the same time, the legislation wouldn't work against huge proprietary
> software developers because nobody could afford to sue them, they could
> drag it out in court long enough to bankrupt anyone with less resources
> than them.

Criminal sanctions would do the job nicely.


> given the typical quality of programmers who have just completed their
> uni degree but have little or no actual experience, this is essential.

But it is *not* essential to allow software tyros to unleash insecure
and dangerous software on an unsuspecting and ill-informed public.

The problem you raise regarding novice programmers equally applies
to software quality, especially for commercial outfits who have
a reputation to maintain, or a contracted service to provide. In my
early years of gaining experience, my goofups and mistakes were
*usually* caught during acceptance testing.

OTOH I recall bringing a campus-wide network and its Amdahl mainframe
to its knees for about 1/2 hour while I tied up all the I/O channels
due to a bug in the front-end processor. This was effectively a DoS.
But I would hardly think that grounds for prosecution under the
Software Quality and Security Assurance Act 2007.

Before announcing the end of the software development world as we
know it, let's remain calm and consider what does and does not constitute
criminal negligence when it comes to software quality and security.
I can give you many examples of such negligence by proprietary
software companies, where they purposely made the decision to eschew
consumer safety and security for the sake of the rush to market, grabbing
market share, killing competition and securing fast profits. Getting
the picture yet? 

> free software, by the way, isn't just about being a cheaper, better
> way of developing quality software. it's primarily about freedom, the
> freedom of developers *AND* users to collaborate to develop, refine,
> and *share* their software. the exclusive focus on just software
> quality rather than freedom is the thing that distinguishes Open Source
> advocates from Free Software advocates.

Perhaps. I myself won't quibble with such distinctions.

I'll conclude by stating that software security issues are going to get
much more serious and have far more deep-reaching effects into all
aspects of society before things improve in this area. And the only
way of compelling improvement is through legislation. I have not heard
anyone so far propose any other way of resolving this important issue.

And if it is not an important issue, we can pick up the discussion
once again when it does become important ... to you.

cheers
rickw
