Andrew

From CSEP590TU
Revision as of 22:01, 13 November 2004 by Apardoe (talk | contribs)


Santtu: Discussion on threatened targets will cover the threats posed by integration of computer systems into an ever-increasing number of devices and areas where the effect of attacks may extend from disruption of service to life threatening, such as health and financial record management, everyday appliances, and military equipment.

Andrew proposed: This chapter examines who is ultimately responsible for the costs incurred through security flaws and exploitations. How does this differ when the software is produced by corporations, individuals or an open sourced project? What kind of incentives are there for companies/open source groups to produce more reliable software? Can these incentives be improved?

Responsibility should scale with the importance of usage. Does a click-wrap license or a disclaimer in an OSS license indemnify the creator of the software of all responsibility? Do corporate products incur more liability than OSS projects? What responsibility does a software vendor have to society? If a single vendor holds a significant portion of the market, is there a greater responsibility to protect the users of this network? Software which controls critical societal infrastructure (such as an automobile, a power plant or a voting machine) is at the far end of this scale. Are governments choosing software responsibly?

What incentives exist to produce secure software? Would legal liability be a greater incentive or a disincentive to innovate? Would anyone produce important but risky software if their company were potentially liable for all damages resulting from usage of that software?


Computers and software are combinatorially complex problems. Windows Server 2003 was written by about 5000 developers working on over 50 million lines of code (interview with Microsoft Distinguished Engineer Mark Lucovsky at http://www.winsupersite.com/reviews/winserver2k3_gold2.asp). Intel's "Prescott" microprocessor contains 330 million transistors in an area the size of a fingernail (http://www.intel.com/pressroom/archive/releases/20020813tech.htm).

Given their complexity, it's not surprising that we've had the kind of problems we've had with computers. Intel has had a number of issues with their microprocessors, the most famous of which were the FDIV bug of 1994 and the F00F bug of 1997 (http://x86.ddj.com/errata/errataseries.htm). The former returns incorrect results for a particular class of floating-point division operations. The latter freezes the microprocessor, halting the system and, for a network server, any systems relying upon that system. Software problems are even more numerous. One famous issue is that Windows 95 and Windows 98 can cause the computer to hang after 49.7 days of continuous operation (http://support.microsoft.com/kb/q216641/). A similar bug existed in Windows 2000 wherein parts of programs can stop working after the computer has been running for 497 days (http://support.microsoft.com/default.aspx?scid=kb;en-us;322913).

We have come to expect that computers are naturally prone to failure. Knuth--quality. DOET--making excuses. Rina Piccolo drew a cartoon for King Features' comic strip "Six Chix" which depicts two secretaries playing solitaire with cards on their desks. One is speaking on the phone saying "Our computers are down so we have to do everything manually." One of the main reasons we are willing to accept low quality in software is that a large number of the functions performed by computers are essentially unimportant. But what happens when we employ something which is increasingly complex to perform a simple task?

Tax software

In 1986 the IRS ruled that authors of tax software may be liable for advice given to taxpayers (http://catless.ncl.ac.uk/Risks/3.04.html#subj2.1). The industry was barely in existence then. Now that tax software is big business, things have changed. The license of one popular program, TaxCut 2003, clearly specifies that "While Block (the vendor of TaxCut 2003) is providing the Software as a general tool to assist you in preparing and/or filing your tax returns, the software does not replace your obligation to exercise your independent judgement in using the software. Your use of the Software does not make Block your tax preparer... Block does not warrant any particular results that you may obtain in using the Software." (emphasis removed; http://www.taxcut.com/license/TCB2003.pdf). The IRS's current guidelines for e-File providers specify that the software used to file tax returns must pass a test which verifies, in part, that "returns have few validation or math errors" (http://www.irs.gov/pub/irs-pdf/p1345.pdf). Who is liable when a consumer trusts software to do the math on his tax return correctly?

One option is to go with the 1986 IRS ruling and make Block liable for errors in TaxCut software. The Uniform Commercial Code provides an implied warranty of merchantability, essentially, that the product will do what it is sold to do. This warranty can be waived if notification is provided to the buyer in "conspicuous writing...prior to the sale" (Cem Kaner's Bad Software at http://www.badsoftware.com/support1.htm).