[ISN] Commentary: The Best Way to Make Software Secure: Liability

From: InfoSec News (isnat_private)
Date: Wed Mar 13 2002 - 01:15:00 PST

    By Ira Sager and Jay Greene
    MARCH 18, 2002

    Microsoft Corp. is having a tough time making sure its products are
    free of glitches. On Feb. 21, the software giant alerted customers
    that it had released three fixes for gaping security holes in its
    Internet browser and other Web software that could allow hackers to
    crash Web servers or snatch files from a personal computer and send
    them to an attacker's machine.

    Those revelations came just three weeks after developers in
    Microsoft's Windows division temporarily stopped writing software.  
    Instead, the 7,000 programmers that work on the company's ubiquitous
    operating system and Web-server software are spending this month
    learning how to turn out bug-free programs, while combing products for
    any existing flaws.

    No wonder Microsoft Chairman William H. Gates III has set security as
    his top priority. On Jan. 15, he sent an e-mail urging Microsoft's
    50,000 employees to make their software as reliable and trustworthy as
    electric, water, and telephone service. Gates knows that if he wants
    customers to buy software and services via the Web--a key element of
    his vision for Microsoft--he can't afford security snafus. "Our
    software should be so fundamentally secure that customers never even
    worry about it," Gates wrote.

    Bill, you're right. But you're a little late. Microsoft and other tech
    companies have neglected security issues for years. It's time
    companies that sell software with yawning security flaws or fail to
    secure their computer systems be held liable. Companies, or
    individuals, should be able to sue to recover any damages brought on
    by faulty programs or improperly installed security software.

    Today, no one is held accountable for such lapses, and there's little
    incentive to improve the situation. On Jan. 8, the prestigious
    National Academy of Sciences, frustrated that security measures
    already available aren't being used, suggested lawmakers consider
    legislation that would end software companies' protection from product
    liability lawsuits.

    Consider the experience of CERT, the government-funded computer
    security group. After trying for nine months to get computer companies
    to fix a flaw that could hit a multitude of networked devices, from
    printers to Web servers, CERT issued a public warning on Feb. 12 of a
    security gap. Even so, a day later the majority of the 240 companies
    affected had yet to contact CERT.

    Much of the talk about improving computer safeguards overlooks a
    fundamental problem: Poorly written software is at the root of many
    security breaches. That's why the same mistakes keep cropping up. For
    example, recent problems with Microsoft's new Windows XP operating
    system and America Online's popular instant messaging program involved
    a design flaw that has been tripping up programmers for 20 years--even
    though tools are available to test for this vulnerability. "Software
    companies don't spend enough time on design and testing the product
    before it's made public," says Marty Linder, a security expert at

    Hence, the bug hunt at the Windows division. So far, it's unclear if
    Microsoft will do the same with all its products. It's trying to
    change a culture that hasn't believed the problem was faulty software.  
    Instead, Microsoft employees pointed the finger at users who didn't
    safeguard their systems. Microsoft notifies customers to update its
    products with software patches to take care of the latest scourge. But
    they left that task to users and, more often than not, it was ignored.  
    "People didn't spend the two clicks to do it," says Craig J. Mundie,
    Microsoft's senior vice-president. This spring, Microsoft will unveil
    technology that allows Windows users to receive automatic updates each
    time a bug fix is available.

    To date, there has been little incentive for Microsoft and other
    off-the-shelf software makers to do more. Why? Because they have
    insulated themselves by disclaiming all product liability. The courts
    have decided that buyers waive their right to sue after clicking the
    "I accept" button when they install software. "If Firestone produces
    tires with systemic vulnerabilities, they are liable," says Bruce
    Schneier, chief technology officer of Counterpane Internet Security
    Inc., a provider of network protection services. "If Microsoft
    produces software with systemic vulnerabilities, they're not liable."

    A better model for improving security may be the Y2K bug. Facing the
    threat of widespread computer meltdowns at the millennium, industry
    mobilized to change business practices and governments passed laws
    requiring Y2K certification for tech gear. Companies underwent massive
    campaigns to make certain they complied because they didn't want to be
    held liable for damages. The Securities & Exchange Commission required
    corporations to provide details of their Y2K efforts in quarterly
    earnings reports.

    There are signs that Microsoft is trying to change the way it develops
    software. But it won't be enough to rely on one company to get it
    right. To get serious about computer security, there must be

    Sager writes about computer security from New York. Greene covers
    Microsoft from Seattle.