NewsScan Computer Security Column
Stephen Cobb, CISSP, and Chey Cobb, CISSP

Who's Responsible for Software Security Holes?

Is computer security pain all in the mind? Our column that appeared on January 9th ("Safe & Sound In The Cyber Age: Securing Your New Computer") prompted NewsScan reader Robert Dominiec to wonder: "What did we do to deserve this?" He went on to ask "What does it say about us, as willing victims, to be told that your brand-spanking-new Christmas computer immediately needs hours of downloading patches for it to operate in a manner which you expected when you bought it. And to know that you'll be forced to do this weekly if not more often."


We sympathize with these sentiments. On too many occasions during the last two decades you could have found us sitting in a computer room somewhere, surrounded by corrupted or discombobulated computers, muttering: "What did we do to deserve this?" It is tempting to think that the answer is nothing, but if we are honest with ourselves we have to disagree. What we did to deserve this was accept what the people selling us computers told us; accept it as the truth, the whole truth, and nothing but the truth, as opposed to a very optimistic, best-case scenario.


Depending upon your perspective, the sin was that of naiveté, or gullibility, or plain old failing to learn from the past. However, we did not sin alone. There is no doubt we were misled, although you would be hard pressed to find a computer industry conspiracy to mislead consumers. It's not like anyone expects General Motors to say "See America in a Chevrolet, and possibly crash and burn." So why should Dell say, "Dude, you're getting a Dell, that you will have to patch and coddle and maintain or else your data might disappear and your identity could get stolen."


The automotive analogy comes naturally. The computer has revolutionized life at least as much as the automobile. Indeed, Mr. Dominiec likened the current situation with computer security to "taking your car into the shop almost daily." We hate to show our age, but we can remember when the family car did have to make a lot of trips to the shop (and if our parents are to be believed, their fathers' cars really did need almost daily maintenance). However, many of today's cars can run for months, even years, without serious maintenance. Which suggests a silver lining: computers will eventually become more reliable and more secure, requiring less and less operator intervention to stay that way.


There is just one big "if." Security is not going to get better in a hurry if the people who buy computers don't demand that their makers do better. Both the hardware and the software have got to improve. We're not talking about improving speed and adding fancy features. You can't type any faster with today's 2000MHz Pentium 4 than you could on that '80s-vintage 30MHz 486 (and if the company that makes the word processing software that we use adds one more useless feature, we'll be tempted to reach for the old Remington).


Fortunately, there are signs of growing pressure for security improvements. Computer security has become a mainstream consumer issue; for example, February 2 marks the beginning of this year's National Consumer Protection Week (NCPW), the focus of which is Information Security (http://www.consumer.gov/ncpw/).


And here's another government initiative pushing computer security improvements: the Critical Infrastructure Protection Board, now part of the Office of Homeland Security. In an interview in the June issue of CIO Magazine last year, board chairman Richard Clarke said: "We're in favor of holding vendors accountable. When a product fails, the vendor has a responsibility to quickly identify a way of fixing it and getting that patch out, and the patch not only should fix the problem, it should not interact badly with other widely utilized applications." While Clarke stopped short of advocating litigation to enforce accountability ("we'd like to try to find solutions that are quicker than long, multiyear litigation"), you can bet that lawyers are already circling, looking for cases of poor product security to prosecute.


Although the current administration frowns on legislation to encourage computer security, it may be only a matter of time before someone on the Hill attempts to emulate Senators Magnuson and Ribicoff who, urged on by Ralph Nader, helped pass a law in the '60s that forced Detroit to devote more resources to auto safety. Of course, the computer industry is opposed to equivalent security legislation today, but remember that it was Henry Ford who said, on "Meet the Press" in 1977: "We wouldn't have the kinds of safety built into automobiles that we have had unless there had been a federal law."


The bottom line is that our expectations of computers were set too high by the people who marketed them. We bought their spiel and expected to get amazing information technology at bargain prices with no down side. We forgot that with technology there is always a down side. With cars it has been pollution, dependence on foreign oil, and a leading cause of death among Americans under 35. With computers it is a wide range of unethical actors, from criminal hackers to malicious code writers, slick software marketing managers to slimy spam writers. We need a concerted broad-based campaign for more inherently secure products. And a large dose of preventative education to reduce the number of unethical actors would not be amiss.

©2003 Chey Cobb. All rights reserved.