Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Ex-NSA Analyst To Be Global Security Head At Apple

Soulskill posted more than 3 years ago | from the keeping-the-worms-out dept.

Security 145

AHuxley writes "Cnet.com reports that Apple has tapped security expert and author David Rice to be its director of global security. Rice is a 1994 graduate of the US Naval Academy and has a master's degree in Information Warfare and Systems Engineering from the Naval Postgraduate School. He served as a Global Network Vulnerability analyst (Forbes used cryptographer) for the National Security Agency and as a Special Duty Cryptologic officer for the Navy. He is executive director of the Monterey Group, a cybersecurity consulting firm. He's also on the faculty of IANS, an information security research company and works with the US Cyber Consequences Unit. In a 2008 interview with Forbes, 'A Tax On Buggy Software,' Rice talks of a 'tax on software based on the number and severity of its security bugs. Even if that means passing those costs to consumers. ... Back in the '70s, the US had a huge problem with sulfur dioxide emissions. Now we tax those emissions, and coal power plants have responded by using better filters. Software vulnerabilities, like pollution, are inevitable — producing perfect software is impossible. So instead of saying all software must be secure, we tax insecurity and allow the market to determine the price it's willing to pay for vulnerability in software. Those who are the worst "emitters" of vulnerabilities end up paying the most, and it creates an economic incentive to manufacture more secure software.'"

Sorry! There are no comments related to the filter you selected.

Makes sense (1, Funny)

countertrolling (1585477) | more than 3 years ago | (#34988896)

As private industry becomes the next government, more overtly as time goes on..

Re:Makes sense (2)

joocemann (1273720) | more than 3 years ago | (#34988922)

As private industry becomes the next government, more overtly as time goes on..

A little offtopiic here:

Isn't it weird how intelligent and skeptical people see it as "corporate takeover", and ignorant people believe corporations telling them that its a 'socialist takeover'.

From the looks of the lobbies and actual authors of bills, its hard to believe the latter -- but I suppose you'd believe anything if you don't question it.

Re:Makes sense (1)

vbraga (228124) | more than 3 years ago | (#34989046)

Is there any difference between a corporate takeover of the government and a government takeover of enterprises? The end result is the same.

Re:Makes sense (4, Insightful)

artor3 (1344997) | more than 3 years ago | (#34989104)

Sure there's a difference. One exists, the other is a bogeyman intended to scare the uneducated into voting against their interests.

Re:Makes sense (2)

Dunbal (464142) | more than 3 years ago | (#34989514)

Yes because "voting" really is how you change things.

Re:Makes sense (1)

Nadaka (224565) | more than 3 years ago | (#34990594)

Not when the only choice is between overlapping but not quite identical set of corporate interests D and overlapping but not quite identical set of corporate interests R.

Re:Makes sense (0)

Anonymous Coward | more than 3 years ago | (#34990716)

Yes because "voting" really is how you change things.

You certainly don't do it by shooting congressmen in the face.

Re:Makes sense (1)

Anonymous Coward | more than 3 years ago | (#34991068)

Or perhaps you do.

It depends on how much change and in what direction you want change.

It can certainly be argued that many events in the history of the world were affected by assassinations.

And many more were affected by violent actions taken by a few people. You only have to look at recent history to see how a few people managed to turn the US in the direction of becoming a police state, and arguably lead to the current economic meltdown, by taking over a few airplanes and flying them into buildings.

And how different would our history have been if Kennedy had lived? What would have changed if Lincoln had lived? Would we have been better off if Reagan had died? What if the assassination attempts on Hitler had worked?

No, violent actions DO change things. Not always in the way the people carrying out the action intended, but some change tends to happen.

You man make people vote anyway you want. (1)

crovira (10242) | more than 3 years ago | (#34990874)

Hitler, Mussolini, Stalin, Mao, even Saddam Hussein and Pol Pot were elected at first.

The tyranny of the masses known as democracy (implemented in the electoral college in the 'States and known by other names in other hegemonies,) is no insurance against stupidity.

Look at how long people thought the earth was flat and the sun went around the earth instead of the other way around.

Re:You man make people vote anyway you want. (1)

Guy Harris (3803) | more than 3 years ago | (#34991556)

... Stalin, Mao, even Saddam Hussein and Pol Pot were elected at first.

[citation needed] Were any of those elected in a free election by the general electorate (as opposed to a "one candidate only" election, or a "funny, 99 44/100% of the people voted for them, I guess they're popular" election, or a choice by the leadership of the ruling party)? (I'll let you have Hitler and Mussolini for that one, but even those might be subject to review.)

Re:Makes sense (1)

countertrolling (1585477) | more than 3 years ago | (#34989260)

I shouldn't consider it as a "takeover" by either. They are a team. One is muscle for the other.

Re:Makes sense (1)

Suki I (1546431) | more than 3 years ago | (#34989196)

As private industry becomes the next government, more overtly as time goes on..

A little offtopiic here:

Isn't it weird how intelligent and skeptical people see it as "corporate takeover", and ignorant people believe corporations telling them that its a 'socialist takeover'.

From the looks of the lobbies and actual authors of bills, its hard to believe the latter -- but I suppose you'd believe anything if you don't question it.

The really basic individual rights issue is: What is so damn bad about someone wanting to leave a government job for a non government job?

Re:Makes sense (1)

joocemann (1273720) | more than 3 years ago | (#34989254)

Can you please reword or elaborate? I don't quite understand what you mean.

Re:Makes sense (1, Insightful)

Suki I (1546431) | more than 3 years ago | (#34989354)

Can you please reword or elaborate? I don't quite understand what you mean.

You must be kidding. I even quoted both the person you responded to and you also.

The NASA guy going to Apple is nothing more than some person getting a job he thinks is better, the same way I would do, maybe you too. Nobody should be denied the right to do that.

Re:Makes sense (-1)

Anonymous Coward | more than 3 years ago | (#34989820)

For a girl you're such a dick. The only reason he couldn't understand you was that you were so far off topic, he probably thought you responded to the wrong forum. It's probably true. You make no sense whatsoever. Almost nonhuman actually.

Re:Makes sense (0)

Anonymous Coward | more than 3 years ago | (#34990616)

For a girl you're such a dick. The only reason he couldn't understand you was that you were so far off topic, he probably thought you responded to the wrong forum. It's probably true. You make no sense whatsoever. Almost nonhuman actually.

Let me guess, troll. You got lost at "basic individual rights" and never made it to "issue"?

Re:Makes sense (0)

Anonymous Coward | more than 3 years ago | (#34990894)

For a girl you're such a dick. The only reason he couldn't understand you was that you were so far off topic, he probably thought you responded to the wrong forum. It's probably true. You make no sense whatsoever. Almost nonhuman actually.

Let me guess, troll. You got lost at "basic individual rights" and never made it to "issue"?

Nice troll, troll.

Re:Makes sense (2)

joocemann (1273720) | more than 3 years ago | (#34990100)

I"m not kidding.

Thanks for being less vague this time around.

Re:Makes sense (0)

Suki I (1546431) | more than 3 years ago | (#34990316)

I"m not kidding.

kk

Re:Makes sense (1)

Divebus (860563) | more than 3 years ago | (#34990178)

Um... not NASA... it's NSA which is the National Security Agency [nsa.gov] .

Re:Makes sense (0)

Anonymous Coward | more than 3 years ago | (#34990214)

otherwise known as No Such Agency

Re:Makes sense (0)

Suki I (1546431) | more than 3 years ago | (#34990326)

Either way, no big deal. Moving to a new job that you want better should not be an impediment to what you want to do.

Re:Makes sense (1)

countertrolling (1585477) | more than 3 years ago | (#34990454)

Regulatory capture is already a major problem in the agriculture, chemical, and energy, amongst many other industries. We don't need any more of it here.

Troll Alert! (0)

Anonymous Coward | more than 3 years ago | (#34990534)

Regulatory capture is already a major problem in the agriculture, chemical, and energy, amongst many other industries. We don't need any more of it here.

Companies hiring people who know what they are doing is now "regulatory capture"!

Re:Troll Alert! (1)

countertrolling (1585477) | more than 3 years ago | (#34991430)

In cozy relationships like this, yes, it frequently is a problem. It is one of the main reasons so few companies control such a vast market and become "too big to fail". The regulations are designed by lobbyists to lock out the competition, creating artificial scarcity and high prices.

Re:Makes sense (2)

hairyfeet (841228) | more than 3 years ago | (#34990218)

If that is all that it is, I see no problem in it. When I DO see a problem with it is when industry insiders use jobs as rewards for getting what they want out of government. Too many in government get cushy private sector jobs for themselves and even members of their families as a payoff for playing ball and THAT I do have a problem with.

And where will this guy's loyalty lie? Will it lie with Google and their customers? Or when one of his old spook buddies waltzes in and says "hey old buddy, we are needing some info on the quiet side. Can you help us out?" will he just walk outside for a long lunch break while his "friend" has access to his computer?

And the whole "taxing insecurity" is about the dumbest idea I've ever heard of! Talk about an easy way to take out your competitors, just pay a team of hackers to find bugs and voila! They are buried under so many taxes they go out of business! I mean who do you think could afford 20 million in fines more, a company like MSFT or Oracle, or your average Linux distro? Seems like a great way to take out the smaller weaker corps to me, just keep getting them hit with fines and then buy them out for cheap when they can't fight back anymore. If people want more security then they can buy it, it is JUST that simple.

Re:Makes sense (3, Funny)

Pseudonym Authority (1591027) | more than 3 years ago | (#34990334)

And where will this guy's loyalty lie? Will it lie with Google and their customers?

If it does, Apple is going to look really stupid for hiring this guy.

Re:Makes sense (0)

Suki I (1546431) | more than 3 years ago | (#34990348)

If that is all that it is, I see no problem in it. When I DO see a problem with it is when industry insiders use jobs as rewards for getting what they want out of government. Too many in government get cushy private sector jobs for themselves and even members of their families as a payoff for playing ball and THAT I do have a problem with.

And where will this guy's loyalty lie? Will it lie with Google and their customers? Or when one of his old spook buddies waltzes in and says "hey old buddy, we are needing some info on the quiet side. Can you help us out?" will he just walk outside for a long lunch break while his "friend" has access to his computer?

And the whole "taxing insecurity" is about the dumbest idea I've ever heard of! Talk about an easy way to take out your competitors, just pay a team of hackers to find bugs and voila! They are buried under so many taxes they go out of business! I mean who do you think could afford 20 million in fines more, a company like MSFT or Oracle, or your average Linux distro? Seems like a great way to take out the smaller weaker corps to me, just keep getting them hit with fines and then buy them out for cheap when they can't fight back anymore. If people want more security then they can buy it, it is JUST that simple.

Sounds like most of that is something for the employer to evaluate. In the US labor market the employers may demand zombies all they like but there is no guarantee that they get them.

Re:Makes sense (0)

Graff (532189) | more than 3 years ago | (#34989270)

Isn't it weird how intelligent and skeptical people see it as "corporate takeover", and ignorant people believe corporations telling them that its a 'socialist takeover'.

There's also plenty of ignorant people seeing it as a 'socialist takeover' and intelligent people seeing it as a 'corporate takeover'. Ignorance and intelligence are on both sides of the issue because it's a complex issue. In fact you can even have both takeovers at the same time, they don't need to be mutually exclusive.

I personally think that the best take on it is to protect the ability of people to think for themselves and decide their own fates. If they want to band together into collectives then let them, if they want to trust corporations then let them. It's all good as long as they aren't allowed to oppress other people too much by forcing others into their "club".

Re:Makes sense (0)

Graff (532189) | more than 3 years ago | (#34989316)

There's also plenty of ignorant people seeing it as a 'socialist takeover' and intelligent people seeing it as a 'corporate takeover'. Ignorance and intelligence are on both sides of the issue because it's a complex issue. In fact you can even have both takeovers at the same time, they don't need to be mutually exclusive.

Blergh messed that one up, I meant to flip socialist and corporate in my first paragraph to contrast the grandparent's statement. My main point is that both sides have their bright and dim people, to say that only one view is the view of intelligent people is to commit a type of ad hominum attack on the issues.

Although I'm sure it would be abused there's some times that I wish Slashdot had an edit post feature!

Re:Makes sense (1)

icebraining (1313345) | more than 3 years ago | (#34989394)

An "edit until someone replies or mods it" feature would be useful and hard to abuse.

Re:Makes sense (1)

N3Roaster (888781) | more than 3 years ago | (#34989628)

I'm sure that's on the roadmap, right after proper Unicode support.

Re:Makes sense (1)

Graff (532189) | more than 3 years ago | (#34990030)

Yeah, or an edit which has a diff-like [wikipedia.org] functionality so you can see what was done in the edit. There has to be some reasonable solution that would let you correct stupid mistakes without being too revisionist.

Ahh well, someday Slashdot will catch up with modern technology! lol...

Corporatism is a feature of facism, not socialism (1)

crovira (10242) | more than 3 years ago | (#34990730)

Corporations depend on the great unwashed mass of people out there not being able to tell the difference.

Lenin and Mao were trying to be communists (an extreme form of socialism,) where resources are owned and controlled by the state. They ended up being murderous tyrants.

Hitler, Mussolini and Hirohito were fascist, where resources are owned by an oligarchy and controlled by the state. (Actually that is MUCH more wide spread than that. Look at what has been happening to the economy of the United States since Bush took office.)

Reagan was trying to set himself up as a free-enterprise mercantilist, where resources are owner by an oligarchy and controlled by an oligarchy. Good luck with that...

Pol Pot was an anarchist, where resources are owned and controlled by no one. Look where that got Cambodia.

" Me? I'm just a lawnmower. You can tell me by the way I walk. " - Peter Gabriel (when he was in "Genesis.)

Re:Makes sense (0)

Anonymous Coward | more than 3 years ago | (#34989078)

As private industry becomes the next government, more overtly as time goes on..

It's sorta hard to argue this is more overt than having Al Gore on your board...

What the hell is this rambling post about anyway? Is it about the new spook on board at Apple, is it about his many accomplishments, or is it about environmentalism hysteria, or is it about pushing for a new tax on software? I'll go with the last one/two... Acid rain was a billion dollar solution to a million dollar problem. [worldandi.com] This sounds similar. The software I use has bugs. It comes with the territory. It's open source and when I find bugs, I fix them. So some schmuck says bugs cost everyone money so we should pay him a tax to create some market based invisible hand to solve it? Does anyone actually buy this BS argument? You know what a tax will do? Encourage people to use IE 6 for the rest of eternity because the new version is taxed and the old buggy piece of shit works 'good enough.' I swear, some days I just want to slap the taste out of these people's mouths.

Re:Makes sense (0)

Anonymous Coward | more than 3 years ago | (#34989828)

So, the proposal is to tax the distribution of software. A tax like this could kill Free software. Imagine that there was a law that said if you distributed software that had a security vulnerability that you had to pay a tax on it. Now, Microsoft, with an army of lawyers would report each and every open source developer to the IRS for every security vulnerability in every major open source project.

So, what if it only affected companies that charged for software? Well, even then it would be horrible. Imagine the tax liability for a company like Red Hat. They would have to pay taxes on every Linux application that they shipped (unless of course they had no security vulnerabilities at all, which is unlikely.)

The end result is that the rules of the game would favor big companies that had good lawyers and lobbyists and were able to carve out exemptions for themselves. If I were Microsoft, for example, I would get lobbyists (that will no doubt write the law) to carve some kind of exemption for big companies who make a token effort at following the law. I would make the exemption require a lot of bureaucracy (like achieving CMM Level 3, for example) so that small companies would have trouble competing.

 

Re:Makes sense (1)

countertrolling (1585477) | more than 3 years ago | (#34990496)

A tax like this could kill Free software.

Then the idea makes even more sense. Could be the intention. So then make the tax somehow proportional to the price. That should let "free" off the hook. It's bullshit. The whole thing is just designed to featherbed another bureaucracy with... former Apple/Microsoft/Google/Oracle executives.

Windows users (3, Insightful)

ronmon (95471) | more than 3 years ago | (#34988914)

pay a crapload and Linux users pay nothing. Sounds like the tax is already in place. Maybe the money is just going to the wrong people.

Re:Windows users (1)

joocemann (1273720) | more than 3 years ago | (#34988984)

pay a crapload and Linux users pay nothing. Sounds like the tax is already in place. Maybe the money is just going to the wrong people.

The pro-audio version of this goes like this:

Digidesign users pay the most and get the most bugs

Cubase/Logic/Live users pay less, and have far less bugs.

----I bet you can guess which company used every dirty business tactic in the last 20 years to establish as a studio 'norm'.... (if you're bad at guessing its DIGIDESIGN and their always crashing ProTools software)

Re:Windows users (0)

Anonymous Coward | more than 3 years ago | (#34990094)

I beg to differ. Steinberg and their license dongle for VST plugins is worst than DigiDesign. Some jackass steals your license key dongle at a gig? Guess who now has to repurchase all their software, or download cracks? Insurance doesn't cover dongles in most cases, so you are out that.

Someone steals a Mac with Logic Studio? Insurance covers Mac, and with new Mac, you sign into the App Store, restore your Time Machine backup, perhaps reinstall any lost apps from the App Store, and go back to jamming.

Reaper users pay even less. (0)

Anonymous Coward | more than 3 years ago | (#34990336)

And have even LESS bugs and no CPU cycle sapping DRM.

Re:Windows users (2)

jjb3rd (1138577) | more than 3 years ago | (#34989608)

pay a crapload and Linux users pay nothing. Sounds like the tax is already in place. Maybe the money is just going to the wrong people.

You are so dumb, you are really dumb.

Clearly none of this matters because Linux is free. The community finds all the bugs and satisfies all of the user's every need. It is, therefore, installed on all computers, the world over, and security would no longer be an issue were it not prevalence of the password, "password".

Paying extra for security is basically akin to insurance. If you're paying extra for insurance, you typically have a certain level of responsibility, but when you get screwed by that which is beyond your control, then, in theory, you are adequately compensated. How about factoring insurance into the whole "software == automobiles" argument.

It'd be nice to see Slashdot debate this issue on merit as opposed to the dogmatic FOSS genuflection that seems to be taking place. A security insurance guarantee that costs extra is not something solved by an open or a closed source model, it's something that's solved through adequate product support and potentially a claims process in the event of being hacked. Slashdot used to like Apple, but it seems they hate success, which is just jealousy and really unbecoming of the level of discourse of which this site is capable. I, for one, would like to applaud Apple for taking security seriously, as I do *gasp* Microsoft for doing so for the last couple of years.

If the pay by the vuln, MS will HURT! (1)

crovira (10242) | more than 3 years ago | (#34990676)

I figure every hole that is found should cost $1/day its left unpatched ... * # of users.

Given the fact that security has NEVER been a priority of MS, they could/should/would be bankrupt in a week.

The money would go to a regulatory authority who are paid by the number of vulns they find. (Ain't I a stinker... :-)

Re:If the pay by the vuln, MS will HURT! (1)

Bing Tsher E (943915) | more than 3 years ago | (#34990794)

Given the fact that security has NEVER been a priority of MS, they could/should/would be bankrupt in a week.

Well, they'd at least have to stop selling Windows 98.

Oh wait! They already have!

But Brain... (1)

Eggplant62 (120514) | more than 3 years ago | (#34988952)

That'll bankrupt companies like Microsoft, won't it?

Re:But Brain... (1)

Suki I (1546431) | more than 3 years ago | (#34989024)

I think he was the guy keeping the stealth secrets [slashdot.org] , don't worry so much.

Re:But Brain... (1)

fredmosby (545378) | more than 3 years ago | (#34989284)

According to your link the Chinese got that technology by reverse engineering a plane that had been shot down. What does that have to do with computer security?

Re:But Brain... (1)

Suki I (1546431) | more than 3 years ago | (#34989374)

According to your link the Chinese got that technology by reverse engineering a plane that had been shot down. What does that have to do with computer security?

That is what the link said. Look at what I said.

Re:But Brain... (1)

fredmosby (545378) | more than 3 years ago | (#34989728)

I'm not sure what you're trying to say. The post you replied to said that taxing companies based on security holes would bankrupt Microsoft. Your reply said you thought the guy Apple hired had something to do with stealth plane secrets. I don't see how those two statements are related.

Oh Great (3, Funny)

SilverHatHacker (1381259) | more than 3 years ago | (#34988970)

We'll never jailbreak the iPhone 5. It'll either have government-grade digital locks, or it'll be accompanied by guys in black suits who "don't really exist".

Re:Oh Great (1)

illumastorm (172101) | more than 3 years ago | (#34988998)

So, when you mention people in black suits, I take it you already have met Apple's "gardeners"?

Re:Oh Great (0)

Anonymous Coward | more than 3 years ago | (#34989018)

WTF is a silver hat - a tin foil hat?

Re:Oh Great (2)

Biff Stu (654099) | more than 3 years ago | (#34989076)

It's a tin foil hat with an Apple premium.

Re:Oh Great (1)

R3d M3rcury (871886) | more than 3 years ago | (#34990226)

But it'll be really shiny tinfoil.

Ooo...shiny...

Re:Oh Great (1)

marcobat (1178909) | more than 3 years ago | (#34990170)

at apple they don't have black suits only black turtleneks

Re:Oh Great (0)

Anonymous Coward | more than 3 years ago | (#34990330)

We'll never jailbreak the iPhone 5. It'll either have government-grade digital locks, or it'll be accompanied by guys in black suits who "don't really exist".

Yeah, but on the plus side, we'll finally have cryptographically-secure communications systems that are easy enough to use that they could receive widespread adoption. Why, security might even become fashionable!

If even NSA's mad skills combined Apple's marketing savvy can't convince Joe Sixpack of the value of security, then nothing can, nor ever will. I'll concede that giving up and throwing in the towel on security is probably the safer bet, but a proof by counterexample would be awesome, and well worth the minimal expense of trying.

We're nerds. We wouldn't be in this business if we didn't think problems can be solved. We can still dream, can't we?

Re:Oh Great (0)

Anonymous Coward | more than 3 years ago | (#34991106)

Yeah, but on the plus side, we'll finally have cryptographically-secure communications systems that are easy enough to use that they could receive widespread adoption.

It's not really a plus side when you realise that all the security improvements are in place to stop you doing what you want to do, not the hackers.

It'll Never Fly! (1)

DadLeopard (1290796) | more than 3 years ago | (#34989012)

Microsoft has deep pockets, and can hire Lobbyists by the score! This is never getting through either the Congress or the Senate. Microsoft has too much to lose if this was law, they'd have to start over from scratch and toss out all their legacy code!

Re:It'll Never Fly! (1)

artor3 (1344997) | more than 3 years ago | (#34989126)

Considering it's supported by someone who was never a politician and is no longer even working for the government, I'd say it's not going to even see Congress any time soon.

Not only in the US of A (1)

jbatista (1205630) | more than 3 years ago | (#34990932)

It doesn't have to be restricted to the US. If other nations start applying it and getting visible, palpable results, it'll get adopted by others (even the US) faster.

Tax is not the answer (0)

Anonymous Coward | more than 3 years ago | (#34989014)

Competition weeds out bugs eventually as well (just don't hold your breath)
The main issue is stovepiped data, where people have to live with bugs (iTunes?), outlook.
Or less mainstream software with less competition like CAM, Job costing/ scheduling software for business.

In other words, we already pay the price in lower productivity when data is caught in expensive traps.
Also, less security sometimes = easier to use software, so there is a tension there.
It comes down to a feeling nobody can define. Does it feel like magik? Do the developers take into account users?
Are they striving for computer shouldering more thinking? Security and bugs are only two aspects of software quality.

Good for Apple (4, Insightful)

StuartHankins (1020819) | more than 3 years ago | (#34989100)

It's a good thing, it signals they take security seriously. He seems to have impressive credentials. When you've got a target as large as Apple you need to be smart about security.

Re:Good for Apple (1)

MattskEE (925706) | more than 3 years ago | (#34990656)

When you've got a target as large as Apple you need to be smart about security.

Or you need to be William Tell.

Re:Good for Apple (0)

Anonymous Coward | more than 3 years ago | (#34990746)

"a target as large as Apple"
less than 10% user share in PC and #3 on smartphone share is not big, that Apple users believe they're the greatest is another thing.

"He seems to have impressive credentials"
It doesn't matter since the NSA and the FBI admit they treat most of their networks as compromised. Not even wall street is free from hacking but you think a NAME is going to make Apple immune to hacking? thats only insightful for people that are used to believe anything they're told: Apple consumers,

Why not a security rating, so buyer can choose? (5, Interesting)

noidentity (188756) | more than 3 years ago | (#34989106)

From the article:

But consumers prefer secure software to insecure software. Isn't that preference enough to create an incentive for companies to focus on security?

Wouldn't that be great? The problem is that right now people can't figure out whether software is secure. They buy software based on what's asserted and take companies at their face values.

If you look at the five-star rating on automobiles, you don't have to be an expert to make a decision about safety. You can appraise the risk you're purchasing based on that rating. Today almost all the cars on the road are four or five star rated: The market has chosen more safe cars because the safety rating is visible.

OK, so have a private certification company so you can see their rating on the product. Why is a tax needed? The example he cites, of automobiles, gives the buyer the choice of how safe the vehicle must be.

How would you measure software vulnerability?

The types of attacks we've seen over the past four years haven't changed. [The U.S. Department of Homeland Security] keeps a repository of attack patterns. So just as we run cars in various crash tests to see how they respond, we can run these attack patterns on software, judge how it performs and give it a security rating.

If determining software vulnerability were as simple as running some automated tests, it wouldn't be a problem in the first place. In his example of testing vehicles, it would be like having to protect them against a near-infinite variety of crash situations. How can you automate this, so as to give a simple rating?

A tax on insecure software would be passed on to the consumer in higher prices. Is that really the goal?

There's a notion in economics of private cost and the social cost of behavior. The results of insecure software--cybercrime and cyber-espionage--are largely social costs, not paid by the individual who's responsible for the behavior.

Vulnerabilities lead a consumer's computer to be hijacked by malicious software that allows the attacker to do practically anything with it. Sometimes the attacker targets the infected machines, like the attacks on the Pentagon last year. But often the machine is used to send out more spam, more phishing attacks, or it becomes one of the hundreds of thousands of machines that are used in "denial of service attacks" like the ones that shut down Estonia's Web last year. Those social costs are very heavy.

If a tax raised the private cost of cybercrime, people would get educated very quickly. When insecure software starts costing more, people will adjust their behavior.

OK, so let's say all software is secure. That doesn't stop people from combining it in ways that leads to insecurities, or even configuring a single piece so that it's insecure. How will this tax help that?

Here he talks of negative externalities and making those responsible pay, so that they educate themselves and avoid creating them. Sounds good, so why not do that? That doesn't involve taxation, it involves making those with vulnerable systems pay. That's the way to make the market respond.

For example, a home user's machine is infected and is now part of a botnet? Charge a fine. He'll quickly clean up his machine, switch/secure his OS, or find an ISP that will detect such a thing and automatically cut his internet connection until he cleans his machine up. Or a business leaks customer information. Fine it. That will encourage it to do what's necessary to secure the data. This way the need for security moves up the chain, from user to supplier, with whatever things are necessary to give it. Leave taxation out of it.

Re:Why not a security rating, so buyer can choose? (0)

Anonymous Coward | more than 3 years ago | (#34989180)

For example, a home user's machine is infected and is now part of a botnet?

So we know he's running Windows. Why not tax Microsoft for the problem, making their OS ever less desirable, instead of the plan that depends on end users getting educated?

Re:Why not a security rating, so buyer can choose? (1)

hardtofindanick (1105361) | more than 3 years ago | (#34989564)

You know what you are getting in to when you buy things. If I buy a shirt and wash it a few times and the color comes off, the shirt maker pays a tax? You can extend the same logic to anything money can buy.

Apple on the other hand seems to enjoy drinking their own cool aid.

Re:Why not a security rating, so buyer can choose? (0)

Anonymous Coward | more than 3 years ago | (#34990088)

uh, can we have this guy get the big bucks and the top job, instead of that other corporation-groomed less-intelligent-sounding guy? Oh wait, this isn't a cybersecurity czar position, but an Apple employee? Ok, let apple have him.

Re:Why not a security rating, so buyer can choose? (1)

lennier (44736) | more than 3 years ago | (#34990172)

OK, so let's say all software is secure. That doesn't stop people from combining it in ways that leads to insecurities, or even configuring a single piece so that it's insecure.

Doesn't it?

It depends, I suppose, on what you mean by 'secure'. If you adopt a very wide view, like 'not making available any information in posession of the user which someone else would not want made available' - like, say, uploading and tagging a photo of a friend on Facebook at a party they would rather their boss/girlfriend not know they had attended - then yes, achieving perfect 'security' in a world of perfect knowledge is probably theoretically impossible, much like DRM.

However, if you define security more narrowly in the sense of provable formal properties of software - such as 'guaranteed never to expose a buffer overflow or race condition exploit given any conceivable set of input data' - then it's hard for me to see how combining two such secure pieces of software could ever create a third insecure one.

I'd settle for such a narrow definition of security, since from the days of C and Unix we've just become resigned to undetectable buffer overflows living in all our software - and that's something I think does approach criminal levels of negligence, since it's entirely preventable. (And if pointer exploits are provably not preventable with current languages, then it approaches criminal negligence to release such languages for use on Internet-attached systems.)

tl;dr: Software is logic, it should be possible to prove that it does exactly what it was built to do. If not, it's irresponsible for us to build business and government processes on software.

Re:Why not a security rating, so buyer can choose? (0)

Anonymous Coward | more than 3 years ago | (#34990324)

For example, a home user's machine is infected and is now part of a botnet? Charge a fine. He'll quickly clean up his machine, switch/secure his OS, or find an ISP that will detect such a thing and automatically cut his internet connection until he cleans his machine up. Or a business leaks customer information. Fine it. That will encourage it to do what's necessary to secure the data. This way the need for security moves up the chain, from user to supplier, with whatever things are necessary to give it. Leave taxation out of it.

I agree about taxation being a bad solution, particularly because this industry has traditionally tried to create innovation on a smaller amount of capital compared to most other industries. The taxation will damage small innovative players, unless the innovations are build using tried and tested components and their combinations and environments, slowing the speed of innovation. Of course, taxation is better solution than The Way of The Infinite Liability.

In order to have reasonable consequences for the home user in the example, the markets would have to work really well and possibly even have regulation enforced competition in the ISP sector. Also, how many people can actually secure their OS installations unless it is secure by default? Suddenly, many Linux distributions would have to copyleft their new motto from the OpenBSD project. Just think of the consequences for the typical Windows customer. They better hope the wizards with their wizard hats will help them.

The fine could be an administrative payment, in the German style, and not a criminal fine. The case of business leaking, or potentially leaking customer information is already well regulated in many states in the US as I understand.

Re:Why not a security rating, so buyer can choose? (0)

Anonymous Coward | more than 3 years ago | (#34990544)

...or even configuring a single piece so that it's insecure.

If some software allows you to configure it so that it's insecure, without warning you that you're doing so, then it's not secure.

It never is a bug (1)

freakingme (1244996) | more than 3 years ago | (#34989250)

It's not a bug... It's a feature!

Rice is an institutional thinker (market handicap) (0)

Anonymous Coward | more than 3 years ago | (#34989380)

Actually security is his job now. Not the markets, at the consumers "add-on and pass through" expense. If you put your name on it, you are responsible. The security aspect is only part of the product. Be the best option,period. On your own. The market will adjust on its own; without arbitrary, contrived, subjective solutions. This is the problem when institutional thinking enters the FREE marketplace. Everyone suffers... @donster1

Panic!! (1)

Anonymous Coward | more than 3 years ago | (#34989412)

Remember, people who worked for the government should be barred from working anywhere else for LIFE!

how can anyone know he quit the NSA?` (2, Insightful)

SethJohnson (112166) | more than 3 years ago | (#34989436)

Do these guys actually leave the NSA? Why aren't there quotation marks around the 'EX' part of his title? Sounds to me like a good way for no-such-agency to get a mole in a powerful position to install backdoors in a popular line of consumer communication devices. At a minimum, they could get a direct hotline listing of every vulnerability as soon as Apple is alerted to them, but before patches are released.

Seth

Re:how can anyone know he quit the NSA?` (1)

russotto (537200) | more than 3 years ago | (#34989636)

Do these guys actually leave the NSA? Why aren't there quotation marks around the 'EX' part of his title? Sounds to me like a good way for no-such-agency to get a mole in a powerful position to install backdoors in a popular line of consumer communication devices. At a minimum, they could get a direct hotline listing of every vulnerability as soon as Apple is alerted to them, but before patches are released.

If NSA wanted to get a mole in place, his official background would not include the NSA.

Re:how can anyone know he quit the NSA?` (0)

Anonymous Coward | more than 3 years ago | (#34989888)

May be official background included NSA just to throw off the exact thinking, that if he was a mole, his background
wouldnt include NSA. So by including NSA background, they are trying to give impression that he is
not associated with NSA anymore ?

Re:how can anyone know he quit the NSA?` (0)

Anonymous Coward | more than 3 years ago | (#34989786)

People leave the NSA all the time. It's a government agency that has employees, just like the DMV or Post Office.

Re:how can anyone know he quit the NSA?` (1)

lennier (44736) | more than 3 years ago | (#34990456)

People leave the NSA all the time. It's a government agency that has employees, just like the DMV or Post Office.

"Buddy, there are two ways outta this place. You can leave in a stamped self-addressed air-freight parcel... or in a box."

Re:how can anyone know he quit the NSA?` (4, Informative)

Anonymous Coward | more than 3 years ago | (#34989896)

Yes...we do. No, I'm not talking smack. Used to work there (network warfare shop). When you're done, you leave. You carry with you your "Lifetime Obligations" and some hella good memories, but there are no strings attached save for a couple (they can interview/poly you at any time, they have to review your resume any time you modify it, etc.). You watch too many movies.

Re:how can anyone know he quit the NSA?` (4, Informative)

DCFusor (1763438) | more than 3 years ago | (#34990146)

I left too, and the above AC is telling it straight. No big deal. Hard to get permission to visit some adversary countries for a few years if you knew a lot of secrets, otherwise, they pretty much ignore you after that. They once called me a few years after I'd left to help them with something in my specialty, that was it.

The trouble with conspiracy theories around government agencies is that, well, they are government agencies. Not all that good at what they do, with some small exceptions, and mostly terrible about keeping things secret after they do them. Some secrets last years, but most of them are too boring to actually talk about, and are mostly "policy" which means, some incompetent fool classified something to cover his lousy (or unethical) job performance. We're not working with supermen or angels anymore than any other part of society there.

There's already a tax on buggy software, it's just paid by the wrong side of the equation, the user. Bruce Schneier has a ton of stuff on the issue, and as long as the makers aren't paying the price, it'll never happen. http://www.schneier.com/ [schneier.com]

The thing is, at the point of perfect security, no system is usable -- there is always a trade-off of some kind. This sounds so hard to adjudicate, I kind of doubt it will ever happen -- and at least one software outfit that has the most issues also has enough lobbyists to keep things the way they want them -- the billions of lost dollars yearly due to their bugs will still be with the users, not them.

As long as people can pass off the costs of insecurity, there will be little to no progress in the field. Anyone remember the British banks claiming in court they were liable for hacked chips and pins because they were "perfect" so the customer must have made a mistake? As long as that sort of crap flies, why should they invest in security? Good security is hard.

Re:how can anyone know he quit the NSA?` (1)

lennier (44736) | more than 3 years ago | (#34990510)

We're not working with supermen or angels anymore than any other part of society there

But... but... you guys are the NSA! You have a crashed alien spaceship on every desk, a 100 terabit cranial jack just for the office World of Starcraft guild, and spend every waking moment clustered around huge 3D wall screens hacking all the Gibsons on the Interplanetary Interweb, simultaneously!

Don't you? Hollywood, surely you haven't put me wrong!

Re:how can anyone know he quit the NSA?` (1)

Pastis (145655) | more than 3 years ago | (#34991010)

> There's already a tax on buggy software, it's
> just paid by the wrong side of the equation, the
> user.

I don't think software is paid by the wrong side of the equation.

Software being insecure is most often insecure when used in ways not intended by their creators.
Security is most often a property of the software, often ranked well below real functionality.

e.g. You don t buy Outlook because it protects you from viruses, you buy it to read your mail.

<bad_analogy>
You don t put windows on your house because you want people to stay out of it. You put them because you want light in, view outside, etc. Ideally with little heatloss. And best if people can t in easily. Now if someone finds out that a mixture of 24.6% pee and olive oil 75.4% at 35degrees placed on the windows joints makes it easy to open the window from the outside, is it really the problem of the window builder ? As a buyer, would you hold out if you knew that an unknown liquid mixture might reduce the security of the window ? Probably not. You may add shutters and an alarm system. And a safe.
</bad_analogy>

When you have an entire industry relying on a piece of software and then complaining it doesn t have the properties they really want, I say blame them. Big industries have the mean to reduce their risks. Individuals that rely a lot on IT should think twice of how they manage their data.

My take, people who buy software should invest more in checking whether it is secure or not.

And if you really want to introduce 3rd parties, instead of taxes, use a (optional) insurance system. It will probably adapt better to risks than a tax. And people are used to that.

Re:how can anyone know he quit the NSA?` (1)

mozumder (178398) | more than 3 years ago | (#34990314)

Definitely hella good memories..

Re:how can anyone know he quit the NSA?` (1)

MoeDumb (1108389) | more than 3 years ago | (#34991326)

NSA relies on polygraphs?

Re:how can anyone know he quit the NSA?` (0)

Anonymous Coward | more than 3 years ago | (#34990384)

If NSA doesn't already have moles in every technology company on the planet, the American taxpayer isn't getting their money's worth.

Remember that they have a dual mandate: Not merely to pwn everyone else's b0xen, but to protect our b0xen from pwnage by our adversaries.

I imagine it's like sysadminning. We all admire the guy who types a few cryptic commands and *poof*, the botnet that's DDOSing us magically disappears in a halon-extinguished fire in a Chinese datacenter. But the guys who really get shit done are the guys who phoned up Cisco and said "Hey, can you get this patch in so that the ISPs have enough time to patch their core routers so that malformed packets from $WHEREVER can be properly dropped before anyone else sees them? Otherwise your support queue is gonna get clogged with ISPs whose support queues are themselves clogged with customers who got really pissed when the DDOS starts tomorrow and their ISP's core routers weren't protecting their cheapie home-office-grade crap. Patch yo' stuff, dudes."

Re:how can anyone know he quit the NSA?` (1)

ExileOnHoth (53325) | more than 3 years ago | (#34991442)

Sounds to me like a good way for no-such-agency to get a mole in a powerful position to install backdoors in a popular line of consumer communication devices.

I don't think this exec. is going to be allowed to check in code to the main repository without anyone reviewing it.

So if your theory is correct, that the NSA wants back doors in iphones, they will need Apple mgmt to go along.

And if Apple mgmt goes along with that (who knows), then what would the NSA need this mole for?

What I'm saying is, your theory doesn't really pass Occam's razor.

Makes No Sense: Programs are Unpredictable (0)

Anonymous Coward | more than 3 years ago | (#34989738)

"If builders built buildings the way programmers write programs, then the first woodpecker that came along would destroy civilization."
- Gerald M. Weinberg - Weinberg's Second Law

Sulphur dioxide emissions are a well-behaved function of the physical process input: you get a continuous function as output. Programs aren't like that: a simple transcription error can open the floodgates. On the other hand, massive program corruption may merely render a program unable to run.

Enforcing such a system would mean that, at any time, any software vendor could inadvertently release a bug that drove them out of business overnight. Too unpredictable for the stock market or indeed, any investor whatsoever. And who would work for a firm in such an environment? So with no capital and no labor, how would an IT industry exist?

David Rice?? (1)

CODiNE (27417) | more than 3 years ago | (#34989890)

Holy Crap!
RICE BOWL??

How do you quantify the number of bugs? (1)

feranick (858651) | more than 3 years ago | (#34989912)

For open source software that is easy, since bugs reports and their gravity is usually available. For proprietary software, that is definitively not the case. I guess the certification should rely on independent reports (Secunia?). Furthermore, should not just the number of bugs, but the promptness in fixing them be considered? Finally, should design choice being considered too? For example, buggy third party software that also affects your main system should be penalised against systems where a more integrated software distribution system and more secure design choices (UNIX).

As usual, the idea is nice, its efficiency depends on its implementation

Price Inversely Proportional to Bugs (0)

Anonymous Coward | more than 3 years ago | (#34990086)

Here is an Idea.

Take a piece of software, and let the company charge a price.

For every critical bug found, the company must refund a portion of the purchase price of the software, or compensate the users for data loss, install time, config time, etc.

So in this case: Windows ME would PAY you to run it.

Windows XP would compensate you for a data breach.

Linux, would do nothing, since it's already free.

pollution's solutions = fixed software? (1)

mschaffer (97223) | more than 3 years ago | (#34990190)

I really love it when people recycle solutions for completely different problems.

Very bad for OpenSource (2)

merick (1878106) | more than 3 years ago | (#34990614)

This appears to be very bad for OpenSource. Unless the tax is in % of cost, which I highly doubt, then it will make distributing free software cost prohibitive.

If I choose to produce a free library that ends up being widely used and is later found to having a security bug, I could be forced to pay thousands or tens of thousands of dollars. Why would I want to create that risk for myself? It could have a strong chilling effect with sharing.

The US Federal Government has no authority to levy that kind of tax. Any effort to enforce this should be fought.

Re:Very bad for OpenSource (1)

Bob Cat - NYMPHS (313647) | more than 3 years ago | (#34991278)

>The US Federal Government has no authority to levy that kind of tax.

100 years of SCOTUS rulings on the Interstate Commerce Clause say they do.

>Any effort to enforce this should be fought.

Which is what Tea Party / conservatives are doing w/r/t mandatory health insurance, which Congress claimed falls under the ICC.

This NSApple guy is in favor of something that will destroy Free Software. Apple is just behind ExxonMobil in market cap at $300 billion.

Who will win, FSF or AAPL?

fago8z (-1)

Anonymous Coward | more than 3 years ago | (#34990628)

Share. FrreBSD is Sanctions, and The reaper BSD's However I don't

Has the Apple hype gone far enough (0)

Anonymous Coward | more than 3 years ago | (#34990834)

Now we're getting posts on the resume of their security executive? Why do I care?

The "Apple Tax" is now quantifiable? (1)

VortexCortex (1117377) | more than 3 years ago | (#34990916)

Rice talks of a 'tax on software based on the number and severity of its security bugs.

The tax shall be called "The Apple Tax". Now we know why they're so damn expensive... they have to pay a tax based on the number and severity of security bugs...

It seems like just yesterday the Safari browser was carpet bombing hundreds of malicious files to my desktop without my permission [zdnet.com] .

Make a typo or logical error? There's a tax for that.(TM)

How about we reform EULA law such that if you pay for software, and it is full of bugs that get exploited, you can sue those responsible? Why not take the actual damages straight to the buggy software writers? Surely this would be even better a motivation than a "bug tax"; Additionally, this makes quantifying the penalty amount much easier. Developers pay according to how much damage the bugs have actually caused! </sarcasm>

I agree that bugs are bad, but this tax idea just stupid. Everyone makes mistakes, security is a moving target, computers and their applications are getting more complex faster than the economy is willing to pay for secure code.

To all that believe this sort of tax is a Good Idea(tm) I have only one word for you: BETA

There's an old saying in business... (1)

NicknamesAreStupid (1040118) | more than 3 years ago | (#34990980)

...if you can't beat'em, then buy'em. Perhaps, his bug tax seemed like enough of a threat to warrant action.

A surfeit of penises (0)

boundary (1226600) | more than 3 years ago | (#34991500)

He sounds like a reactionary fucktard. Like Apple doesn't have enough of those already?
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?