
Will Security Task Force Affect OSS Acceptance?

simoniker posted more than 10 years ago | from the your-name's-not-down dept.

Security 224

An anonymous reader writes "An interesting article published by SD Times: "Application Security Goes National" discusses some of the talking points generated by a federal task force that will make recommendations to the Department of Homeland Security. One of these talking points is to license software developers and make them accountable for security breaches. Licensed developers would get paid more as well. The article also mentions that "Executives" might not wish to work with smaller undisciplined partners and a little further down that "Hobbyists create Web services [and] professionals create them" and that "companies relying on critical infrastructure Web services need confidence". Would OSS have to be written entirely by licensed developers to be considered secure? Yahoo Finance has another article on the subject." The SD Times article is current, despite the incorrect date on it.

Don't forget... (-1)

SCO$699FeeTroll (695565) | more than 10 years ago | (#7849996)

...to pay your $t99 licensing fee you cock-smoking teabaggers.

** HAPPY NEW YEAR, SCUMBAGS! ** (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7850020)

It's 2004 in Germany now and I'm posting on Slashdot because I don't have any friends who could invite me to a party. And even if I had some, they probably wouldn't. And to make the day perfect, my TFT-display's PSU decided to break today and I have to run the fucking thing on a laboratory power supply whose fan is so loud that it ruins all the fun.

Anyway, I'm going to get a life next year. Really.

Re:** HAPPY NEW YEAR, SCUMBAGS! ** (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7850043)

You do have some friends waiting to chat with you.

I suggest you join my "Official New Years 2004 Slashdot Party Thread!" thread discussion, just a few posts down.

Unfortunately since this is a chat room, you have to bring your own beer. See you there!!

Re:** HAPPY NEW YEAR, SCUMBAGS! ** (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7850069)

_ MM MM MMNMMMM MMMMMMMMM MMMMMMMMMMMMMMMM MMMMMM MMMNM MM M Happy New Year Teabaggers.
_ M_M_r'_.',._.',.',._.__________________.',._.',.', ___r_@MM Happy New Year Teabaggers.
_MM_W_M'_.',._.',.'-|SCO REMINDERS FOREVER!|-,_'_._`__7M_X_M Happy New Year Teabaggers.
_M,___M'_.',._.',.', _'------------------'_,_'_.',____M__B_0 Happy New Year Teabaggers.
_M_W__M'_.',._.',.',._.',.',._.', ',._.',._,_'_.',___WM__0_MX Happy New Year Teabaggers.
_M2_S_M_;_,_Xi'_.',. .',.',._.',.',._.', ',._.',.',___M7__ii@ Happy New Year Teabaggers.
_MS_@MM_X0'_.',._.',.',____S_____;i'_.',._.',.',__ ____MM__M_M Happy New Year Teabaggers.
_MWMMM'_._`__a0BMMMZ.',._`__XB_rS___.MMMMMMMMMB'_. ',___M__M_M Happy New Year Teabaggers.
_MM_MM____MMMMMMMMMMMMMMMMr'_._`_:MMMMMMMMMMMMMMMM MW___MM_MiS Happy New Year Teabaggers.
_ MMM2__MMMM.____.MMMMMMMMMM __ XMMMMMMMMMMMMMMMMMMMM._BM:MX Happy New Year Teabaggers.
_ MMM__MMMMM|._. |MMMMMMMMMMM _ MMMMMMMMMMMMMMMMMMMMMM__MMMM Happy New Year Teabaggers.
_MMZ__BMMMMM||o| |MMMMMMMMMMM _ MMMMMMMMMMMMMMMMMMMMMB____MM Happy New Year Teabaggers.
_M____MMMMMM'----'MMMMMMMMMMM _ MMMMMMMMMMMMMMMMMMMMMW_WM__M Happy New Year Teabaggers.
WM__i_MMMMMMMMMMMMMMMMMMMMMMM _M MMMMMMMMMMM.____.MMM,_____M0 Happy New Year Teabaggers.
MX__r_MMMMMMMMMMMMMMMMMMMMMM'_._` MMMMMMMMMM|._. |MMM'_._`_MM Happy New Year Teabaggers.
MZ____7MMMMMMMMMMMMMMMMMMMM __._Z_ MMMMMMMMM||o| |MMM__X___ZM Happy New Year Teabaggers.
MM__Z__MMMMMMMMMMMMMMMMMM; __MM_MM_ WMMMMMMM'----'MM__a____M0 Happy New Year Teabaggers.
_M__,r___XMMMMMMMMMMMMM ___:MMM_MMM:_ MMMMMMMMM MM____7____M Happy New Year Teabaggers.
_MM'_.',____,M0'_.',_____,,MMMB_MMMM_,____ZMMM:___ raW_____MM Happy New Year Teabaggers.
_ M_____ii_X___7__S_,2____SMMMM_MMMM'_.',______2:r'_ .',___M Happy New Year Teabaggers.
_ MM'_.',._.',._,_'_._`_8:MMMMM_MMMMM_;__;ii.',._,_' _._`_MM Happy New Year Teabaggers.
__ MM'_.',._.',.',______;WMMMMM_MMMMM_M'_.',._.',.',_ __.MM Happy New Year Teabaggers.
____ MMM'_.',._.',.',_____MMMMM_MMMMM'_.',._.',.',___XM MM Happy New Year Teabaggers.
____ 0MMMMr'_._,_'_.',____BMMM@_ZMMM;'_._,_'_._`__aMMMM M Happy New Year Teabaggers.
'_._` MMMMMM_M_,__;'_._,_'_._`_i'_._,_'_._`_i____MMMMaMa Happy New Year Teabaggers.
'_._` M__BMMMM_2_ZM__@r___Z'_.',___,,__._'___M__;M@___M Happy New Year Teabaggers.
'_._` MM___M2MMM8M___Z___XM___X,____M._r_____MMMM@____M Happy New Year Teabaggers.
'_._` MM___M___ZMMMMMMMMMMMiMMM_____WMSMMMMMMM_ZM____MM Happy New Year Teabaggers.
'_._`_ MW__MM__W__X___M___iMaXMMMMMMBM_S__7__:_MM____MX Happy New Year Teabaggers.
'_._`_ MM__XMM2MM_M___M___,r__M' ._`_r__B_aMBM_M2___iM Happy New Year Teabaggers.
'_.',__ M2__M__@__MMMMMMMMMr _M__M._MM_ZMZMM_;MM____MM Happy New Year Teabaggers.
'_.',___ M___MMM0_Z___M_ _MMB7MM2MM_M__S_____MW_____M Happy New Year Teabaggers.
'_.',___ M_____SMMMMWSM_ __i__M___a_M___M:MMB_S____MM Happy New Year Teabaggers.
'_.',___ MM'_.',___2XMMMWMMMM0MMMMMMMMMMMM__r_____2M Happy New Year Teabaggers.
'_.',____ MM_:'_.',______;_____8'_.',._.',.',____MM Happy New Year Teabaggers.
'_.',_____ XMMM'_._`_.aM'_._`__, ____;;:'_._`__MMM Happy New Year Teabaggers.
'_._,_'_.',__ WMM'_._,_' ._`_B__M__ _a.',._`_MMMr Happy New Year Teabaggers.
'_.',._.',.',__ MMM_:__,____M.__XS2,_____ZMMMX Happy New Year Teabaggers.
'_.',._.',.',___ rMMMZMM___;____B_____rMMMM Happy New Year Teabaggers.
'_.',._.',._,_'_._` irXS2MMMMMMB8ZMMMMX: Happy New Year Teabaggers.

FIRST POST OF THE gmt NEW YEAR FUCKERS!!1 (-1, Offtopic)

(TK10)Dessimat0r (672413) | more than 10 years ago | (#7849997)

_ MM MM MMNMMMM MMMMMMMMM MMMMMMMMMMMMMMMM MMMMMM MMMNM MM M Fuck your mother
_ M_M_r'_.',._.',.',._.__________________.',._.',.', ___r_@MM Fuck your mother
_MM_W_M'_.',._.',.'---|Trollkore Forever!|---,_'_._`__7M_X_M Fuck your mother
_M,___M'_.',._.',.', _'------------------'_,_'_.',____M__B_0 Fuck your mother
_M_W__M'_.',._.',.',._.',.',._.', ',._.',._,_'_.',___WM__0_MX Fuck your mother
_M2_S_M_;_,_Xi'_.',. .',.',._.',.',._.', ',._.',.',___M7__ii@ Fuck your mother
_MS_@MM_X0'_.',._.',.',____S_____;i'_.',._.',.',__ ____MM__M_M Fuck your mother
_MWMMM'_._`__a0BMMMZ.',._`__XB_rS___.MMMMMMMMMB'_. ',___M__M_M Fuck your mother
_MM_MM____MMMMMMMMMMMMMMMMr'_._`_:MMMMMMMMMMMMMMMM MW___MM_MiS Fuck your mother
_ MMM2__MMMM.____.MMMMMMMMMM __ XMMMMMMMMMMMMMMMMMMMM._BM:MX Fuck your mother
_ MMM__MMMMM|._. |MMMMMMMMMMM _ MMMMMMMMMMMMMMMMMMMMMM__MMMM Fuck your mother
_MMZ__BMMMMM||o| |MMMMMMMMMMM _ MMMMMMMMMMMMMMMMMMMMMB____MM Fuck your mother
_M____MMMMMM'----'MMMMMMMMMMM _ MMMMMMMMMMMMMMMMMMMMMW_WM__M Fuck your mother
WM__i_MMMMMMMMMMMMMMMMMMMMMMM _M MMMMMMMMMMM.____.MMM,_____M0 Fuck your mother
MX__r_MMMMMMMMMMMMMMMMMMMMMM'_._` MMMMMMMMMM|._. |MMM'_._`_MM Fuck your mother
MZ____7MMMMMMMMMMMMMMMMMMMM __._Z_ MMMMMMMMM||o| |MMM__X___ZM Fuck your mother
MM__Z__MMMMMMMMMMMMMMMMMM; __MM_MM_ WMMMMMMM'----'MM__a____M0 Fuck your mother
_M__,r___XMMMMMMMMMMMMM ___:MMM_MMM:_ MMMMMMMMM MM____7____M Fuck your mother
_MM'_.',____,M0'_.',_____,,MMMB_MMMM_,____ZMMM:___ raW_____MM Fuck your mother
_ M_____ii_X___7__S_,2____SMMMM_MMMM'_.',______2:r'_ .',___M Fuck your mother
_ MM'_.',._.',._,_'_._`_8:MMMMM_MMMMM_;__;ii.',._,_' _._`_MM Fuck your mother
__ MM'_.',._.',.',______;WMMMMM_MMMMM_M'_.',._.',.',_ __.MM Fuck your mother
____ MMM'_.',._.',.',_____MMMMM_MMMMM'_.',._.',.',___XM MM Fuck your mother
____ 0MMMMr'_._,_'_.',____BMMM@_ZMMM;'_._,_'_._`__aMMMM M Fuck your mother
'_._` MMMMMM_M_,__;'_._,_'_._`_i'_._,_'_._`_i____MMMMaMa Fuck your mother
'_._` M__BMMMM_2_ZM__@r___Z'_.',___,,__._'___M__;M@___M Fuck your mother
'_._` MM___M2MMM8M___Z___XM___X,____M._r_____MMMM@____M Fuck your mother
'_._` MM___M___ZMMMMMMMMMMMiMMM_____WMSMMMMMMM_ZM____MM Fuck your mother
'_._`_ MW__MM__W__X___M___iMaXMMMMMMBM_S__7__:_MM____MX Fuck your mother
'_._`_ MM__XMM2MM_M___M___,r__M' ._`_r__B_aMBM_M2___iM Fuck your mother
'_.',__ M2__M__@__MMMMMMMMMr _M__M._MM_ZMZMM_;MM____MM Fuck your mother
'_.',___ M___MMM0_Z___M_ _MMB7MM2MM_M__S_____MW_____M Fuck your mother
'_.',___ M_____SMMMMWSM_ __i__M___a_M___M:MMB_S____MM Fuck your mother
'_.',___ MM'_.',___2XMMMWMMMM0MMMMMMMMMMMM__r_____2M Fuck your mother
'_.',____ MM_:'_.',______;_____8'_.',._.',.',____MM Fuck your mother
'_.',_____ XMMM'_._`_.aM'_._`__, ____;;:'_._`__MMM Fuck your mother
'_._,_'_.',__ WMM'_._,_' ._`_B__M__ _a.',._`_MMMr Fuck your mother
'_.',._.',.',__ MMM_:__,____M.__XS2,_____ZMMMX Fuck your mother
'_.',._.',.',___ rMMMZMM___;____B_____rMMMM Fuck your mother
'_.',._.',._,_'_._` irXS2MMMMMMB8ZMMMMX: Fuck your mother

TROLLKORE HEAD, I'M IN YOUR BED
I'M FIZZY FIZZY WIZZY, I'M OFF MY HEAD

miserable failure (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7850035)

You are such a fucking failure. I bet your mom hates you.

You can't do anything right. You failed at everything you ever tried in life.

And now this.

fp (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7849999)

gnaa pawns u

So this is the new year (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7850000)

yes.

Re:So this is the new year (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7850021)

What a waste of a landmark post number.

Official New Years 2004 Slashdot Party Thread! (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7850004)

Official New Years 2004 Slashdot Party Thread!

Here we go folks!! It's New Year's Eve again, and time for a Slashdot Online Party!!

Post your party chatter here and let's count down the final minutes of 2003 together!!

Come on, let's really get this chat group rolling!!

Re:Official New Years 2004 Slashdot Party Thread! (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7850051)

Stupid American... again, you're behind Europe. We already have a new year. Will probably take forever until they introduce it in the US tho...

Re:Official New Years 2004 Slashdot Party Thread! (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7850083)

Yes, but our new year will be better, faster, stronger, cause we are the BESTEST!!!!

Re:Official New Years 2004 Slashdot Party Thread! (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7850058)

It's already 1:50 AM, 2004-01-01, you insensitive clod!

Re:Official New Years 2004 Slashdot Party Thread! (0)

Anonymous Coward | more than 10 years ago | (#7850249)

Hello from New Zealand... Uggghhhhh I have a nasty hangover... slept till noon... this sucks. What, it's still 2003 in America? You guys need to catch up to the rest of the world; getting rid of that dipshit Bush would be a good start.

yoshise.cx (-1)

Wigfield (730339) | more than 10 years ago | (#7850007)

Check out the amazing Yoshi girl [bayou.com] and her playful tentacle friend! Rides starting soon at $29.99 (Saddle not included; children ride for half-price).

Yoshi-girl is genetically engineered to be in constant sexual heat and is guaranteed to pounce on even the smelliest nerd with little coaxing! Spending a few hours with Yoshi-girl is sure to be the most gratifying experience you've had in years. Don't believe us? Just look at these testimonials from previous customers:

Hunched over in that uncomfortable chair writing Linux kernel code all day was really tense. Human girls wouldn't come near me, but Yoshi-girl treated me like I was the last man on Earth. Two thumbs up!
-- Linus Torvalds

Sure she's not human, but it sure beats all the sleazy Mexican whores I've been with, and believe me, I've been with more than you can count. You go Yoshi!
-- Miguel De Icaza

You gotta love the 2-foot-long tongue.
-- Richard Stallman

Official webpage with registration info and pricing coming soon, be patient /.'ers. In the meantime try these other quality sites for all your horny geek fanboy needs:

Lara Croft Land [goatse.cx]
Natalie Portman covered with hot grits [tubgirl.com]
RMS gone wild! [stallman.org]
CowboyNeal: behind the blubber [cowboyneal.org]
Taco's new .com venture [orbitz.com]

# Important Smurfs: Please try to keep posts on Smurfette.
# Try to spooge on other people's comments instead of starting new threads (of semen.)
# Read George Bush's subliminablble messages before posting your own to avoid simply duplicating what has already been said. (Like George W and his Dad)
# Use a clear lubricant that describes what your message is about.
# Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be NAZI-Fied. (You can read everything, even moderated posts, by adjusting your threshold on the Loser Rights Page)
# If you want replies to your trolls sent to you, consider logging in or creating a trolling account.

Problems regarding accounts or comment posting should be sent to Hitler [tiscali.dk]

Only as secure as platform... (5, Insightful)

mikeyrb (686396) | more than 10 years ago | (#7850024)

But programs are only as secure as the platform they run on, and of course the same as the people who use them. If people don't run their system properly, I'd say that's worse. Not to mention that people would use trusted vendors anyway, so I don't see what this adds.

Re:Only as secure as platform... (0)

Anonymous Coward | more than 10 years ago | (#7850037)

It adds your mom.

Re:Only as secure as platform... (1)

Baddsectorr (709324) | more than 10 years ago | (#7850294)

uh, yeah. maybe they should ask Microsoft why they can't get it after 3 or 4 times? write quality software that is...

Re:Only as secure as platform... (1)

jfdawes (254678) | more than 10 years ago | (#7850354)

Systems are software too. The article talks about having different levels of programmers. If you want to be working on an OS (system), you'll need a certain sort of licence to do so and you will be held accountable for any problems that occur.

Your statement "programs are only as secure as the platform they run on" may or may not be true, but if it is, wouldn't insisting that the systems are built by licensed professionals who are held accountable be preferable?

GMT :-) (-1, Offtopic)

3lb4rt0 (736495) | more than 10 years ago | (#7850025)

1st post of the proper new year!

Re:GMT :-) (-1)

CmdrTaco (troll) (578383) | more than 10 years ago | (#7850030)

Your failure speaks for Europe.

Do they not get it? (5, Insightful)

roninmagus (721889) | more than 10 years ago | (#7850038)

Do they really believe that licensing software developers will lead to more secure software?

I'm not following their train of thought. Software development is an industry which constantly has to defend itself from **NEW** hack attacks. The best we can do is protect ourselves from known attacks, and try our best to foresee future ones.

It puts yet another industry under undo government control, and yet against shifts the focus away from the people actually doing harm--the hackers.

Re:Do they not get it? (5, Insightful)

vegetablespork (575101) | more than 10 years ago | (#7850046)

On the plus side, since we're licensing for "homeland security" reasons, there's no reason non-citizens should be writing any software used in the U.S.' critical infrastructure. Right?

Re:Do they not get it? (0)

Anonymous Coward | more than 10 years ago | (#7850093)

You got it, you cheese-eating surrender monkey commie bastard. Go USA!

Re:Do they not get it? (4, Funny)

vegetablespork (575101) | more than 10 years ago | (#7850265)

cheese-eating

Actually, I'm enjoying some Freedom onion dip right now :).

~~~

Re:Do they not get it? (4, Insightful)

aheath (628369) | more than 10 years ago | (#7850079)

Neither article explicitly touched on the issue of software quality assurance. The development of processes and procedures for writing secure software should go hand in hand with the development of processes and procedures for testing secure software. SQA methodology has to expand beyond usability and functional testing to incorporate security testing.

It's my understanding that there are procedures for developing and testing software that is used in medical products and aviation products. Perhaps the rigor that is applied to developing software to control an airplane could be applied to the development and testing of secure software.

Re:Do they not get it? (4, Informative)

the_2nd_coming (444906) | more than 10 years ago | (#7850240)

yeah... it is called Software Engineering.

very few commercial software applications use correct software engineering techniques, which is why so many bugs are in the software. medical equipment and aircraft equipment and car equipment is tested, re-tested and run through all the engineering processes in order to make it bulletproof.

real software engineering is not profitable without making software cost a bloat load more than it does.

Re:Do they not get it? (5, Insightful)

Jerf (17166) | more than 10 years ago | (#7850412)

It's my understanding that there are procedures for developing and testing software that is used in medical products and aviation products. Perhaps the rigor that is applied to developing software to control an airplane could be applied to the development and testing of secure software.

It's a good idea on paper, which is why people like me are well-nigh terrified when this idea comes up.

The problem is one of expectations. Yes, we could apply that rigor to all software. But,
  1. No more garage startups... and all new technology tends to start there. Innovation, true innovation, takes a huge hit under these schemes and we lose huge advantages to any country that doesn't enforce these rules.
  2. Expense. Those methodologies eat manpower for lunch. Are you going to pay for it? For every piece of software you use? Even "ls" or "echo"? No, and neither will anyone else. It only makes sense for certain things, and different levels of rigor make sense for different kinds of programs... even different levels of rigor for different guarantees. Good luck even figuring out which of these is right, let alone getting the government to mandate the correct levels! We are far from a consensus on what is appropriate; we're not even sure where it makes economic sense to use what we know, and we certainly don't know what we don't know.
  3. Freedom of choice. The converse of the above; we should be able to choose how secure our software is, because it's not free. Mandating any security level, and since other people's time is always free, you can be sure the government will mandate a very high level, means that I am forced to buy these high security products. What if I don't care? My game console is free to crash, and even if it's 0wz3r3d, who cares? On the next power cycle, it'll return to normal. (At least modern architectures.)
In the real world, it is, to put it bluntly, a shitty idea.

It's not time for government mandate, it's time for the market to start demanding security. The proven method for balancing cost vs. performance is the invisible hand of the market.

The root cause here is a monopoly, training people not to be concerned about security. The correct solution is a healthy market.

Best of all, we won't find ourselves in 2015 shackled by government mandate to 2005 engineering techniques. It's an act of shocking hubris to think we've got this figured out enough yet to mandate any solution.

Re:Do they not get it? (5, Insightful)

elrond2003 (675701) | more than 10 years ago | (#7850117)

>>>>Do they really believe that licensing software developers will lead to more secure software?

You have missed the point, nobody on the committee cares about improving security. The worse it is the more money they make. Only MS (and perhaps a few other huge contributors) will be able to generate certified software engineers so only MS software will be usable. Thus LINUX will either die from lack of use or die from being commercialized by MS. There will be two beneficiaries, MS by making money and selected congresspeople who will get brib^h^h^h^h campaign contributions. Meanwhile NSA software will be generated in China, rather than by US programmers.
If there were any interest in having secure software the committee recommendation would be to ONLY allow open software.

I'll Nazi Myself (1)

roninmagus (721889) | more than 10 years ago | (#7850143)

I meant "undue government control" and "yet again shifts"

Sad thing is, I previewed!

:)

Re:Do they not get it? (1)

the_2nd_coming (444906) | more than 10 years ago | (#7850211)

no, it will just lead to a more bloated Prison population as people are sent up the river for 20 years because a bug in their code crashed the security system.

Their loss (0)

Anonymous Coward | more than 10 years ago | (#7850041)

Open Source software is either better or it shouldn't be adopted. If it is better, then it is at least partly due to the development model, which is inherently not hierarchical/certifiable. If suits really need someone to offload risks to, there's always your friendly insurance company that wants to earn a living by assessing and managing risks. I can see people contributing code for free but I doubt people are going to put their financial future on the line for free.

Re:Their loss (2, Insightful)

zcat_NZ (267672) | more than 10 years ago | (#7850162)

If suits really need someone to offload risks to, there's always your friendly insurance company that wants to earn a living by assessing and managing risks. I can see people contributing code for free but I doubt people are going to put their financial future on the line for free.

The stupid part is, paid programmers won't either. They'll get insurance against being sued, just like doctors take out malpractice insurance. Then they'll go on writing the same shitty code because the end users continue to demand ease of use and featurism ahead of security.

The better idea is to just take out insurance against being hacked in the first place. Insurance companies already offer this.

Re:Their loss (1)

DroidBiker (715045) | more than 10 years ago | (#7850273)

We're talking about more than just financial losses though. Insurance is great if you're talking about your company's web site being down for a couple of days. That can be covered.

(Hypothetical and hopefully impossible example follows) Imagine an Enemy(tm) exploits a vulnerability in Windows to crash the control systems on an Aegis class destroyer and the ship goes down with all hands. You CAN'T cover that with insurance.

I agree with you that licensing isn't the answer, but what IS?

OSS Acceptance (2, Interesting)

Anonymous Coward | more than 10 years ago | (#7850044)

For commonly used software this provision of jobs increasingly depends on artificial barriers to the acceptance of free alternatives. Now that millions of people are programmers with supercomputers on their desks and an itch to scratch, and now that the cost of software distribution is approximately zero, the unconstrained market value of a line of code for a commonly used application is rapidly converging to zero.

The anti-FOSS lobbying is merely an example of the artificial barriers that prop up the prices and keep all those people employed. (Though I doubt that there are actually that many people earning their living by programming operating systems, Web browsers, and word processors these days. In the future the way to make money as a programmer will be to implement special-purpose applications that only scratch the itch of some company's shareholders.)

Re:OSS Acceptance (1)

kfg (145172) | more than 10 years ago | (#7850257)

Indeed, just as the New Deal introduced mandatory schooling and mandatory retirement ages not, principally, out of any ideas of children's rights or the rights of the elderly, but as a way of reducing unemployment and keeping wages high by artificially reducing the number of people who could be legally employed.

Many trade licenses fulfill the same function, such as that needed to be a plumber or electrician, where licensing is typically handled not by the state but directly through the unions.

This proposal bears the strong stink of such domestic trade protectionism.

KFG

NO (0)

rolling_rox (690973) | more than 10 years ago | (#7850047)

In one word NO. It would not have to be written by a professional. It would simply need to be reviewed by one?

Licensing again huh? (5, Interesting)

DroidBiker (715045) | more than 10 years ago | (#7850048)

I suspect we'll have some sort of meaningful licensing scheme someday. It'll probably take a while tho. There will be a lot of pain and probably more than a few witch hunts before it happens.

One problem (of many) is of course that if you make programmers legally responsible for security failures you also need to give them the authority to say "No! You can't do it that way! I don't care WHAT Marketeering says!"

Texas has had licensing for a few years. Anyone know how it's worked out?

Re:Licensing again huh? (4, Insightful)

Alan Cox (27532) | more than 10 years ago | (#7850349)

There are two reasons to license software developers in the USA. Neither is good. The first is so that you can forbid compilers, debuggers and other "dangerous" tools to the RIAA/MPAA being in the hands of the masses. The second is to stop all the computing jobs leaving the US by having a US certification required but inaccessible to the competition.

I'm all for formal open standards for security. And I am very much for formal accredited qualifications in safety critical systems. I'd love to see an MSc in computer security and similar university qualifications - but it has to be a proper and open thing, not some government office of computer programmer licensing.

As to accountability - there is a simple solution. Do something about the ability of companies to use software licensing as a get around for liability for product in most countries. Make it like other product. If it's sold then it should be suitable for purpose. (Note here sold - paid money for. I see no reason why *paying* for open or closed source ought to be different).

It will also improve computer security no end the day a company gets sued for harming others by being negligent in applying security patches to its systems.

Re:Licensing again huh? (1)

ces (119879) | more than 10 years ago | (#7850368)

One problem (of many) is of course that if you make programmers legally responsible for security failures you also need to give them the authority to say "No! You can't do it that way! I don't care WHAT Marketeering says!"

From my understanding this is exactly what happens today in areas where a PE has to sign off on a design making himself legally liable for any design flaws. The PE doesn't like the design for safety reasons, the PE refuses to sign, the design gets changed. At least in an ideal world that is what happens, as I understand it the reality is somewhat different but it is still often better than what happens in the commercial software development world.

How about driver's licenses? (4, Insightful)

civilengineer (669209) | more than 10 years ago | (#7850064)

The idea was to give licenses to only those who can actually drive safely. But, if they really implement that there will be very few people with licenses and car companies will go bankrupt (no more wars maybe??). So, they give this easy test for the license and every TD&H can drive. Of course we have had over 40,000 fatalities and 2 million crashes every year in the US for the past 20 years.
Similarly, the licensing scheme will again create a dearth of licensed software professionals, leading to high salaries for the licensed initially and then the bubble will burst. Everyone will have a license eventually, and we will be back to square one. So, the solution is to come up with better error prevention and correction methods for existing software professionals (drivers) rather than try to create licensed professionals. So, as of now OSS still rocks and it will be good to see more OSS testing volunteers rather than just OSS developers.

OT: Re:How about driver's licenses? (0, Offtopic)

RetroGeek (206522) | more than 10 years ago | (#7850108)

So, they give this easy test for the license and every TD&H can drive. Of course we have had over 40,000 fatalities and 2 million crashes every year in the US for past 20 years.

And then we get stupid laws like banning cell phones while driving.

If you ban cell phones, then what about police officers, firemen, ambulance drivers, truckers (and other people with CB's) who use two-way radios.

Using a microphone is more distracting than a cell phone, since you need to push a button to talk.

Of course most of the a/n people have extra training and experience (and testing).

BTW, what is a TD&H?

Re:OT: Re:How about driver's licenses? (0)

Anonymous Coward | more than 10 years ago | (#7850126)

TD&H =Tom Dick and Harry

Re:OT: Re:How about driver's licenses? (0, Offtopic)

Kent Recal (714863) | more than 10 years ago | (#7850226)

Erm, sorry to jump on your OT-article but what you say is bs. Banning cellphones from driving is one of the good laws that actually adds to safety. Anything that distracts your attention from the street (remember, you're moving) is to be avoided.

And btw in police cars, firetrucks and ambulances there usually is a 2nd person and NOT the driver responsible for comm. And these vehicles are a whole different story anyways but I'll tell you 'bout that another time...

Re:OT: Re:How about driver's licenses? (2, Insightful)

RetroGeek (206522) | more than 10 years ago | (#7850290)

usually is a 2nd person

Not always, especially in police cars.

that actually adds to safety

Maybe. But why should I be penalized because of other bad drivers? I have driven with a CB for many, many years, and have driven a big rig. No accidents. So now I can't drive responsibly because some idiot who can barely keep it within the lines normally is using a cell phone?

Our civilization is becoming run over with laws that only idiots need. I blame it on the court system and lawsuits. If you are an idiot and use a product wrong, then you should take the blame. For instance toasters do not work in a bathtub, yet if the toaster company does not have that specific warning on the label, they can be held liable. Bah!

Yes, this is a hot button issue with me.

Re:OT: Re:How about driver's licenses? (0)

Anonymous Coward | more than 10 years ago | (#7850372)

you might be interested in overlawyered.com [slashdot.org]

Re:OT: Re:How about driver's licenses? (0)

Anonymous Coward | more than 10 years ago | (#7850384)

that should be overlawyered.com [overlawyered.com] ; I forgot the http://

Re:OT: Re:How about driver's licenses? (1)

Texas Rose on Lava L (712928) | more than 10 years ago | (#7850321)

It might be a good law (there's not a lot of evidence either way), but almost all of these laws ban using a hand held cell phone while allowing hands-free cell phones. Some studies have been done that show that hands-free cell phones are just as distracting as hand held phones. In other words, it's talking to another person that's the distraction, not holding the phone. To me, this means that none of these laws has really been thought through very well, and we should wait until we know what we're doing before we go around passing a bunch of laws that may or may not actually do anyone any good.

Sometimes poorly thought out laws can accomplish the opposite of what they were supposed to accomplish. A while ago, someone proposed banning infants from sitting on a parent's lap on airplanes (and making the parent buy a separate ticket). Problem is, this would have caused a lot of parents to drive instead of fly (plane tickets aren't cheap), and driving is far more dangerous than flying regardless of where the baby sits on the plane. I don't think this one ever passed.

Re:OT: Re:How about driver's licenses? (0, Offtopic)

boobsea (728173) | more than 10 years ago | (#7850398)

What about just banning unsafe driving?

The cell-phone ban is just a "feel-good" law designed to make people think that the government is doing something when all it is doing is just furthering its encroachments onto our own liberties.

What about banning eating while driving? Putting on makeup? Talking to the person next to/behind you?

You only think of the people who cannot drive responsibly with a cell phone but I've seen just as many if not more people who can use phones and drive properly.

Re:How about driver's licenses? (1)

thinkliberty (593776) | more than 10 years ago | (#7850332)

Yes that is it!!! Cars cause war. You sir are a dumb ass!

Talking about development (3, Funny)

spearway (169040) | more than 10 years ago | (#7850068)

Maybe the SD Times should hire a "licensed developer" to fix the date. They appear to be one year late: "January 1, 2003".

Why is some software more secure than others? (2, Troll)

the man with the pla (710711) | more than 10 years ago | (#7850073)

I got annoyed at the slashdot comments last time there was a security hole in OpenSSH and wrote this page [irccrew.org] (copy pasted below). I count OpenSSL as insecure software - we need a secure replacement. GNUTLS [gnutls.org] looks somewhat better, but I don't trust it too much either.

Why is some software more secure than others?

How do you measure software security?

Here's my definition on what is secure software.

Intro

I get really tired of seeing these kinds of comments every time some widely used software has security holes:

  • No software is secure. The difference is how quickly they fix it.
  • It's good that they were found. Now we have less security holes.
  • Popular software gets more security audits which is why they seem to have more security holes.

While they may be partially true, I think they're also very misleading and disparage the hard work that some secure software authors have done.

Simplicity Is Security

The difference between secure and insecure software is really the coding techniques being used by its authors. Authors of secure software do everything they can to prevent accidental mistakes from ever happening. Authors of insecure software just fix the accidental mistakes. There are very few secure software authors.

Auditing insecure software doesn't make it secure. Sendmail is a good example of this. It's been audited countless times by competent people. The simplest mistakes were caught easily a long time ago, but a few very difficult to find vulnerabilities were found only recently.

How do secure software authors then avoid the kind of security holes that are difficult to find? By keeping the code simple. The code doesn't get secure by polluting it with tons of security checks. It gets secure by keeping the security checks in as few places as possible.

Auditing secure software is easy. You can just quickly browse through most of the sources without having to stop and look at it carefully. Everything just looks clean, simple and correct. vsftpd is a good example of this.

Sure, it's still possible that secure software has some security holes occasionally. It just happens a lot less often (if ever) and usually the problems are less critical. For example none of the security holes in Postfix have led to arbitrary code execution or being able to read other people's mails. Denial of Service attacks are nothing compared to them.

(some examples in the web page not included)

--
Brought to you by the DB tool [anti-slash.org]
7098931
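The "keep the security checks in as few places as possible" argument above, as an added example that is not part of the post or of the page it copies: a file-serving path check done the scattered way (string patterns at each call site) beside a single canonicalisation chokepoint. Directory layout, file names and the symlink are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def scattered_is_safe(user_path: str) -> bool:
    """Ad-hoc string checks of the kind sprinkled through 'insecure' code.

    Each test guards against one pattern the author happened to think of;
    nothing here reasons about where the path actually lands on disk.
    """
    if user_path.startswith("/"):
        return False
    if ".." in user_path.split("/"):
        return False
    return True


def resolve_under_root(root: Path, user_path: str) -> Optional[Path]:
    """Single chokepoint: canonicalise, then check containment exactly once.

    Every file access is routed through this function, so it is the one
    place an auditor has to read.  '..' and symlinks are handled by OS path
    resolution instead of by pattern matching.
    """
    root = root.resolve()
    candidate = (root / user_path).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    return candidate


def demo() -> dict:
    """Constructed tree: srv/public/readme.txt plus a symlink inside the served
    root that points at a file outside it.  Returns each approach's verdict."""
    base = Path(tempfile.mkdtemp())
    root = base / "srv"
    (root / "public").mkdir(parents=True)
    (root / "public" / "readme.txt").write_text("hello\n")
    secret = base / "secret.txt"
    secret.write_text("not for clients\n")
    # Hypothetical escape: a symlink under the root that targets the outside file.
    os.symlink(secret, root / "public" / "escape")

    requests = ["public/readme.txt", "public/../../secret.txt", "public/escape"]
    return {
        req: {
            "scattered": scattered_is_safe(req),
            "chokepoint": resolve_under_root(root, req) is not None,
        }
        for req in requests
    }


if __name__ == "__main__":
    for req, verdict in demo().items():
        print(f"{req:28} scattered={verdict['scattered']!s:5} chokepoint={verdict['chokepoint']}")
```

The scattered checks pass the symlinked path because no string pattern describes it; the chokepoint rejects it because only the resolved location is ever judged.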

MOD TROLL DOWN! (0)

Anonymous Coward | more than 10 years ago | (#7850380)

OMG look at his Sig! KNOWN TROLL BEWARE! Mod Down!

Good concept, illegal in practice (2, Interesting)

Aviancer (645528) | more than 10 years ago | (#7850078)

This is the grant of government license to do a specific type of work. That's akin to the government granting the title of Lord, and is technically illegal.

That said, the idea itself is good -- but let ACM *and* IEEE *and* Sun *and* whatever other institution do certifications... That avoids the government regulation, and allows potential employers to select "qualified" individuals.

Re:Good concept, illegal in practice (0)

Anonymous Coward | more than 10 years ago | (#7850088)

So licensing by the state of doctors is illegal?

~~~

Re:Good concept, illegal in practice (1)

boobsea (728173) | more than 10 years ago | (#7850289)

Read the constitution.

Granting titles of nobility is only prohibited to the federal government.

Re:Good concept, illegal in practice (1)

spearway (169040) | more than 10 years ago | (#7850104)

How can that be illegal? MDs are licensed for their work; Layer, nurses etc. are also licensed.

Re:Good concept, illegal in practice (0)

Anonymous Coward | more than 10 years ago | (#7850119)

Layers are illegal in most states, but are indeed licensed in parts of Nevada :).

~~~

Re:Good concept, illegal in practice (2, Informative)

Aviancer (645528) | more than 10 years ago | (#7850121)

It's notable that the State does not license the professional, but the Bar Assn (for lawyers) and the Medical Board (for MD/RN/Etc). States (not the US Gov't) make laws that require the professionals to be licensed by an authority.

Re:Good concept, illegal in practice (2, Insightful)

vegetablespork (575101) | more than 10 years ago | (#7850181)

So in other words, the state licenses professions, but by proxy. Makes no difference, really. You think the IEEE, ACM, or similar (along with the states) wouldn't love to get its hands on the revenue generated by millions of programmer license application fees?

Re:Good concept, illegal in practice (1)

DroidBiker (715045) | more than 10 years ago | (#7850192)

You are incorrect.

The federal government licenses many professionals. Lawyers, doctors, and architects are just a few examples. Licensing software folks just puts them in the same boat as these other people: mainly that they can be sued for their mistakes and will be limited in the types of jobs they can take (if any) if they don't have a license.

Re:Good concept, illegal in practice (0)

Anonymous Coward | more than 10 years ago | (#7850278)

"The federal government licenses many professionals."

Actually, licensure of most professionals (e.g., doctors, lawyers, engineers) is handled at the state level.

Re:Good concept, illegal in practice (1)

boobsea (728173) | more than 10 years ago | (#7850327)

US Constitution Article I, Section 9, Clause 8

Clause 8: No Title of Nobility shall be granted by the United States: And no Person holding any Office of Profit or Trust under them, shall, without the Consent of the Congress, accept of any present, Emolument, Office, or Title, of any kind whatever, from any King, Prince, or foreign State.

However, the licensure of these people is done by the state and not federal (as you may have already read from other replies).

Pointing Fingers (4, Insightful)

RetroGeek (206522) | more than 10 years ago | (#7850081)

All this does is create a person who can be targeted if Something Goes Wrong(tm).

With OSS there is no "someone". With a licensed developer you have someone to blame.

Re:Pointing Fingers (1)

javatips (66293) | more than 10 years ago | (#7850183)

However, I don't know if developers would actually want to be liable for their work. The pay increase would have to be much higher than their current pay so they can afford some kind of liability insurance.

With the possible amount of damage a company can claim for intrusion (remember K. Mitnick case) I'm pretty sure that insurance cost will be very high.

Re:Pointing Fingers (0)

Anonymous Coward | more than 10 years ago | (#7850403)

It's far higher than medical malpractice even!

Paraphrase of John Milton (5, Insightful)

Nate B. (2907) | more than 10 years ago | (#7850107)

I recall a quote from John Milton that went something like this, "None can love freedom but good men. Others love not freedom, but license."

How much would licensing developers much like doctors, lawyers, architects, etc. affect development? It would likely mean more than, say, an MCSE or RHCE, or NCE. Would developers need to be licensed for a specialty?

Most likely there would be some sort of age and education requirement which would prevent some of the younger and perhaps self-taught developers from contributing to certain projects. Also, what about code developed outside the USA? One would have to be rather naive to assume that all the software in use was written in the USA, but sadly, I think that perception is all too common.

Happy 2004, everyone!

- Nate >>

Re:Paraphrase of John Milton (3, Informative)

breadbot (147896) | more than 10 years ago | (#7850325)

I believe the word license in this sense is:

3 a : freedom that allows or is used with irresponsibility b : disregard for standards of personal conduct : LICENTIOUSNESS
(from Webster's [webster.com] )

Implying that non-good men love the opportunity to act irresponsibly, which is what freedom offers them.

Yes, by all means, lets do it.... (0)

Seraphim_72 (622457) | more than 10 years ago | (#7850109)

I mean, after all nothing will break the system faster than requiring those nasty Apache, Kernel, and mySQL people to become registered - just to have their products used in the enterprise.

Licensed developers != secure (1)

Rosco P. Coltrane (209368) | more than 10 years ago | (#7850116)

Would OSS have to be writen entirely by licensed developers to be considered secure?

I'm sure glad the DHS steps in and prevents all those 1ee7 uncontrolled hackers from creating [apache.org] evil [kernel.org] unlicensed [gpg.org] , software [openbsd.org] that [freebsd.org] aren't [debian.org] secure [openssh.org] .

Why do I always picture half-drunken bar patrons reinventing the world in front of a beer when I hear about the DHS talking about things they don't have much of a clue about?

Re:Licensed developers != secure (0)

Anonymous Coward | more than 10 years ago | (#7850163)

Didn't somebody working for "aren't" get his password sniffed, and weren't "aren't"'s servers compromised because of that (and a rootkit)?

Re:Licensed developers != secure (0)

Anonymous Coward | more than 10 years ago | (#7850175)

in "evil"'s kernel)?

Re:Licensed developers != secure (0)

Anonymous Coward | more than 10 years ago | (#7850186)

And licensed developers would have done a better job because ...?

Trusted Computing (0)

Anonymous Coward | more than 10 years ago | (#7850123)

Wait, I think I didn't like these licenses the first time I saw them...when they were called MCSEs. We have competent MCSEs and incompetent MCSEs -- did that piece of paper really make that much of a difference? Probably not. Nor will any of these licenses in the future.

As for software itself, don't EULAs pretty much indemnify software companies from any oopsies they may have put in their programs?

If you want to secure your software, coin a catchphrase...say maybe "Trusted Computing" and then send oodles of press releases about retraining your engineers to hunt down buffer overflows and stuff. Then proceed as you were before except when people find bugs, you say "see, we're finding them!"

"Licensing" == "Certification"? (4, Insightful)

mrkurt (613936) | more than 10 years ago | (#7850125)

Quite honestly, the SD Times article told me nothing about what they're really going to do about improving security in applications. You could substitute "licensing" in that article for "certification", as in some vendor's certification of developers. Then, it looks like a useless measure of what that person knows about security. If, however, it is more of a civil service exam, and they're going to test for knowledge of how to write secure code, then it would make a lot more sense.

Trends are fun (5, Interesting)

DroidBiker (715045) | more than 10 years ago | (#7850144)

In the near term if they adopt a licensing scheme the first iteration at least will be something like the programming language Ada.

The US military brass decided at one point that it would be great if all of their software was written in one language. They formed a committee to design what they wanted. Ada was created and various military agencies started insisting on its use.

The problem was that what they designed wasn't flexible enough and over time Ada became less and less important.

Licensing will go a similar route. The government will spend millions on a committee to come up with requirements for a standard software engineer license. Then they'll find out that their licensed folks STILL screw up and eventually it'll become less of a big deal.

That being said, if software engineering licenses come into existence at the federal level you can bet I'm going to get one.

Two questions (4, Insightful)

hdparm (575302) | more than 10 years ago | (#7850145)

Does it mean that software created by those same developers, now licensed, in the past is now cleared? Are they going to hold developers and engineers accountable even if they're forced to produce code based on inherently flawed design, driven solely by profit and questionable business practices?

Watch what happens (1)

lildogie (54998) | more than 10 years ago | (#7850157)

when the next dozen Microsoft "critical vulnerabilities" come out.

Who wants to bet that Microsoft gets some kind of exemption from the revocation of licenses due to poor design and coding?

Security through Obscurity and Contracts for OSS (1)

Sensitive Claude (709959) | more than 10 years ago | (#7850159)

The concept of reverse engineering just doesn't occur to politicians and people in management.

They don't understand how it is even possible to be more secure through good mathematics than by hiding the code. Heck, I've even talked to some system admins that don't understand these concepts.

Does this mean that OSS cannot be considered secure by the government? Well, companies can still represent OSS, like Red Hat. So if Red Hat gets a license for a project and uses OSS, or something modified from OSS, then they are responsible for how that has been licensed to be used.

Who do you think has a better chance of writing secure software: Microsoft or Red Hat?

They both have CEOs and they can both sign contracts.

GPL?? (1)

Lehk228 (705449) | more than 10 years ago | (#7850171)

Does this mean that programmers can put themselves under the GPL to be considered FOSS developers? and would this circumvent anti-cloning laws and human genetic engineering restrictions to have people under the GPL?

This will provide a nice infrastructure for DRM. (0)

Anonymous Coward | more than 10 years ago | (#7850204)

The upcoming operating system and hardware lockdowns will require programmers to work on their internals who can be trusted not to give away the store. What better way than to require them to be licensed and submit to a background investigation before being allowed to work on the legally mandated "trusted" platform?

There'll be jobs to be had, but not for those with Slashdot posting histories advocating the "theft" of intellectual "property."

~~~

Will this help with our outsourcing problem? (2, Interesting)

samdaone (736750) | more than 10 years ago | (#7850206)

If this is for homeland security does that mean the only people who can be licensed are US citizens native to this country? If so, that may help with our outsourcing epidemic.

Re:Will this help with our outsourcing problem? (0)

Anonymous Coward | more than 10 years ago | (#7850250)

Yup. The same way licensing engineers has stopped companies from bringing in engineers from overseas. Oh, wait.

~~~

Re:Will this help with our outsourcing problem? (1)

Evil Pete (73279) | more than 10 years ago | (#7850404)

Don't bet on it.

One problem with this scheme is that since programmers are now accountable then they and their companies are likely open to lawsuits. Which means developing software in the US becomes very very expensive.

Even if there are no lawsuits the sudden reduction in available programmers (just how quickly can all those current developers be licensed anyway?) means salaries go through the roof and many developers are unemployed and suddenly a lot of software becomes vapourware for the next 5 years. Ok, yeah, exaggerating a bit, but not much. I'm not an American, but I can't see it doing the US a whole lotta good. So many talented developers would be too young, too broke (how much does licensing cost?) or not have the experience / quals to get a license.

It's a dumb idea.

Why the license idea doesn't fit. (4, Interesting)

rice_burners_suck (243660) | more than 10 years ago | (#7850212)

Would OSS have to be [written] entirely by licensed developers to be considered secure?

As the past owner of two different businesses and the present manager of a mid size company, I can confidently say that the answer is no.

This is very simple. Over the years, I have hired a wide range of different people to work as programmers. I had everything from masters degree programmers with 20 years experience to kids out of school who do it as a hobby. In all cases, what determined the success or failure of the project was not the qualifications of the programmer. I had masters degree programmers write such gibberish that multi-hundred-thousand dollar projects were cancelled. I had masters degree programmers who did a marvelous job. I had some kids code up another product that worked so beautifully that it only made the company money. I also had kids who did a crappy job and the project failed. In other words, success or failure is determined by results, and nothing else.

Returning to the above question, software is considered secure if it is tested for vulnerabilities and is found to be strong against attempts to break in. If the programmer has a Ph.D., that's all nice and pretty, but it means exactly Jack Schitt. The results are the only thing that matter.

Therefore, I think this committee should not waste its time with issues like licensing, because that will only create more bureaucracy, more fees, and entire administrative efforts... and it provides no guarantees of success. They should figure out a way to measure the reliability of a piece of software (reliability is the parent category of security, because an insecurity reduces reliability). They should make up some guidelines for how mission critical systems should be judged and tested. Perhaps they should recommend that the government should hire its own crackers to constantly look for and help fix vulnerabilities. Because security isn't a one-time thing. "Let's license programmers and the problems will go away." It doesn't work like that. Like everything else related to management, in security, the only constant is change.

The mindset isn't there yet (0)

Anonymous Coward | more than 10 years ago | (#7850262)

Everyone (and especially developers) wants functionality over consistency or predictability. If that functionality conflicts with something that came before, then it just creates more job security to understand the nature of the interplay.

The worse the systems and languages become, the more "flexibility" is needed to keep the card tower from falling. Side effects are a basic fact of everyday computer use. Bad security is one such manifestation.

Microsoft is paying the price now, but open source is equally guilty of creating a mess. Most of the problems that plagued me 10 years ago are still there wasting my (and others') time. How do you get truly robust and secure when the basics never solidify?

This is the silver bullet (4, Insightful)

RealProgrammer (723725) | more than 10 years ago | (#7850263)

... syndrome. Lawmakers always want something that sounds good, looks good, and will make them appear to be addressing the problem.

The conceptual framework they're working under is wrong. They assume that a single person is the author of a program. Maybe some programs have just one author, but most have several. The main, lead programmer, who is typically the copyright holder, may not even look at every line of code in a program.

The bit about a culture shift is valuable. Projects should be built with security in mind, using basic principles (least privilege, minimize scope, check your loop bounds, etc.) that are, coincidentally, good programming practice.

But the culture shift that's needed is away from blame-based analysis of security failures and toward cooperative assistance. That shift is assisted by opening source code. Licensing programmers will tend to accentuate the blame attacks when bugs are found, and will provide incentive to hide them.

No program is bug-free. No committee of Licensed Gurus can eyeball scan a program and find all its bugs. It takes running the program in real-world situations to find some (most) bugs. Licensing the programmer will not decrease the number of bugs in a given program.

Lawmakers would do better to simply stay out of the matter entirely than to introduce bureaucracy for the sake of appearance.

yes! (1)

The AtomicPunk (450829) | more than 10 years ago | (#7850282)

This is EXACTLY what we need, a government bureaucracy created to step in and solve all our problems, just like they have in every other area.

Lord knows when you hire a licensed contractor, nothing will go wrong.

Instead of those "Licensed contractors build confidence" bumper stickers the union thugs put on their trucks, they should put:

"Licensed contractors build artificial barriers to competition and inflate prices unnecessarily while slowing everything down jumping through government red tape."

"only approved software" (1)

nurb432 (527695) | more than 10 years ago | (#7850288)

It isn't taking as long as I expected for the HSD to get involved. :(

I guess my prediction of 5 years out before all software is controlled, licensed and restricted may have been a bit optimistic.

Don't forget, hardware will go this route too in order to "be secure"... ( I.E. mandatory DRM )

First get 'corporate' acceptance of the concept by snowing them enough, then put it into law

Licensed review (1)

iamweezman (648494) | more than 10 years ago | (#7850295)

It seems that licensed developers would only have to mark up open source code a bit, review it, and then implement it in a smaller business setting. On a national level licensing developers will be a minimal cost.

The Dark Side (0)

Anonymous Coward | more than 10 years ago | (#7850320)

There is a side to licensed software engineers that most people don't consider. Just like other licensed professions, you would be personally, i.e. financially, responsible for bugs in your code. Is this a good thing? On one hand, it would certainly improve code quality across the board with developers having this in the back of their mind. It would also do interesting things to exporting software engineering jobs overseas, but I am sure there are loopholes there. On the other hand, considering the environment the average S.E. works in and the nature of software itself, bugs exist. Until the legal shakedown, the ugly fact that it is impossible to write bug free code will cause many developers to get squished, especially since the current job market won't let you negotiate for your employer to take up this legal burden in most cases.

Don't hurt yourself (0)

snkmoorthy (665423) | more than 10 years ago | (#7850338)

The software world doesn't revolve around the US of A or for that matter the Homeland security department.

Security holes, etc. (1)

k4_pacific (736911) | more than 10 years ago | (#7850342)

In the Yahoo! article, all of the companies mentioned except Microsoft use, sell, or support Linux/OSS systems. As such, they are not likely to lobby in favor of Microsoft-style security-through-obscurity. As for licenses, the question really depends on the penalty for practicing without having one. Will it work like the MSCE program, where you can still write MS code without it? Or will it be like a driver's license, where you can be penalized for practicing without it? If it's the former, then I don't really care one way or the other. If it's the latter, I think it will cause a lot of hassle without any real results.

Also, one should realize that many security holes are caused by bad design choices outside the control of the lowly programmers who might be penalized. Consider this example:

In MS Visual C++, the *.h files are writeable. Therefore, it is possible to create a (very slow) worm using #define macros. They could "hook" various functions to add worm code to the *.h files when run on another machine with Visual C++. Thus, executables compiled on that machine have this "feature" as well and can spread the worm further.

static int infect_headers()
{
    /*
     * Should contain code to somehow insert a copy of this function and the
     * below #define into this header if it's not already there. A quine
     * implemented in a header file?
     */
    return 0; // always
}

#define strlen(x) (infect_headers() + strlen(x))

Note that the C Preprocessor and compiler work as designed here. The problem lies in the idiotic decision to make the header files modifiable by anyone.
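The defensive counterpart to the post's complaint, as an added example that is not the poster's code: an audit that flags compiler headers which users other than the owner can modify, and a SHA-256 baseline that reports headers whose content has changed since the toolchain was installed. The include directory, file names and permission bits are constructed for the demo; on a real machine you would point it at the toolchain's include directories.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

HEADER_SUFFIXES = {".h", ".hpp", ".hxx"}


def _headers(include_dir: Path):
    """Yield every header file below include_dir, in a stable order."""
    for path in sorted(include_dir.rglob("*")):
        if path.suffix in HEADER_SUFFIXES and path.is_file():
            yield path


def writable_headers(include_dir: Path) -> List[str]:
    """Headers that group or world can write: anything compiled against them
    inherits whatever someone else put there, which is the post's scenario."""
    loose = []
    for path in _headers(include_dir):
        if path.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            loose.append(str(path.relative_to(include_dir)))
    return loose


def baseline(include_dir: Path) -> Dict[str, str]:
    """Record a SHA-256 per header right after installation."""
    return {
        str(p.relative_to(include_dir)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in _headers(include_dir)
    }


def changed_headers(include_dir: Path, known: Dict[str, str]) -> List[str]:
    """Headers whose digest differs from the baseline, plus any new ones."""
    current = baseline(include_dir)
    return sorted(name for name, digest in current.items() if known.get(name) != digest)


def demo() -> dict:
    """Constructed include tree with one loose permission bit, then a
    simulated post-baseline edit to a different header."""
    inc = Path(tempfile.mkdtemp()) / "include"
    (inc / "sys").mkdir(parents=True)
    (inc / "string.h").write_text("size_t strlen(const char *s);\n")
    (inc / "sys" / "types.h").write_text("typedef unsigned long size_t;\n")
    os.chmod(inc / "string.h", 0o644)
    os.chmod(inc / "sys" / "types.h", 0o666)  # constructed: group/world writable

    known = baseline(inc)
    loose = writable_headers(inc)
    # Something appends to a header after the baseline was taken.
    with open(inc / "string.h", "a") as fh:
        fh.write("/* unexpected edit */\n")
    return {"writable": loose, "changed": changed_headers(inc, known)}


if __name__ == "__main__":
    result = demo()
    print("writable by others:", result["writable"])
    print("changed since baseline:", result["changed"])
```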

Re:Security holes, etc. (0)

Anonymous Coward | more than 10 years ago | (#7850410)

what the hell are you talking about?

I'd be fucking pissed if my development tools didn't let me modify the headers

Sounds Like a BAD idea (0)

Anonymous Coward | more than 10 years ago | (#7850343)

To put it simply, to make software developers liable for security breaches is the same thing as making the manufacturers of locks and burglar alarms liable for break-ins and theft.

If you really want a secure computer, keep it unconnected to anything else and in a Faraday cage with only one operator allowed and 3 armed guards to prevent others from accessing it 24 hours a day... Total security is unfeasible, in the brick and mortar, or the software field.

Paid more for free software? (2, Insightful)

phliar (87116) | more than 10 years ago | (#7850364)

I can only speak for myself: but why should I believe that some yutz who took a Kaplan's or "ITT Tech" course and passed a US government approved class is going to write decent code? I think the odds that Theo is going to take a licensing exam of a different country are exactly zero. Will that magically make OpenBSD less secure?

The proof of the pudding is in the eating, and free software has done pretty damn well on the security front. If some pinhead executive wants to pay for "confidence" -- well, I'm sure someone will be happy to take that money off him.

And getting paid more for jumping through silly hoops when you're writing for free? How much more? 10% more than zero is -- zero. The whole thing is silly.

Hmmmm ... (0)

pherris (314792) | more than 10 years ago | (#7850395)

"Licensed developers would get paid more as well."

Yeah. Sure. That's why programming jobs are leaving the US by the boatload, so we can license and pay programmers more. So that would be 15 offshore programmers instead of 10? This will just drive more companies out of the US.

Blaming the developers? (4, Insightful)

Crypto Gnome (651401) | more than 10 years ago | (#7850413)

Here's a summary of the plan.
  • A software developer (ie a programmer) gets licensed
  • works on a project for (name some large company)
  • company management provides direction for the programming efforts (as they do)
  • software is insecure by design, due to management decisions (happens now, and the plan changes nothing here)
  • software is finished
  • ....marketed
  • ....purchased
  • ....deployed
  • ....ends up killing over 10 thousand people for some trivial reason
  • programmer takes 100% of the blame; firing squad at dawn
  • company/management who made the decisions which introduced the lack of security get off scot-free; zero legal consequences of their stupidity
Or am I misunderstanding the whole point of the exercise?

EAL Certification (2, Informative)

omnirealm (244599) | more than 10 years ago | (#7850414)

Let us not forget that the IBM Linux Technology Center has certified a Linux distribution (SLES 8) under the Common Criteria Evaluation Assurance Level 2, and they are currently working on EAL 3. This qualifies a Linux distro, composed largely of Open Source software, to take part in bids on certain security-sensitive government contracts. This sounds just like the kind of assurance that this security task force is looking for.

What does the "Incorrect Date" say about (1)

rusty0101 (565565) | more than 10 years ago | (#7850415)

the journalistic integrity of the host of this article. If they are proposing, or even carrying the message, that programmers be "licensed" and held accountable, should they not be held to the high standard of having accurate dates on their articles?

Note that this sounds fairly familiar, in that I think we have heard suggestions quite similar coming from the northwest coast of the US. I also note that the vast majority of exploitable code comes from that region of the US as well. (Ok, the vast majority of code on the market today comes from there, but that's only part of the issue.)

At the same time, I don't think Microsoft really wants to play that game, as I am pretty sure that they are aware that they would then become liable for bugs and faulty security decisions in their own software.

But that's just my opinion. I've been wrong before.

-Rusty