
Geekonomics

samzenpus posted more than 6 years ago | from the read-all-about-it dept.

Book Reviews 227

Ben Rothke writes "First the good news — in a fascinating and timely new book Geekonomics: The Real Cost of Insecure Software, David Rice clearly and systematically shows how insecure software is a problem of epic proportions, both from an economic and safety perspective. Currently, software buyers have very little protection against insecure software and often the only recourse they have is the replacement cost of the media. For too long, software manufacturers have hidden behind a virtual shield that protects them from any sort of liability, accountability or responsibility. Geekonomics attempts to stop them and can be deemed the software equivalent of Unsafe at Any Speed. That tome warned us against driving unsafe automobiles; Geekonomics does the same for insecure software." Read on for Ben's take on this book.

Now the bad news — we live in a society that tolerates 20,000 annual alcohol-related fatalities (40% of total traffic fatalities) and cares more about Brittany Spears' antics than the national diabetes epidemic. Expecting the general public or politicians to somehow get concerned about abstract software concepts such as command injection, path manipulation, race conditions, coding errors, and myriad other software security errors, is somewhat of a pipe dream.

Geekonomics is about the lack of consumer protection in the software market and how this impacts economic and national security. Author Dave Rice considers software consumers to be akin to the proverbial crash test dummy. This combined with how little recourse consumers have for software related errors, and lack of significant financial and legal liability for the vendors, creates a scenario where computer security is failing.

Most books about software security tend to be about actual coding practices. Geekonomics focuses not on the code, but rather how insecurely written software is an infrastructure problem and an economic issue. Geekonomics has 3 main themes. First — software is becoming the foundation of modern civilization. Second — software is not sufficiently engineered to fulfill the role of foundation. And third — economic, legal and regulatory incentives are needed to change the state of insecure software.

The book notes that bad software costs the US roughly $180 billion in 2007 alone (Pete Lindstrom's take on that dollar figure). Not only that, the $180 billion might be on the low-end, and the state of software security is getting worse, not better, according to the Software Engineering Institute. Additional research shows that 90% of security threats exploit known flaws in software, yet the software manufacturers remain immune to almost all of the consequences in their poorly written software. Society tolerates 90% failure rates in software due to their unawareness of the problem. Also, the huge amount of software problems entices attackers who attempt to take advantage of those vulnerabilities.

The book's 7 chapters are systematically written and provide a compelling case for the need for security software. The book tells of how Joseph Bazalgette, chief engineer of the city of London used formal engineering practices in the mid-1800's to deal with the city's growing sewage problem. Cement was a crucial part of the project, and the book likens the development of secure software to that of cement, that can withstand decades of use and abuse.

One reason software has significant security vulnerabilities as noted in chapter 2, is that software manufacturers are primarily focused on features, since each additional feature (whether they have real benefit or not) offers a compelling value proposition to the buyer. But on the other side, a lack of software security functionality and controls imposes social costs on the rest of the populace.

Chapter 4 gets into the issues of oversight, standards, licensing and regulations. Other industries have lived under the watchful eyes of regulators (FAA, FDA, SEC, et al) for decades. But software is written removed from oversight by unlicensed programmers. Regulations exist primarily to guard the health, safety and welfare of the populace, in addition to the environment. Yet oversight amongst software programmers is almost nil and this lack of oversight and immunity breeds irresponsibility. The book notes that software does not have to be perfect, but it must rise to the level of quality expected of something that is the foundation of an infrastructure. And the only way to remove the irresponsibility is to remove the immunity, which lack of regulation has created a vacuum for.

Chapter 5 gets into more detail about the need to impose liability on software manufacturers. The book's premise is that increased liability will lead to a decrease in software defects, will reward socially responsible software companies, and will redistribute the costs consumers have traditionally paid for protecting software from exploitation, shifting it back to the software manufacturer, where it belongs.

Since regulations and the like are likely years or decades away, chapter 7 notes that short of litigation, contracts are the best legal option software buyers can use as leverage in addressing software security problems. Unfortunately, most companies do not use this contractual option to the degree they should, which can benefit them.

Overall, Geekonomics is an excellent book that broaches a subject left uncharted for too long. The book though does have its flaws; its analogies to physical security (bridges, cars, highways, etc.) and safety events don't always coalesce with perfect logic. Also, the trite title may diminish the seriousness of the topic. As the book illustrates, insecure software kills people, and I am not sure a corny book title conveys the importance of the topic. But the book does bring to light significant topics about the state of software, from legal liability, licensing of computer programmers, consumers' rights, and more, that are imperatives.

It is clear the regulations around the software industry are inevitable and it is doubtful that Congress will do it right, whenever they eventually get around to it. Geekonomics shows the effects that such lack of oversight has caused, and how beneficial it would have been had such oversight been there in the first place.

To someone reading this review, they may get the impression that Geekonomics is a polemic against the software industry. To a degree it is, but the reality is that it is a two-way street. Software is built for people who buy certain features. To date, security has not been one of those top features. Geekonomics notes that software manufacturers have little to no incentive to build security into their products. Post Geekonomics, let's hope that will change.

Geekonomics will create different feelings amongst different readers. The consumer may be angry and frustrated. The software vendors will know that their vacation from security is over. It's finally time for them to get to work on fixing the problem that Geekonomics has so eloquently written about.

Ben Rothke is a security consultant with BT INS and the author of Computer Security: 20 Things Every Employee Should Know.

You can purchase Geekonomics: The Real Cost of Insecure Software from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.


SLASHDOT SUX0RZ (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#22130338)

_0_
\''\
'=o='
.|!|
.| |
book review: goatsenomics [goatse.ch]

Factual Error! (2, Funny)

dj_tla (1048764) | more than 6 years ago | (#22130356)

It's spelled Britney Spears.

Re:Factual Error! (4, Funny)

Hatta (162192) | more than 6 years ago | (#22130370)

And you're willing to admit you know this?

Re:Factual Error! (4, Funny)

dj_tla (1048764) | more than 6 years ago | (#22130462)

I'll be honest, I Googled it. But not doing your research is the kind of carelessness that produces insecure software! ANALOGIED

Re:Factual Error! (3, Funny)

Hatta (162192) | more than 6 years ago | (#22130608)

I don't buy that. How would you have known to google it in the first place if you didn't already know it was incorrect?

But I'm just teasing anyhow, you can stalk all the pop starlets you want, I don't judge.

Re:Factual Error! (1)

Jansingal (1098809) | more than 6 years ago | (#22131316)

That's a really really bad analogy, and even worse logic.

We need secure software because of the repercussions of poorly written code.

Misspelling the name of a desperate singer in search of publicity has no repercussions.

Re:Factual Error! (0)

Anonymous Coward | more than 6 years ago | (#22130496)

It's spelled Britney Spears.

No, it's Britney Spheres.

Re:Factual Error! (1)

Edie O'Teditor (805662) | more than 6 years ago | (#22130748)

I prefer Britney's Pears. Well I don't really, she's a fuckin moose.

Re:Factual Error! (0)

Anonymous Coward | more than 6 years ago | (#22130998)

It's Britney, bitch.

Does this spell doom for Teh Lunix? (0)

Anonymous Coward | more than 6 years ago | (#22131002)

If we are looking at the cost of bad software, where does this leave Teh Lunix?

Seeing as how Munich is now a living testament to the disastrous limitations of using Teh Lunix, will this book be the final nail in the FOSS coffin? Or is this just another "TEH OMG!!11! TEH FOSS ROCKZORZ AN TEH MIKKKR0$$$L0TH SUXXORZ!!111!!1" book nobody will ever bother reading?

Re:Does this spell doom for Teh Lunix? (0)

Anonymous Coward | more than 6 years ago | (#22131488)

The likelihood that you are just trolling is high, but still. That was incomprehensible.

Re:Factual Error! (1)

Jansingal (1098809) | more than 6 years ago | (#22131272)

I take that as a compliment for the guy :)

Shows the difference between slashdot and tmz.com

The truth is there is nothing factual about her. It is all hype.

Re:Factual Error! (1)

GHynson (1216406) | more than 6 years ago | (#22131428)

Phuc Britney!!!! I Did,..

ENORMOUS BALLS WARNING (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#22130368)

Caution! Jason Turner's enormous balls could be swinging at your face right now. Please assume the correct safety position with your head between your knees and Jason Turner's enormous balls should pass directly through your house, smashing down external and internal walls, and directly but safely over your head. I repeat, Jason Turner's enormous balls are aiming directly at your face, but by following these steps you could save yourself fatal injury or, at the very least, a serious feeling of inadequacy. After the inital contact with Jason Turner's enormous balls, telephone the emergency services immediately, before inspecting the house for structural damage, as heat from Jason Turner's enormous balls has been known to cause spontaneous fires in furniture, severe shock in pets and small animals and spontaneous orgasm in women, especially ones with larger breasts (DD-cup and up are specifically categorized as 'high-risk' by the Jason Turner's Enormous Balls Reaction Taskforce).

Remember, the sooner you act, the greater chance you and your family have of avoiding Jason Turner's enormous balls. Stay smart, stay safe, and BEWARE THE BACKSWING!!!

reading slashdot? (0, Flamebait)

homer_s (799572) | more than 6 years ago | (#22130372)

we live in a society that tolerates 20,000 annual alcohol-related fatalities (40% of total traffic fatalities) and cares more about Brittany Spear's antics than the national diabetes epidemic.

Not to mention reading slashdot, going to the movies, etc, etc.

Re:reading slashdot? (0)

Anonymous Coward | more than 6 years ago | (#22131388)

Not sure why this is modded Flamebait. The quoted text sounds more like the old /. troll;
"How can you be reading this when [insert atrocity here] is happening in the world right now."
Kind of takes away from the review (that I haven't bothered to read).

Software is under the eyes of regulators (4, Informative)

jorghis (1000092) | more than 6 years ago | (#22130382)

Software written for most industries where human lives could conceivably be on the line IS under the watchful eyes of regulators. As an example, if you are going to write software that goes into an airplane you can expect to have your work audited by the FAA. Similar circumstances exist for most other industries where a software failure could cause loss of human life or similar catastrophes.

Re:Software is under the eyes of regulators (1)

nullchar (446050) | more than 6 years ago | (#22130622)

Anyone know who regulates the software that controls traffic systems such as traffic lights or railroad crossings? Additionally, who regulates the software that controls municipality services such as electricity, natural gas, potable water, and waste water treatment?

It varies by industry (4, Informative)

davidwr (791652) | more than 6 years ago | (#22130736)

In general, computer software for mission-critical devices would be regulated by the same agency that regulates the accompanying hardware.

Think FDA, FAA, NRC, etc.

Now, systems that are nominally non-critical but which in fact are used as infrastructure may be unregulated and subject to the very problems described in the book.

For example, most smart cell phones aren't engineered for ultra-security. If I am a terrorist and I know ACME Electric Company uses the Plinko 100(TM) cell phone to communicate with its field operators, I can hire some cyber-criminals to schedule an attack on their phones at the same time as I set off a few bombs that take out a few major transmission lines.

If ACME realized its phones were mission critical and used a hardened or at least fault-tolerant communications infrastructure, it would be a lot harder for me to knock out their communications when they need it most.

The problem isn't insecure computers per se. The problem is relying on them without understanding the risks and the consequences of failure.

Re:Software is under the eyes of regulators (3, Insightful)

kebes (861706) | more than 6 years ago | (#22130670)

Indeed. Analogies to bridges and cars only make sense for software that can endanger lives: medical systems, bridge-designing systems, vehicle-control systems, etc. As you point out, in all those cases, the software (as well as any designs the software spits out) will be verified in detail and validated. The software vendor will usually be bound by stringent contracts and will indeed be contractually and legally responsible for defects.

The rest of software, like word processors, and spreadsheets, and music apps, doesn't need that kind of stringent oversight. A better analogy in such cases is to other mundane things: books, binders, pencils. Poorly designed binders and pencils can lead to lost productivity in the same way that poorly designed software can. Those who care will go for the higher-quality product (which may require more money, either in initial expenditure or in staff expertise). Again, errors in books can certainly lead to lost productivity, but is there really any need for more "book security" and "book oversight" and "book regulations" to make sure that the contents of books are robust and error-free?

I submit that such oversight is not really necessary (again, except in issues of health and physical safety). Most people can tolerate the occasional annoyances of breaking pencils, typos in books, and crashes in software. Ideally people should be educated about risk (e.g. don't put important documents in a flimsy box, put them in a safe; similarly, don't put important data in a low-security computer, get a properly administered server), so they can make informed choices. But more laws and regulation? Not necessary.

Re:Software is under the eyes of regulators (5, Insightful)

HappySmileMan (1088123) | more than 6 years ago | (#22130722)

Again, errors in books can certainly lead to lost productivity, but is there really any need for more "book security" and "book oversight" and "book regulations" to make sure that the contents of books are robust and error-free?
I've yet to see a flaw in a book steal my, or anyone else's, credit card number, or delete all my other books, have you?

Think bad repair manuals (3, Insightful)

davidwr (791652) | more than 6 years ago | (#22130834)

Flaws in books can have disastrous consequences if someone depends on them to be flawless.

Imagine a repair manual for a gas stove that said "blow out pilot light, turn on gas, wait one hour, invite your friends over, and light a match." Sure, it might not steal credit card numbers but in the face of an ignorant and trusting user, it could prove fatal nonetheless.

Re:Software is under the eyes of regulators (3, Interesting)

kebes (861706) | more than 6 years ago | (#22130890)

I've yet to see a flaw in a book steal my, or anyone else's, credit card number, or delete all my other books, have you?
I mentioned 'books' as an example real-world object with errors, not a one-to-one mapping to software. (I'm always reticent to use analogies, since they inevitably break down so quickly.)

There are of course meat-space analogies for identity theft and data loss arising from faulty products (locks, paper shredders, photocopiers) or services (shipping errors, clerical errors, corruption). The point is not the analogy per se... the point is that faulty products and services in the real world lead to losses (of time, money, data, personal information, etc.) and to crime. We could reduce these losses by spending more money and effort on higher quality products and services, but there reaches a point where people just don't care anymore (either because they are ignoring the risk, or because the risk is low enough that it isn't worth the additional cost).

The same applies to software: we could make it much more robust, but is the added security worth the burden of more regulation, more overhead, and more money? In some cases, it is... but in many cases it really isn't. Software related to health, personal safety, and financial information should be regulated (in the same way that medicine and financial institutions are regulated). But over-riding laws mandating software security and software liability are not necessary. End-user education is overall more important (both to prevent real-world losses, and computer losses).

Re:Software is under the eyes of regulators (1)

Naturalis Philosopho (1160697) | more than 6 years ago | (#22131298)

So QuickBooks should be regulated because it's financial software, but Word, which can essentially run programs within it to copy your QuickBooks data over the internet to a thief shouldn't? I'm not for all kinds of additional regulations, but how about at least a gov't "crash test" rating for software? Then people could better make informed decisions about how safe their software really is and let the market sort it out. Right now most people are flying blind to the dangers that are out there to their data, and that makes computer security either something to be ignored or scary for them.

Re:Software is under the eyes of regulators (0)

Anonymous Coward | more than 6 years ago | (#22131106)

The Bible regularly deletes other books and redirects funds (via a botnet).

Re:Software is under the eyes of regulators (1)

pnevin (168332) | more than 6 years ago | (#22131262)

Isn't it being said, though, that software manufacturers are not carrying any more liability than the replacement cost of the software?

A publisher of a book can be held liable for mistakes. If you mistakenly publish an allegation that defames someone, for example, you're potentially up for far more than replacement value of the book.

Re:Software is under the eyes of regulators (1)

mrbooze (49713) | more than 6 years ago | (#22130814)

I once worked for a company that made software for blood banks, pharmacies, and surgical suites. I worked in the pharmacy division, and as far as I ever heard there was little to no government oversight of our product (this was back in the early 90s). However, the blood bank (and I believe the surgery) software packages were rigidly regulated. Even minor software patches had to be submitted to the government for auditing and approval.

But all desktop software is now identity-critical (2, Insightful)

lennier (44736) | more than 6 years ago | (#22131356)

The problem is that with the rise of 1) mass e-commerce, e-government and Internet banking, and 2) Internet-enabled desktops, now EVERY piece of conceivably internet-facing software installed on a consumer desktop carries the risk of exploitation, criminal intrusion and identity theft.

Yes, a security hole in a web browser won't directly cause loss of *life*. However, what it *can* do by allowing a trojan in is:

a) Drain all your life savings from your bank
b) Place illegal pornography on your computer, leading to serious prison time
c) Propagate spam, worms, viruses and botnet epidemics
d) Activate your webcam remotely and film you in your bedroom
e) Directly financially support criminal organisations

Those are now serious enough consequences - and given a single security hole in a mass-produced product, easy to reproduce on a mass planet-wide scale - that ALL developers of even the most trivial desktop software need to start thinking in terms of the kind of hard security requirements of banking, military, avionics and medical gear.

But they're not, because they haven't caught up with reality.

Re:But all desktop software is now identity-critic (1)

lennier (44736) | more than 6 years ago | (#22131398)

I should have added:

e) By installing a keylogger (if you're a telecommuter with a VPN, or if you reuse passwords between home and work systems), potentially gain access to internal proprietary corporate networks, with the ability to conduct industrial espionage or control enterprise automation systems or SCADA networks

Getting in ahead of the crowd... (3, Funny)

Kalriath (849904) | more than 6 years ago | (#22130386)

Just to get in the troll everyone is going to use, even though it's pretty much a load of bollocks:

"This book could be summed up in three words: 'don't use windows'"

I suppose that should be suffixed with some 'tard thing like "lol!!111!!1one"

Re:Getting in ahead of the crowd... (1)

Guppy06 (410832) | more than 6 years ago | (#22131152)

""This book could be summed up in three words: 'don't use windows'""

Microsoft can afford to defend themselves against a few liability lawsuits. Can Linus?

Re:Getting in ahead of the crowd... (1)

Jansingal (1098809) | more than 6 years ago | (#22131352)

>>""This book could be summed up in three words: 'don't use windows'""

That is silly.

go into places that use unix/linux and you will see people who also don't know squat about writing secure code.

A good coder can make windows secure.
A slacker can ensure that SecureBSD is insecure.

Bashful Kidney (-1, Troll)

Anonymous Coward | more than 6 years ago | (#22130408)

Hi - I have a problem. I can't piss in front of other people, any advice?

Re:Bashful Kidney (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#22130560)

Stand behind them.

Re:Bashful Kidney (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#22130570)

Yeah - take the gerbil out of your ass, you fucking fag.

Re:Bashful Kidney (0)

Anonymous Coward | more than 6 years ago | (#22131300)

Google for "paruresis" and read up.

Re:Bashful Kidney (1)

Jansingal (1098809) | more than 6 years ago | (#22131386)

....and the point of you sharing that piece of your health is????????????

Nothing's going to change (4, Interesting)

Bearhouse (1034238) | more than 6 years ago | (#22130438)

Few people (rightly so) would tolerate Boeings or Airbuses that fell out of the sky through faulty software.

And yet, as a former coder then vendor, I always found it hard to get people to pony up for better education for programmers, analysts, project managers, or better coding tools, exhaustive testing protocols, whatever.

Now as a consultant, I face the same struggle getting people to be serious about backups, redundancy/eliminating single points of failure...

As long as it's not their head on the block, even senior managers will most often favour commercial expediency over prudence. This in the face of many high-profile disasters that cost a lot more to put right than they would have done to do properly.

It's a gamble (2, Insightful)

davidwr (791652) | more than 6 years ago | (#22130884)

If it costs 10x as much to fix a problem than prevent it, but for every $100 you spend on prevention you only prevent 1 failure, you are in the hole $10. That's rational math at work.

If you are a greedy-bastard manager and you expect to be in your position for only a few years, all you care about is the failures that will come back to haunt you. You don't care if spending $5M now will save $1M in expenses over the next 5 years but save an additional $20M 10 years down the road. By then you and your greedy self-interested wallet will be out of harm's way.

On the other hand, if you are a human manager with a conscience, you'll look at things long-term and either ante up now or make sure the problem is addressed before it is too late.

Re:Nothing's going to change (1)

Jansingal (1098809) | more than 6 years ago | (#22131430)

>>Now as a consultant, I face the same struggle getting people to be serious about backups, redundancy/eliminating single points of failure...

shows how irrational people are.

Go back and read _Free to Choose_... (4, Insightful)

jejones (115979) | more than 6 years ago | (#22130476)

Regulation is a means by which the established companies keep possible competition from developing. MS can pay for that overhead from pocket change; can Open Source developers?

MOD PARENT UP (1)

db32 (862117) | more than 6 years ago | (#22131264)

How did this get flagged as flamebait? This is exactly the kind of crap regulation does. Do you think for a minute that regulation in software is going to do squat against the giant coffers of corporate America that can afford to pay out fines and such? Now what happens when someone uses an Apache server for something critical, and it turns out an Apache error caused the failure...now who is going to get shafted? The regulation idea is a nightmare waiting to happen with a huge chilling effect. Let us also ponder who might be in charge of said regulation... I mean...government regulation would be managed by government right? Anyone remember Sen Internet Tubes Stevens take on technology?

I'm sorry but regulating something like this is almost criminally stupid. I agree that there needs to be better consumer protection, and I don't think companies should get away with "you can't blame us if you actually use the product you purchased from us and it doesn't work". No other industry can say "you can't sue us if the product you purchased from us does not do what it was intended to do". That doesn't take more regulation to fix.

as the review says (4, Insightful)

ILongForDarkness (1134931) | more than 6 years ago | (#22130488)

"Software is not sufficiently engineered to serve as a foundation" [for society] - I agree wholeheartedly. Things are getting better but we still have very little idea whether what we code "works" or not, let alone is secure. For example: a software vendor will say we have 80% path coverage. Great, now tell me: do you have 80% path coverage because only that 80% was deemed risky, or because writing tests for the remaining 20% was deemed too time consuming (or worse your test/dev team weren't skilled enough to write tests for those paths)?

In my experience there is so much feature creep in software projects that there always seems to be that last feature that needs to get squeezed into the next release at the last moment and there isn't time to test. "Let's just hope that 10k line module works and is secure. Even if it's not, we can always release a SP after we have the product on the market". It is even to the point where major software companies (MS comes to mind) have a concept of Zero Bounced Bugs. That is the point where the bugs getting fixed equals the bugs being found. If no "major" bugs and you've reached ZBB you ship. Now I can see you can't wait forever to ship, but there is this inherent acceptance of flaws in software that you won't see in say bridge building.

Re:as the review says (1)

gotzero (1177159) | more than 6 years ago | (#22130512)

The software at my employer gets manhandled by so many people that by the time it is done it never even has the same mission as when it is started. My business division gets burned time and again after all the requests from the front line get bumped out of the release candidate, and the ground troops are stuck with something that is a hindrance. I hope some people I report to at least hear about this book...

Re:as the review says (4, Insightful)

jorghis (1000092) | more than 6 years ago | (#22130586)

I always thought the bridge building analogy was a little bogus.

Bridge building isn't really all that complex, there is a hell of a lot more going on in a software product of any real magnitude than in a bridge. Sure, there are a few things like wind you have to take into account, but there really aren't as many variables in bridge building as there are in software development.

In addition to that, software has to be exactly perfect, with a bridge you can just say "screw it, let's reinforce/add supports/whatever here, here, and there just to be safe" and you are good to go. (I know I am oversimplifying to some degree, but you see my point) It is possible to give yourself a lot more room for error.

Re:as the review says (2, Insightful)

mcpkaaos (449561) | more than 6 years ago | (#22130738)

Bridge building isn't really all that complex

(I know I am oversimplifying to some degree, but you see my point)

Have you ever stopped to wonder if you are actually over-complicating software design rather than over-simplifying the analogy?

Re:as the review says (4, Insightful)

moderatorrater (1095745) | more than 6 years ago | (#22131038)

He's not, and here's why. In building and designing a bridge, you're not going to have your boss walk in halfway through the construction and tell you that you need to use this new concrete that only comes from LargeHard(c). You're not going to build the bridge so that you can take it from a two lane bicycle bridge to a 12 lane, double decker toll bridge with a minimum of work. You're never going to have someone walk over the bridge and promptly say, "sorry, this river is actually 50 feet wider, and I don't like the color, can you change that?" Feature creep is the biggest killer of productivity and security.

Another reason is that you have too many people building a bridge for the majority to be badly built. You have the engineers, the construction company, the foremen and the workers looking at the bridge. Are all these people going to be qualified to catch an error? No, but enough of them will be qualified enough to catch an error that it's unlikely to be a problem. On the other hand, we have software, where there are lines of code that have never been seen by anyone but the original programmer.

Re:as the review says (4, Insightful)

Naturalis Philosopho (1160697) | more than 6 years ago | (#22131380)

Oddly enough, you just made one of the best arguments I've heard to date for regulation and licensing of software designers and engineers. If we can't trust people to make rational decisions, then we may very well have to regulate them into it.

Re:as the review says (1)

Jansingal (1098809) | more than 6 years ago | (#22131456)

Dude, talk to civil engineers working on government projects; you will see how wrong you are.
My sister-in-law's brother worked for a very large state agency and she left in agony over such bureaucracy, project mismanagement, and more.

Re:as the review says (1)

ILongForDarkness (1134931) | more than 6 years ago | (#22130788)

I work in the medical field (radiation treatments). The vendors have triple redundancy in the software (three workstations have to agree on the position of components), + hardware backup (analog computer anyone? :) ). Agreed software is more complicated, it can even be said that software requires more intellectual capital (you get smart people sitting at a desk all day thinking), versus a lot of other engineering (where a vacuum cleaner salesman can come up with an idea and grab readily available parts to make a Flowbee say :) ). Again this would be oversimplifying because a lot of the software industry just crazy glues other people's stuff together too (i.e. you don't make your own DBMS you use MySQL, you don't make your own GUI from the ground up you use X or Win32).

Maybe a better analogy is something like a pre-fly-by-wire airplane. At any rate, perhaps there isn't as much engineering as far as risk analysis goes into software because it is deemed to not have serious consequences to its failure. The exceptions like ABS firmware, flight control etc. get really tight engineering, but your web browser, no one cares.

Re:as the review says (4, Interesting)

PitaBred (632671) | more than 6 years ago | (#22130840)

I take it you've never actually taken any Engineering classes. A bridge really is pretty damn complex. It requires materials knowledge, static force calculations, dynamic force calculations, as well as weathering and other concerns, not to mention consideration of failure modes, etc. You don't give yourself any room for "error", you give safety tolerances for the people driving over the bridge and to account for imperfect materials, as well as exceptional conditions (earthquake, tornado, whatever).

Designing a serious bridge is a LOT more difficult than 90% of software projects out there. You have a base you can build on of tried and true designs, but from scratch, it's not very easy.

I say this as someone who works with computer administration, programming and database work professionally, but I got a minor in Engineering. I know what goes into it.

Re:as the review says (1)

ILongForDarkness (1134931) | more than 6 years ago | (#22130956)

Yeah I was going to say much the same thing. You also have soil condition, and seasonal changes etc etc. I can't count how many times I've heard software vendors say: what, you have program X version 1.45 installed? That's the problem, you need to roll back to 1.3. They mandate (especially with "complicated" software) the platform, hardware, software right down to the patch level. You can't do that in engineering a lot of the time; sure you can tell the customer that the location isn't the greatest etc etc. But you have to work with what they ask for, or tell them it can't be done. You can't tell them well sorry Ford you need to re-design the wiring plan for the car to accommodate the shape of the part I want to use for my component.

Re:as the review says (1)

mdielmann (514750) | more than 6 years ago | (#22131158)

Designing a serious bridge is a LOT more difficult than 90% of software projects out there. You have a base you can build on of tried and true designs, but from scratch, it's not very easy.
This was also my thought. People expect a lot from an industry that has only been around for about 70 years. If we had the history of bridges, with all its successes, failures, and practical designs that came from them, maybe programming would be in a better state. But I think we're at the point, right now, where we're just starting to build the equivalent of bridges that are vital to major traffic, but still haven't formalized the rules for how best to do that. This is also why I somewhat fear regulation of programming. There's still a lot of learning going on about what counts as good solutions, and a lot of the typical errors could be caught with better compilers/IDEs/code-checkers. After all, engineers don't have to test each batch of rebar that goes into a bridge, why should it matter to your typical programmer? But that programmer needs to know more of the details, too.

Re:as the review says (1)

SAN1701 (537455) | more than 6 years ago | (#22130968)

Even more, any 3-year-old child can perfectly understand what a bridge does. It's obvious, unambiguous, clear. You only have to see it. Now, try to explain to the kid what an ERP does. Compare the functional requirements of a bridge to those of any medium-sized commercial software and find which one is more complex, or which one will have more changes during the project lifetime.

Fact is, we have a distinct science/engineering/craft/whateveryoucallit here. Analogies are pointless.

Re:as the review says (1)

Kazrath (822492) | more than 6 years ago | (#22131434)

A three-year-old can also see the finished product of the next great Elmo game. What you have indicated does not even apply to the conversation. The finished, intended results of most applications are very simple and easy for a novice computer user to understand. Just like everyone understands that a bridge provides solid "footing" over a waterway or cliff side.

A comparison that is adequate to your statement would be to indicate "Hello World" is an application and sticking a popsicle stick over a rain runoff is the same thing.

Re:as the review says (1)

sholden (12227) | more than 6 years ago | (#22131096)

We have thousands of years of bridge building (and failing) worth of experience. And they still collapse - which might be some indication that it's not as simple as you imply.

Bridge building (1)

mangu (126918) | more than 6 years ago | (#22131248)

Bridge building isn't really all that complex

Yeah, what could possibly go wrong? [google.com]

Re:as the review says (1)

Jansingal (1098809) | more than 6 years ago | (#22131406)

>>Bridge building isn't really all that complex,

What, the bridge to your bathroom?

You have absolutely no idea of what you are talking about, zero.

Do you realize how many scientists, engineers, etc., it takes to build a large bridge?

Re:as the review says (1, Informative)

Anonymous Coward | more than 6 years ago | (#22130724)

hardily=heartily
creap=creep
inherit=inherent

237 words, 1.27% error rate. Pretty good for a coder.

Re:as the review says (1)

c0d3h4x0r (604141) | more than 6 years ago | (#22131384)

whole hardily

You mean whole-heartedly.

I hate it when people butcher common sayings and phrases. Didn't you even think long enough to realize that the way you were writing it made no grammatical or conceptual sense?

Don't feel too bad though... there was a guy I used to work with who always said, "for all intensive purposes" (instead of "for all intents and purposes"). That was ten times worse than what you just did.

Well, excuuuse me... (4, Informative)

Chemisor (97276) | more than 6 years ago | (#22130498)

Companies don't spend much time on security because features are what the customers want. If you want security and unlimited liability, by all means ask for it. Of course, it will cost you extra, due to the need for security audits and the outrageous cost of liability insurance, but you can certainly get it. If you pass a law to require perfect security and liability, the cost of software will rise even higher than it is today. Take your pick.

Blame the MBA's (1)

warren_spencer_1977 (1124617) | more than 6 years ago | (#22131000)

In the early '90s, I was in high demand as a software engineer who could build high-availability systems on OpenVMS and Unix. Then WinDoze started leaking in, and my bosses, and their bosses, started saying things like "Why should I build this new app on OpenVMS when I can get a Windows box for $2k and it comes with a free web server?"

The answer, of course, is Reliability, Availability, Securability (RAS).

But no, ever mindful of immediate costs and features, and completely blind to the 5-year costs, they forced us to change to WinDoze. And they're still demanding feature improvements and cost reductions instead of RAS. Firing those pin-heads and giving us our tools back would go a long way towards improving the disaster that is today's software development environment. In fact, you can tar & feather 'em for the remaining multitude of sins they've foisted upon the software world. Yeah, out-sourcing is a great way to build secure software.

I can't wait (3, Funny)

Anonymous Coward | more than 6 years ago | (#22130510)

To get a loan for my $50,000 PC which requires $300/month insurance to operate.

I hope to pass my operators test so I can get my license.

Re:I can't wait (1, Insightful)

Anonymous Coward | more than 6 years ago | (#22130706)

Which will only run Microsoft software, since all other competitors have been regulated out of existence; especially open source software.

Don't forget IBM and mainframe vendors (1)

davidwr (791652) | more than 6 years ago | (#22130912)

IBM and other mainframe- and mission-critical-embedded-systems vendors know a lot more than MS about how to do it right ... for a price.

what about OSS? (5, Interesting)

quest(answer)ion (894426) | more than 6 years ago | (#22130514)

what, a whole book review on software development, and not a single mention of open source? how did this make it onto slashdot?

OSS cracks aside, it would be nice to see if the book talks about that side of things at all; the impression i got from the review is that there's not much distinction drawn between software licensing and development models, and that it's all sorta lumped in together.

so if, as the book seems to suggest, software development were regulated more closely, who would be accountable, or audited, or whatever, for an OSS project with heavy community involvement that's seeing commercial applications? or with an OSS project that gets implemented as part of a for-profit piece of software?

i'm curious, because i have less than zero experience in how this stuff actually works, but it seems like it would be a weird situation. anyone have any insight?

The obvious solution (0, Troll)

Malevolent Tester (1201209) | more than 6 years ago | (#22130516)

Is to waterboard developers until they stop helping terrorists and criminals.

Re:The obvious solution (1)

TimeZone (658837) | more than 6 years ago | (#22130618)

Boy, you weren't joking around with your username.

TZ

Software Engineers (0)

Anonymous Coward | more than 6 years ago | (#22130518)

This is where the real 'Software Engineers' come into play.

A licensed professional is responsible for the bulk of the software development work, and can be held responsible jointly and severally in a court of law for any software defects resulting in loss, or injury.

For most software, it's ok to let the code monkeys loose at it. You pay your money, you take your chances (Excel bugs, anyone?).

For mission critical stuff, you can't let just any high school drop-out cum programmer tackle it. REAL university degrees, and REAL experience are demanded.

Code monkeys will always have a future, but software engineers will generally be the ones to count on if software quality and reliability enter the equation.

Re:Software Engineers (1)

LordLucless (582312) | more than 6 years ago | (#22131040)

Yup...now just find me one client (who doesn't already do so) who is willing to cover the additional expense of hiring the more qualified people to not only design, but write the whole thing, pay them for extra time to test more thoroughly, and for the liability they're assuming.

There's just one reason why insecure software abounds: because doing it right is expensive, and few people want to pay. Those that do want it (aviation systems, nuclear reactors, etc) do pay for it, and do get it.

Who will advocate change? (5, Interesting)

nullchar (446050) | more than 6 years ago | (#22130532)

The software vendors will know that their vacation from security is over.
It would be nice if a book like this could change the software industry. But realistically, what industry will lobby their respective governments for this change? Obviously the established software companies will not advocate change. And, IMO, obviously the open-source community has little to gain with extra regulation and imposed cost on a Free and often voluntarily produced product.

I say the market itself will solve the problems with software security. New companies or new software products will only replace existing ones if the new ones are better. And like the book mentions, "better" is often measured in features. However, if enough damage is done with the current software flaws, some of the new features will include better security.

Example: Company A is sued by Customer B when Attacker C exploits a hole in Company A's software resulting in a financial loss for Customer B. Like the book mentions, Customer B usually has no legal grounds to sue. However, if this happens multiple times, Customer B may get wise and ensure proper contracts when entering new agreements.

These contracts could be required by customers when dealing with both closed source and open source companies. Buying a support contract from Sun for MySQL _could_ include certain software security requirements. And if Sun does not support this service, a business opportunity exists for another company.

Re:Who will advocate change? (1)

bgman (1059448) | more than 6 years ago | (#22130708)

"New companies or new software products will only replace existing ones if the new ones are better." Yeah, like Vista! Obviously, written by someone with extensive knowledge of the software industry.

Re:Who will advocate change? (2, Insightful)

nullchar (446050) | more than 6 years ago | (#22130750)

Heh, and how many people/companies are really replacing XP with Vista?

Re:Who will advocate change? (1)

bgman (1059448) | more than 6 years ago | (#22131168)

Well, almost everyone buying a new computer. Or should I write, anyone stupid enough to buy a new computer that runs Windows.

Re:Who will advocate change? (0)

Anonymous Coward | more than 6 years ago | (#22131458)

OSS could be left alone; it tends to mirror changes in prop software. Linux adds new features faster than any other software; it also adds new bugs just as fast.

The blame lies with the consumers, not the companies; if people wanted stability and security over new features they would pay for it. Even in the OSS world people use Linux over BSD.

What-anomics? (1)

techpawn (969834) | more than 6 years ago | (#22130578)

Oh Christ! I hate made up words like that. They make me think of Reaganomics and those "FUN" days.

Preventing malicious attacks (0)

Anonymous Coward | more than 6 years ago | (#22130588)

Expecting the general public or politicians to somehow get concerned about abstract software concepts such as command injection, path manipulation...


This is absurd: does Firestone prevent a knife from flattening their tires? Does MasterLock prevent someone from using bolt cutters on their locks?


Trying to implement software that will prevent a malicious attacker is a losing battle and not worth spending money on -- look at all the money spent by the RIAA on software-based copy protection. That money is better spent in court prosecuting the crackers.

Re:Preventing malicious attacks (1)

nullchar (446050) | more than 6 years ago | (#22130718)

That money is better spent in court prosecuting the crackers.
How does spending money in court better the society of which software is a foundation?

Just like disease makes immune systems stronger, attackers make [future generations of] software stronger.

flat tires and broken locks (1)

davidwr (791652) | more than 6 years ago | (#22130932)

There is a market out there for run-flat and solid-rubber tires.

There is also a market for bolt-cutter-proof locks.

Of course, there are ways to defeat them, but they require more effort than a knife or a set of bolt cutters.

You get what you pay for.

Hm-m-m-m... (1)

Alpha830RulZ (939527) | more than 6 years ago | (#22130602)

Bad software costs us 180 billion dollars a year? That would be about $600 per person in the US. Per year. I call bullshit. Unless you are going to claim that Mozilla is costing my family money because it allows me to waste time on /., this just doesn't make a shred of sense.

Re:Hm-m-m-m... (2, Funny)

zotz (3951) | more than 6 years ago | (#22130674)

Dude! You need to take remedial Geekonomics! ~;-)

all the best,

drew

Re:Hm-m-m-m... (1)

Alpha830RulZ (939527) | more than 6 years ago | (#22130962)

I dunno. I took four years' worth of the real kind, with a healthy dose of statistics and accounting along the way. It seems hyperbolic to me to claim that an average family of 4 people, with a median income of somewhere around $65k a year (US Census) is contributing $2400 of that to bad software. That's about 5% of after tax income.

Re:Hm-m-m-m... (3, Interesting)

blahplusplus (757119) | more than 6 years ago | (#22130980)

"... Bad software costs us 180 billion dollars a year? That would be about $600 per person in the US. Per year. I call bullshit."

I disagree. Add up all the time spent re-installing Windows, cleaning PCs, deleting or countering spam, etc, etc. I think they are right on target, spam, spyware, buffer over-runs, worrying about your popular website being hacked and extorted by crime.

A few points:

1. Organized crime takes advantage and exploits / extorts companies (the kid who made the milliondollarhomepage was threatened with extortion).
2. The capacity for economic espionage is quite large.
3. Then there is the 'just for kicks' aspect of causing havoc.
4. Bad people who don't like us attack our networks/software/etc.
5. Orwellian trojans (i.e. governments, criminals, or corporations of the world infecting your computer with rootkits, i.e. we already have one example: Sony).

Also corporations who are criminals such as Mediadefender, which was hacked

http://blog.wired.com/27bstroke6/2008/01/interview-with.html [wired.com]

OK then (1)

davidwr (791652) | more than 6 years ago | (#22130994)

I'm going to claim that Mozilla is costing your family money because it allows you to waste time on /.

Welcome to Slashdotaholics Anonymous.

The Next Medical Malpractice? (1)

SRA8 (859587) | more than 6 years ago | (#22130694)

OK, so now that doctors are operating at near-zero profits, malpractice lawyers need a new profession to plunder. Wonderful.
Luckily, it's much easier to switch out of software than out of medicine (given that one has invested 8+ yrs to a career in medicine). So the smart folks switch out, leaving the weaker folks to create more buggy programs. A race to the bottom!

My favorite example... (2, Insightful)

flabbergast (620919) | more than 6 years ago | (#22130808)

The book tells of how Joseph Bazalgette, chief engineer of the city of London used formal engineering practices in the mid-1800's to deal with the city's growing sewage problem.
Why is it that any time someone talks about software engineering they always bring up bridge/house/skyscraper building? Yes, Joseph Bazalgette used "formal engineering practices" to build London's sewers, but where did these formal practices come from? Why yes, through trial and error. Thousands of years of trial and error. Use concrete. Yes, it makes sense looking back because it worked, but what if it didn't work? What if the concrete failed? Or, what if he used clay pipes instead? Then we'd be saying "[insert name here] used formal engineering practices to deal with the city's growing sewage problem. Some guy before him failed miserably though." We simply haven't built up the software engineering toolbox yet. Software hasn't even been around for 100 years! But we're learning, and if you look at specific industries (medicine, banking, and avionics spring to my mind), they all spend billions of dollars to make sure their software works correctly because being correct for them is worth the cost.

TAG IT MICRO$OFT (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#22130826)

that's what this is all about, after all

OT: Drunk driving (3, Insightful)

operagost (62405) | more than 6 years ago | (#22130848)

Now the bad news -- we live in a society that tolerates 20,000 annual alcohol-related fatalities (40% of total traffic fatalities) and cares more about Brittany Spears' antics than the national diabetes epidemic.
I love analogies, but I'm going to have to go way OT here and set you straight. In the USA, drunk driving is NOT tolerated. After years of onerous regulations, infringements on drivers' (and sometimes passengers') rights in the form of sobriety checkpoints, and ridiculously low BAC requirements (now commonly .08), we still have fatalities due to drunk driving.

But this isn't because we don't care.

Obviously, all those things I listed show that people do care; however, they are doing the wrong things to address the problem. We have allowed special interests like MADD, who are modern-day temperance societies, dictate these changes to us with little review or oversight. It has been statistically proven [ct.gov] that fatalities do not decrease with a .08 BAC law, yet 15 states have passed such laws and MADD continues to pressure more. Sobriety checkpoints were begrudgingly allowed by the courts in the 1980s and 1990s to address the drunk driving "emergency"; but since judicial decisions don't have a sunset, and no one wants to challenge a policy that protects "the children", this infringement on our personal rights continues. The federal government infringed on states' rights in order to force the drinking age to 21 in the USA, even though Canada (with age limits of 18 and 19) has shown that drunk driving could be greatly reduced without infringing on the rights of young adults. Now MADD wants to require breathalyser interlocks in all new motor vehicles; ignoring the privacy rights, expense, and technological issues raised by such draconian policies. Think about how many miles passenger cars travel in a year, and decide in practical terms how many fatalities are practical and acceptable. Think about other oppressive regulations you could impose if safety were truly paramount: reducing the speed limit to 25 MPH, requiring 15 MPH bumpers, requiring driver retesting annually, etc. Rationalizing these kinds of laws in absolute terms such as "for the children" and "if it saves one life" makes no sense as we deal in statistics and weigh everything in the balance every day. Life is truly precious, but we live in an evil, dangerous world-- not a rubber room.

Maybe we need to do more. But remember that there will always be people who insist on doing the wrong thing, and finding a way to do it.

Re:OT: Drunk driving (2, Insightful)

Fulcrum of Evil (560260) | more than 6 years ago | (#22131176)

It's worse than that - 20,000 alcohol related deaths doesn't really mean anything. If anyone involved in an accident has measurable alcohol in their system, it's alcohol related. If you're looking for the number of DUI style fatalities, it's probably around 3000/yr, but we don't know because nobody tracks that. But yeah, everything else you said is right - the 3000 deaths are committed by people who blow .15 or more and often have multiple DUIs - lowering the BAC limit only serves MADD's agenda, which is prohibition. If you want to stop drunk driving, raise the limit back to .10 and imprison people who get multiples or cause any sort of injury (and keep their license/ban them from owning a car).

Fire the Lawyers (1)

Steve Florkey (657112) | more than 6 years ago | (#22130854)

The reference to Ralph Nader's "Unsafe at Any Speed" is a good one -- both ways.

Giving them both their due, neither cars nor software are perfect. Both could stand improvement. I don't see anything in this world that couldn't use a little improvement.

On the other hand, "Unsafe at Any Speed" unfairly characterized Chevrolet's Corvair as poorly designed when the real problem was that many Corvair owners took no responsibility for routine maintenance. The Corvair has been called the poor man's Porsche because it was a well balanced car that would perform well if its tires were properly inflated.

In the same way, much of today's software is amazingly good, especially considering the cost to acquire FLOSS. Most of the software used by people who use /. can be updated at regular intervals (like keeping the tires inflated), and most of us take advantage of those updates to keep our systems clean.

Joe Sixpack wants to surf his p0rn; he doesn't want to "waste time" with those pesky software updates. If his tires run flat he'll just buy new ones. Now let him go where he wants to go!

When was the last time we held car manufacturers liable for damage caused by potholes? Do we expect car manufacturers to keep us safe from the consequences of driving over nails or off a cliff?

Yes, everything could stand some improvement, especially those silly shrink-wrap or click-wrap license agreements. I still don't see how the software that is not guaranteed to do anything useful has to be treated like the crown jewels. But that does not seem to be the focus of "Geekonomics." Let's work on reducing the targets for malware while we thank those who provide the software that works as well as it does.

regulation, licensing, liability; choices (1)

bcrowell (177657) | more than 6 years ago | (#22130900)

The /. summary talks about three completely different things: regulation, licensing, and liability. Regulation seems completely nutty to me; legislators don't have the expertise to do it right, and if they do it wrong they could easily, e.g., strangle the open-source movement in the cradle. Licensing historically has had very little to do with safety or quality; in my state, IIRC, hairdressers are licensed, and it's basically a way of reducing competition in the labor pool so that the hairdressers who lobbied for the licensing requirement can make more money. Liability already exists, and has nothing to do with government regulation. If the software in your car malfunctions and you end up a paraplegic, you certainly can sue the company that wrote the software.

I think the big problem is that the way the software market works, buyers tend to make a lot of bad choices. Often that's because there just aren't that many choices; the MS monopoly means that many people don't perceive any other choices besides windows as being viable. Sometimes buyers make bad choices because they aren't well enough educated about software to know what to look for. People are also reluctant to change once they're locked in to a particular piece of software, even if it's bad. Government intervention isn't going to change any of this.

We don't need this (1)

Xzarakizraiia (751181) | more than 6 years ago | (#22130916)

I'm a little surprised to find myself saying this, but I think that the free market will be able to sort this one out. Regulation is already in place to keep airplanes from falling out of the sky; if companies are losing money because of poorly-designed software, that should be enough of an incentive to purchase more secure software.

Manufacturers? (1)

cmcqueen1975 (1224394) | more than 6 years ago | (#22131018)

Why keep referring to "software manufacturers"? Calling what software engineers do "manufacturing" is a broken analogy, because creating software is really about _design_, not manufacturing. Manufacturing is the easy bit at the end where you burn CDs or distribute on the Internet.

The public is hopelessly dependent... (2, Insightful)

Digital_Mercenary (136288) | more than 6 years ago | (#22131020)

"Now the bad news -- we live in a society that tolerates 20,000 annual alcohol-related fatalities (40% of total traffic fatalities) and cares more about Brittany Spears' antics than the national diabetes epidemic. Expecting the general public or politicians to somehow get concerned about abstract software concepts such as command injection, path manipulation, race conditions, coding errors, and myriad other software security errors, is somewhat of a pipe dream. "

Pipe dream... not quite...
It just hasn't led to catastrophic loss of life...yet... when it does that's when we'll take notice... right now most of us are living week to week on our paychecks trying to get ahead... think of the public as what Morpheus talked about in the Matrix...

"...You have to understand, most of these people are not ready to be unplugged. And many of them are so inured, so hopelessly dependent on the system, that they will fight to protect it."

When a 6 block radius of New York City is turned into dust, that's when we'll take notice... at least for a few weeks.

-dml337ira (Resident ground Zero)

Next Up: Dupenomics (0)

Anonymous Coward | more than 6 years ago | (#22131028)

"First the good news - in a fascinating and timely new book Dupenomics: The Real Cost of Slashdot Dupes, Anonymous Coward clearly and systematically shows how Slashdot Dupes are a problem of epic proportions, both from an economic and safety perspective. Currently, Slashdot readers have very little protection against Slashdot Dupes and often the only recourse they have is the replacement cost of the media. For too long, Slashdot Editors have hidden behind a virtual shield that protects them from any sort of liability, accountability or responsibility. Dupenomics attempts to stop them and can be deemed the software equivalent of Unsafe at Any Speed. That tome warned us against driving unsafe automobiles; Dupenomics does the same for Slashdot Dupes."

This was not a dupe.

My first car was a corvair. (1)

shoor (33382) | more than 6 years ago | (#22131046)

I never read "Unsafe At Any Speed", but I remember it as the book that first made Ralph Nader famous. How much impact did that book actually have anyway, aside from terminating production of the Corvair?

The first car I ever bought was a '62 Corvair. That was when I was in the Navy and stationed in Japan (I bought it from another GI). I paid $75 for it and it definitely had a problem with exhaust getting in the cab. I always drove it with the windows down. One thing that I recall was a time when I gave a Japanese bar girl a ride in it and she hesitated because it was a Corvair. Even she had heard of "Unsafe At Any Speed". But then, she was one of the more thoughtful bar girls. That Corvair was a great car to drive though with its air-cooled engine in the back. I've never had a car since that could corner like that baby.

So, how much influence really can we expect a book on software safety to have? I'm all for educating the public, and I'm not saying the author is wasting his time writing it. Just because I'm cynical doesn't mean I say don't try.

Liability laws are insane -- another take (1)

Lost+Found (844289) | more than 6 years ago | (#22131056)

Here's another take that argues against liability laws: http://lwn.net/Articles/247933/ [lwn.net]

$180B compared to how much productivity (1)

peter303 (12292) | more than 6 years ago | (#22131174)

Farming and manufacturing have waste and other write-offs. What kind of percentages are we talking about for various industries? 5%? 10%?

You will love Mr Rice's opinions on open source (4, Informative)

Helevius (456392) | more than 6 years ago | (#22131204)

This Amazon.com review mentions Mr. Rice's opinions on open source:

Geekonomics reviewed by Richard Bejtlich [amazon.com] :

As far as open source goes (ch 6), the author makes several statements which show he does not understand the open source world. First, on p 247 the author states "While a binary is easy for a computer to read, it is tremendously difficult for a person -- even the original developer -- to understand." This is absolutely false, and the misunderstandings continue in the same paragraph. Reverse engineering techniques can determine how binaries operate, even to the point that organizations like the Zeroday Emergency Response Team (ZERT) provide patches for Microsoft vulnerabilities without having access to source code!

Second, on p 248 the author states "The essence of open source software is the exact opposite of proprietary software. Open source software is largely an innovation after-the-fact; that is, open source software builds upon an idea already in the marketplace that can be easily replicated or copied." On what planet?

Third, on p 263 the author states "[O]pen source projects are almost always threatened by foreclosure," meaning if the developer loses interest the users are doomed. That claim totally misses the power of open source. When a proprietary software vendor stops coding a product, the customers are out of luck. When an open source software developer stops coding a product, the customers are NOT out of luck. They can 1) hope someone else continues the project; 2) try continuing the project themselves; or 3) hire someone else to continue developing the product. Finally, if the author is worried about open source projects not having an organization upon which liability could be enforced, he should consider the many vendors who sell open source software.


David Rice responds on his blog [geekonomicsbook.com] .