back to article Demand for safety kitemark on software stepped up

The government and industry ought to do more to promote online safety, according to an influential panel of MPs. Politicos on the Science and Technology Select Committee called for the expansion of Get Safe Online and similar efforts, and for more prolonged awareness campaigns geared towards dispelling fears and encouraging …

COMMENTS

This topic is closed for new posts.
  1. Flocke Kroes Silver badge

    Can we start by teaching Noddy level security to banks

    1) I can have some confidence that https://halifax.co.uk/ is my bank. Anything like https://halifax-online.co.uk/ requires additional scrutiny, but that is exactly what they have done.

    2) I can reduce the attack surface by disabling javascript, flash and java while shopping, but the few sites I found that did not require javascript now do.

    3) I actually found a new site that did not require javascript. After I confirmed the order, I had to enable javascript to get to a verify by visa page. That page was from a third party site I had never heard of, so I assumed I had a secure connection to a phishing site.

    Please can we cancel all banker's bonuses until they fix these basic security disasters. (What I suspect will happen is we will get some tax-payer funded adverts saying that only software with a Microsoft logo is secure, and a law requiring that all software used by the government must have that logo.)

    1. Lamont Cranston
      Thumb Up

      Quite.

      First time I got the Verified By Visa window, I assumed it was a scam, as I'd been unaware of it until then.

      1. Will Godfrey Silver badge
        Unhappy

        @Lamont Cranston

        Verified by Visa IS a scam

    2. BristolBachelor Gold badge
      FAIL

      Not Verified by Visa

      I don't get this very often, and each time it is more than 1 month since the last time. This means that my password has timed out, and I need to create a new one.

      Here's the rub; all the details that I need to provide to change my password to a new one are exactly the same details that I had to provide to the online store to make my purchase. Ergo if I can make the purchase, then I can reset the password on any Not Verified by Visa scheme!

      <sarcasm> So my time spent wasted in their little box really helped make me secure </sarcasm >

      Oh, the onther thing is that each time it does it, it doesn't allow any of the old passwords, so I have to create another one.

      1. Wayland Sothcott 1

        Shifting the blame

        They do this to make it your fault if you get robbed. It's like Chip 'n' Pin. The bank can make a mistake if someone forges your signature, but if someone discovers your pin then that must be your fault because they are uncrackable.

    3. Matthew Collier
      Thumb Down

      SecureSuite is a phishing site, no? ;)

      It sure does act like one. Succinctly put here: http://ambrand.com/2006/09/06/is-securesuitecouk-a-phishing-scam/

      Halifax once had the temerity to tell me, the first time I encountered SecureSuite.co.uk, was that "it is actually Halifax Secure", which is clearly bollocks! I too, like in the link, did most of those checks, and came to the conclusion it was probably a phishing site, and had trouble believing Halifax that it wasn't (in the end, they convinced me, because they managed to find a link, buried deep in their own website, which linked to it).

      I doubt things have improved much, and I notice that all the major card companies seem to use them these days.

      It's still shit though!

  2. burnard
    Facepalm

    Computer Competancy

    Easy solution to all this is to force new PC buyers to take a short competancy test. Just simple things like "look at these two emails, which is from your bank and which is a fake". What is a virus, in simple terms. Things like that.

    Let's keep stupid people off the internet and off IT helpdesk phones!

    1. BristolBachelor Gold badge
      FAIL

      FAIL!

      You have just failed your test. If you looked at the email, it automatically ran some god-forsaken Adobe busting exploit that installed the banking trojan on your PC....

      This used to be easy until just clicking a link could install any number of things on your PC (or Mac) behind your back without you knowing. When big companies fall to these exploits (including firewalls, email scanners, corporate AV, group policies, no root, etc.) then your average PC buyer stands little chance.

      I'm sorry to say that the only way to be safe is to be completely paranoid and never do (or look at) anything fun on a computer :(

      1. Chemist

        "If you looked at the email"

        Not on my system mate

      2. Vic

        > If you looked at the email, it automatically ran

        That depends on how you look at it.

        When very paranoid[1], I use "less". If that doesn't let me see what I want, I don't want that email.

        Vic.

        [1] Yes, yes, I'm usually pissed at that point.

      3. The Flying Dutchman
        Stop

        When I look at any email...

        ... it will not run absolutely anything whatsoever, since my mail client ignores any scripting the mail may contain, and doesn't open attachments by itself either. And no, it's not some antiquated unix mail client that runs in a terminal window, it's a contemporary GUI based program with all the bells and whistles required, and still in active development.

        Guess...

        (of course, I avoid webmail like the plague)

    2. Anonymous Coward
      Anonymous Coward

      the test is here

      http://www.opendns.com/phishing-quiz/ which I circulated to a group of highly educated researchers with Phd's in stuff and engineers and students and economists

      - we had 3 people get all 14 sites right,

      1 got 12/14

      2 got 11/14

      and the rest sadly don't dare admit how many wrong they got!

      I have one member of my family who has lost 2 x £3500 to an online bank phish, eventually re-imbursed by the bank but obviously we pay for that in the end.

      'Tim, Nice but Dim' ARE the internet as at least half of online Facebookers have below average online intelligence

      1. Andy ORourke
        Joke

        Yeah right

        I'm not going to fall into youre trap of enticing me to a malware ridden phishing site with the promise that I can prove just how aware I am of Phising scams :-)

      2. Chemist

        Re: http://www.opendns.com/phishing-quiz

        But how many people did your survey cover ?

        1. Anonymous Coward
          Anonymous Coward

          a dozen people - we're a small research group looking at online security for the european citizen and 9 of my colleagues weren't Phishing Ninjas. it's dismal. almost time for the Iranian 'safe internet' with no contentious sharp pointy or evil bits approach...?

          here's a great 10 minute talk from Finland which puts things into context

          http://www.ted.com/talks/mikko_hypponen_three_types_of_online_attack.html

          sorry for another *obviously fake link!* :-)

          1. Chemist

            Re : a dozen people

            Thanks for that, pity it was so small.

            Having done this quiz I guess one problem is that it isn't against the clock so I had plenty of time to scrutinize the pages and particularly the URLs. In some ways it was easy to spot the phishing sites but verifying that a genuine site was genuine was harder - spot the phish and you're done but on the 'good' sites it took more searching to convince me that there wasn't some trick.

      3. This post has been deleted by its author

  3. Anonymous Coward
    Anonymous Coward

    "and encouraging common sense..."

    And there is where it will fail.

  4. yossarianuk
    Joke

    "and encouraging common sense"

    At last the government is suggesting using Linux ..

  5. Greg J Preece

    "The committee wants a single place where punters can get basic security advice, stripped of confusing technical jargon"

    That'll be shit advice, then.

    The way to stop people being afraid of the net, and of the jargon, is to teach them how it actually works, not baby-talk them around what is increasingly required knowledge. IT is used as much as any of the core literacies in school these days, possibly more so, as it's used to access and enable other disciplines, rather than standing on its own, so let's make IT/computing in schools a mandatory subject like maths, and teach them how this stuff actually works.

    You can tell people that "bad e-mails might come to your inbox", but if they understand, even at an overview level, just how shit e-mail is, then they'll show it the appropriate amount of trust.

    1. Just Thinking

      let's make IT/computing in schools a mandatory subject

      It pretty much is. Trouble is, it covers Office and not much else in a lot of schools.

  6. A J Stiles
    FAIL

    Better Idea Innit

    I have a much better idea: Require for any software sold or given away in the UK and intended to run on general-purpose hardware to be accompanied by the complete machine-readable Source Code and Build Instructions.

    It needn't come with the right to distribute copies, if the software publishers want to make money selling software; just the right for users to know what is running on their machines, and if necessary alter it to suit their individual circumstances.

    Not having the Source Code has done absolutely diddly-squat to prevent the rampant piracy of Windows and Office, nor has it made IIS more secure than Apache (which powers more than twice as many sites as IIS). Having it, on the other hand, could have drastically reduced the severity of the malware attacks we have seen.

    Also, the Source Code *is* a guarantee: it is a guarantee that the software, when run on a computer which is working properly, will do exactly what the Source Code says it will do. (This might not be the same as what you wanted it to do, but that is another matter.)

    Remember, someone's going to invent a decompiler anyway one day. It's only a matter of time before they do.

    1. Anonymous Coward
      Anonymous Coward

      How's that going to help?

      I mean it's not going to stop the bad people doing stuff is it and it's not going to help my old mum stop getting phished is it?

      I'm not being funny but I just don't get your point unless your point was I use Linux that I compiled myself so I'm never going to get a virus? If that was it then these measures are hardly aimed at you are they?

      "Also, the Source Code *is* a guarantee: it is a guarantee that the software, when run on a computer which is working properly, will do exactly what the Source Code says it will do."

      Only assuming you compiled the source code into an executable yourself, I mean some baddy could sell you the latest anti-virus software, you can then check the source code and say "yep, that's all good" only to find that once you install the pre-compiled binary files the program turns out to be something completley different! Also, I mean sorry, the source code for a simple program would be beyond the reach of mere mortals, imagine having to review the source code for any operating system you care to mention??

      1. A J Stiles
        FAIL

        How it's going to help

        It's going to help because it will mean that any sufficiently-clueful third party will be able to fix faulty software, not just the original vendors.

        For instance, Symantec could release a fix for a truly egregious bug in Windows that Microsoft were doing nothing about. And, knowing just how much standing they would lose if Symantec fixed a bug for them, Microsoft would take a hell of a lot more care in the first place.

        Also, it would put a stop to the widespread practice of writing crap code because you don't expect anybody else ever to see it. Did you see the very first Open Source versions of Mozilla or OpenOffice.Org? They were *full* of schoolkid errors (OO.org 1.x wouldn't even build on any system with a word length != 32 bits).

    2. M Gale

      Usually under the Toy Unix...

      If you have the source, you don't need no steenking binaries. GCC is pre-installed or available on just about every distribution and if the disk or package is nicely arranged, installation is a quick "./install.sh" or something.

      Of course your granny still can't read it, but others can and they'll make a loud enough noise if anything is wrong. Whether always delivering software as source would help defend against malware or give Microsoft the ability to sue anybody they like with the excuse "everyone has our software, you must have read our source and violated our intellectual property with subsequent works" is another debate though.

  7. Psymon
    Flame

    It all sounds suprisingly good

    I do like the idea of kite-marking software, simply embarressing the software company into complying with the standards that were set out for the given platform they have chosen to code for would be a huge boon in overall safety.

    As a sysadmin, this has been the bane of my life, and the primary reason the windows platform has been such an easy target. Even going back as far as XP SP2, in the right hands it was a pretty secure platform. With internet security zones, and a draconian group policy lock-down, you could make a windows box pretty resiliant.

    Until that is, you tried to use any 3rd party software. At which point, you then found yourself turning off every safety feature because the programmer had decided it would be easier to write his config data into the program file folder, or worse system32.

    Adobe might actually pull their finger out and fix their software. As for Spotify, the guy that thought it was a good idea to install the executable in the roaming appdata folder of the users profile needs to be shot. Repeatedly.

    When using Linux do you have to log in as root, otherwise your web browser crashes? The UAC should cause immediate panic and a feverish antivirus scan. Instead we've been collectively conditioned by poorly written software to just say 'meh', and blindly click continue.

    This is the crux of the matter.

    1. SYNTAX__ERROR
      Headmaster

      Very good spelling checkers...

      are available for popular browsers such as Firefox.

      That is all.

  8. GettinSadda

    So, what exactly is covered by this? I understand that MS Office would be covered, as would Windows, but what about Firefox? It's not being "sold within the EU".

    How about if my company is contracted by a customer to write them a system for managing their inventory - does that count as "software sold within the EU"? How about if the software is not written by a separate company, but by a different department of the same company? What if the programmers that wrote the code are contractors to the "customer" company?

    What counts as a "program"? Does every shell script I write count? Even if it is for myself? What about Javascript? PHP? HTML?

    How do you get this kite-mark? Do you have to submit your code for approval to some company that will test it and award the kite-mark? If so do I need to sent each update to them to? So if a security problem is discovered in "approved" code do I then need to pay yet again and wait how ever long for the fix to be approved before I can send it to my customers?

    And you do you prove that you have a kite-mark? Are you assuming malware writers won't simply lie? Or are all of our programs going to have to be signed? If so, will computers sold in the EU have to reject un-signed code? Such as Linux?

    1. M Gale

      This is interesting.

      If you're publishing FOSS, you're not selling software. You're selling service and support, usually.

      Linux exempt? Could be entertaining, and quite damn right too given how it's made and published.

  9. Coofer Cat
    FAIL

    Oh goodness...

    If government services are to be "convenient and secure by design", then absolutely every single one of them needs reworking. Have you tried doing your tax return? Can you even remember your username, let alone the password you can't change? It's absolutely guaranteeing you *have* to write down your Unique Tax Reference, your username, password and maybe the email address you used to register, otherwise you'll never manage to actually do next year's tax return.

    I for one, can't wait to see what the "convenient and secure by design" initiative comes up with!

    1. J.G.Harston Silver badge
      Flame

      HMRC Site should be shot

      Argh!! Not only do I have to remember a user+pass conbo I only ever use ONCE A YEAR, but the comments section invalidates almost the whole non-alphanum character set.

      "The income from this property is split 50%/50% between:

      Fred (details)

      Jim (details)"

      Sorry, invalid characters encounted in comments field. Please remove them.

      Grrr. What's the point of doing online submissions if you can't actually submit the details you can on a paper form.

  10. Eponymous Cowherd
    Unhappy

    Software "kitemark"?

    [Finally, and most controversially, MPs want to see "safety standards on software sold within the EU, similar to those imposed on vehicle manufacturers"]

    Fine. So long as the punters are willing to pay for that.

    The "kitemark" suggests some kind of approval process by an outside body. This will cost money. Lots of money. The Microsofts, Oracles, Adobes will be able to afford this because of the volumes they ship, but this kind of requirement will kill small, innovative, developers.

    And, after all that, it probably won't improve anything. Testing software for vulnerabilities is a bit like Catch 22. You can test for a vulnerability if you know about a particular attack vector. How do you test for a vulnerability you (or anyone else) doesn't know about? The "Kitemark" can only be as good as those doing the testing and it is more than likely that whole swathes of "kitemarked" software will fall victim to the next zero day attack.

    Then what happens? The software, despite being "kitemarked" has proved vulnerable. As now, the developer will fix the vulnerability, but will then have to re-submit for testing at more expense.

    Other considerations: Software, unless bespoke, is licensed, not sold. Is this relevant? Can Free be considered "sold for nothing? If so then wave goodbye to free software. If not, then buy my fully tested and approved "Hello World" app for £50 and get my super photo editor for free.

    1. John F***ing Stepp

      It has been awhile

      In re Software "kitemark"?

      Back in the 90s, in the states, they wanted us to put in a little verifying marklet for all sold software.

      This would have caused the company I worked for to go broke rather quickly had the proposed legislation passed and pretty well been the bane of all small software shops.

      I still hold a grudge about this and have not bought a Disney, Sony product or damn near anything made or produced by the a**holes that thought this scheme up*.

      If you are working for a small shop then they might be going after your job.

      *This is pretty much why I don't care if the pirates take Disney et al to the cleaners; they don't care about me, I don't care about them.

  11. Derk
    Thumb Up

    A rather good idea

    Back in the 1970's and 80's EMC testing in the form of BS800 was viewed as being "optional" by so many OEMs. Then came compulsory regulation in the form of 89/336/EEC. Now you had to comply with international standards. Don't comply? Withdraw your product from the market or face huge fines. Yes it was a boom time for test houses. But now all products must comply with EMC and safety standards or you can't go to market. The hobbyist can still make his noisy electronics, but the moment he tries to sell it to Joe public, the law kicks in. Why oh why can a similar scheme be set up for software? Even if a rating system was brought in, it would be better than nothing. Do you want to buy A+ security rated software or D-? Test houses don't need to be run by the government, just to be regularly audited and "calibrated" as NAMAS do now. Then software would have to be written to comply with internationally approved standards, which are regularly reviewed and improved.

    The rest of the engineering world HAS to comply with standards? Why not software?

  12. Ru
    Facepalm

    Educating users is never going to work

    See the example above for a phishing site test that even security experts aren't necessarily going to score full points on. Security education cannot, will not and has never worked for most people. Security needs to be wholly deterministic and transparent to the user; if at any point a consumer must make a judgement call, then there is a potential security loophole that can and will be exploited.

    It would be super if consumer software and operating systems were sold with some sort of notion of merchantability or fitness for purpose, but does anyone seriously think this will ever happen?

  13. Frumious Bandersnatch

    kitemark can't work

    Several commenters have already made similar posts, but I'll just throw out a few objections of my own...

    1. Sheer volume. There are 100,000's, if not millions of pieces of software out there. How are you ever going to certify each one?

    2. Barriers to entry. Only the very biggest companies can afford certification, making it harder or impossible for small producers to compete.

    3. "No warranty" boilerplate and liability. GPL says "there is no warranty for this free software" and it's also often repeated in other docs. Most proprietary software also has the same "no warranty, not even a guarantee of fitness for purpose" kind of language. This is incompatible with kitemark-like schemes and it could open up the producer to some sort of liability.

    4. Alternative: bug bounties. Money spent on certification would be much better spent paying people to find bugs. It also gives users much more confidence that the makers are serious about software quality.

    5. Alternative: certify processes, not products. Although it's overkill, at least the ISO 9000 standards have the right idea (IMO) by certifying that you're following good practices and not making guarantees of product quality/safety.

    6. Impostors/policing: If you have a software kitemark and you teach users to associate it with quality/safety, isn't this just another way for conmen to trick you? You'd need a massive software signing infrastructure to certify each piece of software--you can't just rely on stickers saying something is approved/certified. Signing all software is completely impractical, even for the likes of Microsoft, so what chance does it have for a voluntary/semi-regulatory body?

    7. Reputation: how do you build up brand trust with a voluntary system like this? Each bug or security lapse erodes not only the credibility of the software producer, but also the certifying agency. Do you really want to tarnish the established kitemark "brand" like this?

    1. Derk
      Happy

      Re Kitemark can't work

      1. As happened with electrical products there was a period of grace, 2 years to get your kit in order, the UK even got an extension for a couple of extra years. Which means that new code released after a certain date has to comply. Code released prior to the implementation date did not have to comply. Change your old code/product then it has to be tested.

      2. Same argument was used for electrical products. Didn't work. If fred in his shed has real faith in his product, he will invest or get investment in his product. EMC certification can cost between £500 to £Thousands to test, but you can use self certification, but you must have documentary evidence of your tests, a technical construction file. If your product is caught out, you must defend it or withdraw your product from the market place.

      3.A rating system, even the kite mark being denied for free software.

      4. If you have a standard to comply with, your money and time are better spent on that.

      5. ISO9000 parts 1 & 2 show you have traceability of your parts and processes, good, but it does not stop you putting out crap products, but the software is wonderfully documented. There is already the TickIT scheme for software development.

      6. Policing? As with the EMC standards, Trading standards police it now. And of course it has not been unknown for competitors to test the other blokes product to see if it really complies. The Germans were very good at this, test the other companies product, if it fails, its withdrawn from sale or loses its certification.

      7. It does not have to be the "Kitemark" so many products these days have to comply with a whole raft of EN standards. Before I start a product design, I first investigate all the safety and EMC standards I the product must comply with. There are many, and if I don't the customer does not get his CE mark. Added to that, the product must comply with the RoHS directive and the WEEE directive, if its automotive then add in theELV directive.

  14. Marco van Beek
    Thumb Up

    CE Marking

    I have long believed that what we need is an equivalent to CE Marking for software. It starts very simply. You have to conform fully to whatever standards you claim to comply with. If it does, the whole product gets a recall. We need to address these issues at a higher level that a single user complaining. We need Trading Standards to be able to issue prohibition notices for "faulty" products. When I buy a phone that says it is IMAP compatible, that should mean it fully complies with the standard, not some marketing department's definition. We need to be able to return used software as "not fit for purpose". And as far as cost is concerned, self certification means just that. As long as someone at Mozilla can put their hand on their hearts and say that Thunderbird or Firefox is 100% standards compliant, then that is all it needs. It will mean better testing and better interaction. And even better, I do not have to buy a product any more to complain about it.

    It is the grown up thing to do, and given how reliant we are on software these days, I want some accountability. It could be implemented tomorrow if the EU actually did something useful.

    1. Vic

      > It starts very simply

      If it were simple, do you think no-one would have done it?

      > You have to conform fully to whatever standards you claim to comply with

      Really? Do you realise that *most* code is not entirely standards-compliant, and deliberately so.

      Years ago, I worked on a V.34 modem implementation. The standard required the call to be dropped in a number of circumstances; we reckoned to have about a 2% chance of getting the connection if we coded strictly to the standard. That's why no-one did; we put in re-tries. Everyone did. But under your rule, every modem would have to be recalled and replaced with something barely functional.

      Got a software firewall? Most of them drop unwanted packets, rather than send RST as required by RFC793 (which opens you up to rapid port-scanning, and is a bad idea ). Under your rule, no-one would be permitted to sell such firewalls.

      > It is the grown up thing to do

      It most certainly is not. It's the plaintive cry from someone who's been bitten by crap software, but hasn't costed out the change from "good" code to "zero defect".

      Vic.

  15. cosymart
    FAIL

    Does this mean that software will work!?

    Come on here lets get real. What other product would you buy that is routinely supplied half finished? Car sir? Just bring it back in 2 weeks time to have the headlights fitted....

    Latest book? Sorry but the author has not quite finished the last chapter, come back next month and we will staple the last few pages in......

    Even better: just pay £*** and get the latest version, this time it will actually do what it was meant to do when it was first released last year. What a rip off.

  16. Vic

    Oh, good grief.

    We already *have* safety qualification for software. It's covered in IEC 61508.

    There are situations where it is absolutely required.

    But anyone calling for this sort of thing just has no idea of the extra cost implications of SIL qualification. It's reasonable to expect 2 to 3 orders of magnitude more expense for any code you buy.

    So that £50 game? It's now £50,000. Are you still going to buy it?

    Zero-defect coding *is* possible, but makes little sense outside of aerospace and munitions development.

    Vic.

    1. Anonymous Coward
      Anonymous Coward

      Ignorance is bliss

      I would hazard a guess that those who think blanket software certification is a good idea are people who have never had anything to do with software development or testing, and certainly not any experience in developing safety or mission critical software..

      Some background info. The company I work for is ISO 9000 and TickIt certified. We undergo a 6-monthly audit by BSI. This ensures our standards and procedures comply with the requirements. It goes a long way to ensure that the software we produce is of a very high standard.

      We also produce some certain software that does go through a testing and certification process (for the US FDA). This, as Vic points out, makes the software exceedingly expensive. This is fine for safety critical software being purchased by governments / military, etc. But do you really want to be paying a 4, or even 5, figure sum for a word processor or, desktop OS (windows). Do you really want to be paying £1000's for your next smartphone, smart TV, Games console, etc? All have operating systems, all, therefore, contain "sold" software and would need to be subject to certification.

      Then there is what you can actually certify the software to run on. Any piece of software running on a general purpose computer relies on the software infrastructure that computer provides. You can, therefore, only reliably certify a certain piece of software to run on a particular operating system (e.g. MS Windows 7 Professional, NOT Home, Ultimate, etc), with a particular service pack and with no (or strictly defined) updates and hotfixes.

      Change ONE library, service or resource of the underlying system that the certified software is running on then that certification is invalid. That puts you in a nasty "Catch 22"". You cannot apply the critical security patch to your OS because your certified, kitemarked, application would detect the change in its startup checks and refuse to run

    2. Corporate Mushroom

      re. Oh, good grief.

      Fortunately any expense would be far lower than that, not least because the MPs have confused safety and security. Even if the MPs weren't talking out of their backsides, anyone developing to IEC 61508 (or any of the other safety standards) should follow a hazard identification before they start, and for the vast majority of software this would clarify that development to a SIL is not required and no further expense would be incurred.

      Having said that, if this idea does go anywhere I can imagine MPs passing legislation that requires all software to undergo independent security testing to ensure "safety" with no regard to whether it makes any sense for the software product in question.

  17. Semaj
    Thumb Down

    Kite Mark

    The problem with the kite mark idea is that software really isn't like the kind of product you buy in a shop. There's still going to be nothing stopping a lone dev putting out their own things they've made as a hobby on the net and there's nothing stopping companies from developing their own internal systems and that is a good thing.

    I'd say a developer is more similar to a builder. There are cowboys who will do a shit job for a large amount of money and there are better people who have ethics. You get people building their own walls and sheds. Some of these are awful and fall down and some are ok. You even get big building companies making huge developments with the guarantees that they will not crumble in a year.

    The only viable solution I'd say if to regulate us in the same way as builders. I know they have certifications so we should have similar. MS have their partner thing for companies - that's the kind of thing I'm talking about but something platform agnostic would be even better.

    1. Anonymous Coward
      Anonymous Coward

      Can be done

      "The only viable solution I'd say if to regulate us in the same way as builders. I know they have certifications so we should have similar."

      This can, and is, available now. TickIt and ISO 9000 certification ensures the quality of your development practices and procedures.

      This works well for bespoke software as potential customers see our certification as a big plus in choosing us over our competitors. Not so good for regular sold / licensed software as the end consumer doesn't know the software was developed by a certified developer. You are not permitted to put the ISO9000 or TickIt logos on the finished product as these apply to the development process, not the finished product, though I think it would be good to be able to place a "Developed by a TickIt certified developer" logo on the finished product..

      As has been stated elsewhere, certifying individual software titles is completely unworkable.

  18. Derk

    Ground hog day, week, year

    All the objections I see posted here, are the same ones I saw back in 1989 for EMC compliance, and again in 2004 for the RoHS and WEEE directive. Guess what? Projects and products didn't get more expensive. It was implemented without all the wailing and complaining seen here. Old products stayed non-compliant, new ones had to comply. So what is the difference when a person sets out to write a block of code that must comply with a standard as opposed to one that does not? Not a lot I'm sure. The engineer involved just needs to have read and understand the directive involved.

    re ignorance is bliss, If your code complies with the standard in the first place, why would you need to change one Library, service or resource? Is the product (as usual) not finished? not really fit for purpose? Another that will do as we need to hit a dead line?

    The sooner there is some form of compliance the better! It is we the consumer who has to suffer with all the shite software out there from all sources!

    1. Just Thinking

      @Derk

      Have you ever been involved in developing a complex software application? Checking that each "block" of code complies with a standard - well it helps (eg you can eliminate SQL injection by systematically sanitising user input) but it is only a fraction of the story.

      Its like testing EMC compliance by testing each component in isolation. Great, the PSU, power cable and motherboard don't radiate anything at all. Connect them together and plug it in, it will be fine.

      re ignorance is bliss. You miss the point, a fundamental point about why this would be so difficult. My software might be perfect on a particular version of Windows. Next patch Tuesday when some part of Windows changes (nothing to do with my perfect software), well it will probably be ok but who knows?

      Not disagreeing with the general point that there is a lot of crap software around. Sturgeon's law applies, as with anything.

    2. Anonymous Coward
      Anonymous Coward

      Underlying Dependencies

      "So what is the difference when a person sets out to write a block of code that must comply with a standard as opposed to one that does not?"

      This has nothing to do with certifying an individual application. Many developers do comply with certain standards (we use ISO9000 and TickIt and will be moving to TickIt+), but that will not and cannot guarantee how a particular program will behave in the field once it encounters the diverse and varied platforms that it will need to run on.

      "If your code complies with the standard in the first place, why would you need to change one Library, service or resource?"

      You wouldn't, but the owner of the computer the "certified" program is running on might change it or, more likely, it could be changed as part of an OS service pack or update.

      "The sooner there is some form of compliance the better! It is we the consumer who has to suffer with all the shite software out there from all sources!"

      That's perfectly fine, just as long as you are willing to:

      a) take the financial hit

      b) be happy with less innovative and fully featured software (each feature is a risk)

      c) be happy with all software coming from big players like Microsoft as small players won't afford it.

      The choice is yours. Rich, fully featured, innovative software at reasonable prices (often free) with lots of choice in the marketplace, with the knowledge that it will sometimes fail, or bland poorly featured yet expensive software from a few big players, that will, almost certainly, still fail, but somewhat less often.

  19. M Gale

    Also can be read as...

    "We want to tax the ability to create software and make it look like we're doing something even though we'd probably fuck it up completely and leave you no choice but to go along with it anyway."

    Really sure a Kitemark is necessary, or do you think Microsoft are going to give you malware, WGA notwithstanding? They and other established firms are the only people who will be able to afford the certification process, and how far do you think the requirements will go once the Daily Mail gets involved?

    The whole industry run like Apple's App Store but even more expensively does not leave a good taste in my mouth.

  20. Anonymous Coward
    Anonymous Coward

    can we have kitemarks for MPs as well please?

    before they are allowed to speak on a subject, there must be some accreditation to show people that they understand the issue, and didn't just read a newspaper article while traveling between multiple houses or cleaning moats. It's as bad as politicians/others pontificating about salaries and bonuses but not publishing full details of their own arrangements. Not every issue can be reduced to a simple soundbite (or kitemark, in fact).

  21. Why Not?
    Thumb Down

    They can't even manage to check silicone in Bulgarian Airbags

    The issue is mainly companies failing to manage other peoples money & data properly.

    You can't verify each piece of software or website by definition its very changeable (Clue is the soft bit in the name).

    You can however manage the money & the Data.

    Make the Bank's fully responsible for losses, that means them paying back money they have had STOLEN FROM THEM immediately, ITS NOT IDENTITY THEFT, ITS NOT YOUR PROBLEM. I have waited months when they have taken money out of my account because they were defrauded by their other customers.

    If I go overdrawn can I tell the bank its their fault and can I keep the money for 6 months for free?

    Sack anyone in power that screws up, fine companies that disclose data from inaction. Make them pay compensation to those inconvenienced by their incompetence. Nothing makes a big company perk up quicker than executive level embarrassment or loss of profit.

    We would then get a secure method of operating bank accounts, maybe offer paper / branch confirmation of large transfers?

    If you want to take out a loan, phone account etc, you have to do so providing either money up front or by validating your address & Identity.

    Anyone who trusts one group of publicly available information as a valid method of identification is an idiot. Banks might then afford two or three factor Authentication and still distrust that.

    Then limit the amount of data that can be stored without a Kitemark.

    List the storable data and if the software tries to store personal information other than that then people should worry. My Name,Address, phone number, DOB & Mothers maiden name are a matter of public record.

    But if all banks require card present, hardware encoded communications for transactions it becomes a lot less of an issue. You won't be able to set up the direct debit or pay the bill.

    FOLLOW THE MONEY!!!

This topic is closed for new posts.

Other stories you might like