Software patching must work like car safety recalls, says US cyber boss

Software made unsafe by dependencies should be fixed without users needing to interact with the source of the problem, according to US National Cyber Director Chris Inglis, who serves in the Executive Office of the President. Speaking to The Register at the Black Hat Asia conference in Singapore on Friday, Inglis said that …

  1. Martin Gregorie

    An interesting viewpoint from Mr Inglis

    Interesting, only because he seems not to understand the existence of Open Source and its implications.

    In particular, as we've seen recently, there seems to be a significant amount of abandonware in popular shareware repositories and, worse, it is linked in as a required component of packages supported by other, unrelated, developers. It would be nice to know if Mr Inglis even knows that this sort of linkage exists and just who, if anybody, he thinks should bear the legal responsibility for fixing buggy abandonware in such a calling sequence.

    Seems to me there are four main questions that need answers:

    1) What responsibility should the shareware repository owner have for providing tools that allow an author to determine who wrote shareware that his code depends on?

    2) Should they refuse to accept code that's not fully documented and accompanied by a properly maintained set of unit tests with enough coverage to fully validate the shareware's operation with valid, invalid and out-of-range inputs?

    3) Should the abandonware author be legally responsible for removing code that they've decided not to support any longer? Who inherits this responsibility if the author dies?

    4) What liability should fall on a shareware author whose product depends on buggy code written by a 3rd party and that may or may not be maintained?

    1. Version 1.0 Silver badge

      Re: An interesting viewpoint from Mr Inglis

      "If the automobile had followed the same development cycle as the computer, a Rolls-Royce would today cost $100, get a million miles per gallon, and explode once a year, killing everyone inside." - Robert X. Cringely

      1. This post has been deleted by its author

    2. heyrick Silver badge

      Re: An interesting viewpoint from Mr Inglis

      1, It's a rat's nest. Logically it is the author's responsibility to know what they are using in their project, but if a dependency depends on something that depends on something... It's a mess. Plus it is also a moving target: an update might completely change how something works under the hood, and it won't be noticed as long as it works the same way.

      Personally, I think a coder ought to damn well know what their code is actually doing and using before inflicting it upon the world, but I don't envy them sorting out that mess. But see point 4.

      2, If the repository wants to kill itself stone dead, sure. But do note the number of buffer overruns and parse failures and such in commercial closed source software. Let's see the unit test results for those, eh?

      3, Absolutely not. Just because an author has given up on maintaining something does not automatically mean it is broken or has no value or purpose. To require people to remove unsupported stuff risks slaughtering a good point about open source (that being that the source is available should you want to tinker).

      It also risks important consequences if an author decides to cease supporting something and removes it, immediately buggering up everything that depended upon it.

      4, Ideally, responsibility should fall on the author to be aware of what his code is using. However, if one wishes to have programmers be held to the same standards and liabilities as car manufacturers, then I'm quite certain that one will be happy to pay programmers the same as people who design cars, and also perfectly willing to pay the same price for new software as for a new car. And no free updates, you have to buy each new version.

      Because all that testing and design and crash test dummies? That's expense after expense. Not even remotely in the same category as this one guy in Montana that maintains something important in his spare time, for free.

      Of course, all those whingers are fully able to obtain the source and contribute. Might be more useful than dreaming up ridiculous laws, but then, doing so requires mental acuity and competence. Proposing crap laws is something that any idiot could scribble on a napkin while on an expensive taxpayer funded working lunch.
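The "rat's nest" in point 1 above (and Mr Gregorie's question 1 about tooling) is a transitive-dependency walk. As an added illustration that is not part of any commenter's post, the script below walks a small constructed package index (assumed data, standing in for a lockfile plus registry metadata) and reports every transitive dependency whose maintainer cannot be reached, together with the path that pulls it in. The index, the package names and the `reachable` flag are all invented for the example; the walk is cycle-safe and treats a package missing from the index as unmaintained.

```python
from collections import deque

# Constructed sample index (not real packages): name -> maintainer metadata and direct deps.
# "reachable" stands in for "the maintainer answered the contact address on file".
SAMPLE_INDEX = {
    "myapp":     {"maintainer": "me",     "reachable": True,  "deps": ["webfw", "logutil"]},
    "webfw":     {"maintainer": "fwteam", "reachable": True,  "deps": ["httpparse", "logutil"]},
    "logutil":   {"maintainer": "solo",   "reachable": True,  "deps": ["fmtcore"]},
    "httpparse": {"maintainer": "gone",   "reachable": False, "deps": ["fmtcore"]},
    # fmtcore depends back on httpparse: a deliberate cycle to show the walk terminates.
    "fmtcore":   {"maintainer": None,     "reachable": False, "deps": ["httpparse"]},
}


def transitive_deps(index, root):
    """Return {dep: shortest path from root} for every transitive dependency of root.

    Breadth-first so the recorded path is the shortest chain that introduces the
    dependency; the seen-set makes cycles and diamonds harmless.
    """
    paths = {}
    queue = deque([(root, [root])])
    seen = {root}
    while queue:
        name, path = queue.popleft()
        # A dep absent from the index contributes no further edges but is still recorded.
        for dep in index.get(name, {}).get("deps", []):
            if dep in seen:
                continue
            seen.add(dep)
            paths[dep] = path + [dep]
            queue.append((dep, paths[dep]))
    return paths


def unmaintained(index, root):
    """Transitive deps whose maintainer is unknown or unreachable, with the chain that pulls them in."""
    return {
        dep: path
        for dep, path in transitive_deps(index, root).items()
        if not index.get(dep, {}).get("reachable", False)
    }


if __name__ == "__main__":
    for dep, path in unmaintained(SAMPLE_INDEX, "myapp").items():
        print(f"{dep}: pulled in via {' -> '.join(path)}")
```

The point of recording the path rather than just the name is the one heyrick makes: the author of `myapp` never chose `fmtcore`, so the report has to say which of their direct dependencies did.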

    3. Anonymous Coward

      Re: An interesting viewpoint from Mr Inglis

      Open Source doesn't have much of a defined process to address this and it needs one.

      However, I think that some of your questions are questionable at this time.

      I would suggest a more gradual approach. For example, create a repository of abandonware, starting with authors who can no longer be reached via their contact information or who, once reached, state that they've abandoned the project. Then ask the community whether anyone is willing to take responsibility for them.

      At least then you have a baseline to start with.

    4. JJamesR

      Re: An interesting viewpoint from Mr Inglis

      I'm not sure if I've misread the article or your reply, but to me the article is saying this is about making the vendor take responsibility of the open source they use in their products, not the devs of the open source. My take is that the vendor would have two choices: work with the original author to get a vulnerability fixed or fork it and fix it themselves.

      To me, this would seem a win for the original devs, as it actually gives incentive for vendors to support and fund devs of the open source software they use, rather than grab it and run.

      1. Anonymous Coward

        Re: An interesting viewpoint from Mr Inglis

        "My take is that the vendor would have two choices: work with the original author to get a vulnerability fixed or fork it and fix it themselves."

        Both of those require them to spend money, what they were trying to avoid by using open source.

        It's also a case of, someone else will fix it.

    5. W.S.Gosset Silver badge

      You've misread the article -- he's not talking about FOSS

      > Inglis wants vendors to take responsibility

      Vendors. Not unpaid open-source devs.

      1. Anonymous Coward

        Re: You've misread the article -- he's not talking about FOSS

        Yet...

    6. EnviableOne Silver badge

      Re: An interesting viewpoint from Mr Inglis

      "Interesting, only because he seems not to understand the existence of Open Source and its implications."

      No, it seeks to enforce that they obey the terms of the licence (e.g. the Apache licence, clause 7, final sentence, which says: "You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.")

  2. Snowy Silver badge
    Facepalm

    Software patching must work like car safety recalls, says US cyber boss.

    Does he mean in the way a significant number fail to get recalled?

    1. FirstTangoInParis

      Re: Software patching must work like car safety recalls, says US cyber boss.

      Would be nice if I could get updates for my car. Entertainment system has bugs that really could do with fixing.

    2. stiine Silver badge
      Facepalm

      Re: Software patching must work like car safety recalls, says US cyber boss.

      Sure, just drive OneDrive to Redmond and they'll fix it for you...

      1. Chloe Cresswell

        Re: Software patching must work like car safety recalls, says US cyber boss.

        I have a recall on my car.

        I have a notice listing all the dealers, the closest is over 2 hours drive away.

        The recall? The manual lists the setting for the rear door child locks incorrectly, the on and off settings are reversed. The markings are correct on the door.

        The outcome of the recall: I get a notice to drive 4 hours to a dealer and back to _replace a page in the manual_.

  3. Claptrap314 Silver badge

    Ever hear of FOSS? Even once?

    When cars are routinely available for FREE, we can start to talk about some semblance of comparability between the markets.

    Guess what: if someone gives you something for FREE, expect that they will be FREE of any liability. EVERY SINGLE FOSS license has such a clause. (The "Beer License" does not appear to meet the requirements to be a license in the legal sense.)

    So, either this guy is a massive idiot (as are those who take him seriously), or he's talking exclusively about the commercial market. Let's assume he's talking about the commercial market. Okay, now there is some possibility that he's not..wait. He's talking about log4j. FOSS.

    Some village has had its average IQ bumped. Send this one back.

    1. This post has been deleted by its author

    2. W.S.Gosset Silver badge

      Does no one actually read what's actually IN the article? Even once?

      As above, he's not talking about FOSS.

      > Inglis wants vendors to take responsibility

      Vendors. Not unpaid open-source devs.

      1. Anonymous Coward

        Re: Does no one actually read what's actually IN the article? Even once?

        When phone manufacturers start support patching for more than <0 to 3> years minimum then he'll have achieved something positive.

        It is never going to happen though.

  4. sreynolds Silver badge

    So what he is saying is that government is ultimately responsible?

    First they bailed out the big banks for their fuck ups. Too big to fail. So when some for profit company uses the software of someone that does this for a hobby, are they honestly expecting someone to give up their livelihood to support the for profit company?

    Do these people really have any idea? Imagine, let's say that someone open sourced the design for a device that generated a huge amount of gas that could have been used for inflating an airbag. Sure, there was a design flaw that she was not aware of, one that would fire metal shrapnel with such force that it could penetrate the skull of the driver. Is the designer to blame?

    1. W.S.Gosset Silver badge

      CONFIRMED: people do not actually read the words; they just keyword and extrapolate

      As above, twice, he's not talking about FOSS.

      > Inglis wants vendors to take responsibility

      Vendors. Not unpaid open-source devs.

      1. Anonymous Coward

        Re: CONFIRMED: people do not actually read the words; they just keyword and extrapolate

        That's the good reason.

        Then there's the real reason.

        The ultimate aim of software corporation lobbyists is to abolish FOSS competition. Making it illegal if unpatched is a simple solution.

        It's all about profit.

  5. Arion

    There's one critical point that Mr Inglis has missed. Cars and software are very different things. If he'd narrowed it down like "Software to manage critical safety functions of cars" should work like car safety recalls, or "Software to manage medical devices", or "Software to manage financial data where the financial exposure exceeds $100,000 per month", he might have had a point.

    Tarring avionics software with the same brush as a sudoku app on my phone is a disservice to the industry, the economy, and to the information age.

    A US national cyber director should be familiar with the concept of risk: the product of the impact and probability of an issue in software, and issues with my sudoku game should be treated the same way as car safety recalls.

    Now in fairness, this isn't a US specific problem; we have this problem in the EU as well with the likes of the cookie law; laws written by politicians and lawyers, without the insight of engineers and subject matter experts who better understand the problem that needs to be solved.

  6. Will Godfrey Silver badge
    Unhappy

    Hmmm

    Perhaps the gentleman would like to define precisely who he regards as the 'Vendor'.

    1. DevOpsTimothyC Bronze badge

      Re: Hmmm

      If you sell a product (or a licence to it) then you're the vendor. If you give it away and also offer a support contract, guess what, you're also the vendor (for all of the people/companies who buy the support contract).

      Basically, if you create a product and then take money for it then you're a vendor.

      1. OhForF'

        Re: Hmmm

        You skipped the important part regarding FOSS:

        If i give it away with a license that says you can use it at your own risk without any compensation to me am i still the vendor?

        1. jmch Silver badge

          Re: Hmmm

          If i give it away with a license that says you can use it at your own risk without any compensation to me am i still the vendor?

          No

        2. DevOpsTimothyC Bronze badge

          Re: Hmmm

          Sorry I wasn't obvious enough with the "If you take money for it you're a vendor". I didn't think I needed to add "If you have not taken money for it then you're not a vendor".

          For the avoidance of any doubt. If you were employed to write code, IF you retain ownership you're the vendor. If you do not retain ownership or similar rights then you're also not a vendor. Most employment contracts I've seen have clauses along the lines of "Anything you create while employed are the property of the employer"

  7. Terry2000

    Because I said it should work that way

    It is always darkly humorous when fools proclaim "The world should work the way I think it should"!

    It is less funny of course when said fool has real power to do real harm in society. Still as idiots with an opinion go I suppose this one is less dangerous than most. And he did stop short of putting the NHTSA in charge of developing regulations for software distribution. So that is something.

    I believe the best response is to tell him because the price of diesel fuel is currently so high it is impractical to implement recalls at this time. Maybe when gas gets under $0.99 / gallon we can develop a regimen to distribute software fixes by truck.

  8. Blade918rr

    At last. been saying this for years

  9. Anonymous Coward

    Critical life supporting infrastructure systems. TAKE RESPONSIBILITY for the crap you peddle.

  10. TeeCee Gold badge

    Like car safety recalls.

    1) Customer(s) complain/die/are injured.

    2) Authorities investigate and find fault.

    3) Volkswagen[1] The manufacturer swears blind that the fault isn't safety critical in itself.

    4) Authorities decide not to issue a recall.

    Is that the process we want?

    [1] Sorry, easy mistake to make. Apparently, if your car is apt to suddenly stop for no reason in the midst of high speed traffic or have much of its brake system cease working, it's not a recall issue if it's a VW. For some reason[2] VW are also the tightest bunch on the planet for getting a spot of goodwill out of toward fixing common faults in their cheapshit componentry.

    [2] Directors' bonuses are way more important than customers has to be favourite. See also: Dieselgate.

  11. Anonymous Coward

    We're Almost There Already

    It is happening: cars are becoming as unmaintainable as phones as the amount of electronics and Google or Apple junk software increases. Just look at all the serious bugs in Teslas that are unfixable, not to mention the age old universal problems of car electronic locking and security systems that no-one bothers to recall and fix, just like insecure passwords.
