US cybersecurity chief: Software makers shouldn't lawyer their way out of security responsibilities

What's more dangerous than Chinese spy balloons? Unsafe software and other technology products, according to America's Cybersecurity and Infrastructure Agency (CISA) Director Jen Easterly. During a speech at Carnegie Mellon University on Monday, Easterly said technology providers must prioritize security in their products over …

  1. gerryg

    fine words butter no parsnips

    I remember a million years ago reading a book called "Pascal programming with style".

    The foreword contained a rhetorical request to express a preference for a programme that was correct first time or one that had been fixed 100 times and was known to be correct.

    It has always been acceptable for a closed source, software-for-money business model to ship the product and wait for the bug reports then decide which ones were going to be addressed. This isn't so far away from the story that Sinclair shipped Spectrum computers they knew to be faulty and then reshipped the returns to new customers except that somehow that was seen to be unacceptable.

    I have sat through close to twenty-five years of using (now) openSUSE and not being given features because they didn't yet exist, didn't work properly or because to implement them meant a security risk (e.g., CD-ROM drives in user space back in 2002). It was always about security.

    Only this evening I was reading discussions about improvements to ext4 and what they meant for filesystem security. I've avoided the intense discussions about xxxBSD versus Linux kernels because I don't understand them, but I'm happy in the knowledge that somebody cares.

    Where, anywhere, in the closed source world are these painful (in every sense of the word) discussions taking place? Who cares that one arm of government is bleating about what other arms of government have allowed to happen?

    I remember and took part in the intense warfare over UK government policy proposals on using open standards and the amount of resource poured in by closed source companies trying to resist.

    The solution has always been to insist on open standards and interoperability and let software do what software does best. Somehow policy makers have never quite delivered.

    1. Gene Cash

      Re: fine words butter no parsnips

      It has always been acceptable for a closed source, software-for-money business model to ship the product and wait for the bug reports then decide which ones were going to be addressed

      No, it's not been acceptable... it's just there's not much choice. Do you buy Oracle's shitty buggy product or SAP's shitty buggy product? There's been no way to hold their feet to the fire except to not buy it, in which case you're not a customer and they JDGAS.

      1. Charlie Clark

        Re: fine words butter no parsnips

        The "choice", or lack of it, is conditioned by the exemption of strict liability for software. Now, it's possible to run some thought experiments as to what would happen if a large corporation did become the target of a class action suit and whether, if this led to bankruptcy, the software would ever get fixed. But surely, that's a debate that should be had in the first place?

      2. gerryg

        Re: fine words butter no parsnips

        You could choose not to use it. Would you put your valuables in a safe that didn't close properly? Since when has crossing your fingers and hoping been a strategy?

        1. Anonymous Coward

          Re: fine words butter no parsnips

          Since when has crossing your fingers and hoping been a strategy?

          When did Microsoft start selling software again? Roughly around that time.

        2. Killfalcon

          Re: fine words butter no parsnips

          Half the problem is that the savings made by shipping bad products are spent on marketing.

          SAP and Oracle may be terrible but if you need something that does that, what else are you going to do? Buy something that doesn't have an ecosystem of salesmen trying to sell it? Something that doesn't have expensive certs driving DBAs to try and justify?

          How do you even find out about other options? How do you get the beancounters and execs to get on board? They have no information to work with, no way to even know other options exist.

          It's just an uphill struggle. Probably a worthwhile one - but it would be so much better if the market wasn't rewarding this set of priorities.

          (side thought: this is why good mobile games are almost impossible to find now. The horrible over-monetised ones are the only ones that can afford to advertise, so you never see anything except overly monetised skinner-boxes)

        3. Charlie Clark

          Re: fine words butter no parsnips

          Have you ever bought a knife or a cup of coffee in America? Knives must come with a warning that sharp blades can cause injuries and cups of hot liquid must have a warning that hot liquids can cause injuries. Both warnings, and a heap of others (including for microwaves and tumble dryers), were decided by courts on the back of class action suits brought because of the concept of unlimited liability in America. So, if you do buy a safe that doesn't close properly, you can indeed sue the manufacturer. But you just can't do this with software products because of the exemption.

    2. fg_swe

      Really?

      Open Source which is too complex to be reviewed has proven to be full of exploitable bugs. See OpenSSL.

      A lot of insecurity comes from the "moar is betta" line of thinking. The more LOC, the better. In reality, the more code, the more long-term bugs.

      Also see KISS and the seL4 microkernel.

      1. Anonymous Coward

        Re: Really?

        It really does come down to greed.

        Primarily on the customers part - they simply want more, and they want it now.

        On the vendors part, it's a lack of self control to give it to them, and laziness in the marketing department, that won't learn to sell "works properly" as an invaluable feature.

  2. jake

    Something to remember ...

    ... is that the kids who graduated Uni/College and got into the corporate/government computer and networking world back when computers started becoming ubiquitous on desktops all over the corporate world are now roughly in their late 50s.

    Note this is managers, users, coders, programmers, systems folks, everyone.

    They started commercial computer work with Windows 2.x and DOS 4.0 (or thereabouts), and have become conditioned to the Redmond Way ... In their minds (and the generations following) it's supposed to be shoddy code, it's supposed to not be secure, it's supposed to break at the least convenient time, it will crash at random, updates will make things worse, over time it gets bigger and worse, if you turn it off and back on again it might fix it (maybe; try it again) ... these are all enshrined in the corporate attitude.

    So why bother building clean, elegant code that just works when the underlying OS doesn't support such a concept? There is no point.

    Those of us who started coding in the 60s or earlier are just left shaking our heads. Can you imagine what the reaction in Corporate America would have been if DEC or Burroughs or Sperry or IBM had made just one release that was as buggy as the code that is run as a matter of course on modern computers? Or worse, the drek in "the cloud"? The company's stock would have tanked, they would never have been trusted again, heads would have rolled ... ugly wouldn't even begin to describe it.

    But these days? Navigating through crap, buggy, crash-prone bullshit has become business as usual. Because THAT'S HOW COMPUTERS ARE SUPPOSED TO WORK! Ask any manager. Or coder under 50. (Thankfully there are still a few real programmers out there in each generation.)

    I have no answers. I'm not sure there are any.

    1. An_Old_Dog

      OS/360 had plenty of bugs

      Read "The Mythical Man-Month" by Frederick P. Brooks, and look for the phrase, "throwing it over the wall". (OS routines keeping security-relevant data structures and buffers in the individual user's memory R/W space, vs in the OS's space.)

      1. jake

        Re: OS/360 had plenty of bugs

        ITYM "throwing it over the fence".

        That wasn't an OS/360 bug, per se. Rather, it was the programmer(s) introducing security issues as a result of bad planning by management.

        (Unless I'm misremembering ... I haven't read TMMM in probably 30 years. It's on my read list now ... thanks for the reminder! Have a beer.)

        1. Doctor Syntax

          Re: OS/360 had plenty of bugs

          IIRC it was about whether to place some function in H/W or S/W, the context being discussion on how to make best use of limited system resources.

          1. An_Old_Dog

            Re: OS/360 had plenty of bugs

            In the case of the OS/360 vulns, it was programmers being given core-memory budgets partway through the project. The easiest thing they could do to shrink the amount of core they used was to put the I/O buffers, etc., into the user's R/W memory space. Which they did. This included the I/O request buffers. The exploit goes thusly: BadProgram requests I/O for a region to which it has valid access, the OS goes and checks access and approves it, but before the OS can do the I/O, BadProgram changes the parameters of the I/O request to a region it does not have valid access to. The OS has "already checked and approved" access, and later executes the changed I/O request.
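The race An_Old_Dog describes is a check-then-use flaw (a TOCTOU, or double-fetch, bug): the OS validates a request block that the job can still modify, then trusts the block a second time when it performs the transfer. The following C model is an added illustration, not IBM code and not anything the commenter posted. The memory layout, field names, the 128-byte region split and the `race_hook` callback that stands in for the competing job are all assumptions made for the example. It places the vulnerable servicing routine beside the fix that the flaw calls for: copy the request into OS-private storage once, validate the copy, and never look at the shared block again.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the flaw described above: the I/O request block
 * sits in memory the requesting job can still write after the OS has
 * approved it.  Sizes, field names and the region split are assumptions
 * for this illustration, not IBM's real OS/360 control blocks. */

#define MEM_SIZE   256u
#define USER_LIMIT 128u   /* [0, 128) belongs to the job; [128, 256) is protected */

typedef struct {
    uint32_t addr;   /* start of the buffer the job asks the OS to fill */
    uint32_t len;    /* number of bytes to transfer */
} io_request;

/* Stand-in for the concurrently running job: invoked between the OS's
 * access check and the transfer.  A real race depends on timing; the
 * model calls the hook deterministically so the outcome is reproducible. */
typedef void (*race_hook)(io_request *shared);

/* The access check itself is sound: it rejects anything outside the
 * job's region and cannot overflow on large lengths. */
static bool access_allowed(const io_request *r) {
    return r->len <= USER_LIMIT && r->addr <= USER_LIMIT - r->len;
}

bool check_request(uint32_t addr, uint32_t len) {
    io_request r = { addr, len };
    return access_allowed(&r);
}

/* Vulnerable servicing: validates the request where it lies, then reads
 * it again when performing the transfer ("already checked and approved"). */
static bool io_service_vulnerable(uint8_t mem[MEM_SIZE], io_request *shared,
                                  race_hook hook) {
    if (!access_allowed(shared))          /* first fetch: validate */
        return false;
    if (hook) hook(shared);               /* job rewrites the approved request */
    if (shared->len > MEM_SIZE || shared->addr > MEM_SIZE - shared->len)
        return false;                     /* keeps this toy inside its array only */
    memset(mem + shared->addr, 0xAA, shared->len);   /* second fetch: use */
    return true;
}

/* Hardened servicing: copy the request into OS-private storage once,
 * validate the copy, and transfer using the copy alone.  Whatever the
 * job does to the shared block afterwards no longer matters. */
static bool io_service_hardened(uint8_t mem[MEM_SIZE], io_request *shared,
                                race_hook hook) {
    io_request priv = *shared;            /* single fetch into OS memory */
    if (!access_allowed(&priv))
        return false;
    if (hook) hook(shared);               /* too late: the OS no longer reads here */
    memset(mem + priv.addr, 0xAA, priv.len);
    return true;
}

/* The job's move in the race: point the approved request at protected memory. */
static void retarget_to_protected(io_request *shared) {
    shared->addr = 200;
    shared->len = 16;
}

/* Count how many bytes the transfer landed in the protected region. */
static size_t protected_bytes_written(const uint8_t mem[MEM_SIZE]) {
    size_t n = 0;
    for (size_t i = USER_LIMIT; i < MEM_SIZE; i++)
        if (mem[i] == 0xAA) n++;
    return n;
}

/* Fresh memory, a legitimate request for the job's own region, then the race. */
size_t run_scenario(bool hardened) {
    uint8_t mem[MEM_SIZE];
    memset(mem, 0, sizeof mem);
    io_request req = { 16, 32 };          /* constructed, valid request */
    if (hardened)
        io_service_hardened(mem, &req, retarget_to_protected);
    else
        io_service_vulnerable(mem, &req, retarget_to_protected);
    return protected_bytes_written(mem);
}

int main(void) {
    printf("vulnerable: %zu protected bytes overwritten\n", run_scenario(false));
    printf("hardened:   %zu protected bytes overwritten\n", run_scenario(true));
    return 0;
}
```

The only difference between the two routines is where the request is read from after the check. That is the general rule for any privileged code that validates caller-supplied structures (system call arguments, DMA descriptors, IPC messages): snapshot into memory the caller cannot reach, then check and act on the snapshot.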

      2. Scoured Frisbee

        Re: OS/360 had plenty of bugs

        Recently deceased, I'm sorry to say. The University is holding a memorial this weekend if you want to attend the virtual event, or have already registered for the physical event. Quite a fellow.

        https://cs.unc.edu/brooks

    2. fg_swe

      Yeah, Ageism

      I am below 50 and have been able to look back at the ALGOL mainframes, because they had great security features (memory safety of some sorts). I also created a memory safe and efficient language, marrying the best of C++ and Java. I see the problems of C and Unix. I have also seen horribly buggy mainframe hardware in the 2000s. The pressure of the market competition and the pressure from the financiers...

      See my posting history.

    3. jgard

      Re: Something to remember ...

      Mate, you don't half talk a load of rubbish.

      "They started commercial computer work with Windows 2.x and DOS 4.0 (or thereabouts), and have become conditioned to the Redmond Way ... In their minds (and the generations following) it's supposed to be shoddy code, it's supposed to not be secure, it's supposed to break at the least convenient time, it will crash at random, updates will make things worse, over time it gets bigger and worse, if you turn it off and back on again it might fix it (maybe; try it again) ... these are all enshrined in the corporate attitude.

      So why bother building clean, elegant code that just works when the underlying OS doesn't support such a concept? There is no point."

      OK, let's see what boxes this ticks:

      1) laying on the usual, generalised anti-Microsoft sentiment.

      2) stating your own very personal and subjective opinions about Microsoft as fact, of course this helps you bask in the glow of self-generated admiration of just how amazing you are.

      3) ensuring those opinions you passed as facts are so vague and general that they can't be fact checked - therefore buttressing the confirmation bias of other MS bashers who share your beliefs (not facts).

      4) demonstrating you have no idea about modern MS products, e.g. "it will crash at random", really? What 'crashes' at random? Have you used MS products in the last 20 years? You're just wrong.

      5) brazenly making shit up to falsely support a false narrative that everybody these days accepts crap software, because MS are crap and have enforced their standards of mediocrity on to the collective corporate attitude. Total BS.

      6) providing irrelevant info dripping in false equivalence: "Those of us who started coding in the 60s or earlier are just left shaking our heads. Can you imagine what the reaction in Corporate America would have been if DEC or Burroughs or Sperry or IBM had made just one release that was as buggy as the code that is run as a matter of course on modern computers? Or worse, the drek in "the cloud"? The company's stock would have tanked, they would never have been trusted again, heads would have rolled ... ugly wouldn't even begin to describe it." Really? You are comparing:

      i) the high-end, rare and expensive tech of yesteryear (when hw and sw were designed and created specifically for each other) which did a very specific job, with:

      ii) software running on mass market (i.e. hundreds of millions of) commodity pieces of technology (PCs / laptops etc), each of which can have any combination of third party hardware AND any combination of poorly crafted software, written by any of the tens of thousands of software houses around the world.

      You're not even comparing chalk and cheese, it's more like shit and satsumas.

      7) Claiming it was better in your day, that they were real techies and today's techies are just can't-give-a-shit, complacent simpletons, lacking the smarts and ethical approach of your generation: "But these days? Navigating through crap, buggy, crash-prone bullshit has become business as usual. Because THAT'S HOW COMPUTERS ARE SUPPOSED TO WORK! Ask any manager. Or coder under 50. (Thankfully there are still a few real programmers out there in each generation.)" Not only is this complete BS, it's so frigging patronising and insulting. I'm one of those idiots under 50, and neither I, nor any other techie under 50 I know, resembles your lazily assembled straw man. I have written loads of software that lives depend on, critical stuff, so I understand why quality matters. Hey, some of it even ran on Windows! You really are one massive condescending a hole, so please just stop with the patronising BS, NO ONE thinks that, apart from you.

      BTW. I now mostly use Mac OS and Linux on desktop, but I have used Windows desktop for 30 years. I hate Windows now it has turned into an advertising/tracking/data-mining system and will not use it unless I am absolutely forced to. However, I get far more lock ups / panics on either Mac OS or Linux than I ever have on Windows. And if we're talking servers, Windows if properly managed, is these days absolutely rock solid.

      Someone as expert as yourself will of course know that Dave Cutler was the brains and driving force behind Windows NT. You'll also know that he was poached from DEC, where he led OS development on: RSX-11M, VAX/VMS, VAXELN and MICA. Did he suddenly become complacent when joining MS? Not from what I've read! But he was working on a product with vastly different FRs, used for vastly different purposes, aimed at a vastly different market. And toughest of all, he had to contend with supporting any of several quadrillion possible combinations of hardware and software.

      I'm no fan of Microsoft, but I'm a fan of the truth, and what you've spewed here is just rubbish, and lazy rubbish at that. Not only is it full of stuff you made up and pass off as fact, it shows a real disrespect towards others, and is thoroughly patronising. Thank God I don't have to work with you.

  3. DCdave

    As bad as having a monthly fix for security and other issues is...

    it's actually one of the better models out there, compared to the obfuscate and/or deny everything that many companies operate.

    1. Strahd Ivarius

      Re: As bad as having a monthly fix for security and other issues is...

      especially when you are aware that for the OS on servers, maintenance is usually done on a quarterly basis, otherwise the business that uses the application hosted on these servers is complaining too much:

      - it is the end of month period, don't touch anything!

      - it is the beginning of month period, don't touch anything!

      - it is the middle of month period, don't touch anything!

      - it is the weekend, we are running weekly tasks, don't touch anything!

      - and so ad infinitum

      I remember a case a few years ago at a bank where we had to update something on domain controllers.

      We were not allowed to update all the DC at the same time, and no more than 1 per month.

      So with 6 DC it took 6 months, and a critical business project that required the update ran late...

      (it was the same people that prevented the update from being done over the monthly maintenance weekend that complained that we made their project late, of course)

      1. Doctor Syntax

        Re: As bad as having a monthly fix for security and other issues is...

        - it is the year end, don't touch anything!

        The date is 29th of December, 1999...

        1. Anonymous Coward

          Re: As bad as having a monthly fix for security and other issues is...

          Oh yes, it's almost Y2K, don't touch anything..

          I had a colleague working at the BBC that specific night to keep things going; despite "us technical people" actually managing to hit a deadline, not all went as smoothly as hoped (which, too, was expected).

          1. Doctor Syntax

            Re: As bad as having a monthly fix for security and other issues is...

            In the situation I was remembering we'd had the accountants do all the UAT on the new hardware (old H/W wouldn't support the Y2Ked version) so the obvious time to switch over was when the office was shut down over the long break. So rather than go with the signed off, known Y2K compatible version, they insisted on running the first 2 months of 2000 with a known incompatible version. It didn't go entirely as badly as feared (thanks to the vendors going above and beyond by dialling in several times to fix database errors*) but it didn't go well.

            *Small S/W houses have a different attitude to customer service.

  4. Anonymous Coward

    Hardware, software it is all what will sell

    -who cares if it doesn't work? not anyone who matters.

    This has been computing since it became a business and that is where the problem come from.

    If you want computing to be trustworthy and reliable then remove the liars from control.

    You can make as many laws as you like, these will change nothing because the law is a lie too.

    I want the flying car and robot butler I was promised but they tell me "there isn't any money in it." and whilst money and businessmen get to choose then what we get is what makes them money.

    There used to be real optimism in this field but since the physicists moved out and the subject was dumbed down/optimised for maximum profit it has just been about money.

    It would be nice if the curtain was drawn back to reveal the flim flam men in control but that only happens in fiction. What is more likely is that business will continue by maintaining the status quo and anyone who attempts to change that will be branded a malcontent at the very least.

    They own you so do as you are told not what is right, money is the only thing that matters in this world, right?

    1. fg_swe

      Proper Regulation

      The question is, can there be useful regulation, which will make systems more secure?

      Innovation, efficiency, security must be balanced. It does not help to set up a soviet-style bureaucracy because of security issues.

      One idea would be that government mandates Payment-For-Exploits for all systems in wide use. For example, SAP would have to pay whitehat hackers for finding bugs in SAP/R3. Microsoft would have to pay for bugs found in Windows. Then the question arises, how large is the finance pool to be paid out to security researchers? Maybe 3% of sales revenue?

      Of course, companies must also be forced to make these systems available to qualified researchers. So IBM would have to make their mainframes available to skilled software engineers. Same with SAP/R3, Oracle ERP, Windows Server and so on. Inevitably, some sort of state bureaucracy must administer this. It must be staffed by skilled and motivated civil servants. Could NSA, BSI or CESG do this? Possibly, if we want to make the fox the master of the henhouse ;-)

      Widely used FOSS software would have a state-paid exploit payout pool for the same effect. So USG would cough up 30 million p.a. for Apache Exploit Research? How would Japan, SK, Britain, France contribute?

      Maybe the software tycoons have a constructive idea on the matter? (Seriously)

      1. JohnTill123

        Re: Proper Regulation

        For Microsoft, how about 103% of sales revenue instead of 3%? Let's make SURE the motivation is sufficient.

  5. Mike 137

    Driving change or more mood music?

    Yet again this problem has been publicly and officially aired, but effective solutions have so far not emerged. But as software now underpins almost all engineering disciplines, such change is becoming ever more essential. Currently, if the wheels fall off your car at high speed due to faulty bearings liability can clearly be assigned, but if the onboard software causes it to crash, assignment of liability is still ambiguous. On a less lethal scale, if a "cloud service" goes titsup and your business loses a huge contract as a result, all you are typically entitled to by contract is a small credit on your subscription. Then of course there's the "cyber risk", for which liability is effectively non-existent. As far back as 2016 a submission to the US Commission on Enhancing National Cybersecurity summarised the position and suggested possible solutions, but eight years on (a lifetime in IT) these, and many similar proposals, have apparently had little or no effect on official thinking. Let's hope that the message will now get transformed into concrete action that actually delivers improved standards -- that's long overdue.

    1. fg_swe

      Compare Other Regulation

      I.T. Systems are becoming more and more critical to the life and well-being of a nation. This will probably mean that some software projects will come under Government Scrutiny. For example, it will no longer be the sole authority of Microsoft to develop Windows and government security engineers will be part of the development organization. Same for Android, iOS, Oracle, SAP, Apache, Python and so on.

      In embedded systems (rail, aerospace, medical, automotive) this is already an (imperfect) reality. See V-Model, ISO26262, DO178, IEC 61508, DIN EN 50128, FDA Medical Safety Regulations.

      CESG already monitors Huawei source code, this model could be extended to other widely used software. Firefox, Linux Kernel, Apache, libc, gcc, iOS, MacOS, WNT, MS Office, libreoffice, ...

  6. fg_swe

    Great Systems Security

    + seL4 microkernel

    + CompCert proven correct compiler

    + Rust and other efficient memory safe languages

    + AppArmor, SELinux, LSM sandboxing

    + MIG-V CPU https://hensoldt-cyber.com/mig-v/

    + SPARK Ada

    + PC Lint, PolySpace static analysis

    + Wirth-developed Systems (Modula-2, Oberon): elegant, robust, KISS

  7. G.Y.

    An old idea https://www.schneier.com/blog/archives/2011/09/an_interesting.html looks good to me (I wish it were mine, but ....)

    (original text: https://queue.acm.org/detail.cfm?id=2030258 )

  8. Grogan

    Go ahead, you jumped-up pricks. Try to hold software devs responsible for security issues in software. You better learn to write your own software then, because you're not going to have any that doesn't cost tens of thousands of dollars to license because of the liability. It will ensure that only the likes of Microsoft and Oracle will have the resources to assume that risk.

    Fucking Americans... the reason nobody can ever have nice things.

  9. Medixstiff

    "And she suggested that the government hold companies liable for selling vulnerable products that criminals and nation states later exploit in cyberattacks."

    The biggest exploiters of this being the US themselves? I wonder how quickly she would be disappeared if she tried saying this to the faceless men at certain US government agencies?

    "Making software "secure-by-design," and thus putting the liability on the vendors to sell safe products out of the box instead of pushing that responsibility on to consumers and businesses, is a drumbeat that CISA has been pounding under Easterly's leadership."

    See my previous point, or how about when the same country wanted Apple et al. to build in back doors, but make it safe at the same time?

    What I will find interesting is when AI starts going through code and then starts using the same lines of code because they "just work" and are the most efficient ones to use, will someone sue about using their IP and if so, will someone grow a brain and put into law that AI generated essential code is exempt from copyright violations, so the world can move forward and away from previous coders' dodgy or lazy coding practices?

  10. Big_Boomer

    Nothing new!

    This is just business as usual. Cheap engineering/coding and use your customers as Beta Testers. Since having new product for the sales people to sell is the #1 priority and quality of the product is #99 (if you are lucky) then it is going to continue like that indefinitely. It's what you get with Accountants, Lawyers, and Sales people making up 99% of almost any company Board. Engineering and coding cost money and are a drain on company resources and are therefore to be ruthlessly cut and squeezed, all whilst paying exorbitant wages to the sales people who are the only ones who make the company money. Look, it's right there on their spreadsheets!! And when they can't get enough cheap engineers/coders boy do they howl about how unfair it is that they can't get their latest shiny-shiny to market. Nothing will ever change until there is a fundamental shift in the make-up and attitudes of boardrooms across the world, and the chances of that happening are zero point zero recurring. Greed is King!
