Security experts debate if markets or legal liability will ensure secure software

Seems extreme to me. We all know that is someone wants to hack you one way or another they will. Rather than focusing on the software vendor why not pursue the criminal that causes the problem? Probably because the obvious solution doesn't allow anyone to profit.

And where would the liability end? Ultimately everyone would complain that the OS vendor made a buggy OS and the third party developer is not responsible because Microsoft (or whoever) didn't make a better OS, leaving holes that nobody else can patch. It would become a never ending blame game. It wouldn't be long before everyone would be required by law to have antivirus, kind of like insurance is required to drive now. Then AV would cost $500 per year. There is no end to the corruption this would cause.

 

Liability is an after-the-fact measure and in many cases it's cheaper to push out a product quickly and pay the penalty than to spend more time developing a secure product.

That's not great protection.

 

Also true.

 

Let's not always blame the consumers. I'm sure "consumers" didn't ask for an App Store in Chrome or uTorrent, a torrent client in Opera, etc.

 

lol I've seen people ask for torrent clients in Chrome. Users usually have no idea what they want.

 

This is very true. If they knew what they wanted there would be no "Consumer desire for unnecessary features". If consumers desired the features they would be necessary. I thought that opening line was a little strange when I read it. They are biasing the article from the beginning.

 

I want a built-in ad/tracking blocking system in Chromium. Is it too much to ask? Is it?!

 

That ^^^

Plus it's really hard to build secure software. It touches every single point in the process, from architecture to writing to compiling to testing to rewriting. It's a huge expense to fix insecure code after the fact, and it's a huge expense to train programmers to write secure code in the first place.

 

I wonder if it really is so difficult to build secure software. I think a lot of programmers just don't like to build secure software.

If they actually cared they'd either come up with a secure architecture (Chrome/ IE) or a secure language (Firefox Rust) - the main reason programming languages like Ada aren't used is because they're a bit more annoying to use. Why are they more annoying? Because they actually make you write secure code.

 

It is difficult to build secure software, especially when the complexity of the project increases too much. I'm not sure that it's OK to use generic affirmations about programmers

The reasons for choosing a specific architecture aren't always up to the programmer, and a secure language is not always the right choice for a project (i.e. a real time signal processing application).

 

Well... it's not really supposed to be easy, is it? lol

True to an extent. Using Ada again as an example due to C/C++'s popularity Ada did not evolve as they did and is only really as capable in the 2012 revision.

But if I were going to slap on a chunk of attack surface and claim it made someone secure I'd do my best to keep it secure.

 

The details of writing software are above my head. But this is a fairly recent guide describing safer code writing

http://www.darkreading.com/database...s-best-practices-for-writing-secure-code.html

I think one of the problems is that writing code requires security in every level of development. It's not just the guys sitting in cubicles typing scripts to fulfill an assignment. The non-technical management that decides the assignments & timelines for rolling out new software have to be convinced that it should be slowed down or include security measures in each step.

 

Right - the largest tradeoff when choosing to write secure code is time/ money. SafeCode focuses more on architecture, which is also nice.

 

On the original subject:
Security experts debate if markets or legal liability will ensure secure software
Neither are capable or qualified to try. The market is about profit and income. Security is secondary, hence the contuining dominance of AVs and detection based solutions. Any security app or OS that could defend against future and unknown threats wouldn't need continous updating and wouldn't be dependent on the vendor for constant support. That kills their future income. They have no incentive to release such a solution.

The legal system is so far behind the reality of the internet to the point that they aren't qualified to try to regulate any of it. Most of the time, they can't tell if illegal content like child porn was downloaded by the user or stored there by a trojan. They're no different than the market. It's all about the money with them as well.

The statement about consumers desire for features missed the mark, but not by that much. It's not features they want. They want a PC that lets them do as they please, install anything they please, go where they please, etc, with no consequenses for their actions. Not possible.

Introducing liability into computing can only lead to one thing, PCs that the user no longer controls.

 

I agree to a certain extent. Greed is probably a factor. I think another reason the legal system is so far behind reality and consumers don't demand security is because security is so technical. Law makers are experts at law, not security. And consumers just want to, say, photoshop the family photos. They're too busy & uninterested to know much more. I don't think the average Joe wants to eschew the consequenses, I think he's just ignorant of them. People want applications that do what they want without needing any technical expertise to use them safely. Law makers want to control technologies that they don't understand. That's not possible but you have to be technically saavy to recognise that.

So it is ignorance of security by the masses, not really willful disregard for it. [cue the motivational music] Maybe the next generation will have a better collective understanding of technology- it's hard to graduate from high school these days without having been exposed to computers. My daughter was surfing the net before she learned to read. Having it be part of your life like that has to lead to better understanding.

 

In spite of statements to the contrary, the legal system is not interested in helping the common persons security or privacy. This is a surveillance society. Anything that protects the user from such snooping interferes with that surveillance. You don't have to look any further than recent laws and court decisions regarding intellectual property and piracy claims for the proof. Lawmakers either don't understand or care about the consequences of the bills they pass but it hasn't slowed them down. Privacy, like laws and justice are nothing more than purchased commodities for those with the money to afford them.

As for the next generation, I don't see any improved understanding or greater concern from them as a whole. Having something be a part of your life from early youth doesn't equate to a better understanding of it. IMO, it leads to taking it for granted. I don't see any natural scepticism (or whatever you might call it that would tell them that something is wrong or a scam) from them. AFAICT, the opposite is true. Example:
A couple days ago on a multiplayer game I enjoy, I guy a regularly team up with was complaining that someone hacked his game account. As much as I could with the insane chat filter they have, I tried to get details from him. In the end, I found that he'd given the other guy the password. The guy said he had access to the better weapons and would put some in his account. That same password also gave him access to the payment areas, and possibly his parents credit card info. This kind of stupidity seems to run rampant in that game. I doubt that it's much different in others. What kind of market or liability laws can possibly help against this kind of stupidity?

Back on the liability issue, if this ever becomes reality, it can only lead to one thing, PCs and internet devices we don't control, running apps we don't want. It leads to approved software and operating systems, losing the ability to run apps that aren't approved, and a complete loss of privacy and control over the data on those systems. I'll disconnect from the web before I use such a system.