Poorly written software is at the root of all of our securityproblems

[Robert Myers]

You can find the claim in the subject line as the top-rated risk at

http://www.csl.sri.com/users/neumann/insiderisks08.html#220

I found that link from the useful (moderated) newsgroup comp.risks.

I found my way to that newsgroup at the suggestion of a former
government official who probably got tired of my repeated comments
about US incompetence and laziness with regard to information
security.

How important you think the integrity of the Internet (and the
financial system) should be may be culturally-dependent.

If you live in the gunslinger mentality of so much of the former
Warsaw pact, the solution to any security problem might well be
another round of vodka shots.

Russia, for example, is ranked 117 on the world corruption audit

http://www.worldaudit.org/corruption.htm

The country I have repeatedly slighted by implication is well up the
list, not so very far below, say, Costa Rica.

The United States has nothing to brag about in that department, as it
is almost at the end of the list of First World countries, just two
slots below the UK.

In any case, software integrity is a *very* big problem. If you are
trying to argue otherwise, my guess is that you don't think integrity
is all that important.

Robert.

 

[Robert Redelmeier]

You can find the claim in the subject line as the top-rated risk at
http://www.csl.sri.com/users/neumann/insiderisks08.html#220
I found that link from the useful (moderated) newsgroup comp.risks.

Are you having us on? Have a look at the context: the author (a Homeland
Security civil servant) is arguing for National Security Research and says:


While progress in any of the areas identified in previous
reports noted above would be valuable, I believe the `top ten'
list consists of the following (with short rationale included):

1.Software Assurance - poorly written software is at the root
of all of our security problems

2.Metrics - we can't measure our systems, thus we cannot manage them

3.Usable Security - information security technologies have not
been deployed because they are not easily usable

4.Identity Management - the ability to know who you're
communicating with will help eliminate many of today'
online problems, including attribution

5.Malware - today's problems continue because of a lack of
dealing with malicious software and its perpetrators

6.Insider Threat - one of the biggest threats to all sectors
that has not been adequately addressed

7.Hardware Security - today's computing systems can be improved
with new thinking about the next generation of hardware
built from the start with security in mind

8.Data Provenance - data has the most value, yet we have no
mechanisms to know what has happened to data from its inception

9.Trustworthy Systems - current systems are unable to provide
assurances of correct operation to include resiliency

10.Cyber Economics - we do not understand the economics behind
cybersecurity for either the good guy or the bad guy.


The claim you quote with such authority is nothing but an off-hand
comment -- perhaps true, perhaps not, but definitely not supported.
And not worth quoting outside a Leno-esque setting.

If you live in the gunslinger mentality of so much of the former
Warsaw pact, the solution to any security problem might well be
another round of vodka shots.

Oh dear. How do you know? Have you been there? There are huge
differences between the countries there were coerced into that
organization. Or do you claim Estonia is the same as Croatia?

As for the gunslinger mentality, it build much of the United States
from which you derive great benefit whether you like it or not.

And even if vodka were sometimes, someplace a solution, does not mean
that is it always and everywhere the solution. Statistics cannot be
applied backwards. Statistics are descriptive, not prescriptive.

Russia, for example, is ranked 117 on the world corruption audit
http://www.worldaudit.org/corruption.htm

So what? However well-intentioned, these sorts of things are flawed:
1) It is difficult to measure relevant factors
2) The weighting of these measurements reflects only one set of values
3) The ordinal presentation hides the sizes of differences

You are also missing a link -- even if corrupt, why does that make
the software poorly written? Why do you believe corruption is
greater than imcompetence? "Never attribute to malice that which
can reasonbly be explained by simple incompetence" [Napoleon]

In any case, software integrity is a *very* big problem.
If you are trying to argue otherwise, my guess is that you
don't think integrity is all that important.

It may well be a big problem. Unfortunately, your case is full
of holes. With friends like you, security does not need enemies.


-- Robert R

 

[Robert Myers]

Are you having us on?  Have a look at the context:  the author (a Homeland
Security civil servant) is arguing for National Security Research and says:

   While progress in any of the areas identified in previous
   reports noted above would be valuable, I believe the `top ten'
   list consists of the following (with short rationale included):

   1.Software Assurance - poorly written software is at the root
       of all of our security problems

The claim you quote with such authority is nothing but an off-hand
comment -- perhaps true, perhaps not, but definitely not supported.
And not worth quoting outside a Leno-esque setting.

The purpose of my post was to point others toward more reliable
sources of information than wild claims by people who like things just
the way they are, not to offer authoritative assessments. Whatever
you may think of my opinion about software, it is an opinion that is
widely-shared.

Oh dear.  How do you know?  Have you been there?  There are huge
differences between the countries there were coerced into that
organization.  Or do you claim Estonia is the same as Croatia?

It is a widely-recognized reality that some of the most clever
programming, and also some of the most malicious, is coming from the
former Warsaw pact.

Russia, for example, is ranked 117 on the world corruption audit
http://www.worldaudit.org/corruption.htm

So what?  However well-intentioned, these sorts of things are flawed:
1)  It is difficult to measure relevant factors
2)  The weighting of these measurements reflects only one set of values
3)  The ordinal presentation hides the sizes of differences

You are also missing a link -- even if corrupt, why does that make
the software poorly written?  Why do you believe corruption is
greater than imcompetence?  "Never attribute to malice that which
can reasonbly be explained by simple incompetence" [Napoleon]

If you are in a culture where high-risk behavior is the norm, you will
have a different conception of what is reasonable behavior. Sebastian
has already informed us that it is not worth his while to be careful
and presented a rationale for his calculated carelessness. I can't
imagine any of my correspondents from Scandinavia talking in a similar
fashion. Even a Wall Street jockey would not be likely to be so
incautious. In the litigation-happy US, such off-hand commends could
backfire in a serious way.

It may well be a big problem.  Unfortunately, your case is full
of holes.  With friends like you, security does not need enemies.

It comes as little surprise that you have a low opinion of me and want
to make that known. I can't imagine that anyone else who follows
these forums would be more surprised than I am.

Robert.

 

[Robert Myers]

 > [Robert Myers written nonsense snipped]

Yet another off-topic post by RM (off-topic on both groups he crossposted).
Yet, He just wrote, he will not continue the discussion, yet he
continues it. How predictable...

Then the post is filled with rambling about buch of unrelated things,
peppered with some poor attempts at ad hominem, all intermixed with
demonstration with very poor understanding of the matter he tries to
discuss. Whether he tries to discuss realities of former Warsaw Pact
countries, software security, software integrity, risk estimation, his
jedgement shows similar level of cluelessness.

(Besides, sorry Mr. Myers, i'm not Russian, so wrong shot, troll)

First of all, cowboy, you decided to resurrect this topic in a
completely unrelated thread about Intel's compiler. So long as the
discussion began in these groups, that's where the discussion should
end.

Secondly, it is clear from the logic of my post that I did not believe
you to be Russian, only from a former Warsaw Pact country whose
position on the corruption list I located a bit below Costa Rica
(which I am sure must produce *some* of its foreign exchange through
legal means with unlaundered cash).

Thirdly, I care no more what you think of me than what Prof.
Redelmeier thinks of me. The fact that many misuse statistics and
draw false conclusions from them the way you do is no defense for
you. You don't understand what you are doing and you defend it by
heaping up misinformation and abuse.

Fourthly, the proper manner of formal address is Dr. Myers.

Robert.

 

[Robert Redelmeier]

Fourthly, the proper manner of formal address is Dr. Myers.

Touchy, touchy. I'm presuming PhD 'cuz MDs have little knowledge
of fluid dynamics. Although there are some interesting problems
around shear minimization for heart valves and arterial grafts.

-- Robert R

 

[Bill Davidsen]

[Robert Myers written nonsense snipped]

Yet another off-topic post by RM (off-topic on both groups he crossposted).
Yet, He just wrote, he will not continue the discussion, yet he
continues it. How predictable...

Then the post is filled with rambling about buch of unrelated things,
peppered with some poor attempts at ad hominem, all intermixed with
demonstration with very poor understanding of the matter he tries to
discuss. Whether he tries to discuss realities of former Warsaw Pact
countries, software security, software integrity, risk estimation, his
jedgement shows similar level of cluelessness.

(Besides, sorry Mr. Myers, i'm not Russian, so wrong shot, troll)

First of all, cowboy, you decided to resurrect this topic in a
completely unrelated thread about Intel's compiler. So long as the
discussion began in these groups, that's where the discussion should
end.

Actually, this is far enough off any relation to Intel that moving the
discussion with a "Followups-To" somewhere else would be appropriate. Don't take
that as an endorsement of (or disagreement with) Mr Kaliszewski's other points,
but on the suggestion that this is no longer relevant to Intel, I believe he is
right.

 

[Robert Myers]

Touchy, touchy.  I'm presuming PhD 'cuz MDs have little knowledge
of fluid dynamics.  Although there are some interesting problems
around shear minimization for heart valves and arterial grafts.

Formal address where informal address is commonly used is hostile.
That being the case, I'm going to insist on the socially-correct
honorific.

Had you been paying attention, you'd know a lot about my educational
background.

Robert.