While I understand the appeal of forcing people to Not Do Bad Stuff ™, there is really no way this legislation is going to be effective. At best, it’s going to be a pointless series of checklists that waste money, increase overhead for small companies, don’t actually improve security, and concern the legal team more than the software team. At worst, it’s going to be a series of checklists specifically crafted to do all of those things, with the intention of protecting large, entrenched companies who can afford a big legal CYA team from small competitors who can’t.
We know how to get pretty much perfect security. The problem is, the way we do it (fully formally verified everything) is orders of magnitude more expensive than writing normal code, which is why only a fraction of a percent of a percent of extant code is written this way. It would be impossibly expensive to have any computerized products if we actually required any true guarantee of security. So, instead, they’re going to half-ass (or very-small-fraction-ass) it and accomplish nothing worthwhile.
I really, really hate the current state of consumer crapware security, but the best thing for it is to bite the bullet and hold out for a few more years. Security is getting better and cheaper all the time, and customers are starting to catch on to how much these products suck. Over time, security will actually improve, a state of affairs that is far removed from anything this bill could actually hope to achieve.
Security isn’t actually all or nothing, and there is a whole spectrum between complete formal verification and loose cannon coding with no standards. Security is a game of probability, and each additional measure helps to decrease the odds that your system will be breached.
Similarly, it seems premature to have decided what this measure will or will not do, given that it’s only just been introduced and hasn’t gone through the committee vetting process yet. Give it some time, and evaluate it when it’s out of committee and up for a floor vote. If you feel strongly about it, lobby your representative to vote in a way consistent with your interests.
Writing the code in Ada with checks on, with a microkernel or slim OpenBSD with no dumb remote options, isn’t orders of magnitude more expensive. It costs anywhere from no more to a little more than what’s common in most case studies. Even Altran/Praxis doing Z specs and SPARK Ada for systems claims a 50% premium is common.
So, safish OS, safe language, and no unnecessary backdoors = prevents most of current problems. Also, thanks to niche demanding quality, there’s also plenty of tools for doing this cost-effectively.
Well, I’m looking forward to OpenBSD 6.1 with the first rpi support. I’ve been brushing up on how to write secure services following the OpenBSD examples with privsep and pledge, while also using memory-safe languages which at the very least add bounds checking, like Myrddin.
I am hoping one day I can deliver some high quality connected products; it is something I care about quite a lot.
The free market means a race to the bottom in price, so corners are cut. The first corners producers can cut are invisible or at least behind-the-scenes ones such as security. If everyone were Mr Robot, security would be number one in all products, not price, smaller bezel, brushed aluminium, more megapixels, plays minecraft/angry birds/flappy bird and all sorts of other avian-related entertainment that definitely isn’t looking at my contacts and photos, has facebook so that I can essentially provide companies with a non-stop feed of my life and what diseases I think I might have and upload drunken pics of me doing gang signs and duck face (that isn’t going to come back and bite me at my next job interview).
Government regulation is required because consumers just aren’t Mr Robot and they just never will be.
Another case of government forcing you to pay them to protect you from yourself