Category: Conferences

Liability for bugs is part of the solution

Recently, Howard Schmidt suggested that coders be held personally liable for damage caused by bugs in code they write. The boldness of this suggestion is exceeded only by its foolhardiness, but its motivation touches an important truth — a lot of code stinks, and people are damaged by it.

The reason good programs (which means those with fewer bugs) do not drive poor programs from the market lies in the information asymmetry characterizing the software market. As discussed by Ross Anderson [PDF], the market for software is a “market for lemons”: sellers know more about the quality of their product than do buyers, leading buyers to assume the worst, lest they (in their optimism) be taken to the cleaners. Higher-quality products are thus driven from the market, leaving a market of lemons.

Solutions to this suboptimality include the use of guarantees — presumably, a car dealer willing to warranty a vehicle for many months has reason to believe it is not a lemon, and evaluation schemes: an automaker who can point to a “5-star rating” by an independent evaluator presumably can command a higher price.

Legal liability is also an appropriate remedy in that the possibility of getting hammered by a jury provides an incentive to be truthful about product quality, but my point is that it is only part of the mix.

In the case of software, guarantees are rare but not unheard of, and some evaluation schemes wind up being captured by vendors.

Independent researchers who identify SW vulnerabilities also act as evaluators of a sort — if, that is, all SW is subject to the same amount of scrutiny. It isn’t, of course, which is why rigorous research into methods of predicting software quality is critical. Andy Ozment is doing good stuff [PDF] on this.

Hopefully, continuing research and greater data availability will allow us to have a more compact and tractable for non-geeks version of this (from instead of a shrink-wrap license:

Software Facts

Name                          InvadingAlienOS
Version                       1996.7.04
Expected number of users      15

Modules                       5 483
Modules from libraries        4 102

                                        % Vulnerability
Cross Site Scripting          22        65%
  Reflected                   12        55%
  Stored                      10        55%
SQL Injection                 2         10%
Buffer overflow               5         95%

Total Security Mechanisms     284       100%
  Authentication              15        5%
  Access control              3         1%
  Input validation            230       81%
  Encryption                  3         1%
    AES 256 bits, Triple DES

Report security flaws to: ciwnmcyi@mothership.milkyway

Total Code                    3.1415×10^9 function points   100%
  C                           1.1×10^9 function points      35%
  Ratfor                      2.0415×10^9 function points   65%

Test Material                 2.718×10^6 bytes              100%
  Data                        2.69×10^6 bytes               99%
  Executables                 27.18×10^3 bytes              1%

Documentation                 12 058 pages                  100%
  Tutorial                    3 971 pages                   33%
  Reference                   6 233 pages                   52%
  Design & Specification      1 854 pages                   15%

Sun Java 1.5 runtime, Sun J2EE 1.2.2,
Jakarta log4j 1.5, Jakarta Commons 2.1,
Jakarta Struts 2.0, Harold XOM 1.1rc4, Hunter JDOMv1

Compiled with gcc (GCC) 3.3.1

Stripped of all symbols and relocation information.

When vendors know we know what they know, they won’t act so much like used car salesmen, particularly if it’d get them hauled into court.

Edited at 2342 CST 10/20/2005 to add author ID at top, and missing paragraph tag

Blue Hat Report

The other thing I did at Microsoft last week was participate in Blue Hat. Microsoft invites a selection of interesting researchers to come to Redmond and present a talk to a variety of people within the company. Blue Hat is organized by Kymberlee Price, who works with Andrew Cushman, and they did a great job as hosts.

Thursday was the executive sessions: speakers gave truncated versions of their talks, once in the morning and once in the afternoon. There was a very senior group of folks in the room, up to people like Jim Allchin, Brian Valentine, and a lot of other names that I recognized but don’t remember.

Andrew Cushman did a great job of framing the talks, explaining why they were selected, and the reasons that they were important. The audience was engaged, and a couple of times, people turned and asked “Why do we do that?” of the person responsible for a feature that was being (ahem) presented in a new light.

The speakers, myself, and Dan Kaminsky got to have a lunch session with Jim Allchin, and a few other Microsoft folks. Jim talked about new features in upcoming products, and got our thoughts on how Microsoft is doing, and how they could do better.

There’s lots more after the break.


Small Travel Annoyances

I’ve slept in three different hotels in the last ten days or so, and noticed a number of things that (seemingly) could be done a lot better.


  • The first is voice mail spam. I get no warm fuzzy from picking up a pre-recorded voice mail welcoming me to the hotel. But I do get to waste my time listening to it, and figuring out how to delete it to make the god-damned blinking red light go away. I’d have simply unplugged the phone, but the Hilton phone was attached to the wall. So, no value, intrusive, and annoying. (Also wasted my time at the Sheraton.)
  • Exercise rooms which have card-access control, no attendant, and restricted hours. If I get back to the hotel at 1 AM and want to burn off dinner, I don’t need an attendant to use an exercise bike or a stairmaster. I’m a bit more sympathetic to locking me out of weight rooms or pools.
  • More obviously valuable is Hilton’s nifty new clock. It has a bright, readable display, radio(?) pre-sets that have useful labels: news, rock, jazz, classical and “MP3/line-in.” It has the words “alarm off” on the display in big letters. It has clear instructions, on the front, for setting the alarm. There’s clearly a lot of thought that went into it. So why is it in a list of travel annoyances?

    The panel is black data on an orange background. I’d guess that 80% or more of the screen was glowing. Which means, even at its dimmest, it was too bright. I threw a pillow over it, and used the alarm on my cell phone.

    (There’s an analog here to Tufte’s data ink principle, and that is to minimize the number of pixels which glow. I want my room to be pitch-black until I want to be awake.)

  • Hotels which hand out your room number when you’re booking a taxi. The Fairfield Marriott I was in did this, and said it was to ensure the right person got the right taxi. But they also gave your name. So what gives? Many women travelers are very sensitive to the privacy and personal security risk of having their room number given out, especially when it’s broadcast over a radio.
  • Finally, none of my hotels had Comedy Central on the TV. I mean, come on, is it that much more? Make it a pay option, and give me the Simpsons and Jon Stewart.

Codecon 2006 Call For Papers

February 10-12, 2006 San Francisco CA, USA

Codecon is the premier showcase of cutting-edge software development. It is an excellent opportunity for programmers to demonstrate their work and keep abreast of what’s going on in their community.

All presentations must include working demonstrations, ideally accompanied by source code. Presentations must be done by one of the active developers of the code in question. We emphasize that demonstrations be of *working*

We hereby solicit papers and demonstrations. Papers and proposals due: December 15, 2005; authors notified: January 1, 2006.

Today, I Publicly Praised Microsoft

On the “Meet the Bloggers” panel at the Detroit IT Security Summit, I publicly heaped praise on Microsoft for their investment in security, the results of which include some really cool tools in Visual Studio 2005.

Also on the panel, Ed Vielmetti brought up a really good point that I hadn’t heard recently, that of FAA after-incident reports, and how they contrast to the head-in-the-sand approach the computer industry takes. I think such after-incident reports are needed to help temper any liability system that might get built.

Shmoocon 2006

Today is the last day to get the stunningly low $75 rate for Shmoocon in Washington DC Jan 13-15, 2006. Remember to bow to Bruce’s firewall (largish video download).

I understand this year’s con will culminate in a deathmatch between a new, armed Shmoo robot and the speaker who gets the worst ratings. The speaker will get a wireless keyboard, a user-level shell, and a copy of the machine-code manual for the droid’s weapons subsystem.

(Thanks to Richard Bejtlich for the reminder.)

"Protecting Society By Protecting Information"

Today, I’m at the National Institute of Justice’s National Conference on Science, Technology, and the Law, and am participating in a panel on “Balancing Information Sharing and Privacy.” I’ll present “Protecting Society By Protecting Information: Reducing Crime by Better Information Sharing” (or get the PowerPoint slides. I don’t know why PowerPoint makes all the speaker notes that ugly orange.)

How to structure a privacy message so that the audience doesn’t reject it out of hand (even if the cypherpunks look at me funny) is one of the things that I learned from working with Austin at Zero-Knowledge. (See next post.)

Balancing Information Sharing and Privacy Concerns


I’ll be at the National Conference on Science, Technology and the Law, A National Institute of Justice Conference sponsored by the National Clearinghouse for Science, Technology, and the Law, September 12-14, 2005, St. Petersburg, Florida. I’m on a panel with a great group of folks on “Balancing Information Sharing and Privacy Concerns.” We haven’t put up a panel description, but the conference is focused around:

Given the explosion of scientific evidence litigation coupled with the “CSI Effect,” scientists, law enforcement, laboratory personnel, judges and lawyers are overwhelmed by the amount of information required to educate them to meet these legal challenges. Recent studies have also demonstrated a need for more scientific information and education for jurists and attorneys.

I really enjoy going to conferences which are outside my specialties, and the opportunity to learn that this presents, so I’m looking forward to the whole conference.