therning.org/ magnus

Almost three years ago Bruce Schneier posted a blog entry on Computer Security and Liability. Since then he has repeated his opinion several times; one of the more high-profile occasions was in front of the House of Lords. Some people agree, others disagree.

Until just a few days ago I disagreed with him on this particular issue. After the four learned hosts of LugRadio brought up the issue in episode 3 I had another think and I’ve now changed my opinion. I am now in favour of holding companies financially liable for damages resulting form security vulnerabilities in software products.

The software business is interesting because there’s a very obvious asymmetry in what is known about a product between the people who write and sell software and the people who use and buy software. Bruce Schneier has touched on that as well in his post on Security Lemons. Basically the buyer of software knows nothing of the ilities of what they are being sold, so there is very little to hang an informed decision on.

I think that introducing financial liability for software producers should take into consideration whether a buyer can make an informed decision before buying or not. This means that in cases where the buyer has full access to the sourceⁱ there will be no financial liability on the developer. It would be enough to offer all source code under an NDA to a buyer before the deal is finalised. Basically liability would be the price a software vendor has to pay to keep the buyer in the dark regarding how secure the product is.

1. Note that the source doesn’t have to be free as in having all four freedoms granted by e.g. the GPL.[back]

Dolio wrote an excellent comment on space leaks for the previous post. I’ve read posts on haskell-cafe before that mentions the concept but I’ve never bothered to ask. Thanks for clarifying the term!

Dolio’s comment made me think of something I heard during a lecture on OO at university, with the risk of paraphrasing slightly:

It helps a lot to know how a C compiler works while programming C.

In my mind this means that the language is “leaky” in a similar sense to how Joel’s law of leaky abstractions. I suppose a programming language is little more than an abstraction of the machine underneath or, in the case of most languages, of the compiler/interpreter of the language.

Now of course I’m left wondering if “leakiness” can be measured, can languages be ordered based on it? Maybe there are two dimensions to “leakiness”, how early you need knowledge of the layer below and how deep knowledge that knowledge has to be. My gut tells me you can’t program in C for very long without needing some compiler knowledge but I’m not sure just how deep that knowledge needs to be. My gut also tells me I can blissfully hack along in Haskell for quite a while before needing to know how things like laziness actually works, and again I don’t know if the knowledge needs to be deep or notⁱ.

Yes, I’ve been in a somewhat philosophical mood lately (some would say it’s a procrastinating mood ).

1. My problem is really that I feel I know a fair bit about how compilers and interpreters work for imperative languages like C, while I’m new to lazy functional languages like Haskell.[back]

After reading some posts in my haskell category of blogs I read I found myself wondering the following:

• Is cdsmith wondering what the difference is between “requirement phase” and the “implementation phase”?
• When Bryan talks about space leaks, what does he mean? Is the garbage collector in GHC broken?
• Antii-Juhani’s description of trampolines and the need for them is the best I’ve seen so far. When will we see the need go away?

How many emails have you received at work that contain the body:

Adding Bob to the discussion.

Well, if your place of work is anything like mine it happens regularly, and if you’re anything like me you cringe every time. All of a sudden I have to remember that any replies should be checked to make sure Bob receives them. Due to how email works adding Bob on one thread of the discussion doesn’t mean he’s automatically involved on all threads. Then Alice is added… then Ian… It’s obvious this doesn’t scale.

It highlights that email isn’t suited for this type of usage. It works fine for one-to-one communication, it also works fine in collaborative environments where a large portion of the involved are interested in the majority of the discussions (like mailing lists, with an archive). However, it doesn’t fit for ad-hoc communities, short-lived communities that form around one single discussion and then is dispersed. That is, email doesn’t work that well in enterprises.

So, what could a solution look like?

I suppose some light-weight mailing list server with archiving would do. The only caveat is that every email has to go through it, because every email is either a part of a discussion or a potential start of a new discussion. I guess that makes it a new kind of animal, some combination of mailing list server and MTA. Does such a beast exist already?

Another possible solution I see is an extended Google Mail for the enterprise. Think about it! Put all company email on a Google Mail box. They are already offering Googel Mail to companies, and if they are a little smart about it they don’t actually create individual copies of mails sent to several internal email addresses. (Something equivalent to a symlink would do.) Then just add a feature that takes a discussion and adds a user to it. That is, it takes every email in the discussion and adds the user as a recipient. From then on the added user sees the full discussion in their inbox and he/she would be included on every response from then on.

Warning! This is a bit of a rant. If you don’t like reading that sort of thing you should probably stop now.

This started the other day when I tried paying my first credit card bill. I ended up ringing LloydTSB’s phone bank just to sort it out. After being held by the hand through the whole ordeal I tried to point out to the lady that these steps were far from obvious and that they should do something about it. She responded with “it’s really quite easy once you know how to do it”. I pressed on and received a “one can always click around a bit and find out how to do it”. I wasn’t very impressed. I suggested that they ought to add a recipient automatically for settling credit card bills. The lady at LloydsTSB replied, with a very serious voice, “we can’t assume that our customers want to pay their credit card bills over the internet”. I responded, with slight disbelief in mine, “then they don’t have to click that particular link”. She didn’t seem to be convinced their customers possess enough intelligence for that though.

Of course I know it was futile trying to push through improvements by talking to what can’t be called much more than a helpdesk. However, I couldn’t let go of it so easily. I sent the following message through the internet banking system:

I just paid my first credit card bill. I decided to do it over the internet. Given the instructions on the back of the bill I thought it’d be easy, “select ‘Transfers & Payments’ and follow instructions on screen”.What I ACTUALLY had to do was:

1. Choose the account I wanted to pay the bill from.
2. Select ‘Transfers & Payments’.
3. Choose to add recipient.
4. Type in ‘lloydstsb’ and search for the company.
5. Go through a rather long list of companies and find the one that matched my credit card type and number.
6. Enter a reference, which in fact was my credit card number.
7. Go back to ‘Transfers & Payments’ fro the account I wanted to pay from.
8. For the rest I could follow instructions on screen.

Far from as easy as the instructions on the bill suggest. I actually gave up and rang PhoneBank for help.

Suggestions for making it easier:

• automatically add a recipient for the credit card, or
• add more complete instructions on the back of the credit card bill

I hoped that this route might actually lead me to someone with at least an iota of intelligence within the company. Earlier today they dashed my hopes by sending me this email:

Dear Mr Magnus

Thank you for your e-mail about paying a bill online.

I’m sorry to hear that you had difficulty setting up a payment on your account. I have listed below step by step instructions on how to set up and make payments to your credit card.

• Select the account you wish to pay the money from, this will be highlighted in blue,
• Select ‘Transfers and Payments’ from the options menu on the left hand side,
• Choose the option ‘Click here to add new recipient to your list’ located in the middle of the web page,
• Select ‘pay a bill’,
• In the ‘Find company’ field enter the card type that you hold, for example, if it was Lloyds TSB it would be ‘LTSB’ or ‘LLOYDS TSB’,
• Choose the relevant card from the list and you can check you have the correct one by matching the first six digits of the card number.
• Enter 16 digit reference number on the front of the credit card,
• Re-enter the number,
• Click ‘Add to my list’.

The payment arrangement should now be set up. To pay your credit card, click on the relevant option from the ‘Transfers and Payments’ screen.

The resulting rant lasted the better part of my lunch hour. It’s a good thing I have patient and understanding colleagues

Being somewhat involved in OpenSource and therefore used to constant improvements of “products” I find it very strange when I come across a commercial company that displays such a dis-interest in improving their customers’ experience. Doesn’t it make financial sense for a bank to improve their online banking system? Are they not interested in making their customers satisfied and make sure they stay? I mean it’s not like LloydsTSB is the only bank in England. I wouldn’t be too surprised if they all are equally bad at this sort of thing, but I refuse to give up. I intend to have relationships with companies, especially with companies that play an important role in my life, like banks. I believe in constant improvement, on all levels in life, and I’ll keep on bringing that into the relationships I have.

I heard somewhere that a hero sees the world, not as it is, but as it ought to be. If that’s true then I plan on being a hero for the rest of my life.

RyanAir’s planes now have advertisements on the outside of the over-head compartments further confirming my feeling that they’re a bus company.

I still mourn FlyMe’s demise!

$140+ Million

Yes, “dollar, one hundred and forty, plus, million”. Why do people think that it’s better to use symbols when it’s easier said in words?

During the trip to Sweden I’ve had a few thoughts I thought I’d “put out there”.

The Americans really ought to raise a statue honoring Hitler. Yes, I’m (almost) serious. I don’t think USA would be as strong as it is today if it weren’t for the brain drain from Europe to America that Hitler caused. I also can’t help thinking that it’s a shame they didn’t go to Canada instead…

Haskell is a great language, the only bad thing about it is it’s strength. Recently I came across some code using HXT. Haskell allows creation of something that can almost be called mini-languages due to it allowing the programmer to create new in-fix functions. This means that in many cases Haskell forces me to read documentation on a library/toolkit before being able to even guess at the meaning of some functions. I like it and get frustrated by it at the same time

Way back in the day many countries found it necessary to separate the church and the state. Maybe we’re ready to separate the “market” and the state now? I get something dreamy in my eyes when thinking of a future where politicians don’t govern based on their own, often short-term, financial gain.

Martin forgets one important thing, my being a computer professional doesn’t mean I can fix every computer in the world.

Everyone was talking about tricking an ATM into believing $20 bills were $5 bills. There’s even a clip from CNN on YouTube. But why isn’t anyone pointing out what a bad idea it is to make maintenance functionality fully available via the same UI that customers use?