l4-hurd

Re: Let's do some coding :-)


From: Jonathan S. Shapiro
Subject: Re: Let's do some coding :-)
Date: Wed, 26 Oct 2005 18:17:21 -0400

All: I am responding only to a valid discussion topic here, not to the
general Troll that contained it.

On Wed, 2005-10-26 at 22:47 +0200, Alfred M. Szmidt wrote:
> ,----
> | Emperor Alfred says: well, it's okay to be naked in public. Just
> | ignore it.
> | 
> | Hey, if you are an exhibitionist, go for it. Just don't connect to
> | the public network, because when you do you create pain for everyone
> | else in the world. Freedom comes with responsibility.
> `----

The quoted statement above was a response to Alfred's suggestion that it
is okay at some point to simply ignore known architectural security
issues and get on with shipping a system. I hope that Alfred was simply
repeating a widely held view. I do not know if he actually believes this
view himself.

The following is my *personal opinion* on the view that he repeated. It
is a very strong opinion, and reasonable people might disagree with my
view.

In my opinion, ignoring known architectural security flaws in this way
is NOT okay. In fact, I believe that this view is profoundly unethical,
and that software architects should be held legally liable for damages
when they adopt this view, and in certain cases that they should be
imprisoned if they act on it.

When an end user puts a known-insecure system on the net, they might as
well put up a sign that says "please come use my machine to hack the
next guy". This is bad, but the end user often doesn't know about the
problem and doesn't have the expertise to fix it. The end user is
responsible, but because (a) they do not understand the consequences and
(b) there is no practical alternative, it is difficult to blame them or
hold them practically accountable.

When a system architect says: "let us just ignore some of the
architectural security vulnerabilities and get on with it", this has
implications. One of the implications is that a very large number of
machines will be installed that will provide flexible platforms for
attackers to use.

In contrast to the end user, the system architect is *very*
knowledgeable about the consequences of this behavior, and *is* in a
position to fix it. If they make this decision knowingly and
intentionally, they have made an *active* decision to create and support
a threat to the world at large. At best, this is socially irresponsible
behavior. I believe that software architects should be held to
reasonable and professional standards of diligence, and that they should
be legally liable if they fail to act according to these standards.

This does not mean that software must be perfect. First, we don't know
how to achieve this, and second, problems must be prioritized because we
have finite resources to solve them. Also, we cannot hold people liable
for shipping crap until it is concretely demonstrated that something
better is possible. But *after* we demonstrate that, we should not
continue to tolerate the shipping of crap -- this is how we should
determine what the standards of diligence should be.

The specific part of the "just ignore them and ship it" suggestion that
makes me absolutely furious is the implication that software designers
should have no responsibility for negligence. When this type of decision
is made in the context of life-critical systems, it goes beyond
negligence and may become a contribution to death.

I do not know if Alfred holds this view or not. I hope that he does not,
and my anger on this subject is not directed at him. It is directed at
people who knowingly choose this irresponsible path, and in doing so,
become collaborators in committing very real harm to a vast multitude of
people.

My hope for the Hurd is that it will significantly raise the
expectations and demands of users concerning what is a minimally
acceptable standard of excellence. If you will pardon a funny way to say
it: Hurd needs to set a new standard for crap. (Just do not quote me out
of context on that). And yes, I actually believe that it is possible for
Hurd to do this.


shap
