Software Maker Liability Is Elusive Target of Biden Cyber Plan
Source: Bloomberg Law
President Joe Biden's push to put software vendors on the hook for cyberattacks is a significant strategy shift for an industry that has largely escaped legal liability after high-profile hacks. Data breach victims typically focus lawsuits against the primary party responsible for their personal information, and most cybersecurity software vendors are able to minimize any liability through contractual clauses, attorneys say.
Biden, in a new national cybersecurity strategy issued Thursday, proposed federal legislation that would limit contract protections and raise security standards for vendors operating in high-risk areas like critical infrastructure.
The White House didn't propose any specific provisions for a bill. A divided Congress is unlikely to send a measure to his desk any time soon that would empower lawsuits against software companies. For now, those companies will still be able to employ a variety of tools to fend off such litigation.
Still, the strategy is a fresh look at who should be held most responsible for cyber incidents, said David Straite, a partner practicing in privacy and cybersecurity for DiCello Levitt LLC. "We can no longer say that it's even possible for small actors, small banks, or small businesses and those sized companies to be able to protect your data. They're going to use software and other devices," Straite said.
Read more: https://news.bloomberglaw.com/tech-and-telecom-law/software-maker-liability-is-elusive-target-of-biden-cyber-plan
Copy of the Cybersecurity plan is here (PDF) - https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf
FACT SHEET - https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/02/fact-sheet-biden-harris-administration-announces-national-cybersecurity-strategy/
pimpbot (1,185 posts)
It will be hard to codify what exactly would make the software company liable.
The most obvious scenario is a flaw in the code which lets an attacker in. But what if the flaw is actually in an open source library that the software uses? Who is liable in that case? What if the software company releases a patch but the end user doesn't update?
Then we look at configuration. There are tons of configuration options for a typical enterprise software application. Companies will usually release a reference or recommended configuration, which end users will customize to fit their environment. What if someone configures the software in a way the developer never intended?
Will software makers start requiring expensive service contracts to ensure their product is deployed and configured in an approved way?
I commend the administration for releasing this guidance. But I also realize anything that makes it through Congress and their lobbyists will probably have little to no teeth.
BumRushDaShow (172,750 posts)
and what might be more critical is the "finished product" and it is up to whoever distributes that "finished product" to ensure the pieces of it are secure (whether it is GNU or BSD or some commercial or otherwise proprietary code or whatever).
What was interesting from the framework document was this (pg. 26 of the PDF) -
When catastrophic incidents occur, it is a government responsibility to stabilize the economy and provide certainty in uncertain times. In the event of a catastrophic cyber incident, the Federal Government could be called upon to stabilize the economy and aid recovery. Structuring that response before a catastrophic event occurs, rather than rushing to develop an aid package after the fact, could provide certainty to markets and make the nation more resilient. The Administration will assess the need for and possible structures of a Federal insurance response to catastrophic cyber events that would support the existing cyber insurance market. In developing this assessment, the Administration will seek input from, and consult with, Congress, state regulators, and industry stakeholders.
The above sounds like creation of a pool of funds that companies can contribute to that can be used to mitigate financial impacts of malicious attacks against their software, forestalling some of the need to keep taking huge hits to their bottom lines after civil actions.
It's an interesting idea and would probably take time to hash out but even brainstorming use of it might be worthwhile.
pimpbot (1,185 posts)
Yea I saw that! Very interesting and sounds like a good idea. Companies have insurance for their brick and mortar infrastructure so why not their digital?
There was a recent article about USPS employees getting hacked because they visited a phishing site instead of the real site. USPS claimed they could go after google because the phishing site appeared in a search for the name of the site. Are search engines going to be liable for malicious users that game their algorithms? At what point are the end users expected to know what they are doing?
https://federalnewsnetwork.com/pay/2023/01/usps-hardens-online-security-after-fraudsters-steal-employees-paychecks/
I guess a similar "old school" scenario would be scammers that call up people pretending to be a legit operation and getting the person to send money.
BumRushDaShow (172,750 posts)
is by using the so-called "social engineering" tactics - through use of scam/bogus emails that spoof being from legit sites and manage to get PII and/or passwords to systems.
I know companies like Comcast have been able to embed their red "Xf" (Xfinity) logo into the subject lines of their mail correspondence which distinctly differentiates their legit correspondence from scammers using a spoofed Xfinity address. If more corporate tech and even financial companies (due to the increasing proliferation of online payments of bills like credit cards) could try similar when corresponding with their subscribers, then it would help reduce some of the scam crap.
usonian (26,830 posts)
OpenBSD is one of the few works that is well crafted. The rest is a fright. Not a matter of "if" but "when" it's hacked.
Insurance is not a great substitute for good design and construction. It's hard enough to get standards for building, electricity and others (Look at what happened in Turkey) but it's often substituted.
At much greater expense than doing things right in the first place. People (or software managers) demand features faster than they can be securely implemented.
And, of course, a major vector of hacks is social engineering. People just trust things and people they should not trust. How you gonna educate them all?
Weakest link ruins your operation.
BumRushDaShow (172,750 posts)
usonian (26,830 posts)
Best of all:

Last Knoppix (Debian) image I downloaded had no systemd.
It's not that I am an old-timer resistant to this new-fangled stuff (OK, I am) but it's anti-Unix philosophy by being "all things in one gigantic ball of yarn".
BumRushDaShow (172,750 posts)
or off microSDs or USB sticks or even floppies.
I am running Raspbian (now being dubbed "Raspberry Pi OS" ) on a Raspberry Pi4 (kit that I assembled) to run a program that displays weather data from my weather station captured from a little sniffer device.
Back when I was running SETI, NetBSD had a SETI CLI client on it that contributed WUs for my team. Did similar with an old SPARCstation running Red Hat 5.0.
usonian (26,830 posts)
I haven't run any *nix in ages. Knoppix and SystemRescueCD come to mind.
Will do so as I eventually get new hardware.
Did you get a RPi4 "official" or a clone?
I got a RPi-1 and doubt it will be a collector's item. I am not a collector, except for stuff that even the computer museum won't take. They sure are fussy.
BumRushDaShow (172,750 posts)
and they didn't have it for the SPARC. SETI crunching was slow as molasses on that machine but it worked (I ran it headless).
I also ran an Alpha Workstation with Red Hat 5.1 for Alpha.
I got a CanaKit Pi 4 8GB but do still have my older model "Pi 2 B" in a bin in a closet. Was running SETI on that too.
XorXor (690 posts)
I'm kidding. I enjoy watching/listening to people go into deep philosophical battle over systemd.
I do understand the point of anti-systemd folks to an extent, but man, it sure does make a lot of things easier. But then again, I'm just a young whippersnapper who doesn't know any better.
usonian (26,830 posts)
Throw away years of crafting init scripts? Bahhh.
Wonder when systemd will have a GUI like Microsoft.
Just having fun.
But to old-timers, it's like rewriting your python programs
IN PERL!!
Have a fun day.
XorXor (690 posts)
I view whatever OS as a tool to do whatever it is I am doing. One thing is that I didn't really get into any linux management at scale until systemd was pretty much on most of the stuff I had to touch. Although, before that I was using linux on a much more limited scale since I started back in the early 2000s, but that's different. But sometimes I get into some old stuff and I'm like "man, what the hell is going on here?"
usonian (26,830 posts)
I am pretty much entirely into apps, whether they're runnable binaries or behind a webserver.
So, I never see lower level than that.
And I seriously don't spend as much time as I should on the apps.
I take ba-zillions of photos, and just reviewed today's batch.
At the end of the day, I barely get past some level adjusting and a tad of sharpening, and that's it.
I used to use the amazing xv program, (we are talking 80's) which, IIRC, was the first to let you adjust the light levels on a curve.
I should be using one or more of digikam, photivo, darktable or RawTherapee on the raw files.
Photography takes a lot of time. Long walks.
Good exercise.

HariSeldon (543 posts)
The government should put bounties on security bugs for Open Source software, with a targeted messaging campaign toward college students.
usonian (26,830 posts)
thesquanderer (13,143 posts)
...sound a lot like holding gun manufacturers responsible for damage caused by users of their guns.
Good luck getting Republicans to get behind that idea, since the one so easily extends to the other.
usonian (26,830 posts)
Speaking for myself, I can separate buggy software from "user error", i.e. social engineering attacks. Is the analogy more one of "defective guns"?
And aren't gun makers more careful in the design of their weapons than software makers? Of course, weapons are almost always simpler. (I worked in aerospace. Some are damn complex).
Getting software makers to deliver more secure products is necessary, though HOW is a big question. I am reminded of Microsoft allowing direct access to everything via its web browser, when nowadays, browsers are sandboxing. That took how long? Ten years? More?
HOW? Well, I believe that "shrink wrap" warranties ("We disclaim EVERYTHING if you open this package." ) have been thrown out. Not sure how or when. Probably in courts. That's progress?
Well, "software ate the world" and trying to ask or demand that it be well-crafted seems impossible at this time. Perhaps the bully pulpit will help. Hate for things to drag through the courts. (like certain other things discussed on DU)
Getting users to wise up? Good luck with that.
Historic NY (40,169 posts)
According to the Consortium for Information and Software Quality, poor software quality cost US companies $2.08 trillion in 2020. These losses span all business sectors and include costs from operational failures, unsuccessful projects, and software errors in legacy systems.
According to Cybersecurity Ventures, cybercrime costs alone will reach $10.5 trillion annually by 2025, and the US will shoulder at least one-third of that cost.
https://raygun.com/blog/cost-of-software-errors/
SWBTATTReg (26,472 posts)
ever reduce the threat of cyber-attacks. Other than the fact that there are nefarious national entities that are interested in attacking software platforms, there are loads of other characters that can't resist attacking software, to see if they can 'break it', to get into things that they shouldn't be getting into.
This exploration can be of benefits, mainly in discovering glitches in the software that no one else thought of, or holes in the logic that no one thought of. So much of this software is brand new to the world, never before has been developed or thought of before, so the world is wide open, and I think that stifling this area, this area of creativity will dampen the spirit of development of new and/or enhanced software to do other things not previously possible or thought of.
Strengthening perhaps the laws on nefariously damaging software and/or getting into databases to look at or grab data illegally would probably be the key, for the industry today is governed more by self-ethics, self-control of don't go/don't get into databases or systems that you aren't supposed to.
And by the way, sure these little Mom and Pop operations should be able to protect their computer systems, but this can be very expensive. And a lot of carriers of computer traffic already offer some sort of monitoring to watch out for nefarious software/etc., so where are the gaps that the Feds are seeking to address? You don't want to stifle the creative spirits that created the Computer Age, but you do want adequate, affordable security. One that the users won't be hesitant to use, and one that is easy to administer/easy to use/set up.
One of the best security measures I've encountered was a little calculator device that issued a six-digit PIN every 30 seconds or so, which happened to exactly match the six-digit PIN of the particular database that you were trying to access. Thus, if your logon attempt w/ your six-digit PIN matched the current six-digit PIN generated by the database (both devices were synchronized to begin with), then you got in.
However, this was expensive and thus, probably the main reason it didn't fly. There are other security measures such as eye and/or palm readers too, but these were mostly for data centers and such, way too expensive for the average person on the street/average user.
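The synchronized token SWBTATTReg describes is the scheme RFC 6238 later standardized as TOTP: both sides derive the same six-digit code from a shared secret and the current 30-second time step, so nothing secret crosses the wire. The following is an added example, not code from any post in this thread: the token side, plus a server-side check that tolerates one step of clock drift and refuses a code that has already been used. The shared secret is the ASCII seed from the RFC 4226/6238 test vectors, chosen only so the output can be checked against the published values.

```python
import hashlib
import hmac
import struct
import time

# Constructed shared secret: the ASCII seed used by the RFC 4226/6238 test vectors.
SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time code (RFC 4226) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """Time-based code (RFC 6238): the counter is the number of 30 s steps since the epoch.
    This is what the 'calculator device' computes; the server computes the same thing."""
    return hotp(secret, unix_time // step)


class TokenVerifier:
    """Server side. Accepts the code for the current step or one step either side (clock
    drift between token and server), and never accepts the same step twice."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_accepted_step = -1

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // STEP_SECONDS
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_accepted_step:
                continue                         # replay, or older than the last success
            if hmac.compare_digest(hotp(self.secret, step), code):  # constant-time compare
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    shown = totp(SECRET, now)                    # what the user reads off the token
    verifier = TokenVerifier(SECRET)
    print("token shows:", shown)
    print("first use accepted:", verifier.verify(shown, now))
    print("replay accepted:", verifier.verify(shown, now))
```

Tokens of this kind fail silently when the two clocks drift apart by more than the window, which is why a small drift allowance and a resynchronization path are part of every deployed design.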
usonian (26,830 posts)
And the most glaring hack of recent times, the SolarWinds attack, was on system monitoring and control software designed to protect systems.
https://www.techtarget.com/whatis/feature/SolarWinds-hack-explained-Everything-you-need-to-know
For the "little people" life is tough enough, with creeps using SEO to masquerade as "Epson Printer Support" (or HP or whatever) on Google search results. They get you to download remote system management software and take over your system.
You know, people say that the internet is "free" but tell me how a $90 monthly bill is "free". ISPs should be providing more, like "paid" (paywalled) services, and not just some free movies now and then, and some modicum of protection, not just warehousing your searches in order to feed you ads and build a profile (most don't or say they don't).
An aerospace company I correspond with has filters on every web access and piece of email for malware. Admittedly, Apple and Microsoft have malware detection at the operating system level that's quite complex once you read up on it (It's not advertised a lot) but you have to keep up with constant updates to the software. And you have to do some handstands to sideload non-store software, a big PITA for developers and users of open source software.
The truly paranoid answer is to boot up a TAILS operating system (https://tails.boum.org) from DVD or USB stick, and when you are done, everything goes away. When you reboot, you get a new clean operating system (it allows for persistent storage of your data)
Recommended for whistleblowers, reporters, more people each day as repressive laws are passed by morons in state legislatures.
I just wish that they would remove the image from their front page of new Russian citizen Edward Snowden.
But most people, and certainly small businesses can't really go this route.
There otta be proxies out there, preferably free or cheap, for average people. (one of my blue-sky plans that never took flight) And ISPs otta be doing a lot more. In the case of spying on customers (are you listening, Verizon?) a lot less.
Fiendish Thingy (24,281 posts)
Silicon Valley and other tech meccas have plenty of Dems they can persuade to oppose anything that would increase their liability and reduce profits.
Oneironaut (6,339 posts)
There is software out there that is made to test a system's vulnerabilities. This provides valuable information to the tester. Are they liable if someone misuses it?
XorXor (690 posts)
I'm curious what they have in mind. I hope they have technical people working on the specifics that are feasible and reasonable. For example, if a company doesn't properly utilize or configure the system, then that's clearly the victim company's fault, no? Now I can understand going after a company that knowingly ships out a system that is flawed, but what if there is some really obscure, difficult-to-find bug that is exploited? What if the issue is in a library that is used?
Not opposed to the idea of this when it comes to clear negligence, but the devil is in the details.