How to fix untrustworthy software?

We, apparently, cannot do much, but those who developed it can actually do something. What they currently do follows one of three uncomplicated patterns. As you lose in two out of three cases, read and learn.

The winning (for us) case is a simple one: if the software is untrustworthy then it has to be redeveloped and made trustworthy. Which means that designers have to return to their digital drawing boards and coders to their worn-out keyboards. If there is legacy software, it must be reopened and fixed.

As it seems like a lot of work, companies are rather reluctant to follow this path. Actually, there is only one company that I have heard of: Microsoft. Seriously, Microsoft. You may not like them (I do not), but I have to admit that they had the guts to redo the whole crappy software. The problem is that they spent a lot of money and they are unable to capitalize on it. Which means that in the first case we may win, but the company may lose.

The second case is a particularly popular one. Instead of fixing errors, the company wraps the software in a sandbox and promises that the sandbox (or a firewall, or virtualisation) will make the package trustworthy. The outcome: the quality of the original bit of software rapidly deteriorates while the whole focus is put on making the sandbox even more complicated.

Eventually, we have untrustworthy software in an untrustworthy sandbox. At which stage the company offers us another sandbox to wrap up the existing sandbox. Seriously, we should have known better, but we always fall for this trick. The currently fashionable sandbox is called ‘the cloud’. Did you fall for it? I thought so. And you are in good company.

The third case is popular mostly for corporate software. It follows the popular phrase: do not ask – do not tell. Managers do not ask about the trustworthiness of the software because if they knew they would have to make a decision. Employees learned the hard way not to trouble the management, so they patch the software with policies and processes instead. Everything works well, but those pesky customers do not want to play ball and leave for the competition. Fortunately the competition quickly upgrades its software and its managers do not want to know of any trouble, so the ball keeps rolling.

What can you do? That’s easy: recognize trustworthiness with your trust. Which means: use only trustworthy software and be prepared to pay for it. Sounds deceptively easy, doesn’t it? Why aren’t we doing it already? Where’s the catch?

Here is the catch: can you tell trustworthy software from untrustworthy software by just looking at the box? No? You are not the only one. Software is a promise, not a product, and it is hard to inspect a promise at the point of sale. But there is a way. Use the Trust-O-Meter. It actually works. It is not complicated. Give it a try.

Posted in technology, trust governance, Trust-O-Meter

Business case for trustworthy software

Seriously, is there one? I struggle to find it. However, it is not a frivolous matter: if there is no business case for trustworthy software then there will be no commercial trustworthy software. So, if you know of one, please let me know.

This question of a business case essentially boils down to the nature of the software industry. Is it an industry similar to bridge building, with detailed expectations, stringent norms and personal responsibility, with designers and builders sitting below the bridge during the stress test? Or is it like the insurance industry: selling non-specific promises only to weasel out of any responsibility when you actually need them?

I know that we know the answer: it is like the insurance industry. We all know it. The exception: software companies do not even pretend to promise anything. They do not even pretend to accept any responsibility. It is all clear, black on white, in 6 point Times, at the bottom of the 13th page of your licence agreement. Did not read it? Your fault.

The software industry is an anomaly among industries, and it will remain such if we do not complain. No software house will ever regret having one user less, but there are many that will regret not having thousands or millions. Money speaks.

Note that my harsh words apply only to the general-computing, game-office-and-network fare of software. There is a large industry of automotive software and dedicated financial software that actually accepts some responsibility for its products. It is probably because auto-makers and banks actually read licence agreements and actually complain.

What is it that you can do? First: use free open-source software. Seriously. It is free, it has plenty of functionality and it is not concerned with its business case, because it is free. Actually the majority of the Internet runs on open source. Try it for yourself.

Second: reward trustworthiness. I mean: pay for it. If you see a trustworthy paid-for chunk of software do not complain that it is expensive. Do not try to steal (i.e. appropriate) it. If you do so, you destroy trustworthiness.

Third: do not lock yourself in. Do not let others lock you in. Whenever you can, reject proprietary standards. Which means that if you get disappointed with any bit of software you can move on. Which means that those who want to be trustworthy must keep trying.

Posted in trust governance, trustworthiness

One big damning multiplier

I do not think I could have written it better, so I decided to quote Bloomberg Businessweek (May 6, 2013) verbatim. I hope I will be forgiven.

“Peter Drucker, the celebrated management theorist, certainly thought that the CEO-to-rank-and-file multiplier mattered. Starting with a 1977 article and until his death in 2005, Drucker considered 25-to-1 or even 20-to-1 the appropriate limit. Beyond that, he indicated, it’s bad for business. In his view, excessively high multiples undermine teamwork and promote a winner-takes-all, “did-it-because-I-could” culture that’s poison to a company’s long-term health.”

What is it all about? Bloomberg calculated the ‘multiplier’, the ratio of CEO pay to the pay of the average non-managerial worker, for the S&P 500 companies. It is only an approximation of the real thing, but it is telling nonetheless. The average is slightly above 200, and the maximum is about 1800. Good-bye Drucker. Hello, greed.

A fish rots from the head down. That’s apparent and no amount of teamwork exercises and positive self-learning books will change it. If we cannot do something about the apparent greed of our so-called corporate leaders, then trustworthy business is only a pipe dream.

I wonder whether this ratio will be the best index ever to measure the trustworthiness of a company. The simple Trust-O-Meter indicator that lets us anticipate years in advance how the company will progress. Or decline. Which is more likely, considering the multiplier.

Posted in companies, news, Trust-O-Meter, trustworthiness

The inversion of reachability

‘The inversion of..’ is a popular phrase, specifically among software developers. If you are not one of those slavishly bound to their workstations, you have probably never heard of ‘inversion of control’, the new fashion in software. I hope that the ‘inversion of reachability’ will make a similar career among information security professionals.

What is reachability? It is an increasingly popular risk assessment trick. In computer network security it means that if one computer becomes compromised, the attacker has access to all the computers that are reachable from the compromised one, and, transitively, to everything reachable from those. So, it is not enough to consider the front-line protection; it is also worth considering what will happen once the front line breaks.

The basic security rule is simple. The more reachability there is, the easier it is to compromise the network. The more partitioned the network is, the less reachability there is and the more secure the network seems, even if the front line has vulnerabilities. And the harder it is to navigate. And the slower.

Enough about reachability. TERM uses what can be called the inversion of reachability. We do not consider the frontal, top-down attack that has to go through several computers to reach the target. We consider the possibility that the back end, the foundation, the leaf of the dependency tree is untrustworthy. Thus the weakness we consider always comes from the bottom. From the soft underbelly of the system.

Actually, in this respect TERM nicely complements normal risk analysis. Risk flows from the front all the way down to the foundations of the system. Trustworthiness flows from the foundations up to the front. They complement each other. Reachability and its inversion meet. Which is exactly what we need.
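The two directions of traversal described above, as an added example that is not part of the original post and does not implement TERM itself. The topology is constructed for illustration: an edge a -> b means "a can open a connection to b", which read the other way round means "a depends on b". Forward reachability from a compromised host gives the attacker's blast radius; reverse reachability from an untrustworthy foundation gives everything whose trustworthiness it taints. Both are the same search over the graph and its transpose, and partitioning (cutting edges) shrinks both at once.

```python
from collections import deque

# Constructed topology for illustration only (not from the post).
# "internet" -> "web" means the web tier is reachable from the internet;
# "app" -> "db" means app connects to (and so depends on) the database.
CONSTRUCTED_NETWORK = {
    "internet": ["web"],
    "web":      ["app", "cache"],
    "app":      ["db", "auth"],
    "cache":    [],
    "auth":     ["db", "ldap"],
    "db":       ["backup"],
    "ldap":     [],
    "backup":   [],
}


def reverse(graph):
    """Transpose the graph: every a -> b edge becomes b -> a."""
    rev = {node: [] for node in graph}
    for src, dsts in graph.items():
        for dst in dsts:
            rev.setdefault(dst, []).append(src)
    return rev


def reachable_from(graph, start):
    """Transitive closure by breadth-first search, excluding start itself."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def blast_radius(graph, compromised):
    """Normal reachability: risk flows from the compromised front line downwards."""
    return reachable_from(graph, compromised)


def tainted_by(graph, untrustworthy):
    """Inverted reachability: lack of trust flows from a foundation upwards."""
    return reachable_from(reverse(graph), untrustworthy)


def partition(graph, cut_edges):
    """Remove (src, dst) edges, e.g. a firewall rule or network segmentation."""
    cut = set(cut_edges)
    return {src: [d for d in dsts if (src, d) not in cut]
            for src, dsts in graph.items()}


if __name__ == "__main__":
    print("web compromised, attacker reaches:", sorted(blast_radius(CONSTRUCTED_NETWORK, "web")))
    print("backup untrustworthy, taints:     ", sorted(tainted_by(CONSTRUCTED_NETWORK, "backup")))
    segmented = partition(CONSTRUCTED_NETWORK, [("auth", "db")])
    print("after cutting auth->db, auth reaches:", sorted(blast_radius(segmented, "auth")))
    print("after cutting auth->db, db taints:   ", sorted(tainted_by(segmented, "db")))
```

The same cut that limits what an attacker on `auth` can reach also removes `auth` from the set of components an untrustworthy `db` taints, which is the sense in which the two analyses meet.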

Posted in model, risk management, TERM

CESG new classification policy

I went to InfoSecurity Europe, a yearly gathering of noisy information security vendors, restless wannabe security managers and youngsters collecting shiny gadgets. There was the usual clatter of companies that promise to improve trust, to eliminate the need for trust and to deliver if only you trust them. Normal, I would say.

Anyway, I stopped by the CESG booth. For those not living here, CESG stands for “Communications-Electronics Security Group” and is responsible for securing governmental information systems. Quite a task, quite a responsibility, quite a level of trust they command and usually warrant.

While at the stand, I picked up the “New Government Classification Policy (April 2013)”. An interesting read: instead of three levels of protective markings there will be .. surprise .. three levels. They will be called: (1) Official, (2) Secret and (3) Top Secret. Disclosure: the document itself does not carry any protective markings, so we do not go to jail.

The only problem is that in the next section of the same document those levels are called (1) Official, (2) Official-Sensitive and (3) Secret. So: Secret or Official-Sensitive? Secret or Top Secret? If I accidentally bump into a document marked as Secret, does it mean level 2 or level 3? How would I know if CESG does not seem to know?

Why is it important? Normally we do not deal with governmental documents (barring tax returns and voting papers), so the error does not seem that important. However, the protective marking of a document defines the level of trustworthiness that is required to access it. If the marking goes ballistic, the assessment of trustworthiness may follow. And this may be a disaster. So it is not just a typo, this is a problem.

By the way, it is always worth knowing who the untrusted party is. It is clear from the same policy document: governmental information must be protected from “threats such as hacktivism, journalists and criminals”. For years I have been used to the fact that apparently ‘hacker’ and ‘criminal’ mean the same to governmental officials. But now I have learned that ‘journalist’ and ‘criminal’ are equally untrustworthy and dangerous. Ouch. Murdoch, beware.

Posted in conference, government, trust