Re: [SystemSafety] Fwd: Re: OpenSSL Bug

From: John Knight < >
Date: Thu, 10 Apr 2014 17:31:02 -0400


Perhaps we could request the assistance of the insurance industry.

There have been instances where insurance has been a useful weapon in the security battle. If I remember correctly, the CERT at the SEI has ventured down that path.

Insurance against significance losses due to a security breach might be expensive but probably less than the cost that organizations such as Target are now facing.

Of course, insurance would not be issued unless a comprehensive audit were performed.

When applying for insurance, the use of C would be treated as a preexisting condition, and losses attributable to software written in C would be excluded.

On 4/10/14, 5:11 PM, C. Michael Holloway wrote:
> On 4/10/14 4:25 PM, Peter Bernard Ladkin wrote:
>> Oh, there are obvious ways. Suppose we made it a crime, punishable by
>> hanging, drawing and quartering, to release in any form for use by
>> the public code that is not "type-conform".
> My best guess is that before all of the readers of this list pass from
> the earth, the use of certain programming languages will be outlawed
> in at least some civilized countries. Just as the use of asbestos is
> banned in many jurisdictions because its harmful effects are deemed to
> outweigh its benefits, so too will the use of (for example) C be banned.
>
>> Isn't it far better for us computer scientists to agree what "type conform" means, to admit that
>> non-type-conform SW has caused endless problems, and to demonstrate progress in addressing the
>> scourge of non-type-conformity before the politicians decide to intervene?
>>
> My inclination is to think that the history of other disciplines
> suggests that intervention of politicians (or at least lawyers and
> juries) is more likely to be necessary than not. Also, I am much less
> sanguine than PBL of the likelihood that a gathering of computer
> scientists could agree on anything, much less on a definition of "type
> conform". The history of conversations on this list (and its
> predecessors / siblings) suggests that agreement is exceedingly rare.
>
> --
> /*cMh*/
>
> *C. Michael Holloway*, Senior Research Engineer
> Safety Critical Avionics Systems Branch, Research Directorate
> NASA Langley Research Center / MS 130 Hampton VA 23681-2199 USA
> office phone: +1.757.864.1701 /often forwarded to/ +1.757.598.1707
>
> The words in this message are mine alone; neither blame nor credit
> NASA for them.
>
>
> _______________________________________________
> The System Safety Mailing List
> systemsafety_at_xxxxxx



The System Safety Mailing List
systemsafety_at_xxxxxx Received on Thu Apr 10 2014 - 23:31:16 CEST

This archive was generated by hypermail 2.3.0 : Mon Feb 18 2019 - 11:17:06 CET