Re: [SystemSafety] Fwd: Re: OpenSSL Bug

From: Christopher Johnson < >
Date: Fri, 11 Apr 2014 08:53:48 +0000


Hi John

Here is a recent paper Ive been working on about cyber insurance there are multiple initiatives and multiple barriers to the development of this market.

All the nest,
Chris.

From: "John edu>" <jck_at_xxxxxx Organization: University of Virginia
Date: Thursday, 10 April 2014 22:31
Subject: Re: [SystemSafety] Fwd: Re: OpenSSL Bug

Perhaps we could request the assistance of the insurance industry.

There have been instances where insurance has been a useful weapon in the security battle. If I remember correctly, the CERT at the SEI has ventured down that path.

Insurance against significance losses due to a security breach might be expensive but probably less than the cost that organizations such as Target are now facing.

Of course, insurance would not be issued unless a comprehensive audit were performed.

When applying for insurance, the use of C would be treated as a preexisting condition, and losses attributable to software written in C would be excluded.

On 4/10/14, 5:11 PM, C. Michael Holloway wrote: On 4/10/14 4:25 PM, Peter Bernard Ladkin wrote: Oh, there are obvious ways. Suppose we made it a crime, punishable by hanging, drawing and quartering, to release in any form for use by the public code that is not "type-conform". My best guess is that before all of the readers of this list pass from the earth, the use of certain programming languages will be outlawed in at least some civilized countries. Just as the use of asbestos is banned in many jurisdictions because its harmful effects are deemed to outweigh its benefits, so too will the use of (for example) C be banned.

Isn't it far better for us computer scientists to agree what "type conform" means, to admit that non-type-conform SW has caused endless problems, and to demonstrate progress in addressing the scourge of non-type-conformity before the politicians decide to intervene?

My inclination is to think that the history of other disciplines suggests that intervention of politicians (or at least lawyers and juries) is more likely to be necessary than not. Also, I am much less sanguine than PBL of the likelihood that a gathering of computer scientists could agree on anything, much less on a definition of "type conform". The history of conversations on this list (and its predecessors / siblings) suggests that agreement is exceedingly rare.

--
cMh

C. Michael Holloway, Senior Research Engineer
Safety Critical Avionics Systems Branch, Research Directorate
NASA Langley Research Center / MS 130 Hampton VA 23681-2199 USA
office phone: +1.757.864.1701 often forwarded to +1.757.598.1707

The words in this message are mine alone; neither blame nor credit NASA for them.




_______________________________________________
The System Safety Mailing List systemsafety_at_xxxxxx

_______________________________________________
The System Safety Mailing List systemsafety_at_xxxxxx
Received on Fri Apr 11 2014 - 10:54:14 CEST

This archive was generated by hypermail 2.3.0 : Thu Apr 25 2019 - 13:17:06 CEST