
Software Sucks On Purpose

ITworld 01/30/2008

James Gaskin, ITworld.com

Why is software so bad? We legally exempt software companies from any accountability for bad software they write, so they have no incentive to write better software. Users, not software companies, pay the price for bad software.

Let's dig deeper than the typical "software sucks" banalities of the Ribbon in Office 2007, nagging "are you sure?" dialog boxes from Vista, and brain-melting error messages from just about every software application out there. Dig down to the endless patching and the constant battle to plug holes developers leave in their software. Dig down through the End User License Agreements that let vendors off the hook for everything imaginable. Dig down through your annoyance at paying real money for software that should still be in alpha testing.

Dig deep enough and you find that the U.S. Government exempted the software industry from liability for, well, just about everything. The software companies you buy from, according to our government, are free to sell us any pile of putrid programming and not only can we not sue them, we can't get our money back.

Thanks, Government.

30,000 and counting. That's the number of known software vulnerabilities according to a security expert friend (he's the CTO of a network vulnerability testing company, so he keeps up with those details). Lousy programmers and "ship it fast" software companies can't be touched, because in 1997 the Clinton White House said in a paper called "A Framework for Global Electronic Commerce" that "Innovation, expanded services, broader participation, and lower prices will result in a market-driven arena, not in an environment that operates as a regulated industry" (pg 137 in Geekonomics, details below).

In other words, the White House told the software business they can do whatever they want. In fact, the report added, "Existing laws and regulations that may hinder electronic commerce should be reviewed and revised or eliminated to reflect the needs of the new electronic age" (Geekonomics, pg 138).

Most of us don't work on huge systems of interest to the White House. For us, the software business has the EULA, or End User License Agreement. Legally, these are called "adhesion contracts" because the terms stick: buyers have no room for negotiation. Take it or leave it, period. Worse, software isn't sold but "licensed," meaning software companies restrict our rights even further. The courts have deferred to the software companies in almost every single case when users tried to sue to attach liability to bad software.

The one case where the government successfully sided with users, or in this case victims, was against Multidata Systems International after the software controlling their radiation therapy medical devices caused several deaths. The FDA (Food and Drug Administration) filed an injunction in 2003 to force them to fix their software. (FDA Seeks Injunction Against Multidata Systems Intl.)

Think for a moment about how software touches all portions of our lives, and impacts public health and safety. In every case save one, software companies have not been held liable for their mistakes. No accountability, no oversight, and no redress for victims of sloppy software means vendors have no reason to improve.

The FDA lost the battle to regulate blood bank software in 1994 to ensure AIDS-tainted blood didn't get into the main blood supply. Beyond the high profile AIDS threat, mis-matched blood kills people in less than 20 minutes. The FDA demanded some new rules for software life-cycle testing and accountability. Industry pushed back, and the FDA lost that battle.

If the wrong blood is given, you can sue the hospital, but not the software vendor whose product gave the hospital the wrong information. Think about that the next time you or a loved one needs blood.

Geekonomics parallels the software industry's rejection of accountability today with the Detroit auto manufacturers in the 1960s. Car companies said user error caused all the traffic deaths, not cars with bad tires, bad brakes, no seatbelts, and steel dashboards waiting for crash victims' heads. Regulators demanded a safety rating system, and crash test dummies were developed to measure the crashworthiness of autos. Now every car has a crash test rating for every potential buyer to read and compare to other cars.

When you crash, aren't you glad you have seatbelts and airbags? Thank the regulators, not the auto companies. Wish you had a "security hole" rating on software you consider purchasing? Today, you are the crash test dummy for insecure software.

Speaking like an economist, author David Rice told me, "Spending money to patch bad software means that money is not spent on other things, like innovation."

Programmer Certification

When Mitzi cut my hair the other day, I noticed her license from the State of Texas certifying she took a prescribed course of training and passed impartial tests administered by the state. She must continue to update her training, just like doctors, lawyers, engineers, and a wide range of other licensed professionals, including, believe it or not, mule jockeys.

I walked out and saw a plane flying overhead. A major carrier jet, a huge plane with hundreds of passengers, flew only because of its software. No programmer involved in the design, construction, or testing of that airplane has ever passed an impartial test certifying that programmer's ability. Not even the ability to make "Hello, world" appear on a screen after a successful compile has been objectively tested.

Try to balance those facts. To certify my hair gets cut professionally, the government provides oversight and regulation on the person wielding the scissors. To protect millions of people flying in airplanes every week, the government oversees and regulates absolutely no programmer training or qualifications. Bad haircut protection? Extensive. Bad programming protection? Zero.

Let's ignore "bad" programming like stupid error messages. Let's look at the continued release of software updates containing multiple security holes. Let's look at software on the market years after zero day exploits hit the streets. Let's see what redress companies have when software patches claiming to fix security holes in fact leave those holes open: none.

There are more than 800,000 global standards, according to Geekonomics. How many apply to software construction? None.

Engineers are licensed, follow a code of ethics, and are accountable for their mistakes. Programmers are none of those. Next time a programmer tries to claim the title "software engineer," laugh loudly. The State of Texas specifically forbids programmers from using the title of engineer, because it is the only state to impose licensing on programmers (Geekonomics, pg 297). Since there is no licensing process in place yet, there are no software engineers.

Holding Software Accountable

When will the balance between software vendors and users get more fair? One hopeful sign is the recent move by Cisco, Pitney-Bowes, and Caterpillar, among others, to change the status quo, reject billable hours from the law firms serving them, and demand flat rates. Cisco's general counsel mentioned this in a recent speech to Northwestern University's School of Law (Lerer, The Scourge of the Billable Hour). Will Caterpillar soon have the courage to tell Cisco it will no longer accept software from Cisco without guarantees that it works, and Cisco accepting some accountability when it doesn't? That would be a nice turnaround.

Geekonomics takes its name as a way of indicating that the author applies economic principles to the study of the software industry. For an economist, markets work when people make decisions in their own best interest. Yet when the self-interest of one group, such as the software industry, hurts others in the market, the result is an imbalance called a "negative externality."

Let's count up some ways sloppy software hurts others. Insecure software enables hackers to attack, users must patch and repatch the software without any financial compensation from vendors, and applying new patches allows software companies to change their licensing rules. If your software seriously sucks, you can't sue the provider for incompetence or selling you a worthless product, because the government granted them a "get out of jail free" card.

How can we put these conflicting interests back in balance? If vendors pay no penalty for lousy, insecure software, they have no incentive to change. Government regulation generally means taxation of some kind. Could we fine software vendors for insecure software like we fine polluters for poisoning our air and water? Who could we trust to judge what is or isn't secure and apply appropriate fines?

Easier would be to let the lawyers "help" the situation. If an alarm company sells you an alarm that doesn't work, you can get your money back, and may even be awarded damages in some situations. What if you could sue firewall software vendors for leaving known exploits open? What if you could force that vendor to pay for cleanup after a break-in, like you can force an alarm company to make things right after their product fails?

Software vendors, given special dispensation to help develop their products and the market, have abused their privileges. Setting lawyers on them may be distasteful, but you can't send choir boys to fight barbarians. The way software vendors have abused us, it will be "turnabout is fair play" letting lawyers abuse them.

When the legal system adjusts to a changing world, things get messy. There will be some frivolous lawsuits, some weird laws passed by Congress, and right wing talk radio will go crazy. But after a few, well, many years, the legal system will catch up, and the relationship between software vendors and users will be more equitable. Rice told me, "It took 30 years of court cases to bring about strict product liability for products like automobiles."

Users must take some responsibility for this mess. When we complain about software to vendors, they dangle a new version with a few new features in front of us, and we fall for it every single time. Hope springs eternal, and software users always hope a new version will fix the problems in the old version while adding something new and fun. We must stop that, and demand better, not more feature-laden, software.

Let slip the dogs, or lawyers, of war. It's time we stood up for ourselves and demanded better, more secure software, and held vendors accountable. When we pay money, we expect a working product, whether it's a physical item or software.

Our leader for this fight should be Howard Beale, the tragic star of the movie Network. Released in 1976, Network surprised everyone as Howard Beale ordered us to stick our heads out of the window and yell, "I'm as mad as hell, and I'm not going to take this anymore."

References:

If you want 323 more pages of detail on these issues, check out the book Geekonomics: The Real Cost of Insecure Software by David Rice (Addison-Wesley), ISBN-13: 978-0-321-47789-7, ISBN-10: 0-321-47789-8

Geekonomics blog

Slashdot book review

James E. Gaskin writes books (16 so far), articles and jokes about technology and real life from his home office in the Dallas area. Gaskin has been helping small and medium sized businesses use technology intelligently since 1986. Write him at readers@gaskin.com.

Copyright © Computerworld, Inc. All rights reserved