[SystemSafety] Fwd: Re: OpenSSL Bug

John Knight jck at virginia.edu
Thu Apr 10 23:31:02 CEST 2014 

Perhaps we could request the assistance of the insurance industry.

There have been instances where insurance has been a useful weapon in 
the security battle.  If I remember correctly, the CERT at the SEI has 
ventured down that path.

Insurance against significance losses due to a security breach might be 
expensive but probably less than the cost that organizations such as 
Target are now facing.

Of course, insurance would not be issued unless a comprehensive audit 
were performed.

When applying for insurance, the use of C would be treated as a 
preexisting condition, and losses attributable to software written in C 
would be excluded.

-- John

On 4/10/14, 5:11 PM, C. Michael Holloway wrote:
> On 4/10/14 4:25 PM, Peter Bernard Ladkin wrote:
>> Oh, there are obvious ways. Suppose we made it a crime, punishable by 
>> hanging, drawing and quartering, to release in any form for use by 
>> the public code that is not "type-conform".
> My best guess is that before all of the readers of this list pass from 
> the earth, the use of certain programming languages will be outlawed 
> in at least some civilized countries.  Just as the use of asbestos is 
> banned in many jurisdictions because its harmful effects are deemed to 
> outweigh its benefits, so too will the use of (for example) C be banned.
>
>> Isn't it far better for us computer scientists to agree what "type conform" means, to admit that
>> non-type-conform SW has caused endless problems, and to demonstrate progress in addressing the
>> scourge of non-type-conformity before the politicians decide to intervene?
>>
> My inclination is to think that the history of other disciplines 
> suggests that intervention of politicians (or at least lawyers and 
> juries) is more likely to be necessary than not.  Also, I am much less 
> sanguine than PBL of the likelihood that a gathering of computer 
> scientists could agree on anything, much less on a definition of "type 
> conform".  The history of conversations on this list (and its 
> predecessors / siblings) suggests that agreement is exceedingly rare.
>
> -- 
> /*cMh*/
>
> *C. Michael Holloway*, Senior Research Engineer
> Safety Critical Avionics Systems Branch, Research Directorate
> NASA Langley Research Center / MS 130 Hampton VA 23681-2199 USA
> office phone: +1.757.864.1701 /often forwarded to/ +1.757.598.1707
>
> The words in this message are mine alone; neither blame nor credit 
> NASA for them.
>
>
> _______________________________________________
> The System Safety Mailing List
> systemsafety at TechFak.Uni-Bielefeld.DE

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.techfak.uni-bielefeld.de/mailman/private/systemsafety/attachments/20140410/046d7197/attachment.html>

More information about the systemsafety mailing list