[SystemSafety] Fwd: Re: OpenSSL Bug

Christopher Johnson Christopher.Johnson at glasgow.ac.uk
Fri Apr 11 10:53:48 CEST 2014


Hi John

Here is a recent paper I’ve been working on about cyber insurance – there are multiple initiatives and multiple barriers to the development of this market.

All the nest,
Chris.

From: "John edu>" <jck at virginia.edu<mailto:jck at virginia.edu>>
Organization: University of Virginia
Reply-To: "knight at cs.virginia.edu<mailto:knight at cs.virginia.edu>" <knight at cs.virginia.edu<mailto:knight at cs.virginia.edu>>
Date: Thursday, 10 April 2014 22:31
To: "systemsafety at lists.techfak.uni-bielefeld.de<mailto:systemsafety at lists.techfak.uni-bielefeld.de>" <systemsafety at lists.techfak.uni-bielefeld.de<mailto:systemsafety at lists.techfak.uni-bielefeld.de>>
Subject: Re: [SystemSafety] Fwd: Re: OpenSSL Bug

Perhaps we could request the assistance of the insurance industry.

There have been instances where insurance has been a useful weapon in the security battle.  If I remember correctly, the CERT at the SEI has ventured down that path.

Insurance against significance losses due to a security breach might be expensive but probably less than the cost that organizations such as Target are now facing.

Of course, insurance would not be issued unless a comprehensive audit were performed.

When applying for insurance, the use of C would be treated as a preexisting condition, and losses attributable to software written in C would be excluded.

-- John

On 4/10/14, 5:11 PM, C. Michael Holloway wrote:
On 4/10/14 4:25 PM, Peter Bernard Ladkin wrote:
Oh, there are obvious ways. Suppose we made it a crime, punishable by hanging, drawing and quartering, to release in any form for use by the public code that is not "type-conform".
My best guess is that before all of the readers of this list pass from the earth, the use of certain programming languages will be outlawed in at least some civilized countries.  Just as the use of asbestos is banned in many jurisdictions because its harmful effects are deemed to outweigh its benefits, so too will the use of (for example) C be banned.


Isn't it far better for us computer scientists to agree what "type conform" means, to admit that
non-type-conform SW has caused endless problems, and to demonstrate progress in addressing the
scourge of non-type-conformity before the politicians decide to intervene?



My inclination is to think that the history of other disciplines suggests that intervention of politicians (or at least lawyers and juries) is more likely to be necessary than not.  Also, I am much less sanguine than PBL of the likelihood that a gathering of computer scientists could agree on anything, much less on a definition of "type conform".  The history of conversations on this list (and its predecessors / siblings) suggests that agreement is exceedingly rare.

--
cMh

C. Michael Holloway, Senior Research Engineer
Safety Critical Avionics Systems Branch, Research Directorate
NASA Langley Research Center / MS 130 Hampton VA 23681-2199 USA
office phone: +1.757.864.1701 often forwarded to +1.757.598.1707

The words in this message are mine alone; neither blame nor credit NASA for them.



_______________________________________________
The System Safety Mailing List
systemsafety at TechFak.Uni-Bielefeld.DE<mailto:systemsafety at TechFak.Uni-Bielefeld.DE>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.techfak.uni-bielefeld.de/mailman/private/systemsafety/attachments/20140411/27ff9c8d/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Cyber Insurance Feb 2014 CWJ.pdf
Type: application/pdf
Size: 353321 bytes
Desc: Cyber Insurance Feb 2014 CWJ.pdf
URL: <https://lists.techfak.uni-bielefeld.de/mailman/private/systemsafety/attachments/20140411/27ff9c8d/attachment-0001.pdf>


More information about the systemsafety mailing list