Monday, March 13, 2017

Secrets for Software Developers

In one of the world's great ironies, Wikileaks is offering help to the big makers of software to try to set them straight on how their software is being hacked.  This is fantasy, farce, and irony all rolled into one.

If anyone believes the intelligence services of the world have discovered something the vendors of software do not already know, hold up your hand.  The fantasy part is that the vendors not only know, they have known for years, that their software is full of holes that allow hackers in.  They just haven't done anything about it.  All you have to do is be involved in a few of these cases to know that the vendors are well aware of what is wrong with their software but they take their good old time fixing it.  In some cases, forever, or as long as they can avoid liability for the outcomes of the problems they have created.

The farce is that the vendors really care about the holes an intelligence service has found.  As a simple case, I worked with the U.S. CERT on a couple of findings of vulnerabilities in some of our favorite software.  The CERT is not allowed to force a company to make changes and cannot announce a problem until the fix is in for it.  This makes sense only where there is action to make a fix.  Some of the vendors were waiting a year or more to fix something that needed to be fixed urgently.  To them, this was "due diligence," since the developers don't have to worry about liability for anything they do.  Our legal system exempts them from liability for shipping a product with known faults and not correcting those faults, even when that causes harm.  Contrast that with the auto industry, where recalls are common.  When did a software vendor ever recall anything?  They issue a new patch - in a few months - and are "dismayed" when people don't install it.  The burden is always on the user.

The irony lies in the ability of some intelligence services to exploit things that the vendors say they did not know about.  Excuse me, but this is what they get paid for.  They are supposed to find ways to get intelligence, and the fact that they might be good at it is not a bad thing.  Wikileaks has not been quick to point out how the Russians and Chinese have been attacking systems in the free world, subjecting them to some criticism that is deserved.  But there is probably a better reason for that than we know.  If Wikileaks did start publishing the internal files of Russian or Chinese intelligence agencies, they would be on the Internet for only a few minutes after they did it.  The irony lies in the fact that Wikileaks has been openly publishing damaging information on the United States, yet is allowed to continue its operations.  Not many people in the U.S. benefit from that.  Now Wikileaks is trying to show that it is benevolent, offering to help out the vendors.  There is enough irony in that to fill a book.
