2001-12-17
Safety standards and civil liability made automobiles safe. It can work for software too.
Save the Net, Sue a Software Maker
2001-12-17
Sean, bremerton Wa (4 replies)
Save the Net, Sue a Software Maker
2001-12-18
Robert A. Matern (3 replies)
Save the Net, Sue a columnist
2001-12-19
Anonymous (1 replies)
OS and App tools NOT ready for Prime time= lawsuit city!
2001-12-21
we are years away from having tools that coders can use safely (ex: SELinux and CycloneC)! (1 replies)

Son, my company was helping design and write on-line real-time operating systems before you were probably born. When we designed (not after we coded and tested) operating systems, we had three unvarying rules:
1. No user shall ever be allowed to violate the operating system code. (Both hardware and software protection were used.)
2. No user shall ever be allowed to access any other user's data without tacit permission or user stupidity.
3. System software MTBF (mean time between failures) was required to be measured in months or years.
If we could not assure that our design would satisfy these three rules, we dumped it and started over.
We beta tested our software with consoles for free usage spread over the UC and Stanford labs and dorms as well as in engineering offices and homes. Our users were students bent on breaking our system by bringing it down or taking it over. The two IBM Class A time-sharing operating systems that we (an outside IBM ten-man firm) designed, coded, and tested were utilized by business, government, and over eighty universities worldwide for over twenty-five years with no recorded penetrations of the operating system or by code breaking into another user's data. The first live paying user test at the IBM operating Center in San Francisco operated 24/7 for three and a half weeks with hundreds of simultaneous users before the first OS bug was found. It did not bring down the system. It affected only one user. We, the designers and developers, were contracted to stay aboard for over a year to teach our IBM employee replacements and to act as the front line troubleshooters. The OS had less than a million lines of machine language code and was thus manageable for the long-long term.
That, young man, is how you produce a largely bug-free OS product and achieve reliability, security, and trustworthiness among your users.
IBM paid us to write and publish our tenets, design principles, and techniques. We lectured and presented papers. These were the classes and professional papers that your generation seems to have slept through. Or are you just fundamentally flawed and irresponsible?
Signed, An old codger that used to be proud of his profession.
Link to this comment: http://www.securityfocus.com/comments/columns/47/9840#9840