Category Archives: Software

Quis custodiet ipsos medici?

Internet security is in a position similar to that of safety in the medical industry. Many doctors have an opinion like this one, quoted by Kent Bottles:
“Only 33% of my patients with diabetes have glycated hemoglobin levels that are at goal. Only 44% have cholesterol levels at goal. A measly 26% have blood pressure at goal. All my grades are well below my institution’s targets.” And she says, “I don’t even bother checking the results anymore. I just quietly push the reports under my pile of unread journals, phone messages, insurance forms, and prior authorizations.”

Meanwhile, according to the CDC, 99,000 people die in the U.S. per year because of health-care associated infections. That is equivalent of an airliner crash every day. It’s three times the rate of deaths by automobile accidents.

The basic medical error problems observed by Dennis Quaid when his twin babies almost died due to repeated massive medically-administered overdoses and due to software problems such as ably analysed by Nancy Leveson for the infamous 1980s Therac-25 cancer-radiation device are not in any way unique to computing in medicine. The solutions to those problems are analogous to some of the solutions IT security needs: measurements plus six or seven layers of aggregation, analysis, and distribution.

As Gardiner Harris reported in the New York Times, August 20, 2010, another problem is that intravenous and feeding tubes are not distinguished by shape or color: Continue reading

What we can learn from the Therac-25

What does Nancy Leveson’s classic analysis of the Therac-25 recommend? (“An Investigation of the Therac-25 Accidents,” by Nancy Leveson, University of Washington and Clark S. Turner, University of California, Irvine, IEEE Computer, Vol. 26, No. 7, July 1993, pp. 18-41.)
“Inadequate Investigation or Followup on Accident Reports. Every company building safety-critical systems should have audit trails and analysis procedures that are applied whenever any hint of a problem is found that might lead to an accident.” p. 47

“Government Oversight and Standards. Once the FDA got involved in the Therac-25, their response was impressive, especially considering how little experience they had with similar problems in computer-controlled medical devices. Since the Therac-25 events, the FDA has moved to improve the reporting system and to augment their procedures and guidelines to include software. The input and pressure from the user group was also important in getting the machine fixed and provides an important lesson to users in other industries.” pp. 48-49

The lesson being that you have to have built-in audit, reporting, transparency, and user visibility for reputation.

Which is exactly what Dennis Quaid is asking for.

Remember, most of those 99,000 deaths a year from medical errors aren’t due to control of complicated therapy equipment: Continue reading

What about the Therac-25?

Someone suggested that Dennis Quaid should be reminded of the Therac-25 “if he thinks computers will reduce risk without a huge investment in quality, quality assurance and operational analysis.” For readers who may not be familiar with it, the Therac-25 was a Canadian radiation-therapy device of the 1980s that was intended to treat cancer. It had at least six major accidents and caused three fatalities, because of poor software design and development.

Why should anyone assume Dennis Quaid doesn’t know that quality assurance and operational analysis are needed for anything designed or controled by software? The man is a jet pilot, and thus must be aware of such efforts by aircraft manufacturers, airlines, and the FAA. As Quaid points out, we don’t have a major airline crash every day, and we do have the equivalent in deaths from medical errors. Many of which could be fixed by Computerized Physician Order Entry (CPOE).

Or ask the Mayo Clinic: Continue reading

Windows Considered Not Ready for the Desktop

R. McDougall takes the high ground for open software:
0. Premise: free and open software will stay indefinitely. Full stop. You may argue eternally, but free software is the ultimate disruptive technology, moving up from the low ground, replacing complicated and ill-fitting proprietary alternatives at every turn, such as web-browsers, e-mail clients, video players, office software, etc., which at one point cost money, but now most people find that they can no longer justify spending money to buy an upgrade for more “Clippy the Happy Assistant”. Proprietary software will only be able to stay relevant by searching out ever more niche applications, or by massive expenditure on research in high-end applications for which it will take time for the ideas and algorithms to filter down to the greater community, and thus a brief window of profitability will remain. Software patents are nothing but a destructive force to retard innovation, and with more and more of the technology and legal communities realizing this basic fact, software patents are about to go away forever.
I think he’s being a bit optimistic about software patents, but no more so than Windows advocates claiming that open software is a flash in the pan. Then he gets into the undeniable stuff, chief of which is:
1.1 History’s greatest playground for malicious software. With unpatched machines on the internet taking only minutes to become infested with viruses, or become a slave bot for massive illegal spamming operations, Windows is a blight on the Internet’s infrastructure.
And it keeps getting better. He says he wrote it just as a game, but it pretty much spells out why I don’t use Windows, plus why Windows is a menace to the Internet.

Checks on Checks, or Shipping and Shipping Software

Paul Graham points out that big company checks on purchasing usually have costs, such as purchasing checks increase the costs of purchased items because the vendors have to factor in their costs of passing the checks.
Such things happen constantly to the biggest organizations of all, governments. But checks instituted by governments can cause much worse problems than merely overpaying. Checks instituted by governments can cripple a country’s whole economy. Up till about 1400, China was richer and more technologically advanced than Europe. One reason Europe pulled ahead was that the Chinese government restricted long trading voyages. So it was left to the Europeans to explore and eventually to dominate the rest of the world, including China.

The Other Half of “Artists Ship”, by Paul Graham, November 2008

I would say western governments (especially the U.S.) subsidizing petroleum production and not renewable energy is one of the biggest source of current world economic, political, and military problems. Of course, lack of checks can also have adverse effects as we’ve just seen with the fancy derivatives the shadow banking system sold in a pyramid scheme throughout the world. It’s like there should be a balance on checks. Which I suppose is Graham’s point: without taking into account the costs of checks (and I would argue also the risks of not having checks), how can you strike such a balance?

He doesn’t neglect to apply his hypothesis to SOX: Continue reading

Microsoft Ditches VBA for Security?

For some time I’ve been noting Dan Geer’s point that Microsoft faces a dilemma: stick to backward compatibility including many security vulnerabilities, or fix the holes and lose backwards compatibility. Looks like they’ve done the latter with Office:
Most of the whining comes because Office 2008 does not include Visual Basic. In some respects, this is welcome change because Office never should have had Visual Basic. VBA is what enabled the Macro Virus. Furthermore, Office 2009 (for Windows) is not going to have VBA, either.

However, not shipping VBA in Office 2008 means that people who want to have cross-platorm documents that are pseudo-applications have to deal with it in 2008, not 2009. That’s worth complaining about.

Microsoft Has Trouble Programming the Intel Architecture, by mordaxus, Emergent Chaos, 16 Jan 2008

The poster immediately goes on to sneer at OpenOffice for allegedly not being able to do things Office can do (without ever mentioning specifics) and at Keynote because everybody uses PowerPoint (while acknowledging that “Keynote rocks — it got Al Gore both an Oscar and the Nobel Prize”).

When Microsoft can manage to annoy even slavish users like that by breaking backwards compatibility, MSFT has a problem. No doubt no VBA in Office isn’t the last straw, but it isn’t the first, either.


Mastery and Secure Coding

Brooks extended:

Each thing we are trying to push for in secure coding these days requires mastery, Cardspace, static analysis, threat modeling, web service security, and friends are very deep individual domains, and when applied to an enterprise they get wide as well. Let me underline that – to deploy any of the current cutting edge stuff in software security at scale, requires technical depth and deployment width. This automatically limits your resource pool of who can deliver this stuff.

So what I have seen work well is using a decentralized, specialist team approach with a very specific agenda and goals. Note the team can be very small, 2 or 3 people even if they are empowered.

Go Wide and Deep, Incrementally, Gunnar Peterson, 1 Raindrop, 10 JJan 2008

Not only can’t you make a late project on time by throwing people at it, you can’t really make a project secure by throwing people at it.


Cisco Open IOS

cisco.gif In quite a change from 2.5 years ago, when Cisco went to great lengths to try to prevent Michael Lynn from revealing details of Cisco’s code, Cisco is opening its software:
Since its debut more than 20 years ago, IOS has largely been a closed, proprietary, tightly guarded jewel in Cisco’s lockbox. But the company’s ambitions to make the network the platform for all IT operations and become a software force are in turn forcing Cisco to give up a little in return – like making IOS more than just a platform for Cisco-developed services.

“It’s a significant step forward for us,” said Don Proctor, senior vice president of Cisco’s newly formed Software Group, at last week’s C-Scape 2007 analyst conference. “Software turns out to be a key way that we can do what [we’ve] been talking about for some time, which is link business architecture to technology architecture in a meaningful way.”

Cisco opening up IOS, Looks to make software third-party friendly, Network World, 12/12/07

Wow, who could have imagined that technology architecture could be related to business architecture? Continue reading

Linus on Schedulers vs. Security as Numbers vs. Opinions

linus_torvalds.jpg Thus Spake Linus:

Schedulers can be objectively tested. There’s this thing called "performance", that can generally be quantified on a load basis.

Yes, you can have crazy ideas in both schedulers and security. Yes, you can simplify both for a particular load. Yes, you can make mistakes in both. But the *discussion* on security seems to never get down to real numbers.

So the difference between them is simple: one is "hard science". The other one is "people wanking around with their opinions".

Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel, by Linus Torvalds,, Monday, October 1, 2007 – 7:04 am

Linus Torvalds, inventor of Linux and thus originator of its associated industry, continues:

Continue reading

Bananas and Apples: Another Monoculture

banana-bunch_d.gif Yes, we will have no bananas, again:

Most commercial growing facilities handle just a single banana type — the one we Americans slice into our morning cereal.

How much time is left for the Cavendish? Some scientists say five years; some say 10. Others hold out hope that it will be much longer. Aguilar has his own particular worst-case scenario, his own nightmare. "What happens," he says, with a very intent look, "is that Panama disease comes before we have a good replacement. What happens then," he says, nearly shuddering in the shade of a towering banana plant, "is that people change. To apples."

Can This Fruit Be Saved? By Dan Koeppel,, June 2005

Cavendish is the variety of banana eaten the world around. "Quite possibly the world’s perfect food," says Chiquita. But perfection comes with a price if it leads to monoculture. And that’s what we’ve got with bananas: every commercial Cavendish banana tree is grown from cuttings of the original tree, and so is genetically identical. Banana monoculture has borne the fruit of disaster before.

Growers adopted a frenzied strategy of shifting crops to unused land, maintaining the supply of bananas to the public but at great financial and environmental expense — the tactic destroyed millions of acres of rainforest. By 1960, the major importers were nearly bankrupt, and the future of the fruit was in jeopardy. (Some of the shortages during that time entered the fabric of popular culture; the 1923 musical hit "Yes! We Have No Bananas" is said to have been written after songwriters Frank Silver and Irving Cohn were denied in an attempt to purchase their favorite fruit by a syntactically colorful, out-of-stock neighborhood grocer.) U.S. banana executives were hesitant to recognize the crisis facing the Gros Michel, according to John Soluri, a history professor at Carnegie Mellon University and author of Banana Cultures, an upcoming book on the fruit. "Many of them waited until the last minute."

Denial in the face of a clear and present ecological danger. We’ve seen this before.

Continue reading