Information Security News mailing list archives

RE: Should Microsoft be Liable for Bugs?


From: InfoSec News <isn () c4i org>
Date: Fri, 19 Sep 2003 00:26:37 -0500 (CDT)

Forwarded from: Jason Coombs <jasonc () science org>
Cc: mbernard () nbnet nb ca

For example: The FDA and Health Canada "strongly-encourages"
Pharmaceuticals to validate the computers and systems that are used
to develop drugs.

Quality Assurance in the computer business is much easier than in the
pharma business.

Scary thought, huh?

Malicious software looks exactly like any other software: it's simply
machine code instructions (or script instructions/byte code meant for
an interpreter/virtual machine runtime).

What do malicious amino acid and nucleic acid sequences look like? You
guessed it, they look exactly like us.

There's just no technical difference between a modern pharmaceutical
and a human being. The way that QA works in the pharma business, we
are all vulnerable to computer-based attacks that specifically target
nucleic acid and amino acid synthesizers for the purpose of inserting
malicious sequences (malicious genes, malicious aminos) that pharma
companies have only one chance to detect in order to prevent serious
harm: before they ship their product.

A variety of lab tests are possible for optimal security in a pharma
factory, including a simple weight measurement of the resulting
biochemical compound -- the engineers know in advance what the precise
weight will be of each sample of each correctly-constituted drug. But
do they weigh each sample before shipping it out? Doubtful. They
definitely cannot perform any destructive testing on each sample, so
the security control boils down to one simple thing: preventing ALL
executions of unauthorized code in the CPUs that control the
synthesizers. Period. With a 100% success rate. No vulnerabilities.

There is good reason to believe that in the present computing
environment it is only a matter of time before a computer virus or
other malware is designed to infect a particular brand of
DNA/RNA/amino acid synthesizer control computer, instructing that
computer to insert malicious sequences in the synthesized biological
end product. Converting itself, if you'll forgive the whimsical musing
of science fiction, from an infectious computer contaminant into a
biological one.

The frustrating thing is that we, as an industry, are still mired in
the immature growth phase of argue, argue, argue, defend our own
interests, defend, defend, defend, and this immaturity is driving us
to seriously consider outlawing full disclosure... If we have any
common sense left, we'll stop our self-interested bickering and
tug-o-war struggles over control of little bits of software code
"intellectual property" (are you listening, SCO? MS?) and acquire a
little perspective. When the first person dies from a contaminated
pharmaceutical, somebody better break the law (and violate their
employment contract) and post the details of the exploit to
full-disclosure or I'm going to hold them personally responsible when
my family member becomes victim #2.

Thoughtfully,

Jason Coombs
jasonc () science org

-----Original Message-----
From: owner-isn () attrition org [mailto:owner-isn () attrition org] On Behalf Of InfoSec News
Sent: Wednesday, September 17, 2003 7:32 PM
To: isn () attrition org
Subject: Re: [ISN] Should Microsoft be Liable for Bugs?


Forwarded from: Mark Bernard <mbernard () nbnet nb ca>

Dear Associates,

This is a frustrating problem that recreates itself on a seemingly
weekly basis.

For years now the software industry has regulated itself, doing a
pretty decent job, and then came along M$. Everything has changed and
will continue to change, increasing the integration and inherent
dependencies of business systems with business processes. Perhaps it's
time for our industry to evolve as well.

For example: The FDA and Health Canada "strongly-encourages"
Pharmaceuticals to validate the computers and systems that are used to
develop drugs. The validation process, although designed to 'control'
the environment, is very flexible, allowing differences in
configurations so long as they are recorded and validated. The
validating process must include a formal change management
process/document management. The practice is truly ISO or Deming's TQM
and it's sadly missing from software development in general.

[...]



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

