Don't rush software security by passing laws

Bruce Schneier writes:
"If we expect software vendors to reduce features, lengthen development cycles and invest in secure software development processes, it needs to be in their financial best interests to do so. If we expect corporations to spend significant resources on their own network security -- especially the security of their customers -- it also needs to be in their financial best interests.

"Liability law is one way to make it in those organisations’ best interests. If end users could sue software manufacturers for product defects, then the cost of those defects to the software manufacturers would rise. Manufacturers would then pay the true economic cost for poor software, and not just a piece of it. So when they balance the cost of making their software secure versus the cost of leaving their software insecure, there would be more costs on the latter side. This would provide an incentive for them to make their software more secure."

Bruce - I support your general reasoning, but please don't call for governments to pass laws in this respect. We all know what kind of laws they're going to come up with. They're going to be onerous, they are going to be stupid, and they're going to impose a bureaucracy that will raise entry costs so that it will become nearly impossible to start up a small software business without a serious amount of venture capital to begin with.

It's good to call for the culture to change, but the requirement for change should come from the users. No one likes insecure software. No one likes when their computer is hijacked. Microsoft has made some serious progress in the security area lately - IIS6 is much more secure than IIS5; Windows XP was more secure than 2000, and Windows Vista is still a good deal more secure than XP.

This is evidence that market pressures are working. People are already deciding what software to use on the basis of what is more secure. The more reliable, more secure, more trustworthy options are prevailing. In 10 years, the landscape in software security will be much better than it is today, and the standards will have become higher; progress is already taking place. What we DON'T need is legislation to rush this change and destroy the software market by transforming it into a highly regulated industry till kingdom come.


How to fix capitalism, denis's way

I make the following claims:
  1. In capitalism, the most reliable way out of the misery of wage labor is to start your own business.
  2. In social capitalism, the government pretty much closes off this path by making the life of a small business owner miserable. They impose endless bureaucratic obstacles, and then they proceed to confiscate the income you and your business desperately need to survive.
  3. All this damage is rationalized as necessary for the government to promote that cherished "fair distribution of income". In effect, the government destroys economic opportunity, stifles everyone's progress, and then tries to make it look as though it's doing something good for everyone.
  4. The way to fix capitalism is not for the government to stumble around trying to ensure a "fair distribution of income". Instead, the solution is to provide a fair distribution of opportunity.
  5. A way towards a fair distribution of opportunity would be to remove the insensible burdens placed on everyone who tries to escape the wage labor treadmill by starting their own business.
  6. The majority of bureaucratic burden on small businesses would be removed by repealing the income tax in all forms and replacing it with a sales tax that's much simpler to administer. An exceedingly large proportion of work that goes into running a small business is spent following procedures whose only objective is to enable the government to measure and take away your income. If there is no income tax, the need for the majority of red tape in a small business goes away.
  7. The remaining part of bureaucratic burden would be removed by removing regulation where unnecessary. This is especially egregious e.g. in professions where regulation serves mainly as a barrier of entry for newcomers. For example, the government decides that there are already "enough" hair salons, so it makes life difficult for young hairdressers who want to start their own salons, protecting the previous generation that already has them. The new hairdressers are therefore effectively forced to work for the established ones, who treat them badly and pay them a pittance. That's a stark violation of the fair opportunity principle, and it stems from the damaging belief held by some members of the government that they can "decide" what's "best" for everyone.
Governments are filled with people who are as stupid or stupider than everyone else, and so are in no position to make decisions about other people's lives. Everyone would be much better off if most of them just stopped trying.


Shoot the homeless!

Ron Garret just posted what he thinks is his rebuke to Henry Hazlitt's Economics in One Lesson. I reproduce here my reply.

The strong words are a rhetorical ploy. I use it because I think that looking at the problem from this harsh point of view puts things into perspective. I wouldn't actually shoot people. I'm too wishy-washy and teary-eyed for that.

Rather, I believe in empathy; but I also believe in its counterpart. It's important to know when a situation calls for empathy and when it calls for no mercy. The unfortunate fact is that many don't. This is a source of suffering.

So here's my response, as addressed to Ron.

Hazlitt is right: "But the solution is never to reduce supplies arbitrarily, to prevent further inventions or discoveries, or to support people for continuing to perform a service that has lost its value."

I'll answer your question: "Really? Why not?"

  • To reduce supplies arbitrarily is to do damage: it is to throw away good work that was already done, to deny the benefit of this work to the population, to make everyone a bit worse off, to prevent progress.
  • To prevent further inventions or discoveries is to do damage on such a scale that it is difficult to even comprehend. This cuts off all of the possible futures in which the human condition could be vastly improved through technological progress, to replace them only with those possible futures that make use of no new inventions and discoveries, which is to replace them with status quo, which is to perpetuate human suffering. This is evil.
  • To support people for continuing to perform a service that has lost its value is to place these people on a dead-end track, to make their lives pointless, it is to give up on their potential. It is stupid because resources are being expended to provide an unnecessary service, and it is tragic because the potential of these people is being wasted.
Note that Hazlitt is not arguing that nothing should be done to help these people. Unless he writes that somewhere else in his book, in a part which you did not quote, it is you who is beating the straw man. I can suggest a number of ways to improve such people's lives which are consistent with Hazlitt's paragraph you attacked:
  • One is to pay such people to do nothing. Retirement comes early. No resources have to be wasted performing an unnecessary task, and the people can spend their time doing something else that actually makes their lives fulfilling.
  • Another is to pay for such people to be trained to do something else. This is better than early retirement in that their potential is not wasted. I think most tax money is wasted, but education and research are fields where more spending on good programmes is always a good investment.
Finally, I know that you're too wishy-washy, teary-eyed, soft-hearted and in general not man enough to agree :) but I still think that the best solution to solve poverty in the long term would be to simply shoot everyone who cannot sponsor their own living nor find a kind sponsor who would. People in general have a tendency not to plan and think about the future. Shooting a few hopeless cases for the results of their poor planning would really set a good example and motivation for everyone to take good care of themselves, and it's hardly likely you'd see many more beggars and homeless people around in a few years. If it is made public policy that everyone needs to take responsibility for themselves "or else", then you'd see that everyone would.

It wouldn't even be necessary to do the shooting if there were not as many suckers like you who get all teary-eyed about people playing victims, refusing to see how this role is usually a choice more so than an externally imposed situation.

I want to have one of these!

An electric car with stunning looks that accelerates to 100 kph in 4 seconds and goes 400 km before recharging?

Oh yeah!

Tesla Roadster. I want one.

Check out their site, it's quite impressive.

The Chevrolet Volt Concept doesn't look half bad either. I hope we're going to see it on the road - soon! (Via Ron Garret)


Voting machines containing 'secrets'

Bruce Schneier posts about a Florida judge who denied the request of a defeated election candidate to inspect the source code of a voting machine's software, ruling as follows:
"For this Court to grant Plaintiffs' motions would require this Court to find that it is reasonably necessary for the Plaintiffs to have access to the trade secrets of Defendant, Election Systems & Software, Inc., based on nothing more than speculation and conjecture, and would result in destroying or at least gutting the protections afforded those who own the trade secrets."
My response:

How many "trade secrets" is it that you can actually have in an election machine? How is that interface any more complicated than displaying a few buttons and recording the results in some format?

It looks to me like the complexity of the software in those machines should equal something that can be done in a few weeks' time by any capable programming student.

There are no trade secrets in there. There can't be; there isn't room for any.

If the manufacturer of those machines claims that there are secrets requiring protection, there can be only one type of secret - the sinister type. And that is all the more a reason to be suspicious and investigate the technology.

A manufacturer of such machines should be open about the internals and willing to prove their quality - not trying to hide the innards. What have they got to hide?

Italy urges global execution ban

Interestingly, I'm not the only person who felt disgust when Saddam Hussein was executed.

I oppose the death penalty, but on the other hand I do believe that, if there is to be justice, and Saddam Hussein needed to be executed, then this courtesy should be extended to George W. Bush, as well.

On the other hand, there is still ample time for that. I hope at some point in the future the U.S. recognizes the international criminal court, and then it would be fitting for George W. Bush to be tried there. Seeing that Europe is somewhat more humane when it comes to punishment, execution is unlikely, but at least he should be put away for life.


Penalizing companies and people for bad behavior

Boris Kolar recently posted this proposal in a comment to my post on bottom trawling.
I propose the following solution: give people a real "no" vote. Give them the ability to anonymously "steal" from companies they don't like.
I think this idea is worth discussing. Allowing people to penalize companies (AND other people! remember that a corporation has all the rights of a natural person), for what they consider to be their bad deeds, would probably lead to a mixture of (A) better behavior, (B) increased effort on improving the company's public image, and (C) increased effort on silencing critics and hiding truth.

While A (improvement) is certainly desirable, and B (more PR) might be tolerable, the C effect is certainly destructive. Which one of these effects would prevail would have to be observed through an experiment.
How about the following rules:
- the total amount of money a person can "steal" from corporations is limited by a fraction of his personal tax liabilities
No. You know I'm against the income tax, so this won't fly with me. Let it be a fixed amount per person. And let the penalty money be destroyed (given back to the central bank for reissue), NOT transferred. The penalty must be motivated by a pure punishment motive, not in any direct or indirect way as financial gain, otherwise abuse will be rampant.
- tax liabilities of a corporation are (1 - k * ci / (ci + ts)) where k is an empirically determined constant, ci is corporate income, ts is total amount "stolen" from corporation
With no income tax, the penalties would have no tax-related impact.


George W. Bush - a psychopath

This checklist is amazing. (If at first the checklist fails to load, press F5 or try navigating to it through here.)

It probably very much depends on the assessor, but according to my judgement, George W. Bush displays almost all of the listed psychopathic characteristics. I gave him 38 points out of 40. A score of 25-30 or more supports a diagnosis of psychopathy. Average scores in prisoner population are about 22, and average scores in normal population are about 5.

This might explain why different people see this president so differently. (There is still a substantial proportion of US population that appears to support Bush, for some reason.) I'm thinking the difference might be that some people lack the fundamental capability to 'read' people. According to recent articles in New Scientist, about 2% of the population cannot recognize a face - not even faces of people they've known a lifetime. It stands to reason that a larger percentage of the population would recognize faces but would have trouble interpreting the person - establishing an accurate mental model of what the person is like, rather than just hearing what he says and taking it at face value. (My mother, for example, has trouble understanding sarcasm. She's known me and my dad for the better part of her life, and she can't tell when either of us is being sarcastic; she takes it seriously. I reckon there are many more people like that out there.)

I hated Bush since before he was elected president. I knew he was a detestable person from the first few times I saw him. I felt despair as if a great tragedy had befallen the United States when he was elected. Yet, when I was confronted with some who supported him, I couldn't really argue against him persuasively, because essentially, my argument was that he is a detestable person. It was subjective.

Yet, now I learn that his behavior supports a diagnosis of psychopathy.

So now, knowing everything that happened since 2000, one might argue that this subjective impression from 6 years ago wasn't so subjective after all, now - was it?