[trustable-software] First time poster; Long time reader

John Ellis john at ellis-and-associates.com
Thu Nov 10 11:06:54 UTC 2016


All,

Good morning. My name is John Ellis and I'm finally coming out of the
shadows to introduce myself. Apologies for lurking since the founding of
this group. When Paul first talked to me about this, I had great visions of
Horatio-like debate, and Socratic discussion. Then, I saw the caliber of
you folks and your writings and decided to stay in the shadows. Humbled and
at times, too chicken to comment.

That all said, I have been an avid reader since the beginning. I understand
the goals and the roles folks have articulated and in general, I agree.
However, to fully jump into the group, here are my rambling (apologies in
advance) thoughts that in some cases, cover points you all raised weeks and
months ago.

One. I am a firm believer that all companies that produce software-enabled
products (whether hardware or cloud) need trustable software. HOWEVER, I
also believe there is a gradient of need, with those that build hardware
like cars, trucks or nuclear reactors needing trustable software earlier
and faster than others. Again, not to say others don't need it. But that
the need is far greater, and more impactful, for this collection of hardware
companies.

But here's the rub. Those companies are controlled by boards and executive
management that have ZERO idea of what software is and cannot tell the
difference between trustable and something else. This then leads to
exceptionally poor decision making in terms of financial investment and/or
purchasing.

The perfect example of my point is the automotive industry. They claim to
get the need for secure software (note, they don't use the word "trustable"
- at least not yet). However, they are not doing the necessary financial
restructuring to support the statement. By that I mean putting into place
the necessary organizational and financial changes to support continuous software
development, updates, analysis etc. Not a single OEM is taking the necessary
steps, with the exception of Tesla.

I fear that this situation will remain until such time as we have a change
in leadership at one of the big 10 auto companies. By that I mean a change
from a car-centric executive to a non-car executive who understands
software, service and their corresponding business models. Whoever makes
that move will (imho) be best positioned to win.

So ... the kicker for me is that while you all can have (and have had) the
most amazing technical discussion on building trustable software, I fear
that this excellent technical advance will be met by this massive concrete
wall called "management." So I would advocate that in part, one of the
goals of this group HAS to be education of those who have no understanding
of software. And THAT is a hard thing to do simply because there is such
little "infrastructure" in terms of executive training on software. (BTW -
this is a HUGE gripe of mine. We wouldn't think of hiring executives who
don't understand the basics of accounting and finance, and yet software is
an equally critical skill and we don't even think twice about punting on
that requirement.)


Two. The recent Mirai botnet attacks against both Brian Krebs [1] and
DynDNS [2] highlight a fundamental issue in terms of trustable software
(including the design of the internet - which I will leave for now). Bruce
Schneier's article "Security Economics of the IoT" [3] highlights an
exceptionally frightening world. That is, a world where there are no
natural market dynamics that can be relied on to "fix" the insecurity
issue. Thus, Bruce believes this means a government approach is required.
And that scares the shit out of me. Simply because I don't believe those in
government "get" this issue either, and so I'm not confident they could
prescribe a path forward.

This is why I think the group that Paul has pulled together is so utterly
important. We have to be the genesis of change and a group that can point
the way forward on the path to trustable software. The technical AND the
business aspects of trustable software.


Three. I speak an awful lot in terms of keynotes and panels. Since the
founding of this email list I make reference to it whenever there is a
question on security or software or "how do we move forward?". I have a set
of cards for folks that I need to pass to Paul to welcome folks to join us.
What Paul has committed to in terms of a public "presence" will be quite
helpful, so that I can simply point people to an easily known list name and
they can then choose to apply for admission or not.


Many thanks for reading this far. Apologies again for lurking this entire
time. With this post, I am now "fully committed" to active discussion on
the topic.

While I live in the States, I happen to be in London this week for a
combination of vacation and work. Therefore, I will be joining you all for
dinner tonight in Epsom. I look forward to putting faces to the names and
engaging in lively debate over drinks.

Cheers.

jte

[1] https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/
[2] http://dyn.com/blog/dyn-statement-on-10212016-ddos-attack/
[3] https://www.schneier.com/blog/archives/2016/10/security_econom_1.html