All posts by Code Curmudgeon

I've been working in Software Development at Parasoft since 1992 - which in my opinion is before the epoch (my measure being the first real use of the web). I've been involved deeply in creating software, creating software tools, and helping customers address their software problems including automotive, cybersecurity and embedded. The views and opinions expressed herein are those of the author and do not necessarily reflect the views of anyone else on the planet. Caveat lector. You can follow me on twitter @CodeCurmudgeon, Google+, Static Analysis for Fun and Profit, Facebook, and LinkedIn.

Software Safety Keynote EuroSPI 2016

I was honored this week to have the opportunity to present a keynote session at EuroSPI 2016. The title of my presentation was “Software Safety and Security Through Standards” and I discussed one of my favorite soapboxes. That is the idea that software development is often less disciplined than it should be, but it doesn’t have to be. We can and should develop software as an engineering discipline.

One of the key ways to start down this path is to implement coding standards properly. Too many are trying to use coding standards late in the process as a way to find bugs, rather than a way to flag improper methods of coding early on. While the former is cool, the latter is far more valuable.

The adage that “you can’t test quality in a product” is well known, but for some reason in software we think that you can indeed test quality into an application. The same goes for application security, perhaps even doubly so.

In order to break out of the current cycle of code, deploy, fix, redeploy we have to start doing things differently. We have to build a more mature software development process and static code analysis is the way to build upon the body of knowledge and best practices available.

Slides are below. Let me know if you have comments, questions, suggestions. And thanks to everyone at EuroSPI and ASQ for putting on a great conference and allowing me to participate. These are great organizations to get involved with if you’re serious about software quality. I encourage you to check them out.

Keynote at EuroAsiaSPI2 2016 Conference

If you’re going to be in Europe in September, I’ll be speaking at the EuroAsiaSPI2 2016 conference in Graz, Austria on September 15th.

EuroAsiaSPI2 is also known as European & Asian System, Software & Service Process Improvement & Innovation. The EuroAsiaSPI² conference presents and discusses results from systems, software and services process improvement and innovation or SPI projects in industry and research, focusing on the gained benefits and the criteria for success. This year’s event is the 21st of a series of conferences to which international researchers and professionals contribute their lessons learned and share their knowledge as they work towards the next higher level of software management professionalism.

I’ll be speaking on Software Safety and Security through Standards

Abstract:
Software has moved from the desktop in just about everything we touch. From smart thermostats to infusion pumps to cars software is pervasive and growing. These so-called “things” from the Internet-of-Things are increasingly carrying more logic and with it a larger risk of failure. Many of these devices are using in safety critical areas such as medical and automotive where they have a particular potential for bodily harm.

Most companies that have been building devices rightly view current software development as an almost insane group of cowboys and chaos. But there is hope, software CAN and MUST be treated an engineering practice. Coding standards move us from the build, fail, fix cycle back into a design, build, deliver cycle with high quality, safety, and security.

As it turns out, these same standards also provide benefits in the areas of cybersecurity, doing double duty. We will explore how standards help us move from finding bugs to building more robust software, how to prevent problems in the first place by proper coding, and how to leverage the efforts of others by using common accepted industry standards such as MISRA to achieve this goal.

To attend you can register here.

Understanding Open Source Licenses

Open source projects come with a wide variety of license types. Some of them even conflict with each other. They include things like restrictions against commercial use, a requirement to distribute the source code, proper attribution, and more. If you’re using several different open source projects, it becomes an administrative headache to make sure you’re in compliance with the various licenses involved. Some projects even have multiple license choices and you need to understand which of the license you should choose and which you can ignore.

In order to minimize the risk and the effort to enforce compliance, it’s worth looking at the license associated with an open source project before adopting it. Some of the pitfalls include:

Pitfalls

Ambiguity: Some licenses can be ambiguous because they are drafted without benefit of professional legal advice. Make certain the terms fit the conditions necessary to your business. Just because a lawyer didn’t draft them doesn’t mean you can’t seek legal advice before using a project, so do it. This sounds like a lot more work than it actually is, because you don’t have to review every type of software license for every project you’re coding. You only have to review every license type that you want to use. Once you’ve accepted for example the MIT license (currently the most popular open source license) you’re ready for all projects that use open source components with that license.

Jurisdiction: Some licenses have a jurisdiction that may be inconvenient – for example if they software is governed by EU laws and you’re an American company this can be problematic if legal issues arise, whether around intellectual property or liability. In some cases, some licenses have omitted jurisdiction info leaving you open to challenges in venues that may be costly or difficult for your business.

Unintended open source: Some licenses such as the GPL require that all derivative works have the same restrictions as they do, meaning that you can be forced to open source your project if you use them. If you’re working on proprietary software this isn’t a viable option.

Patentability: While not all licenses conflict with traditional intellectual property rights such as patents, some of them do. If intellectual property (IP) is important to your business make sure the software licenses you use don’t restrict your rights.

Copyright: There was a court case a few years back over whether or not the owner of an open source project can enforce their rights against someone who uses their project. On appeal it was determined that they can. In other words, violating an open source license can be legally actionable in the United Sates – see Jacobsen v. Katzer.

License Types

Below are examples of some of the most common open source licenses in use. More detail can be found at https://opensource.org/licenses and advice on the different types of licenses can be found at http://choosealicense.com.

GNU GPL: Comes in many versions, currently GPLv3. This is called a “copyleft” to differentiate it from “copyright”. Using this license means that you must share the source code to your own work using the project under the same terms as the original project, for example making your own code available. Includes an express grant of patent rights from the contributors. Used by Bash and GIMP. This works well if your own project doesn’t get distributed, or if you don’t mind open-sourcing your own work.

GNU LGPL: Similar to GPL above, but makes a distinction between “based on” and “uses” to determine whether or not you have to share your own source code. “Uses” means you don’t have to share the code while “based on” means that you must.

Apache: Comes in multiple versions – currently v2.0. It’s a permissive license that lets you do pretty much whatever you want with the code as long as you don’t hold the contributors liable and provide attribution. Also contains an express grant of patent rights from the contributors. Used by Android and Apache.

MIT: Simple license that lets you do anything you want with the code. The only limitations are that you must provide attribution and you cannot hold the project or contributors liable. Currently very popular, used by jQuery and Rails.

Summary

In summary, vibrant active open source projects with reasonable licenses that are compatible with your business can be a great asset. Take the time before committing to a project to make sure that its licensing will work for you.

Get Your Free WiFi From Elvis

man dressed like Elvis in front of Welcome to Las Vegas sign
Want some free WiFi?
Ah, the lure of free open WiFi! Who can resist? Avoid flakey signal from your smartphone, get faster access and avoid data usage caps. But there is no such thing as a free lunch. When Elvis offers you free WiFi it’s best to think twice, because when someone offers free WiFi it comes with a cost, usually your privacy and security.

It might be a coffee shop who expects you to buy coffee, or a hotel who wants you to stay there instead of down the street. Or maybe the hotel has decided they can additionally sell advertising to you while you’re using the “free” WiFi to make a little extra money. Like the Elvis impersonator you should know what you’re really getting into. If think you’re getting your picture taken with the real Elvis, then perhaps you deserve what you get, especially in cases where the provider is taking the role of the huckster and offering something for “free” (as in puppy) when the hidden cost is your privacy.

With open or free WiFi the risks are always there in the form of unknown others on the network. I have found as I travel that hotel WiFi for example is a constant source of machine probes and attacks. Luckily my computer is well configured and I see the attempts. In spite of that I take the paranoid view and have avoided and free WiFi for over a year, until last week that is.

I was at the IQPC sponsored ISO 26262 Functional Safety conference in Berlin speaking on automotive cybersecurity. The WiFi performance in Berlin was no worse than others both at the hotel I was staying at and the conference hotel. By which I mean that it’s aggressively mediocre at about 1.5 Mbps. This would be reasonable performance for a 2G cellular network, but seems slow for WiFi. Now the reason I’m using it is that the cellular speed I get when roaming around the world is even slower – about 128kbps. So here I am making poor security decisions based on slow network performance. There’s a lesson to be learned there and perhaps a whole article about how we make poor security decisions.

And this is where this hotel stands out different than others, at least hotels in the USA. The attacks didn’t immediately start as I’ve seen at others, for example the Hilton in Long Beach, CA. (Yes, I’m purposely shaming their insecure public WiFi) But after working for a few minutes several of my web connections started failing when they refreshed. There were complaints about needing to re-login to Outlook, Google and other apps that require authentication.

Hotel MITM 1 of 3 So I started poking by clicking the little lock icon in the URL and as it turns out they were failing because the certificate for https was suspicious.

Hotel MITM 2 of 3As you do in these situations, I took a look at the certificate by pressing the “show certificate” button. In this case the certificate was supposed to be for Office 365,MITM safe office.com but instead it was signed by… wait for it… the hotel!!! Essentially they were doing a man-in-the-middle (MITM) attack. This means they were pretending to be Microsoft by self-signing a root certificate and saying “Microsoft is who we say it is”.

Hotel MITM 3 of 3

Probably this was for some silly injection of advertising or some other annoying but not necessarily evil purpose. Remember Lenovo doing this on their computers recently? In that case it was widely published and got a cute media name “Superfish“.

For Superfish the purpose was to put ads into your browser. Lenovo pre-installed it on a bunch of their computers, presumably for some additional revenue. The problem is that once you break down the certificate trust chain with this kind of attack, you leave the user at great risk. Someone can steal their credentials and really spy on any supposedly secure communication they have. This is to say nothing of having extra ads put onto your computer.

For the record, self-signing root certificates is only acceptable in a development or testing situation. Putting untrusted certificates in the wild is dangerous since no one can rely on them. Worse yet is pretending to be a certificate authority and jumping in the middle of a transaction or communication that the users think is secure. Not only is this unethical, but it really should be illegal.

Lesson learned again… Don’t use free WiFi and always pay attention to your URL lock icon.