The New School of Information Security
by Adam Shostack; Andrew Stewart
Security Metrics: Replacing Fear, Uncertainty, and Doubt
by Andrew Jaquith
The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws
by Dafydd Stuttard; Marcus Pinto
Network Warrior, 1st Edition
by Gary A. Donahue
Fuzzing: Brute Force Vulnerability Discovery
by Michael Sutton; Adam Greene; Pedram Amini
Hacking: The Next Generation, 1st Edition
by Nitesh Dhanjani; Billy Rios; Brett Hardin
CCIE Professional Development Series Network Security Technologies and Solutions
by Yusuf CCIE No. 9305 Bhaiji
Kerberos: The Definitive Guide, 1st Edition
by Jason Garman
“The clarity of David’s argument and the strength of his conviction are truly inspiring. If you don’t believe the world of software affects the world in which you live, you owe it to yourself to read this book.”
–Lenny Zeltser, SANS Institute faculty member and the New York Security Consulting Manager at Savvis, Inc.
“Geekonomics stays with you long after you finish reading the book. You will reconsider every assumption you have had about software costs and benefits.”
–Slava Frid, Gemini Systems, CTO, Resilience Technology Solutions
“Information Security is an issue that concerns governments, companies and, increasingly, citizens. Are the computer systems and software to which we entrust our sensitive and critical information, technologies that are out of control? David Rice has written an important and welcome book that goes to the heart of this issue, and points to solutions that society as a whole needs to debate and embrace.”
–Nick Bleech, IT Security Director, Rolls-Royce
“If you are dependent upon software (and of course, all of us in the modern world are) this book is a fabulous discussion of how and why we should worry.”
–Becky Bace
The Real Cost of Insecure Software
• In 1996, software defects in a Boeing 757 caused a crash that killed 70 people…
• In 2003, a software vulnerability helped cause the largest U.S. power outage in decades…
• In 2004, known software weaknesses let a hacker invade T-Mobile, capturing everything from passwords to Paris Hilton’s photos…
• In 2005, 23,900 Toyota Priuses were recalled for software errors that could cause the cars to shut down at highway speeds…
• In 2006 dubbed “The Year of Cybercrime,” 7,000 software vulnerabilities were discovered that hackers could use to access private information…
• In 2007, operatives in two nations brazenly exploited software vulnerabilities to cripple the infrastructure and steal trade secrets from other sovereign nations…
Software has become crucial to the very survival of civilization. But badly written, insecure software is hurting people–and costing businesses and individuals billions of dollars every year. This must change. In Geekonomics, David Rice shows how we can change it.
Rice reveals why the software industry is rewarded for carelessness, and how we can revamp the industry’s incentives to get the reliability and security we desperately need and deserve. You’ll discover why the software industry still has shockingly little accountability–and what we must do to fix that.
Brilliantly written, utterly compelling, and thoroughly realistic, Geekonomics is a long-overdue call to arms. Whether you’re a software user, decision maker, employee, or business owner, this book will change your life…or even save it.
The Alarming Cost of Insecure, Badly Written Software...
and How to Finally Fix the Problem, Once and for All!
Six billion crash test dummies: why you’re at greater risk than you ever imagined.
You pay the price: why consumers are legally and financially responsible for the mistakes of software manufacturers.
Broken windows: how software promotes epidemic cyber crime and threatens national security.
Who runs the show?: Why software manufacturers fought against the U.S. Food and Drug Administration’s attempts to protect the U.S. blood supply.
Protecting national infrastructure: real incentives for transforming software manufacturing.
Surviving the information superhighway: practical, must-read advice in a world of insecure code.
Preface xiii
Acknowledgments xix
About the Author xx
Chapter 1: The Foundation of Civilization 1
Chapter 2: Six Billion Crash Test Dummies: Irrational Innovation and Perverse Incentives 19
Chapter 3: The Power of Weaknesses: Broken Windows and National Security 73
Chapter 4: Myopic Oversight: Blinded by Speed, Baffled by Churn 131
Chapter 5: Absolute Immunity: You Couldn’t Sue Us Even If You Wanted To 179
Chapter 6: Open Source Software: Free, But at What Cost? 243
Chapter 7: Moving Forward: Rational Incentives for a Different Future 273
Epilogue 321
Notes 325
Index 341
Average Amazon.com® Rating: based on 9 ratings
Eloquently shows the dangers and expenses of insecure software - 2008-01-21
First the good news -- in a fascinating and timely new book Geekonomics: The Real Cost of Insecure Software, David Rice clearly and systematically shows how insecure software is a problem of epic proportions, both from an economic and safety perspective. Currently, software buyers have very little protection against insecure software and often the only recourse they have is the replacement cost of the media. For too long, software manufacturers have hidden behind a virtual shield that protects them from any sort of liability, accountability or responsibility. Geekonomics attempts to stop them and can be deemed the software equivalent of Unsafe at Any Speed. That tome warned us against driving unsafe automobiles; Geekonomics does the same for insecure software.
Now the bad news -- we live in a society that tolerates 20,000 annual alcohol-related fatalities (40% of total traffic fatalities) and cares more about Britney Spears' antics than the national diabetes epidemic. Expecting the general public or politicians to somehow get concerned about abstract software concepts such as command injection, path manipulation, race conditions, coding errors, and myriad other software security errors, is somewhat of a pipe dream.
Geekonomics is about the lack of consumer protection in the software market and how this impacts economic and national security. Author Dave Rice considers software consumers to be akin to the proverbial crash test dummy. This combined with how little recourse consumers have for software related errors, and lack of significant financial and legal liability for the vendors, creates a scenario where computer security is failing.
Most books about software security tend to be about actual coding practices. Geekonomics focuses not on the code, but rather how insecurely written software is an infrastructure problem and an economic issue. Geekonomics has 3 main themes. First -- software is becoming the foundation of modern civilization. Second -- software is not sufficiently engineered to fulfill the role of foundation. And third -- economic, legal and regulatory incentives are needed to change the state of insecure software.
The book notes that bad software cost the US roughly $180 billion in 2007 alone (Pete Lindstrom's take on that dollar figure). Not only that, the $180 billion might be on the low end, and the state of software security is getting worse, not better, according to the Software Engineering Institute. Additional research shows that 90% of security threats exploit known flaws in software, yet the software manufacturers remain immune to almost all of the consequences of their poorly written software. Society tolerates 90% failure rates in software due to its unawareness of the problem. Also, the huge amount of software problems entices attackers who attempt to take advantage of those vulnerabilities.
The book's 7 chapters are systematically written and provide a compelling case for the need for security software. The book tells of how Joseph Bazalgette, chief engineer of the city of London, used formal engineering practices in the mid-1800s to deal with the city's growing sewage problem. Cement was a crucial part of the project, and the book likens the development of secure software to that of cement, which can withstand decades of use and abuse.
One reason software has significant security vulnerabilities, as noted in chapter 2, is that software manufacturers are primarily focused on features, since each additional feature (whether it has real benefit or not) offers a compelling value proposition to the buyer. But on the other side, a lack of software security functionality and controls imposes social costs on the rest of the populace.
Chapter 4 gets into the issues of oversight, standards, licensing and regulations. Other industries have lived under the watchful eyes of regulators (FAA, FDA, SEC, et al) for decades. But software is written removed from oversight by unlicensed programmers. Regulations exist primarily to guard the health, safety and welfare of the populace, in addition to the environment. Yet oversight amongst software programmers is almost nil and this lack of oversight and immunity breeds irresponsibility. The book notes that software does not have to be perfect, but it must rise to the level of quality expected of something that is the foundation of an infrastructure. And the only way to remove the irresponsibility is to remove the immunity, which lack of regulation has created a vacuum for.
Chapter 5 gets into more detail about the need to impose liability on software manufacturers. The book's premise is that increased liability will lead to a decrease in software defects, will reward socially responsible software companies, and will redistribute the costs consumers have traditionally paid for protecting software from exploitation, shifting it back to the software manufacturer, where it belongs.
Since regulations and the like are likely years or decades away, chapter 7 notes that short of litigation, contracts are the best legal option software buyers can use to leverage in addressing software security problems. Unfortunately, most companies do not use this contractual option to the degree they should, which could benefit them.
Overall, Geekonomics is an excellent book that broaches a subject left uncharted for too long. The book though does have its flaws; its analogies to physical security (bridges, cars, highways, etc.) and safety events don't always coalesce with perfect logic. Also, the trite title may diminish the seriousness of the topic. As the book illustrates, insecure software kills people, and I am not sure a corny book title conveys the importance of the topic. But the book does bring to light significant topics about the state of software, from legal liability, licensing of computer programmers, consumers' rights, and more, that are imperatives.
It is clear the regulations around the software industry are inevitable and it is doubtful that Congress will do it right, whenever they eventually get around to it. Geekonomics shows the effects that such lack of oversight has caused, and how beneficial it would have been had such oversight been there in the first place.
To someone reading this review, they may get the impression that Geekonomics is a polemic against the software industry. To a degree it is, but the reality is that it is a two-way street. Software is built for people who buy certain features. To date, security has not been one of those top features. Geekonomics notes that software manufacturers have little to no incentive to build security into their products. Post Geekonomics, let's hope that will change.
Geekonomics will create different feelings amongst different readers. The consumer may be angry and frustrated. The software vendors will know that their vacation from security is over. It's finally time for them to get to work on fixing the problem that Geekonomics has so eloquently written about.
Important Topic Dragged Into Excessive Tangents - 2008-01-17
In the interest of full disclosure, I work for a large multi-national software company and of course this book appealed to my professional interest.
Before my purchase I explored using the "Look Inside" feature and decided to order. The statements on the cover, the reviews and promises of "How to finally solve the problem" were promising and I was excited to receive my Amazon package.
The first chapter is a lengthy discussion on concrete and its use in the London sewer system. Interesting but off topic. I assume that this was to set the stage for the rest of the book. As another reviewer noted, and seemed to enjoy, the book is a series of constant references and metaphors for software. Unfortunately, Mr. Rice spends large portions of the chapter explaining the details of the metaphor, not how it relates to software. The use of metaphors is usually to help make a point without having to explain all the nuances of the metaphor. If this is needed, it is usually better to just explain your point and leave the metaphor out.
This entire book, at around 360 pages, feels very early on like a one-hundred-pager that has been stretched to its length purely for the sake of making the book longer. The chapter dealing with US law is a bore and not necessary to the author's argument. Talking about software and how it could be affected by the law would have saved my time and his.
The last few chapters finally start to talk about software and Mr. Rice finally starts getting to the point, but he relentlessly references his early chapters. When doing so, instead of just saying "As discussed in Chapter 2" he insists on "As discussed in Chapter 2: The start of the boredom and my thoughts on the US Interstate with a vague reference to how roads and cars are like software", needlessly adding to the pain of reading.
One other nit-pick about the formatting: There is use of sidebars throughout the book, which normally I am fine with. Unfortunately, they are usually right beside the original text, and end up being duplicate reading (another lengthener?). They fail to help illuminate the point, possibly because the first 80% of this book only dances around the point.
Overall, this book was disappointing. The overall point is good and I do agree with the author, but this was a painful read. To read this book was like talking to that one guy in the office that can't take a hint that you need to go and continues the conversation for his own benefit.
Save your $30.00 as one line can sum up the argument here and save you from having to read a painfully monotonous book (spoiler alert!): Software producers currently take no legal obligation for their products and a mixture of legislation and the court system should be used to keep them in check.
Lots to Think About - 2008-01-05
Anyone that knows me at all can tell you that I am not a fan of Fear, Uncertainty, and Doubt (FUD) in making the case for effectively managing risk. As a professional in the information security business, it is all too easy to use FUD as the "easy way out" when trying to convince people of the severity of vulnerabilities and so on. I am pleased to say that David does not employ this tactic in his book. He makes a very reasoned case, building it with example after example of how poorly software is constructed and how deep the rabbit hole goes in software manufacturers' efforts at liability avoidance.
So far, the reviewers of this book are all "security people". Please know that there are caveats to such reviews - namely, we are always looking for the "aha" publications that tell the rest of the world what we have known for a while now. This is one of those, and it may very well be the first I've really enjoyed while trying to put myself in the shoes of the "average computer user" in the world today. My usual way of doing this is by asking myself "Will my mom understand this?" I'm very pleased to report that my mom could in fact "get" the big picture David is painting here - namely, that software is something we are relying on as a critical part of society today, and it is just as fundamentally flawed as the early sewer systems he describes early in the book.
What's great about this book, aside from the points already articulated by the other reviewers, is that it takes a problem we all know exists (most software is crappy) and forces you to look at it from a number of different angles. How many books do you read in a year that actually cause you to ask yourself questions? Probably very few, I'd guess. This is a book that challenges you to think about things differently; for instance, a Windows system crashing is not just a "Blue Screen of Death" on your home PC, it's now a critical system controlling a local power grid that just went down. It's not just a poorly-written piece of Web server software, it's a perfectly viable avenue of electronic data theft. And by the way, this little problem affects every one of us. Bravo, David, you've done a great job here. I tend to agree with Richard Bejtlich that a "vulnerability tax" is somewhat infeasible, but at least we're having some interesting conversations. Change usually stems from these, and change is exactly what's on the menu.
Comprehensive - 2008-02-25
This book offers one of the most comprehensive and rational arguments for fundamental changes to the way software is developed and made commercially available. In addition, the author provides several alternatives for these fundamental changes to the business of providing software, along with a recommended approach that is practical and thoughtful.
Should read if ... - 2008-06-14
Nutshell review - Should be required reading for all software developers and managers of software development teams. An excellent insight into the problems and consequences of insecure and poor quality software.