[H-GEN] Selections from RISKS DIGEST 19.57

Raymond Smith raymonds at uq.net.au
Tue Jan 27 18:21:31 EST 1998


Two articles from the recent RISKS DIGEST that are relevant to HUMBUG
members. The full digest can be found at "ftp.sri.com".

I was thinking of replying to the first article as it could be seen as an
attack on free software. Can anyone remember an instance of a "trojan,
virus, or timebomb" being hidden in GPL software by another programmer?

The second article is particularly relevant to all those who are
developers on this list. I believe that within a decade there will be
tighter controls over the qualifications of professional
programmers/Software Engineers, through membership of ACS/IEAust and
government regulation.

Raymond Smith

---
raymond at humbug.org.au


---------- Abridged message ----------
Date: Mon, 26 Jan 1998 14:48:42 -0800 (PST)
From: risks at csl.sri.com
To: risks at csl.sri.com
Subject: RISKS DIGEST 19.57

------------------------------

Date: Thu, 22 Jan 1998 21:43:24 -0500
From: John Wilson <jowilson at mtu.edu>
Subject: Possible Netscape source code risks

As many of you already know, Netscape is releasing the source code to
Communicator 5.0 by the end of Q1 1998.  I wonder how many Trojan horses will
have to be dealt with then.  "Oh, look, the latest version of Netscape
... click here."  Possibilities include tracking software built in the
browser, routines to copy personal information, including credit card
numbers, as well as the more "mundane" risks of simple file deletion/disk
wiping.

Netscape plans to make new versions out of developer improvements as well --
which leads to the possibility of disgruntled developers slipping in nasty
things into so-called bugfixes.

--John Wilson -- jowilson at mtu.edu

------------------------------

Date: Mon, 19 Jan 1998 18:55:46 -0500 (EST)
From: Don Gotterbarn <gotterba at Access.ETSU.Edu>
Subject: Re: Software Engineering Code of Ethics

Putting the Best Face on it--the real crisis.

An eighteen-year-old with no computer training declares herself to be an
experienced software engineer.  Many large expensive software projects are
never implemented, or are implemented in a way that causes significant errors.

This state of affairs has been characterized by the cosmetic phrase
"Software Crisis".  This phrase is cosmetic in the same way as describing a
programming mistake I am responsible for as a "bug" is cosmetic.  Bugs just
seem to crawl into software -- I am not responsible.  The "software crisis" is
a state of affairs that just is.  If we remove the cosmetics from the phrase
"software crisis" we reveal the truth which might better be described as the
"software engineering crisis".  This crisis is best characterized by a
satisfaction with a Capability Maturity Model level 1 approach to software
development and the assertion that Software Engineering is still an immature
discipline with no standards.  Life is easy when there are no expectations
and standards.  Fortunately, software professionals are no longer willing to
use this make-up.  Software Engineering has a significant impact on society
and ought to adopt professional standards.

The IEEE Computer Society and the ACM established a Joint Steering Committee
for the Establishment of Software Engineering as a profession.  One task
force they established, the task force on Software Engineering Ethics and
Professional Practices (SEEPP), was to document the ethical and professional
responsibilities and obligations of software engineers.  The task Force
membership was international, spanning 15 time zones, with representation
from industry, the military, academe, and the legal profession.  The Task
Force has developed a Code for a sub-specialization within the
constituencies of both organizations and for the profession itself.

But the Code is much more than that.  The goal of the IEEE-CS/ACM Steering
Committee was to Professionalize Software Engineering.  Software engineering
as a discipline has particular idiosyncratic needs, as described in the
details of the Code.  The success of this effort to articulate the
professional responsibilities of software engineers has already been
recognized. The Texas Board of Professional Engineer's Licensing Committee,
in a recent meeting that addressed the subject of professional registration
of software engineers, recognized software engineering as a new discipline
with its own foundations and unique body of knowledge.  They also expressed
high regard for the Code of Ethics and Professional Practice.  Specificity
of practice is the key to the elaborated Code.

The discussion by the Texas Board of Professional Engineer's Licensing
Committee is but one example of significant discussions outside of the
professional societies about the status of Software Engineering.  The
attempt to address concerns about the quality of software products and the
talent of the software engineer on a local, regional, or national basis is a
mistake. The professionalization of software engineering requires a Code
that is international and that can be adopted by professional organizations,
industry, and individual professionals.  The Software Engineering Code of
Ethics and Professional Practice straddles the ACM/IEEE-CS gulf, and differs
enough from both the ACM and IEEE's more general codes to attract attention
from non-organizational types (like industries).  From the evidence, the
Code seems to have accomplished both of these goals.  The Code has received
support from numerous countries including Australia, Canada, Czechoslovakia,
Egypt, Germany, India, Ireland, Netherlands, United Kingdom, United States,
and Uruguay. Most items of the Code surveyed had better than 95%
support. This indicates that the Code enjoys an international consensus.  It
also has received support from numerous industries, from large
multinationals to small software development firms.  The Software
Engineering Crisis is in part due to a failure to stand up for professional
practices and accept responsibility for our work.  The Code can function as
an ethical charter for the profession. Such a Code can be used to aid in
decision making and as a means to educate the public, managers, trainees and
practicing professionals about professional standards and professional
responsibility.  The joint support of this development effort by the ACM and
the IEEE-CS shows the public that different organizations within the same
industry can cooperate, and makes it easier for professionals to understand
what their obligations are.  The general acceptance of the Code also
provides an explicit standard of good software practices against which
current practices can be measured.

The Code (www-cs.etsu.edu/seeri/secode.htm,
www.computer.org/tab/seprof/code.htm, and www.acm.org/serving) has been
forwarded to the leadership of the ACM and the IEEE-CS.
For further information contact Don Gotterbarn at gotterba at etsu.edu .
Computer and Information Sciences, East Tennessee State University
Box 70711, Johnson City, TN  37614-0711   1-423-439-6849 

------------------------------

Date: 1 Apr 1997 (LAST-MODIFIED)
From: RISKS-request at csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) 
 if possible and convenient for you.  Or use Bitnet LISTSERV.  Alternatively,
 (via majordomo) DIRECT REQUESTS to <risks-request at csl.sri.com> with one-line, 
   SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or
   INFO     [for unabridged version of RISKS information]
=> The INFO file (submissions, default disclaimers, archive sites, .mil/.uk
 subscribers, copyright policy, PRIVACY digests, etc.) is also obtainable from
 http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
 The full info file will appear now and then in future issues.  *** All 
 contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks at CSL.sri.com with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
 ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
   [volume-summary issues are in risks-*.00]
   [back volumes have their own subdirectories, e.g., "cd 18" for volume 18]
 or http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
 The ftp.sri.com site risks directory also contains the most recent 
 PostScript copy of PGN's comprehensive historical summary of one liners:
   get illustrative.PS

------------------------------

End of RISKS-FORUM Digest 19.57 
************************

----------------------- HUMBUG General List --------------------------------
echo "unsubscribe general" | mail majordomo at humbug.org.au # To Unsubscribe