Author: Software makers need incentives to make safer products
Is software inherently buggy and insecure, or is it imperfect because software companies have little incentive to make it less vulnerable? That's one of the central questions discussed on today's show.
The following is a lightly edited transcript of my interview with David Rice, author of Geekonomics: The Real Cost of Insecure Software.

RICE: The real cost of insecure software isn't so much the financial outlay, although it's significant. It's everything we can't do because of it. And so the real cost isn't necessarily what you pay, it's what you give up in order to get it. From an economic perspective it is disastrous because you're spending to stay in place. And when we look at how software cuts across so many different aspects of civilization, the expenditures we put out in order to protect software from exploitation are massive. That means there's lots of things we can't do.
GORDON: So when I'm in a paranoid state of mind I get to thinking the security industry has sort of a vested interest in unsafe software and perpetuating the problem. Is that a crazy thought?
RICE: I don't think it's necessarily overly paranoid. It's maybe the pragmatist view. Security vendors don't sell security. They sell products. And it's their hope, as well as it's your hope, that those products will actually do something to hinder the attacks. And to a degree they have -- we can say well, without firewalls, without antivirus, where would we be? That argument has some merit, but when we look at the overall trend, 2006 was deemed the year of cybercrime. This is after at least a decade of massive expenditures in terms of buying new firewalls, better and greater intrusion protection systems, and better and greater and more pervasive antivirus. And we still have these problems, and in fact these problems have only gotten worse. Vendors will sell you the things they think will sell very well and they think will do a certain amount of good. Every year there is a new suite of products that comes out. Why? Basically the vendors are trying to make their quarterly numbers. Whether or not it actually protects you remains to be seen.
GORDON: On the other hand I do wonder whether the problem of software security is so vexing that ultimately it's not completely fixable. We would like to make hurricanes go away, but we can't.
RICE: With software, we're not dealing with mother nature. We're doing it to ourselves. We create the software. We don't necessarily have to throw massive amounts of technology at the software issue to try to correct it. We do need to look at the incentives of the software manufacturers. They're not trying to make a product that hurts us, but in fact they are. They don't have a strong enough incentive to make a better product that can avoid what are really highly foreseeable activities on the part of malicious entities out on the Internet.
(Rice favors a tax on buggy software. We'll ask him why on the next Future Tense.)