Our biggest problem is not the lack of books explaining in detail the fragility of our software-driven world; it is the fact that nobody reads them. Of course, every so often one of those titles rises to the top of The New York Times bestseller list, some celebrity adds it to their list of favorite books, the author spends a year promoting the book on a few talk shows here and there, and might even give some sold-out conference talks outside their home country. They might even make a living out of said book. But as soon as a new shiny gizmo appears on the horizon, all the concerns raised by their work fade into obscurity, the state of the world degrades a bit more, and we are back in the starting blocks scratching our armpits and screaming like monkeys.
This has happened quite a few times in our modern literary history. We can enumerate some examples: “Cybersecurity and Cyberwar: What Everyone Needs to Know” (2014) by Peter W. Singer and Allan Friedman; “Click Here to Kill Everybody: Security and Survival in a Hyper-connected World” (2018) by Bruce Schneier; “The Art of Invisibility” (2017) by the late Kevin Mitnick; “Code Version 2.0” (2006) by Lawrence Lessig; “The Age of Surveillance Capitalism” (2019) by Shoshana Zuboff; and finally the subject of this month’s Library article, David Rice’s 2007 “Geekonomics: The Real Cost of Insecure Software”.
The catchy title surfed over the popularity of a 2005 bestseller called “Freakonomics: A Rogue Economist Explores the Hidden Side of Everything” by Steven Levitt and Stephen J. Dubner, which has since evolved into a complete franchise including more books, films, podcasts, and who knows what more.
The -onomics suffix has since become a common fixture of any book, software, website, or think tank that brings the complexity of our modern world into the layman's realm. Hence we now have Leadonomics, Quickonomics, Clearnomics, Priceonomics (“In Data We Trust”), Growth-onomics, Eco-nomics (pay attention to the dash in the name), DBnomics, Date-onomics, Stronomics (whatever that is), IBM Turbonomic, Egg-onomics (love the pun), and other idiocies. Do not worry, we will not rename this magazine “Programmeronomics” or anything like that, no matter how big the temptation is.
“Geekonomics”, then, provides an insightful yet frightening view of the fragility of the world in 2007. Let us think about that for a minute: this book was released before the 2008 financial crisis, before the App Store, before Uber and Airbnb, before Cambridge Analytica, before Zero-Trust architectures, before the pandemic, before ChatGPT. I know for a fact that many younger readers of this magazine were barely able to read when this book came out.
So, here we are in the future, 18 years after the publication of this book, and yes, our world has visibly deteriorated (not only environmentally, but politically, socially, and economically), and this situation is, to a large degree, driven by software.
The author, David Rice, worked in the US government (for what it is worth), taught at James Madison University, and served as Executive Director of The Monterey Group, a consulting firm for which I could not find any current references. He was hired by Apple in 2011 to lead their security efforts, where he is still employed at the time of this writing according to his LinkedIn profile.
“Geekonomics” exposes and develops five major ideas.
First, that software is a public hazard; this includes, but is not limited to, web applications running on PHP 5.0 that have not had a serious security review since 2004, like for example this little-known thing that nobody uses called Facebook.
Second, that security is an afterthought in the software market, and, let us be honest, we have all witnessed some manager dropping security reviews or activities because of budget constraints.
Third, that end-user license agreements or EULAs are a cancer. As Microsoft states in the OEM Windows 11 EULA,
Disclaimer. Neither Microsoft, nor the device manufacturer or installer, gives any other express warranties, guarantees, or conditions. Microsoft and the device manufacturer and installer exclude all implied warranties and conditions, including those of merchantability, fitness for a particular purpose, and non-infringement.
Fourth, that cyberattacks and downtime are costing us lives, freedom, work, and sanity (the author prefers to use the more business-palatable expression “billions of dollars” to explain catastrophe after catastrophe, but the core idea is the same).
Fifth, the author reminds us that there are other sectors that do have regulations, like, you know, the automotive or health industries, as explained in the section titled “A Matter of Trust” of chapter 4:
Trust matters when it comes to systems; physical, digital, or otherwise. And mistrust in infrastructure has significant consequences. Trust derives from consistent stable performance, which in turn is derived from standards of design, construction, and skill.(…)
There also happens to be considerable oversight, standards, and regulations placed on each of these elements. Car accidents certainly happen and will continue to happen regardless of standards and regulations, but the safety odds are with the drivers. On the Internet, the odds are decidedly against software users.
Finally, the author proposes some concrete solutions for a more secure software ecosystem, like introducing legal liability for software defects (using the framework of Tort Law as a basis) and actually implementing economic incentives so that companies have to start giving a shit about security.
Needless to say, it seems like this book was never published. Like it does not exist. People read this book, nodded in approval and shook their heads in dismay, left five stars on Amazon, and went back to play with their nerf guns across cubicles.
I have often denounced in the pages of this magazine the shameful and cowardly complicity of many of my peers in this state of things. I do not see hordes of software developers dropping their cozy jobs in questionable organizations involved in privacy violations, massacres, corruption, or software defects; I do not see them joining worker unions, supporting their peers who have been laid off; I do not see them denouncing in public the atrocities committed thanks to the very software they have been tasked to write.
Approving this collective pact of mediocrity and ignominy, programmers who have had their ethics neuron surgically removed through PlayStation abuse scream the famous mantra “let us not talk politics here” all over the world, jumping yet again into a heated debate on Reddit about “tabs versus spaces” or “Rust versus Go”.
Each one of us, as a member of the software industry, has an ethical duty to release privacy-respecting, secure, and maintainable code. In that order. “Geekonomics” will certainly give you enough arguments to convince your manager and to get that security budget approved. And if they do not, I hope you will know what to do next.
In other words, TL;DR: Please give a shit.
Cover photo by the author.