Information Security
Bioterrorism, cyberterrorism, and natural and man-made assaults on critical network infrastructures – such as the Internet, telecommunications services, and electric power grids – are just a few of the areas that worry everyone in our post-9/11 world. In each of these areas, technology can be used both as a weapon to breach safety and security and as a tool to prevent damage. How do we decide which security measures to adopt, and do our choices reflect models of social utility and optimization? Who is responsible for developing the technology, and who is responsible if it fails? Carnegie Mellon's work in this area is led by Ashish Arora and Rahul Telang, who work alongside a campus-wide community of scholars, including Carnegie Mellon's CyLab, to study a variety of information security topics.
Full disclosure: Who’s responsible for software vulnerability reporting?
We now live in an age of "patchware." Software manufacturers routinely release products that draw the ire of customers because they are only "almost right." Then, at some later time – or often at many later times – patches are released to close the vulnerabilities.
Carnegie Mellon researchers Ashish Arora and Rahul Telang have been trying to answer the question of how the public should be informed about these vulnerabilities. It is obviously a complex issue. If you tell everyone right away, before a patch exists, you reveal the vulnerability to anyone who could exploit it. The other side argues that disclosing vulnerabilities as soon as they are found forces manufacturers to release better products in the first place, not patchware.
It is an area that has drawn the attention of everyone from the White House to companies whose vulnerabilities have been exposed. Case in point: at a recent hacker convention, a Cisco vulnerability was disclosed. Fearing that someone would take advantage of the flaw before it could be fixed, the company sued not only the discloser but the conference as well.
In this new arena, public policy, IT, security, and social responsibility converge.
IMPACT: Since no one is immune from attack, does everyone have a responsibility to report vulnerabilities to everyone else? Or are software companies within their rights, even though they released a flawed product at the outset, to block such reporting? This research will help establish common ground for the discussion.
How much real quality is there in software design?
Carnegie Mellon researchers Ashish Arora, Rahul Telang and Jonathan Caulkins have been examining the "role of the patch" in software quality, specifically asking: if a patch can be issued after release, how does that affect the development decisions about software quality made before release? Does the pressure to launch on time reduce software quality? And, if so, what incentives can be applied to encourage software manufacturers not to release "buggy" products?