UCITA still haunts IT
Computerworld - WASHINGTON -- It's been called a time bomb, code capable of disabling software, and some users fear its use could become pervasive if the controversial software law UCITA succeeds.
The Uniform Computer Information Transaction Act (UCITA), due for a renewed push for state-by-state adoption next year, lets vendors include code to trigger a shutdown if, for instance, a user's license has expired.
It's a type of code that poses operational and security issues for IT, said Ken Tyminski, chief security officer at Prudential Financial in Newark, N.J. A time bomb, or a software restraint, is a potential bug that can be triggered without warning, sending business systems crashing. Or it can be activated maliciously and give hackers a back door to your network.
"That, to me, is very, very dangerous for the [insurance] industry and companies at large," Tyminski said. In response, Prudential is ensuring that its vendor contracts prevent any use of these systems.
This type of code "can cripple the business, and it can do it in a method where there has been absolutely no due process, there has been no chance at remediation, no chance at explanation," he said.
The mere existence of restraint software or time bombs also raises security issues. Robert O'Connor, director of network integration services at Pennsylvania State University in University Park, warns, for instance, that a disgruntled former vendor employee could trigger such a system. "I don't trust anything like that," he said.
This concern about software restraints in a section of UCITA called "electronic regulation of performance" underscores the ongoing fears that users have about this complex software licensing law.
UCITA's authors, the National Conference of Commissioners on Uniform State Laws, tried to appease opponents by removing a "self-help" provision that would allow a vendor to remotely disable software in a contract dispute. But that change simply shifted attention to other parts of the law.
For example, the Institute of Electrical and Electronics Engineers Inc. in New York claims that UCITA's provisions give vendors the right to build in back doors, creating a potentially dramatic shift in software licensing.
"The industry is pushing very hard to turn it into a mainframe licensing model, where you will pay for your software on a year basis," said Alan Plastow, president of the International Association of IT Asset Managers in Akron, Ohio. "That requires the use of automatic restraints or it requires the use of a metering process."
But users aren't jumping on board. Also, Microsoft Corp. has said it has no plans to use embedded self-help features.
The use of software restraints won't help vendors win contracts with large enterprises, said Steve McHale, an analyst at IDC in Framingham, Mass. But such techniques could be attractive to vendors of pricey programs, such as engineering software systems.
Critics also assail UCITA because it protects vendors from liability. The Center for National Software Studies, formed earlier this year, is examining the problems with software quality and is working on a set of recommendations. UCITA's liability-limiting provision gives vendors little incentive to worry about the consequences of mistakes, said Alan Salisbury, who heads the Camp Springs, Md.-based center.
Read more about Gov't Legislation/Regulation in Computerworld's Gov't Legislation/Regulation Topic Center.
- Securing Mobile App Data - Comparing Containers and App Wrappers Analysts agree that Mobile Device Management (MDM) is not enough when it comes to securing app data. Although it remains a critical component...
- Capabilities You Need in an IP Address Management Solution A mismanaged IP space can cripple an otherwise healthy network. Take a moment to understand what you need in an enterprise-ready IPAM solution.
- IPv6 Fundamentals IPv6 is needed to sustain the growth of the Internet. The transition from IPv4 will require planning and likely some degree of support...
- Optimize IT Performance & Availability: Four Steps to Establish Effective IT Management Baselines More than ever before, your company's ability to grow hinges on IT performance and availability. Download this how-to report on establishing IT baselines,...
- Accelerate your innovation with IBM Bluemix™ Join us for a webcast introducing the new IBM BluemixTM. IBM Bluemix (www.bluemix.net) is a developer oriented Platform as a Service (PaaS) environment...
- Maximizing Availability for the Modern Data Center Check out this information-packed resource center for help in maximizing the availability of your data center - from overcoming challenges to choosing the... All Gov't Legislation/Regulation White Papers | Webcasts