UCITA still haunts IT
Computerworld - WASHINGTON -- It's been called a time bomb, code capable of disabling software, and some users fear its use could become pervasive if the controversial software law UCITA succeeds.
The Uniform Computer Information Transaction Act (UCITA), due for a renewed push for state-by-state adoption next year, lets vendors include code to trigger a shutdown if, for instance, a user's license has expired.
It's a type of code that poses operational and security issues for IT, said Ken Tyminski, chief security officer at Prudential Financial in Newark, N.J. A time bomb, or a software restraint, is a potential bug that can be triggered without warning, sending business systems crashing. Or it can be activated maliciously and give hackers a back door to your network.
"That, to me, is very, very dangerous for the [insurance] industry and companies at large," Tyminski said. In response, Prudential is ensuring that its vendor contracts prevent any use of these systems.
This type of code "can cripple the business, and it can do it in a method where there has been absolutely no due process, there has been no chance at remediation, no chance at explanation," he said.
The mere existence of restraint software or time bombs also raises security issues. Robert O'Connor, director of network integration services at Pennsylvania State University in University Park, warns, for instance, that a disgruntled former vendor employee could trigger such a system. "I don't trust anything like that," he said.
This concern about software restraints in a section of UCITA called "electronic regulation of performance" underscores the ongoing fears that users have about this complex software licensing law.
UCITA's authors, the National Conference of Commissioners on Uniform State Laws, tried to appease opponents by removing a "self-help" provision that would allow a vendor to remotely disable software in a contract dispute. But that change simply shifted attention to other parts of the law.
For example, the Institute of Electrical and Electronics Engineers Inc. in New York claims that UCITA's provisions give vendors the right to build in back doors, creating a potentially dramatic shift in software licensing.
"The industry is pushing very hard to turn it into a mainframe licensing model, where you will pay for your software on a yearly basis," said Alan Plastow, president of the International Association of IT Asset Managers in Akron, Ohio. "That requires the use of automatic restraints or it requires the use of a metering process."
But users aren't jumping on board. Also, Microsoft Corp. has said it has no plans to use embedded self-help features.
The use of software restraints won't help vendors win contracts with large enterprises, said Steve McHale, an analyst at IDC in Framingham, Mass. But such techniques could be attractive to vendors of pricey programs, such as engineering software systems.
Critics also assail UCITA because it protects vendors from liability. The Center for National Software Studies, formed earlier this year, is examining the problems with software quality and is working on a set of recommendations. UCITA's liability-limiting provision gives vendors little incentive to worry about the consequences of mistakes, said Alan Salisbury, who heads the Camp Springs, Md.-based center.