Yes, good morning. I'm glad that so many of you are here in the audience. For this talk I first have to do a bit of expectation management, because last year I gave a different talk, about TCP minimisation, and it was a bit technical, more for programmers. That talk was rejected, so I tried again this year. But I didn't want to repeat the same submission, so I submitted a different talk. That was the one that got accepted, and I prepared it rather quickly. It's more of a train of thought than a structured presentation. I hope it will help. So, let me begin.

There are many ways to arrive at the conclusion, but I'll take you along mine. I started relatively early in my career, and I decided that I couldn't work on software where lives depend on it, like medical devices, nuclear power, the military. But then I met someone who writes code for nuclear reactors, and he said it's really, really easy. So even if the people who know their limits decline, somebody else will do it. That isn't supposed to be a generalisation; I've also met people who aren't like that, but these people exist. So the problem is how you learn to program. It isn't really a course; you just go around and test the limits. That means you can't know these limits beforehand, because finding them is exactly the point. That means that everyone who has limits is always working right at the boundary. When people write software, that's where they go, and then the technology that rolls out of that boundary isn't just poorly understood in general; it's exactly the technology this person has barely understood. That's a problem. And it gets amplified further.
Then we would wish that the software I just described gets made better. But that's not what happens. What happens is that we write bigger software and keep working at the limit. I believe that isn't a technical problem; it's a problem with people. It's what evolution made us. We have to learn to judge this. I have a theory. The theory is that people see their environment as an optimisation process and look for the highest points, and they don't do that in a very precise way; they have to make assumptions. When the road gets icy, we hit the brakes, then wait until it's that bad again, then we brake again. That isn't just about braking, it's about drivers in general: we have a map in our heads. Where is the limit, where do we have to turn back? We ignore it because, even though it isn't very pretty, there's also the chance of speed: we accelerate, and then we hit the brakes again. When we look something up in a dictionary or a phone book, we make an assumption about where it is, and if we went too far, we go back. We assume the map is over here. We have smooth transitions here, which is called gradient descent: you always try, and the first chance to notice is when you've gone too far. If I went forward, I can go back. It doesn't work well if you went much too far, and that's the same thing. The second problem is that you can't roll back. That's also something we have in software development. There are these problems where you leave the path and then can't get back out again, like a diet or a gaming addiction. In software development, or in project management, we've already invested so much that we can't go back now. Security doesn't work the same way. It could perhaps, but it doesn't.
That's probably the foundational problem in situations where you can't go back because the data is gone. Complexity is also a gradient. It feels like a gradient, but it really isn't. It feels like we have everything under control, and when we realise we don't, we can't go back. The data is gone as well; it's a step, not a gradient. That's the point, and then it's too late. The conclusion is that complexity is evil. We realise it too late, we got there too fast, and we have to do something about it. The cost falls on our customers, professionally, or on our users, and also on our future. That's why you very rarely find older software developers who are really happy. That's the first thought that pushed me in this direction.

The second thought, for which I'll take the GNU Manifesto, or rather the original announcement. The announcement said: we're making Unix programs, but we won't do the same as Unix, we'll add all the conveniences. That's a very loaded word. But that's the process many people follow: oh, we could just add that too. What's missing is a corrective. I had the realisation, when I looked at projects, that it was only a checkout. On my own web server I have a .gdbinit, a configuration file for the GNU debugger. It says, for example, that when I want to debug the program, start it with these parameters, and there I make sure that I'm not using port 80 but port 8050.
And one day GDB started warning that it would no longer load this .gdbinit file, because it sits in a folder that isn't trusted. And that's a case of correcting something after the fact. They realised that their configuration file had become so powerful that it's a security risk, so they thought about it and closed it down. And the result is that it's more broken now, and it was very annoying for me. You can give it an automatic way to allow it, but that was what I realised for the first time, a few years ago, I don't know exactly when. There was a similar case with Vim. It's an editor I use very often. You can put something like a comment into the last few lines of a file to set a few config options, for example the tab stop. But the parser had a security problem, so it was possible to create a file that executes code when it's opened in Vim. That isn't what they wanted with that feature, but it's the same problem in green.

You can generalise this problem. Generalisation is good, but not in software. We have this example here. Say we have a CSV file with trouble tickets, and we're interested in the fourth column. It looks like this. I want to sum the fourth column. First I use cut; we have Unix. It filters, and the first line has to go, so with tail I can skip the first line. Then I have to compute the sum. If a field isn't a number, it's a string. Then it's clear that cut isn't a problem, and tail isn't either; tail doesn't parse. But bc fails spectacularly, because bc is programmable: the field could be the Ackermann function, for instance. Then bc gets fed our string. It makes sense to introduce a concept here: cut and tail don't parse, but bc does. That's what I thought, and I thought I could talk about that.
It isn't efficient. There are a few things that concern this distinction. Let's formulate it like this: the software is harmless if the inputs can't lead to unexpected behaviour, random inputs included. It's a pity that bc isn't harmless. We could say, we'll use awk instead. That looks better. But is it harmless? It isn't harmless; it's a different form, but it isn't harmless either. You can change the code and call into the OS. I now have to check the code I put on the command line. In the industry that's a problem. The gaming industry now uses interpreters: there are interpreters in the gaming industry for the business logic, not the AI, but small scripts; they can write this small logic in a scripting language. The scripting interpreter is Lua. It's harmless: it can't do anything you haven't allowed it to. It can't spawn shells, can't open files, unless you allow that. Then I don't have to think about this topic any more; I've only delegated it. That's not my problem. But I think this is something we should think about in general.

And before we read the programs, this is another kind of harmlessness. Before, harmlessness meant that the input can't produce unexpected output; now the program itself can produce it. That's a problem. One aspect of harmlessness is that the programs can't produce unexpected output. bc can run indefinitely. awk can do other things. GNU awk can't spawn shells, but awk can call into the OS. That isn't a problem by itself, but now it isn't harmless any more. Bash can also open sockets; I don't know how many of you knew that. It goes further. After awk came Perl. Perl can do eval. That's one of the biggest holes you can have in an OS.
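As an added illustration of the cut/tail/bc point above (this is editorial example code, not from the talk), the following Python stands in for the Unix pipeline: one summation treats the fourth column purely as data and rejects anything that is not a number, the other hands every cell to an interpreter, the way bc does. Python's eval plays the role of bc here; the CSV rows and the hostile cell are constructed for the example.

```python
import csv
import io
from decimal import Decimal, InvalidOperation

# Constructed sample data (not from the talk): a ticket export whose fourth
# column holds the hours booked per ticket.
TICKETS_CSV = """id,title,assignee,hours
1001,Login page broken,alice,2.5
1002,Slow report export,bob,4
1003,Typo in footer,carol,0.5
"""

# Records whether attacker-controlled text was ever executed.
SIDE_EFFECTS = []

# A hostile record: the "hours" field is a program, not a number.
HOSTILE_ROW = "1004,Mailer crash,mallory,SIDE_EFFECTS.append('executed') or 0\n"


def sum_column_harmless(csv_text: str, column: int) -> Decimal:
    """cut/tail style: the column is data. Parse it as a number, nothing else."""
    reader = csv.reader(io.StringIO(csv_text))
    next(reader)  # drop the header line, like `tail -n +2`
    total = Decimal(0)
    for lineno, row in enumerate(reader, start=2):
        cell = row[column - 1].strip()
        try:
            total += Decimal(cell)
        except InvalidOperation:
            # Reject instead of interpreting: this is the harmless choice.
            raise ValueError(f"line {lineno}: {cell!r} is not a number")
    return total


def sum_column_useful(csv_text: str, column: int) -> float:
    """bc style: each cell is handed to an interpreter. Any cell may be a program."""
    reader = csv.reader(io.StringIO(csv_text))
    next(reader)
    total = 0.0
    for row in reader:
        # The bug, on purpose: untrusted data reaches a Turing-complete evaluator.
        total += float(eval(row[column - 1], globals()))
    return total


def demo():
    """Run both variants on the export with the hostile row appended.

    Returns (error from the harmless variant, total from the useful variant,
    list of side effects the hostile cell managed to trigger).
    """
    data = TICKETS_CSV + HOSTILE_ROW
    try:
        sum_column_harmless(data, 4)
        harmless_error = None
    except ValueError as exc:
        harmless_error = str(exc)
    useful_total = sum_column_useful(data, 4)
    return harmless_error, useful_total, list(SIDE_EFFECTS)


if __name__ == "__main__":
    print(sum_column_harmless(TICKETS_CSV, 4))
    print(demo())
```

The harmless variant refuses the hostile row with an error that names the line; the useful variant happily returns the same total of 7 and, on the way, runs whatever the fourth column contained.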
You can also look at browsers. Let's look at Netscape. Netscape had the choice between useful and harmless several times and always chose useful. I don't know who remembers the Flash plugin. But above all, everyone had RealPlayer, and the Acrobat plugin existed. And all of that was shit, because it was all native code that could do everything the OS allowed. It was very useful, but also very dangerous. That was a choice they made. The actual point is not just to remind you of these programs, but that it's a real problem what such a program is able to do. The next iteration was that we do everything in JavaScript. That looked better at first. But then JavaScript was given enough rights and privileges to do real harm. And then it turned out that most people already have their important data in the browser, and that's enough to do real harm. So that had to be corrected. Chrome is restricting the adblockers in order to protect against other things, and we have the same problems. Now under Windows, I don't know who uses it, we have the problem with Microsoft now. There's a tool whose only function is to list the programs in the system, and the point isn't how it gets there or the size of the scroll bar, but how many plug-ins there are, and those are all the options for how plug-ins can get into the system. And nobody has an overview, because there are too many. And that's a problem. They say, if the bug isn't that important, then I'll fix it later, which actually means never. So I tried to coin the term bug wave. It comes from the sales industry; it's a pun, but it hasn't caught on yet. It's a dump where bugs go to die. And I have the bug ID of 15 million, no, 1.5 million, which is a bad idea, but at least I have one. It isn't particularly bad.
It's just an open tracker, so I can look it up. Every Firefox bug from 2003 has an ID in the meantime. And when we look at the numbers, we can see that it grows exponentially. And it's not as if the bugs go away. At some point I found two big events where bugs get closed in bulk, namely when there's a new release; that's when all the old bugs get closed and dumped. That's the growth.

Unimportant bugs will never be fixed, so everyone calls all their bugs important so they get fixed. So now the important bugs aren't fixed any more, because there are too many, so now people call their bugs security bugs. So now we have a wave of security bugs, and now the heckling begins: is it really a security bug, or is it just a crash? And the point of all this is that this is an unholy alliance with another trend. Companies see that there are so many bugs that the goal cannot be to get rid of them all; instead they establish metrics. They say, well, we're doing fuzzing. In itself not a bad idea, but it's not for finding all bugs, it's just the first step on a long road. But it's a nice metric you can get out of it: we did this in this test, and now we don't really know whether it's better or worse than before. And then there's bug bounties, which I personally find are bullshit; that's so the PR people, public relations, can say, well, we're doing something, this works. And that's bullshit. And the rest of the industry just did mitigations: we're not closing the bugs, but we make them more difficult to exploit. And now I have to eat my hat, because actually it's working, but there are side effects. I don't know if I have time for anecdotes, because time is tight. I once met the guy who handles the Internet Explorer bugs, and I met him because I filed 50 bugs, and he said, well, 35 of those I knew before. And I said: what?
The guy looked like Gollum in a cave; he was 30 and looked like late sixties. And he said, well, so many bugs come in here, we have no chance of closing them, we're just collecting them. This has got better by now, and Microsoft isn't doing nothing; these are only examples. This applies to all the companies: nobody is really closing bugs any more. And then there was another thing I couldn't talk about for years, but now I can, because they published it themselves. They noticed that they had a lot of memory exception bugs because the heap wasn't really freed, and now they've built something where it isn't freed but put into a list, and then it runs over the stack and looks for pointers that point into this list, and doesn't free those. So it's a terrible hack, I would be ashamed to talk about it, but Microsoft uses this for a metric now, and the Chrome people said, well, this looks amazing. And that's the state of the art of how the industry works now.

The problem is that bugs are only accepted as a security problem if there's an exploit. That's not in every industry, but in many: if you don't have an exploit, it isn't accepted as a serious bug, and only accepted security bugs are ever fixed. So bugs just lie open because you couldn't prove that it's a proper bug. And because they're fixing things by making exploitation more difficult, it's more and more difficult to really prove that it's a bug. That doesn't mean that no bug is ever closed, because apparently some programmers have some honour; nobody wants to build the bridge in Genoa that then at some point breaks down catastrophically. But there's a cascade of problems in reality. For me, what follows is that reactive security doesn't work. I've been saying for a long time now that with viruses and malware it doesn't really work like that; I'm calling antivirus software snake oil. And the whole approach that we just deliver, and they test it, and then we fix the bugs, that doesn't work. By now there's a proverb: you're delivering
software if the update is working. And yeah, that's the state of the art in the industry. So we as developers, what are we doing? There are several ideas. The FDP idea, that's the liberal party in Germany: the market will solve this. Well, that didn't work; people still buy it. Then there's the CDU idea, another party, a conservative party in Germany: we appeal to people's honour. That didn't work. Then the Department of the Interior: we use snake oil. Also didn't work. And the Twitter idea: we throw shit and just make people look bad. Then there's the approach the Catholic church uses: so not the market will solve this, but Saint Peter, and we use the honour system. And yeah, that works a little bit.

So what are we doing? First I thought maybe we should divide explorative software development from goal-oriented software development. Learning exploratively is a good thing, but you shouldn't use that approach for really developing software. So I'm talking with the companies: please give people time for learning, otherwise they'll learn it while doing, while working on your product. But I can talk about this until I turn blue; it doesn't work so far. So I think we can easily say: be creative with what you do, not with how you do it. A company should develop new things, be innovative, be creative, but then they shouldn't use some experimental data tech and then lose the data because it wasn't finished yet. I think there isn't just one root cause, so many components have to be looked at individually. First is lack of knowledge: I didn't know that this code was shit, and I didn't know how to do it better. Then there's what I call wrongful ignorance: we didn't find people. Because I think if you want to, and you pay people well, then you will find people. This, I think, is just an excuse. Many people say, like, we couldn't do it, we just had bad people, it wasn't my fault. I think it's just an excuse. And there's real incompetence. I had a customer recently; it
doesn't look like an excuse, it looks like a best practice, but I think it's an excuse. Recently I had a customer, they said they do a platform for energy trading, critical infrastructure. They said, like, we're using the cloud, we can't host this ourselves, it's too expensive. I don't get it. I think we have a cascade of excuses that we push in front of us.

And the approach I want to follow now is that we try to implement a metric, a legacy factor. It's not about how bad the software is, but about how much it will influence my software negatively if I have it as a dependency: how much negative effect do I get if I pull this into my code? Problem: if we have this as a metric, and it's a successful metric, then people will cheat the system and optimise for the metric and not for the actual goal. Because of that it's kind of hard. But there's a role model that's actually working quite well, that's CVSS, the Common Vulnerability Scoring System, where we have a measure of how problematic bugs are. People tried to define a metric, it works well in the industry, people accept it, people love it. It roughly works like risk assessment historically: you see how likely it is and how much damage it will do. Is this hard to exploit? Do you need an account for this? Does it work across a network? And how much can break if this is exploited, like, can you delete data? You tick a number of boxes and then you get a score for it. I think it's a good thing; we need a risk score like that, but not for bugs. Maybe it's easier for bugs, although this has problems in detail, but actually we need a kind of risk score either for management or for the developers themselves. These are two separate problems. I think it's more goal-oriented to stick with the developers, because until now I have never actually witnessed a management saying "we need to do this" where it wasn't just meant for PR reasons. So if you help people realise that they're actually making a mistake, we can actually change
things. It's a multidimensional problem, and one of the dimensions I came up with is security holes, of course. It's a problem if there are security holes in the project; it's an open field of research. You can say we have found 10 bugs, so the code was insecure. Maybe, but we don't know if we found all the bugs in the code; the rest of the code might just be superb and this was just a fluke. So it's maybe not a good metric. Here in the industry they try to do static code analysis and look for code smells. It's a thing many companies are trying right now; the success rate isn't really high. I observe that people use such a tool, it generates 10 billion warnings, and people gradually reduce the sensitivity of the tool so that they get reasonable values, and developers get the filtered data and say it's all positive, and the project keeps running, because they don't want it to look like it failed. But it isn't working. It's a good dimension, but we can't implement it well; I wouldn't know how.

Okay, I'll try to give examples here for illustration. Extremes are qmail and sendmail, that's a good example. Both are MTAs, mail transfer agents, server programs that transfer emails. qmail was built with the goal of having secure software, modelled after an initial design, and sendmail was built and retroactively fitted with security measures. And you can see that up until this day: qmail was released in 1993, and there has never been a patch, and I'm using it up until this day, because there have never really been problems. That's one end of the spectrum, and on the other side that means you don't get any new features; it's a double-edged sword. It's a spectrum: old legacy code that nobody really wants to maintain unless they're paid for it, and even the people who are paid to do it ran away. The second dimension you can think about is: is this still maintained actively? Well, you can see this with open source projects; with other software it's more
difficult. With patches, you don't know if they're actually changing things, or how much; it's not really clear how to value this. If the software doesn't get any updates, that doesn't mean it's shit; it might just mean it's complete. That's really, really rare, but TeX is an example of that, by Donald Knuth: he wrote it and it's done. There are a few patches from time to time, but they change a few bits somewhere; it's basically complete. My example here was jpeg; it hasn't needed any updates, didn't have any security issues, and that doesn't mean it's bad software. So it's easy to say the software is bad if there are no patches any more; this metric is also very difficult. So how are we doing this? Good question. I just said that already. On the other hand, if you update the software often, that's not a good sign either. I have a customer who's got third-party software that's released via GitHub, and he gets five updates each day, and they all say they're releases, and sometimes they break. You can never really tell if the software is good, because when you're finished investigating, there are 20 new versions already. That's not good either.

Another dimension is dependency hell. You all know this if you've developed software in your life. It's a crass example with JavaScript; they had some public blunders when modules were recalled, where it turned out that some transitive dependencies were in almost all projects. You would need to apply this in a transitive manner, so you need to sum this metric up. The extremes of the spectrum are, on the one hand, cloud lock-in hell, where you don't see the dependencies, just some kind of pipeline with some output at the end, automated resolution of dependencies during build, and getting software from the internet. And the other extreme is qmail without any dependencies; it just uses the C runtime, and that's basically it. There's also a spectrum here that could be used for a metric. But there are many dimensions, as I said. The next dimension is
code quality. It's a bit like security, but I want to generalise this, among other things because there's a strong correlation between many bugs and bad security. All security problems are also bugs, so if you have many normal bugs, or many bugs of which we don't know that they're security issues, then it's usually a sign that there's a lot of insecure stuff. It's important as a metric, even if it might not be bad security. As I said, the trend is static code analysis and detection of code smells. I would actually be in favour of 100% code coverage, but it's also difficult, because there are different ways to measure this: what do you do if there's more than one statement in one line? What's the quality of the testing? It's not that easy, but we should start thinking about it. My suggestion would be, for the reasons I stated before, that if you have the bugs that get known each year, you can extrapolate. And switch on compiler warnings: very, very few manufacturers are actually doing this, and it's really scary. And many people who have pipelines in the cloud don't really see how many warnings there actually are. It's one of the most important metrics that we as developers have: don't throw away compiler warnings, and not with a pragma statement either.

Next dimension: what kind of expectations do people have? I realised that, I think, in LibEx 2, that's software to read metadata in images, like GPS coordinates, which lens was used, and that's more or less well defined, how the standard has to look. There's an open source library, and there were a lot of bugs in there. So then the author of this software just wrote: well, then just don't use this on untrustworthy files. So he never had the expectation that the software is safe, but the people who used the software just assumed, yeah, I think he took care of that. So I think the thing we could do is to annotate the software with what the expectations on this software are, and I think
that's very important. Another thing is that people create features that sound like security. That's something I saw with Microsoft very often: a feature called Network Access Protection. So I went there for threat modelling, and what do you do then? They said, no no, it's not a security feature. And I said, well, then maybe the name is a little confusing. But things like this happen, because there's a disconnect between the people who make the product and the people who choose the name and do the marketing.

There are also gradations here. There's explorative software: every open source software that I published is explorative. It's not meant negatively, because it's the best way to learn how to program: I understood something after the first time I implemented it, and that doesn't mean that the implementation is good. That's what I'm trying to convey. But it's important to communicate this. "This code was explorative" might mean that maybe it's well used and maybe you can trust it, but the approach was explorative. Or there's the scenario where the guy left; you see this sometimes in big corporations: there's this piece of code, but we don't know who wrote it, or we know who wrote it but he doesn't have any time for this any more, or he's just retired. All these things can happen, but it's important that you communicate them, because the people who use this don't know. Or the best scenario, I think, is if the guy who develops it is also the maintainer and the one who tries to market it commercially, because he has an interest in the software really working. There are even more dimensions, I'm sorry, it's such a complex problem. There's also the problem that the guy who does this has the best intentions and uses the best techniques, but it could be that the spec he's implementing is really bad. For example, XML says there's entity expansion, and you can use that for a very simple DoS exploit on any kind of XML parser. So everyone added configuration where you
could disable this, but then you're not standard-conformant any more. This happens a lot, that specs are bad. I don't want to point at XML; there are others that aren't good. Same thing with JSON parsers: people went around and opened up a lot of recursion depth, and all the parsers exploded. Window messages are the same on Windows, because that was invented before there was more than one user. Message buses in general occur often in cloud installations and big corporations: if you do this over the database it's too slow, so we add another message bus here, and then everyone has access to the message bus, can also spoof things and see all the other data that goes through there. So the idea itself is bad already; if you implement this, it won't get better.

There's a different problem, it's called lock-in. I don't know if this really fits in here, but I think it's important enough that if we go around and distribute labels we should look at it. For example, some kind of library that does exactly what I want, but it only runs in the Amazon cloud, so my freedom of using whatever platform I want has been restricted. That's something you have to communicate in advance. Or in cryptographic code the assembler is hand-optimised for the architecture, but if you're on a different one, like PowerPC or even ARM, then it just doesn't work well. That's not a hard dependency, but it restricts the user. While we're at it, I can also look at the resource footprint, as oftentimes there are things like, okay, we have to sort, but we only have 10 elements, so we use bubble sort, and then someone comes along, adds more elements, and then it doesn't work any more. That's also something you have to communicate: which scales does this code work with? It doesn't just affect the CPU or the RAM, but also IO and hard disk space. So the problem, okay, let's assume these are the dimensions. It's a little bit difficult to build a metric out of
this, because a good metric is between zero and one, or zero and ten, so you can compare. But if I say we also have to look at the transitive dependency problem, then I think we have to get away from this metric or score problem. Another problem is that if we have a metric, then people will do gaming in order to cheat the metric and not solve the problem. So I thought, let's call it a legacy score, but we can't really use "score" here. So what else can we do, and to what does the metric apply? There are also different approaches. It could apply to the whole software, computing a kind of score for the software, like for insurance: they look at how probable it is that they'll have to pay, some kind of risk assessment. Or I can do it per module, so the manager says, no, that's too risky; or even for the developer, or even per method.

So I looked around: what's the prior art, what did people do before? There's an established standard from '93, and it's called the Geek Code. Who knows the Geek Code? That's for the older people among you. The formatting was a little joke on PGP. The idea was to describe yourself, so GED means geek of the education sector, and after the dash come kinds of dimensions and a rating, so for example S is the size. And they put it in their signature and distributed it on Usenet, so everyone could imagine who the person on the other end is. So people just gave away information about themselves voluntarily. But yeah, the idea wasn't bad. So let's try to implement the idea I had as such a kind of score. And that's not really easy; that's why I first started this talk in German, and I really would like to hear your feedback. This is the draft I made, and the idea is that the author of a library writes it in a comment, and then you have some kind of dog whistle, and the others can have a look at it and get an idea about the code. This one is very clear: who owns the code? The worst case is you don't even see it, you don't have a copy of it, it
runs in the cloud somewhere. This one is kind of related, but not exactly the same: I have the code and can change it, or I can only read it, or the source code got lost, or the Huawei model: the government can look into it. Of course this is kind of with a wink here, but the idea is very attractive; I think I'll implement this for my own code. The problem with these things is that you have to take into account that the limits are also realistic. There are people who have been doing the same thing for 20 years, for example the guy who does the zstd library, he did LZ4 before, and he was only doing compression algorithms, so you can assume he knows what he's doing. But this goes all the way down to: I'm not really the guy who wrote it, I just inherited it, I just have to take care of it. Then about correctness, that's another problem, which reaches from "I have a proof that you can understand yourself" to "I have a proof, but it's maybe hard to follow". Then about the bugs: whether we regularly do code audits, so we try to fix the bugs, and then there are the people who say, well, it's not really a security problem, it just crashes, so people who don't really know what they're doing, or are just evil. And that's important to communicate. Most people here are at C minus, or they don't even have a bug tracker; that's possible as well, of course. Then I thought, well, maybe we also have to say what kind of design was the basis of the development. It starts with, well, we ticked all the buzzwords, we have least privilege and everything, and then a big jump to, well, we validate our inputs, which is also quite good already, but it goes down to bullshit, blah blah, like we have antivirus.

So I think it would be nice if we had this in our software, something like a labelling system. And the idea started when I bought a multivitamin packet in the US, and there's a big table with the supplement facts: well, this vitamin has this percentage of the daily allowance, and it says something like, well, vitamin C 5000%. So it's
bullshit obviously so you also have to know what you are reading when you're reading it but at least there is a way that we could try because it gives you more information and this down here author left our project event is more often than you would think than volatility this tries to attack this volatility problem that people release more often than you could test it properly but a good solution is not available really so what I personally would like most would be when it's when there are daily updates but you never notice any change because the software compiles before and after everything I used or still works so this is I think the optimal goal that you can reach the customer does not even notice if something was patched because it's still working so the spec I mentioned before that we have to mention there's a big spectrum also the spec is open short and understandable that's quite rare quite often it's behind a paywall and that's basically having no spec at all because an open source guy will not buy the ISO norms for a few thousand bucks just to check if the MPEG player that he just downloaded works properly so dann we have the dependencies that had to be transitive I just don't know how to apply this to the score if someone has an idea please contact me so how would that be in praxis I had made a few examples that would likely look like this so the problem is that the dimensions on both sides are very subjective for a few people it might be okay not having the source code as long as there is still maintenance so people who use windows for example for them it's totally okay not to have the source code but that also means that the score is not just a number so it must have a number for each dimension so this now looks like well like it's hard to read and it is but in unicode it showed that after doing this for a few days you get used to it and I think it's a rather good idea also thought about using a nice name for this I thought legacy code would be nice but 
sing already bought that also legacy co.de so I hope I now will receive a lot of good ideas what could be improved or maybe other ideas that don't include a score maybe the whole idea is wrong but I think we as an industry have to do something now and I think reactively working doesn't work and we have to think about how to work in the development process at and get at the people who decide what dependencies to use and that those people can make their decisions on a profound basis and also to give the developers motivation to do it properly so the developer can see well at this spot I don't have the standard that I want for myself so other than that we have the microphones for a q&a session and I also like to accept questions for mail thanks for the attention we use this quick break to thank everyone from the translation booths we like to have feedback you reach us via Twitter and we will continue with a q&a session there's a question from the internet are there projects from the real world where the problem of complexity was used it was solved correctly and where can we find it it's quite seldom there are there was few years ago a push where many people started to publish software and make make a statement about it being very small I'm one of those people but it turns out that there are other projects that are putting the label minimal on it but it's actually not for example recently there was an announcement by clone of system be written in rust and I'm a huge fan of rust and not a fan of system be so if there had been a replacement that we've been great but rust doesn't do small binary so the binaries that come out of this are big monsters it's minimal if if you consider the feature set but the end product is just huge the guy who wrote this can't do anything about this because it's a rust problem but and they are working on it but minimal is not complexity is not not an objective measure it's subjective I personally always liked the software by den Bernstein GD 
DNS and how code looks like that has small binaries it's a small field there aren't as many examples of well done software and software ist nicht komplex at the same time dann microphone 2 please thank you very much for those interesting ideas my question is a bit like is that newt to you do it if you want to is it too much cdu like what what keeps me from saying I'm m++ plus ist something like that that's indeed a problem and I'm not sure how and if you want to solve this but I think if you start to use this then there's some kind of pressure from the community that stops people from lying so my experience with the developers is that most people are good good people that don't want to do bad things they don't want to lie so if you give them an opportunity to show that it's not ready then then I think they'll do this except there's someone of course who can't really really correctly judge this you can't really get rid of this risk but but I think it's good step for people who start adding a dependency to their products to give them something to see well is this a series or is it just like a like a learning project so we have to deploy this we'll have to see hey this might go in the same direction as the question before this but maybe we could introduce a judiciary system in this so no development system from India will accept this if you say well the development team was in India do you think this is a good idea how to do this it's not about India it could also be Massachusetts but it's about that the team isn't the one who wrote it it's just someone now has to work with it because they needed a maintainer that's always a problem and that's there will always be we fraudsters but I hope that you can you can realize them because they they always chose the best option in every every segment that's something you have to try out to my exception my experiences that communities really help to to improve the standard so we just start start this and someone else says well 
this is important and we have to talk about this and that's a sign that if there's code that's being deployed and says how volatile is this and supervolatile isn't the highest score then maybe we can transport ideas this way okay maybe maybe we have to take a step back and think about how we make our project yeah I just thought about it if this is maybe similar to what the food industry is being forced to do they write in write up all the ingredients is and everything so maybe we should think about as a follow-up developing a software code and traffic light was the idea but I don't think you can break it down to a score because some parts of it this are subjective it's not the same with food because I have to trust the agency and they say that's the maximum if it's more than it's not good and then you start to bargain but if the software says oh we had this and that then you don't know this and they say okay that's that's a thing you have to leave for the end user because you don't want to do you want a disadvantage okamal because because people say why why there's no no core because that's not see is this better or not so there has to be open enough that's why I don't believe in judges or organizations that that that give away these labels because that's never worked well I think and it has to come from the community has to work in such a way that you have a feeling that oh I'm doing something better now I can write plus plus you know that's that's my hope I don't know if it'll work dann bitte noch mal mikrofon 2 I was missing one dimension that might fit here but maybe not because we are hands-on people how easy is it to contribute so how is it how easy is it to as a consumer or as a customer to use it and work on it yourself yeah that's right I try to picture this through the L I have the code and can change it but but the problem is that the one who is maintaining the code can't really judge this very well I don't think this will work up through such a score 
but you one can try it of course is missing IPv6 for you a bug or a not implemented feature that's one of the subjective questions to me personally it's a it's a bug there's no IPv6 but but a lot of companies say we don't use this anyway die Intention dass die Community das schon richten wird du hat CFSS als relativ positiv Beispiel dargestellt vor fünf Jahren war hardbleed in OpenSSL das hat ein CFSS bug von 5,0 gehabt und Bruce Meyer kommentiert auf ein Skala von 1 bis 10 ist das Wert 11 CFSS ging gerade bis 10 also ich seh nicht dass das so klappen kann und ich find's gut see that that'll work this way but because we don't have a standard what doesn't mean to what what does minimal mean there's two to factor authentication then then is any application with the two to factor without two factor automatically buggy and that's an open science question I don't have any good answers for this so this is still a field of research the hardbleed thing could have been solved by saying adding well what are we guaranteeing and if the guarantees are broken well then it's complete failure but now we have features that sounds like a security feature and if you ask for guarantees they say well none who uses this is well it's their own fault and we have to get away from this and I think this is only working if we can help people understand that they are writing the legacy from tomorrow people always pretend like legacy fell from the heavens no actually you are writing legacy just not from today but from tomorrow another question from the internet in your scoring scheme how do you think this will work for projects where there isn't even an owner who could write this well at one point when this is really deployed the absence of a label is a sign itself but that's gonna take time I mean it's just an idea I can't solve this if there's no one adding a label then maybe the community could decide this on GitHub maybe is some judicial system by the mob or by the by the crowd so these are 
rather coarse categories especially for enterprise it's hard to do you think this will incentivize developers to improve already existing software or is it rather from new software so what do I want to achieve so the goal is mostly to approach hobbyists because in the enterprise environment you have a completely different environment there's someone paying for all this and the one who's paying makes the decisions so you don't really have the option to go around and change the old code because there's a huge workload for things you have to do and there's a lot of optimizations so you don't really have the option to optimize old code so it has to be open source and in the past I didn't have much hope for this but open source has a lot of influence by now and maybe on open source side you don't see that so much but when you're around enterprise projects most big projects are internet based by now even appliances have internet and at least 60 to 80 percent are open source depending on what industry are in so open source has a huge influence now so when open source said well we have to become agile then the industry also did that so if we now say we can