James's Weblog

A couple of weeks ago I read about a scam anti-virus program sold by some no-name software company. The software reported false positives to induce hapless people into thinking that they were infected with something and to buy their useless product. A few days ago, Mark Russinovich of Sysinternals wrote about bogus spyware removers.

I’m so disgusted that I wonder if there should be a programming ethics board that allows programmers to become certified or licensed voluntarily. Shouldn’t people writing so-called anti-virus software take some form of Hippocratic Oath? Such a system wouldn’t be too different from the driver signing that Microsoft does, except it’d be a general system for individual developers, not for particular binaries. Hobbyists still would be able to create, distribute, and sell unlicensed programs, but anyone wanting to establish trust could advertise that they’re licensed. A signing authority could verify that licenses are active and authentic. Obtaining a license could require verification of developers’ personal information, allowing them to be identified and accountable if they break the code (pun intended). Qualification exams even could test for recognition of buffer overflows and other unsafe practices.

On the other hand, what would the punishment be? If the licensing fee is too low, it might be worthwhile for dishonest developers to obtain licenses just to break them. If the licensing fee is too high, no one would participate. And, of course, it’s unclear how to distinguish between intentionally malicious code and simply negligent code.