Re: motivating security, was Re: Every incident...

On 2/12/07, Edward Lewis <Ed.Lewis@neustar.biz> wrote:
Security is never something I should want, it is always something I have to have.
No-one wants "security", they want not-trouble. Similar to the point that no-one wants energy, they want warm rooms and cold beers. Perhaps we need a concept of "security efficiency"? Security has to resign itself to being second-class in the hearts and minds of society. Security has to be provided in response to its environment and not complain about its lot in life.
(I realize that this post doesn't say anything about people "dying" - I've heard that in other contexts.)
Yup
Society holds individuals accountable for many forms of irresponsible behaviour.
This is true, but individuals are not held entirely accountable. A reckless driver can cause a multi-car accident on an exit ramp and cause a tie-up for the entire morning rush. Are the "victims" of this compensated? What about the person who loses a job offer because of a missed interview and suffers fallout from that?
And maybe it isn't recklessness. A failed water pump may cause a breakdown, followed by an accident, etc. Mentioned just to spread the analogy out.
The whole logic of modern computing is that everything migrates towards users. Why shouldn't security? After all, if people didn't let the nasties in, 'twould be very hard to start a botnet..
There's no need to make exceptions for computer users. Make computer-owners/users pay in full for damages caused by their equipment with no discount for incompetence.
If that happened, then computer users would be the exception. I can't think of any situation in which an accident might occur and the one causing the accident pays in full to everyone. [snip]
True, but there are plenty of examples of either market (insurance) or government (regulation) solutions to problems where the individual's misfortune also falls on society. Arguably the bulk of the costs of malware proliferation is an externality - the benefits go to the enemy, but costs aren't restricted to the hacked. Not even close.

I used to work for a gov't facility whose mission was science. They had a serious telecommunications problem on their hands. Although it was important to solve, they funded science first - up until all the telecom problems became "too annoying" and money was allocated to solve the problem.
The appropriate analogy is the Great Stink of 1858. London had been suffering from not having sewerage for years, and poor people had been dying in droves from cholera, but nobody with the power to do anything about it cared enough until the Thames got so bad the committee rooms on the river side of Whitehall stank so much nobody would go in them. Then, wham, out came the chequebook, the compulsory purchase powers, and in came Joseph Bazalgette, with the result of an infrastructure used to this day.

At 14:59 +0000 2/12/07, Alexander Harrowell wrote:
The whole logic of modern computing is that everything migrates towards users. Why shouldn't security? After all, if people didn't let the nasties in, 'twould be very hard to start a botnet..
Regarding "letting the users in" there was a story on the news while we were meeting in Toronto. A woman put her child in her car while it was warming and then went back into the house "for 10 seconds." A thief jumped in the car, drove a while, crashed and fled the scene, stealing another car (that was also idling) to get away. The TV reports were very sympathetic to the woman and her husband (who was painted a hero for chasing down the suspect to the crash).

A week earlier, in the DC metro area, there was a story about the police ticketing people for letting their cars idle unattended. The reason for the report was awareness of a new enforcement of the law that had been put on the books to stem auto theft in that county. One woman was ticketed having left some small children in the car while she went back in to get one more item. The reporter asked "what if someone ran here and just drove off?"

What I found interesting is the differences in the way the car owners were portrayed. It's not a US v. Canada thing, but just a point of view. Similarly, are the people who are running exploitable machines the cause of the problem or victims of those exploiting the machines? I don't mean to say that the car owners or computer users are free from blame. But holding a sentiment of just blaming users is not helpful. OTOH, if there was something the operators could clearly do to stop this, someone would have suggested it by now. (There are all them laws about snooping traffic, etc.)

I thought I had a conclusion ... but I don't.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar

"Two years ago you said we had 5-7 years, now you are saying 3-5. What I need from you is a consistent story..."