motivating security, was Re: Every incident...
Edward Lewis
Ed.Lewis at neustar.biz
Mon Feb 12 14:06:32 UTC 2007
I've worked in security for some time, not that it makes me an expert
but I have seen how it is promoted/advertised.
On Feb/12/07, someone wrote:
>Consumers are cheap and lazy.
I think that is the wrong place to start. It isn't the consumer's
fault that they have a device more dangerous than they think. Look
at what they are being sold - a device to store memories, a device to
entertain them, a device to connect with people they want to talk to.
Everyone economizes on what they think is unimportant. A consumer
doesn't care for the software, they care for the person on the other
side of the connection. They care about the colors in the office,
the taste of the food, etc. So it may appear they "low-ball" that
part of the computer equation.
My point is that it is convenient to blame this on the consumers when
the problem is that the technology is still just half-baked.
>What they need is a serious incentive to care about security.
I find this to be a particularly revolting thought with regards to
security. Security is never something I should want, it is always
something I have to have. Not "need" but something I am resigned to
have to have. This is like saying "folks will have to die before a
traffic signal is put here" or "more planes will have to be taken by
hijackers before the TSA is given the funding it needs." Security
shouldn't wait for a disaster to promote it - you might as well be
chasing ambulances. Security has to resign itself to being
second-class in the hearts and minds of society. Security has to be
provided in response to its environment and not complain about its
lot in life.
(I realize that this post doesn't say anything about people "dying" -
I've heard that in other contexts.)
>Society holds individuals accountable for many forms of irresponsible
>behaviour.
This is true, but individuals are not held entirely accountable. A
reckless driver can cause a multi-car accident on an exit ramp and
cause a tie up for the entire morning rush. Are the "victims" of
this compensated? What about the person who loses a job offer
because of a missed interview and suffers fallout from that?
And maybe it isn't recklessness. A failed water pump may cause a
breakdown, followed by an accident, etc. Mentioned just to spread
the analogy out.
>There's no need to make exceptions for
>computer users. Make computer-owners/users pay in full for damages
>caused by their equipment with no discount for incompetence.
If that happened, then computer users would be the exception. I
can't think of any situation in which an accident might occur and the
one causing the accident pays in full to everyone.
>Insecure
>products might then be considered inappropriate for public consumption
>and that would be a powerful signal to the IT industry to change their
>ways. Maybe the market also finally would challenge the validity (or
>even existence) of std.disclaimer statements common in today's software
>licences.
I used to work for a gov't facility whose mission was science. They
had a serious telecommunications problem on their hands. Although it
was important to solve, they funded science first - up until all the
telecom problems became "too annoying" and money was allocated to
solve the problem. There are IT security problems. But there are
other priorities in life. Instead of complaining that IP security is
under appreciated, the case has to be made that the situation is more
serious than some other problem. If that case can't be made, then
maybe IT security is not that big of a deal (to anyone other than
you).
Don't get frustrated, present a better case. And be prepared that
you still may not win. But never wish ill-will (as "serious
incentive" alludes to) on someone to prove your point.
BTW-This isn't meant to be a critique on one message. It's my
reaction to quite a few messages that are similar and to some
comments I have heard. Sorry if it seems like I'm attacking a single
messenger.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar
"Two years ago you said we had 5-7 years, now you are saying 3-5. What I
need from you is a consistent story..."