motivating security, was Re: Every incident...

Edward Lewis Ed.Lewis at neustar.biz
Mon Feb 12 14:06:32 UTC 2007


I've worked in security for some time, not that it makes me an expert 
but I have seen how it is promoted/advertised.

On Feb/12/07, someone wrote:

>Consumers are cheap and lazy.

I think that is the wrong place to start.  It isn't the consumer's 
fault that they have a device more dangerous than they think.  Look 
at what they are being sold - a device to store memories, a device to 
entertain them, a device to connect with people they want to talk to.

Everyone economizes on what they think is unimportant.  A consumer 
doesn't care for the software, they care for the person on the other 
side of the connection.  They care about the colors in the office, 
the taste of the food, etc.  So it may appear they "low-ball" that 
part of the computer equation.

My point is that it is convenient to blame this on the consumers when 
the problem is that the technology is still just half-baked.

>What they need is a serious incentive to care about security.

I find this to be a particularly revolting thought with regards to 
security.  Security is never something I should want, it is always 
something I have to have.  Not "need" but something I am resigned to 
have to have.  This is like saying "folks will have to die before a 
traffic signal is put here" or "more planes will have to be taken by 
hijackers before the TSA is given the funding it needs."  Security 
shouldn't wait for a disaster to promote it - you might as well be 
chasing ambulances.  Security has to resign itself to being 
second-class in the hearts and minds of society.  Security has to be 
provided in response to its environment and not complain about its 
lot in life.

(I realize that this post doesn't say anything about people "dying" - 
I've heard that in other contexts.)

>Society holds individuals accountable for many forms of irresponsible
>behaviour.

This is true, but individuals are not held entirely accountable.  A 
reckless driver can cause a multi-car accident on an exit ramp and 
cause a tie up for the entire morning rush.  Are the "victims" of 
this compensated?  What about the person who loses a job offer 
because of a missed interview and suffers fallout from that?

And maybe it isn't recklessness.  A failed water pump may cause a 
breakdown, followed by an accident, etc.  Mentioned just to spread 
the analogy out.

>There's no need to make exceptions for
>computer users. Make computer-owners/users pay in full for damages
>caused by their equipment with no discount for incompetence.

If that happened, then computer users would be the exception.  I 
can't think of any situation in which an accident might occur and the 
one causing the accident pays in full to everyone.

>Insecure
>products might then be considered inappropriate for public consumption
>and that would be a powerful signal to the IT industry to change their
>ways. Maybe the market also finally would challenge the validity (or
>even existence) of std.disclaimer statements common in today's software
>licences.

I used to work for a gov't facility whose mission was science.  They 
had a serious telecommunications problem on their hands.  Although it 
was important to solve, they funded science first - up until all the 
telecom problems became "too annoying" and money was allocated to 
solve the problem.  There are IT security problems.  But there are 
other priorities in life.  Instead of complaining that IT security is 
underappreciated, the case has to be made that the situation is more 
serious than some other problem.  If that case can't be made, then 
maybe IT security is not that big of a deal (to anyone other than 
you).

Don't get frustrated, present a better case.  And be prepared that 
you still may not win.  But never wish ill-will (as "serious 
incentive" alludes to) on someone to prove your point.

BTW-This isn't meant to be a critique on one message.  It's my 
reaction to quite a few messages that are similar and to some 
comments I have heard.  Sorry if it seems like I'm attacking a single 
messenger.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

"Two years ago you said we had 5-7 years, now you are saying 3-5.  What I
need from you is a consistent story..."


