motivating security, was Re: Every incident...

Alexander Harrowell a.harrowell at gmail.com
Mon Feb 12 14:59:03 UTC 2007


On 2/12/07, Edward Lewis <Ed.Lewis at neustar.biz> wrote:
>
> Security is never something I should want, it is always
> something I have to have.


No-one wants "security", they want not-trouble. Similar to the point that
no-one wants energy, they want warm rooms and cold beers. Perhaps we need a
concept of "security efficiency"?

> Security has to resign itself to being
> second-class in the hearts and minds of society.  Security has to be
> provided in response to its environment and not complain about its
> lot in life.
>
> (I realize that this post doesn't say anything about people "dying" -
> I've heard that in other contexts.)


Yup

> >Society holds individuals accountable for many forms of irresponsible
> >behaviour.
>
> This is true, but individuals are not held entirely accountable.  A
> reckless driver can cause a multi-car accident on an exit ramp and
> cause a tie up for the entire morning rush.  Are the "victims" of
> this compensated?  What about the person who loses a job offer
> because of a missed interview and suffers fallout from that?
>
> And maybe it isn't recklessness.  A failed water pump may cause a
> breakdown, followed by an accident, etc.  Mentioned just to spread
> the analogy out.


The whole logic of modern computing is that everything migrates towards
users. Why shouldn't security? After all, if people didn't let the nasties
in, 'twould be very hard to start a botnet..

> >There's no need to make exceptions for
> >computer users. Make computer-owners/users pay in full for damages
> >caused by their equipment with no discount for incompetence.
>
> If that happened, then computer users would be the exception.  I
> can't think of any situation in which an accident might occur and the
> one causing the accident pays in full to everyone.
> [snip]


True, but there are plenty of examples of either market (insurance) or
government (regulation) solutions to problems where the individual's
misfortune also falls on society. Arguably the bulk of the costs of malware
proliferation is an externality - the benefits go to the enemy, but costs
aren't restricted to the hacked. Not even close.

> I used to work for a gov't facility whose mission was science.  They
> had a serious telecommunications problem on their hands.  Although it
> was important to solve, they funded science first - up until all the
> telecom problems became "too annoying" and money was allocated to
> solve the problem.
>

The appropriate analogy is the Great Stink of 1858. London had been
suffering from not having sewerage for years, and poor people had been dying
in droves from cholera, but nobody with the power to do anything about it
cared enough until the Thames got so bad the committee rooms on the river
side of Whitehall stank so much nobody would go in them. Then, wham, out
came the chequebook, the compulsory purchase powers, and in came Joseph
Bazalgette, with the result of an infrastructure used to this day.