Kuro5hin.org: technology and culture, from the trenches
Government regulation of computer security?

By wiredog in Internet
Sat Jul 28, 2001 at 08:24:43 AM EST
Tags: Freedom (all tags)

A letter (it will be here next week) to Jerry Pournelle raises some interesting questions about net security and government regulation of the same.


Given the inability of many people to keep up with the latest patches, and the increasing number of attacks, will the government have to regulate the security policies of software providers? Will Microsoft, Red Hat, Apple, FreeBSD, et al. be required to ship products with certain security features? What would/should those features be? What might the penalties be for not shipping them?

I fear that the answer will be yes, the government will regulate software security. Maybe not this year, or next, but if software providers and sysadmins don't get their collective acts together it will happen. If some worm causes massive financial losses by mailing out confidential documents from some investment house, or if one of the worms takes down large portions of the net, the Congress and President will feel increasing pressure to step in and force software, or service, providers to implement strong security policies.

You see, the net is not an unlimited resource. Radio spectrum is a limited resource which is regulated by the government for the "common good". And, you see, there is only so much bandwidth available. It is used for personal communications, news, business transactions, sheer entertainment, and more. A serious worm attack could take down large parts of the net, (see this for one scenario) thereby cutting off the communications links of many communities. Some of those communities will howl and demand action. And, I fear, the government will take action.

Poll
The net should be regulated by
o Organized Anarchy 53%
o Hailstorm dot nyet 1%
o The FCC 1%
o Rusty's cottage in Maine 26%
o Inoshiro 15%

Votes: 52
Government regulation of computer security? | 30 comments (26 topical, 4 editorial, 0 hidden)
This is an attack (4.66 / 6) (#2)
by slaytanic killer on Fri Jul 27, 2001 at 03:14:42 PM EST

I've heard that some large companies were starting to push for gov't regulation of security. This is an attack on smaller companies, because steps in this direction slow down innovation.

Security is incredibly difficult to get right, for most companies. It takes a lot of professionalism and persistence -- and professionalism is often the death of experimentalist hobbies like coding.

If you have something worth protecting, like confidential documents, then make sure you pay to protect them. That is precisely the idea behind insurance, that you pay a little now in case you'll need a lot of protection in the future. And perhaps tighten up laws against people who abuse the net. But band-aid regulation is not what the world needs right now; it will slow down experimentation and new technologies.

This is an attack, plain and simple. Let the market decide, not some congressman.

An alternative path (4.20 / 5) (#5)
by slaytanic killer on Fri Jul 27, 2001 at 03:26:16 PM EST

Security is a real problem, that affects more people than the user with the security hole. That is why a preferable alternative would be to let people be sued if they connect to the net and were grossly negligent about security, leading to net attacks. Small fines can be applied to those whose machines took some part in a massive DDOS, if they were negligent.

This would mean that ISPs could play a greater role in security, shielding users from some security issues, and occasionally probing the users' machines. OS manufacturers could promote better education on security.

But in the end, it is the user who must make an informed decision about how to use the net. Baseball bat manufacturers don't have to suffer under regulations because some use bats to beat people. And companies shouldn't run screaming because they were not careful with billions of dollars worth of consumer information.

[ Parent ]
Why is it... (4.55 / 9) (#3)
by trhurler on Fri Jul 27, 2001 at 03:16:57 PM EST

that the same people who are in favor of regulating all the things they don't understand well are terrified of regulation of the things they do understand? Are they really stupid enough to think government is good at regulation only of those things they themselves do not grasp?

Put another way, why not regulate the net, if you regulate everything else? Do you really think government knows more about radio than radio stations and radio station engineers? More about television than its practitioners? More about food sanitation than those in the growing, processing, and/or packing industries? Of course not. The truth is, you want government to regulate the things you don't do, because that way you don't have to be an expert to keep from getting screwed - but you want everyone else to have to trust computer people not to screw them, because regulation would make your life less enjoyable.

I'm against regulation - but I'm honestly and consistently against it, because I think it is wrong and because I think there are better ways, instead of just against it because it would make MY life easier at everyone else's expense. You techie leftists out there, advocating regulation of everything BUT what you do for a living - and you're the majority of techies - are the WORST sort of hypocritical fucksticks.

--
'God dammit, your posts make me hard.' --LilDebbie

Well put. (3.75 / 4) (#4)
by mrgoat on Fri Jul 27, 2001 at 03:23:25 PM EST

Being for (governmentally) regulating everything is telling the government you'd rather be controlled than learn to work things yourself.

"I'm having sex right now?" - Joh3n
--Top Hat--
[ Parent ]

Regulation (3.66 / 3) (#8)
by ajf on Fri Jul 27, 2001 at 05:00:00 PM EST

Do you really think government knows more about radio than radio stations and radio station engineers? More about television than its practitioners? More about food sanitation than those in the growing, processing, and/or packing industries?

It makes sense for the government to regulate radio and television, because the radio spectrum is a shared resource, and it works better if you don't have several stations trying to broadcast on the same frequency within a given area. It's not because the government "knows more", but society benefits from having someone responsible for allocating frequencies. It could instead be done by a non-government organisation, but that's not inherently better or worse than having the government do it.

As for food sanitation, there's a reason local authorities have health inspectors. People get food poisoning because the food was not prepared carefully enough. Food industry workers should know better, but sometimes they don't.

There's no benefit to society in protecting security-ignorant people from themselves. And as slaytanic killer said, you could hold people responsible for damage caused to others by their negligence.



"I have no idea if it is true or not, but given what you read on the Web, it seems to be a valid concern." -jjayson
[ Parent ]
Benefit (4.50 / 2) (#10)
by MrSmithers on Fri Jul 27, 2001 at 05:15:22 PM EST

There's no benefit to society in protecting security-ignorant people from themselves.

But.... The government does regulate many things that have a large financial impact on society. Just look at the SEC or the Federal Reserve. The 'net is becoming more and more a part of people's daily lives and more financial institutions have Internet presence. The sheer amount of $$$ that depends on the security of the Internet may encourage regulation.

Not that I would support such a move, but it would be consistent with current regulation.

There is of course of exactly who gets to regulate it, though. There is no cohesive world government, and even the mighty US (I'm being mildly sarcastic, BTW) might find it to be a beast out of its power to control.



[ Parent ]
Proofreading is nice... (4.00 / 1) (#16)
by MrSmithers on Fri Jul 27, 2001 at 06:21:02 PM EST

It's the question.

Err, the question of who gets to regulate it :)



[ Parent ]
Oh? (3.00 / 3) (#11)
by trhurler on Fri Jul 27, 2001 at 05:19:31 PM EST

There's no benefit to society in protecting security-ignorant people from themselves.
Of course there is. If I buy a car from you and a bank lends me money, and that bank's shoddy security leads to someone adopting my identity and ruining my credit rating, not only am I not at fault, I'm not even particularly ignorant - I'm one of the best educated people on the planet with respect to computer security - but there is NOTHING I could do to prevent this problem. Government regulation, according to big government types, is the answer.

I think they're wrong, but that's because I think regulation per se is wrong, and leads to bigger problems than it solves, whereas you're trying to say "my industry shouldn't be regulated, but everyone elses' should!" That's horse shit, and hypocritical, "selfish" bullshit at that. (I don't normally use selfish to mean a brute climbing a pile of corpses to victory, but that's the sense in which I mean it here. You are trying to justify regulating all the things that are convenient for you, and not the ones that aren't - to use the government, in other words, as a weapon to achieve your aims by force.)

--
'God dammit, your posts make me hard.' --LilDebbie

[ Parent ]
On hypocrisy (3.00 / 2) (#13)
by ajf on Fri Jul 27, 2001 at 05:46:52 PM EST

You've read me wrong. Your reasoning would have me say you don't think there's anything wrong with murder because you don't like regulation.

I disagree with some government regulations in areas I have absolutely no personal involvement in.

I don't think possession or use of marijuana should be illegal, but I never touch the stuff. I don't think radio or television content should be regulated at all, though I don't work in the entertainment industry. (There are "anti-siphoning" laws regulating the pay TV industry here, for example, which prevent pay TV operators from acquiring broadcast rights to certain "significant" events - mainly sporting events such as football grand finals - without making the broadcast available to free-to-air broadcasters as well, which is just stupid. If you want to watch the game, buy a ticket and go to the ground, subscribe to the pay TV service, or go to a pub and watch it on their big screen.) I think censoring films and magazines is a waste of government money, but (apart from going to maybe as many films as you can count on a hand in a year) I have no vested interest in that industry either. And there are laws that don't benefit me, but I agree that their overall benefit is worth the personal inconvenience to me. Copyright, for example.

You're against regulation in general, while I'm against regulation when I think the rights it restricts are more important than the benefits it provides.

If I buy a car from you and a bank lends me money, and that bank's shoddy security leads to someone adopting my identity and ruining my credit rating, not only am I not at fault, I'm not even particularly ignorant - I'm one of the best educated people on the planet with respect to computer security - but there is NOTHING I could do to prevent this problem. Government regulation, according to big government types, is the answer.

In the scenario you describe, you would hold the bank responsible for their negligence, since it was their blunder that damaged your credit rating. I'm talking about the bank giving out loans to people who can't repay them, and the bank losing a lot of money as a result. That's their fault for poor business practices, and I don't believe the government should make it more difficult for all banks to provide loans because this one bank is run incompetently.

Then the question is, what happens to the people with deposits in the bank if it goes broke? I think government regulation is useful here if it's necessary to protect the economy. A sound financial system is vital to trade. Having banks collapse becomes bad news for everyone, whether or not they had the knowledge and opportunity to bank elsewhere.



"I have no idea if it is true or not, but given what you read on the Web, it seems to be a valid concern." -jjayson
[ Parent ]
Heh (2.00 / 1) (#17)
by trhurler on Fri Jul 27, 2001 at 07:21:51 PM EST

You do realize that FDIC is little more than a way for the government to exercise control over banks, right? If it ever had to pay out in any numbers necessary to "save the economy," it would go broke and be incapable of doing so. Further, the conditions under which it will pay out at all are so narrow that they essentially never occur. You're paying a heavy price in regulatory burden and centralization of the US economy in exchange for insurance against events that will never happen to you and which can only pay if those events only happen to a relatively few people. The lousiest "deal" imaginable, or close to it.

--
'God dammit, your posts make me hard.' --LilDebbie

[ Parent ]
FDIC and the theory of regulation (5.00 / 1) (#19)
by slaytanic killer on Fri Jul 27, 2001 at 09:07:26 PM EST

The FDIC accepts banks through membership, in exchange for that regulatory power. That is why you often see the FDIC logo advertised on commercials; it basically is a guarantee of decreased risk, telling you that the bank is constrained in certain areas. You may take your chances elsewhere, and there are a lot of investments that are much riskier, but you have a choice.

After reading this thread, I looked on the net to refresh my knowledge of stuff. The theme I found is of organizations (banks, companies, etc) gaining increased power with the tradeoff of having more regulations. In the US' Good Old Days, a corporation had to prove that it was working for the public benefit. That was the way a company could be an abstraction that shields its founders from some kinds of litigation and other worries. As time went on, legislation was passed to treat companies as immortal individuals, and there was decreasing thought about the public good.

So, to decrease corporate regulation should also mean that companies should also lose a lot of rights they gained. Increased power comes with increased regulation.

It is not clear-cut to extend the same analysis to the internet. For the most part, the internet is basically speech. The data on the net should be construed as such, whether it stands for love letters or financial credits. (At this point we get into strange unresolvable Platonic arguments about whether that data becomes the thing it represents.) Since free speech has many benefits because it contributes to general happiness and growth, it enjoys certain protections against regulation. The opposite of corporations.

[ Parent ]
Not true (none / 0) (#27)
by trhurler on Mon Jul 30, 2001 at 12:09:18 PM EST

In the US' Good Old Days, a corporation had to prove that it was working for the public benefit. That was the way a company could be an abstraction that shields its founders from some kinds of litigation and other worries. As time went on, legislation was passed to treat companies as immortal individuals, and there was decreasing thought about the public good.
The idea of corporations as individuals descends from British common law, well predating the existence of the US, much less any of its laws. I'm not particularly happy about this little legal convention, but it is a lot older than you seem to think.
You may take your chances elsewhere, and there are a lot of investments that are much riskier, but you have a choice.
Put another way, I cannot possibly run a legal bank in the US without becoming an FDIC "member." Just go and look. Yes, in theory, it might be possible. There's a good reason nobody does it, and it isn't just because of risk.
For the most part, the internet is basically speech.
You, speaking as someone who uses the internet, can say so. However, "the internet" is not some vast public resource; virtually all of it is privately owned - by those same corporations you keep bemoaning. They built it, contrary to popular myth. They're responsible for virtually everything people think of when they say "the internet." About the only pieces they're not responsible for are a few protocols here and there, and even a lot of those are corporate work. If you think you can regulate businesses without regulating the internet, then "think" is in fact precisely what you are not doing.
Since free speech has many benefits because it contributes to general happiness and growth
Corporations contribute to general happiness and growth. Any claim otherwise is contrary to the most obvious and basic of observations of modern society. The fact that you may not like some of their other effects notwithstanding, almost all of the conveniences you take for granted are the result of corporations.

That said, "general happiness and growth" is just another way of saying "the public good," which is just another way of saying "the interests of those who have political influence," which is just another way of saying "the interests of whatever gang or gangs are in power at the moment." Rule by demagogues - which is the essential form of the rule of a mob. This doesn't sound so bad until you consider the way a mob reacts to being frightened, at which time you might wish for more protection than it offers.

--
'God dammit, your posts make me hard.' --LilDebbie

[ Parent ]
Note.. (3.75 / 4) (#9)
by Sheepdot on Fri Jul 27, 2001 at 05:13:44 PM EST

There *are* those of us that agree with you. The left-leaners abound in higher numbers, however. But on k5 there appears to be some more of the consistent government-regulator-haters.


[ Parent ]
Once upon a time (4.60 / 5) (#15)
by Sikpup on Fri Jul 27, 2001 at 06:08:48 PM EST

"Do you really think government knows more about radio than radio stations and radio station engineers? More about television than its practitioners? "

Once, yes. The FCC was actually once staffed with good engineers and technically knowledgeable people. Now it, just like the US federal government, is a corporate whore. Powell is in bed with the colossal media giants, following in Congress's footsteps. It used to be that the FCC rule was 1 AM and 1 FM in a market. That limit is now 8 stations! Have you noticed lately that no matter what city you are in, you have the same small number of choices, often with the same DJs?

Now it's happened with TV. Granite Broadcasting has overturned the duopoly rule, so now one company can own 2 TV stations in a market.

Same with cable market share. Is there anyone in a market where AT&T has bought out someone else (Media One, TCI, etc.) that has seen improved service?

The FCC used to administer exams to make sure people were at least somewhat knowledgeable about the systems they were working on. Now all the tests can be given by cram schools. As a holder of a large number of licences (General Telephone, 2nd Class Telegraph, amateur extra, GMDSS operator/maintainer, radar and 6 month endorsements), I resent the devaluation that this has had on their value. (I'm sure that is true of early MCSEs, Cisco types, etc.)

If the government regs had any teeth and were enforced by technically competent types instead of government bureaucrats, I wouldn't mind nearly as much. As long as Uncle Sam lies spread eagle for corporate bribes, keep him out of the regulatory business.


[ Parent ]
There's the rub (3.50 / 2) (#18)
by trhurler on Fri Jul 27, 2001 at 07:34:24 PM EST

You see, as long as Uncle Sam is a federal republic, which we all seem to think is a good thing, his interference in the economy is going to receive the attention of various pressure groups. If you want to end that, you have to end either the federal republic or else the regulation - there is no other option, and all these "finance reform" bills and "revolving door regulations" will not help at all. Why? Because there's too much money and too much power at stake - that's why.

By the way, the old 1 am 1 fm rule existed to serve business interests too. I don't know why you think the FCC used to be "virtuous"(by which I mean, rather sarcastically, "anti-corporate,") in some way; all it ever did was serve the interests of those with money and/or influence, perpetuating and furthering their interests, and that's all it ever can do(all any regulation really can do in the long run, in a federal republic.) If you want to eliminate government perpetuation of power and influence, you have to eliminate the means by which power and influence are wielded against government - which is to say, you have to take away government's special ability to grant wishes. Which is to say, you have to end all this economic meddling.

--
'God dammit, your posts make me hard.' --LilDebbie

[ Parent ]
Here's some salve [ot] (none / 0) (#23)
by Wah on Sat Jul 28, 2001 at 01:04:56 PM EST

If you want to end that, you have to end either the federal republic or else the regulation - there is no other option, and all these "finance reform" bills and "revolving door regulations" will not help at all. Why? Because there's too much money and too much power at stake - that's why.

The current campaign finance reform legislation is eerily reminiscent of the "Drug War", founded on the idea that attacking supply will somehow deter demand in a free market. The Demand here is the money needed for public officials to remain in office. Telling millions of people about your message and trying to get them to support you is very expensive, especially when most couldn't care less. And even more especially when the means of communication are controlled by a group of people who use those media primarily as a profit center.

I think the solution here is to take back some of the airwaves we have granted to these corporations solely for the purpose of political speech. It has, IMHO, become too expensive to be Free. Right now I'm thinking roughly an hour of primetime programming for the month of October during election years. If you can demonstrate a 5% public support sentiment locally, you get a certain amount of that time. There's a lot more details in my head, but it gets kinda boring.
--
Some things, bandwidth can't buy. For everything else, there's Real Life | SSP
[ Parent ]

Not quite virtuous (none / 0) (#24)
by Sikpup on Sat Jul 28, 2001 at 02:30:15 PM EST

Just that they did what they were supposed to do, regulate communications, and did so in a manner that seemed to at least pay attention to society at large, instead of just $.

Now there is no concern for society, they have lost sight of their real reason for being, and are just another revenue generator.

The FCC used to be staffed with engineers. Now it's infested with lawyers and other social undesirables.



[ Parent ]
I couldn't tell you why, but... (none / 0) (#30)
by reverius on Tue Jul 31, 2001 at 04:19:53 PM EST

Your comment really shows how ignorant you are about regulation of industry. The point is not who knows more. Sure, companies know a hellova lot more about what they do than "the government"...

the point of regulation, however, is to keep the products and services of the companies in the best interest of the general public rather than in the best interest of profit.

The companies only care about the bottom line, and will screw over their customers (and anyone else) to make a buck. The government, by definition, is representative of the people and has to do what is in their best interest (although I realize a lot of the time it does not work this way)

Goodbye BeOS, You Shall Be Missed
[ Parent ]
Avoiding Government Intervention (3.50 / 2) (#12)
by dadams on Fri Jul 27, 2001 at 05:27:24 PM EST

To keep the Government from fiddling with things it knows nothing about, the market must learn to regulate itself.

Unfortunately, there's currently no incentive for a company to make the claim that their product is secure. Only a handful of projects do this (off the top of my head OpenBSD, EROS, TrustedBSD, Immunix, SELinux), and they live up to the standards they set. Microsoft, Red Hat, Sun, Apple, etc., need to be forced into a position where they make that claim and get burned when someone finds a hole. Only then will software houses take security seriously.



Simple (4.75 / 4) (#14)
by weirdling on Fri Jul 27, 2001 at 06:02:22 PM EST

Create a law that specifically denies restrictions on lawsuits in EULAs. Right now, buying a piece of software invariably includes an implied agreement to not sue the manufacturer for failure in fitness to purpose, security, acts of God, ad nauseam. If these companies were allowed to be sued for negligent errors on their part as any manufacturer of a meatspace item is, there'd be a lot fewer problems of this type, and the class action lawsuit would rid us of M$ overnight.

Once again, the solution is not regulation; it is the reduction in how a company can limit its liability such that they can be held accountable.

I'm not doing this again; last time no one believed it.
Gov can't organize us better than we can ourselves (3.00 / 3) (#21)
by turtleshadow on Fri Jul 27, 2001 at 09:42:48 PM EST

I've been here before at this same junction with my colleagues trying to figure out what's best for our customers.

I'm extremely fortunate I work with a large IT company and we have extensive guidelines on what is "allowed" and what is verboten (aka bet your badge). Over time IMHO it's become quite extensive and probably the best paranoia since my experiences with DOD. Better yet it's part of the culture. We never forget; what we learn on customer A, we make sure C, D, E all get that patch.

I've long been an advocate of better ethics and certification policies for IT professionals.

I'd rather see less idiot-proof software and hardware and more effort going into what is needed: programs promoting SBIT (Small Business Information Technology).

Over the last 150 years, numerous Western businesses in local economies have been sustained by the LOCAL Chamber of Commerce. I'm not so familiar with Asia and Europe but assume the same for democratic societies.

Not only is the Chamber a good place to network with people, but it also serves to promote needed business & community programs.
These types of programs are specifically geared to the average business owner to help file the correct forms, pool money for loans for capital improvements, assist in understanding the labor and banking laws, etc.
Unfortunately the Technical Generations have done mighty little to assist these groups.

Have we techies provided the following info, aka the killer pamphlets businesses seek?
  • 15 things to ask your ISP?
  • The 10 Hardest Questions of your System Administrator
  • 20 steps to developing a security policy
  • The 8 things you need to know about DMCA & software licenses
  • It's 1 A.M. do you know if your Database is safe?
  • How to instate a computer privacy policy and not get sued.

Some might say that's arming Pointy Haired Bosses worldwide with nukes. However it's a pointy, actually balding, Small Business Outsourcing customer that pays my wage. Keeping them in business keeps me employed. I'd rather not see them driven out of business by not knowing he couldn't sue M$ for the loss on that IIS problem X while the UNIX side of the house is all spit & polish.

It floors me that the SBA-type orgs are letting themselves get raped over ISDN, DSL, and Cable rates. I remember Grandpa recalling proudly the day the town got Union Pacific to route into town rather than around it. The power of the Grange was not to be disputed. I remember he recalled when the town bank was robbed they made damn sure the Banker paid the first year's salary of the new county sheriff.
There weren't Texas Rangers till towns insisted on laws.
There weren't G-Men till the bankrobbers and new urbanized organized crime of the '20s & '30s.
There weren't Sky Marshals till the hijackings of the '60s.
There wasn't a DEA till drug dealing became extremely profitable with ever more destructive substances.
There wasn't an NIPC till just recently when electronic fraud began silently wiping out businesses.

Humans do have a way of organizing that doesn't require a Gov Regulator or an accountant. Somehow that is being lost here.
At this point I hope the Universities would reach out and seize this opportunity. If they are too commercialized and busy building football arenas then perhaps it's up to the high schools. These institutions do have the best chance to grab a sizeable Gov grant to develop a model program that could then be given out as a CD in Computer Stores, Libraries, Shopping Malls, Schools and of course the local Chamber of Commerce.

AOLers think Fed Gov should fix this. To some extent it could, like where's the US ISP border patrol? Whoever is allowing raw 137,138 across the puddle ought to be educated. However 99.9% of problems are really a local problem as it impacts YOU.
As in medicine, true health security comes from a good grasp of the facts and practicing well-established safe protocols with partners.

Turtleshadow

I mentioned something topical on /. about security. (2.75 / 4) (#22)
by Inoshiro on Fri Jul 27, 2001 at 10:53:05 PM EST

Here is the comment (in response to "Renewed Crackdown On File Sharing"):

For a moment there, just a moment, I thought ISPs had done something useful -- cracked down on filesharing built into OSes.

How many systems are compromised because of a shared "C:" drive in Windows? How many Windows VBS worms spread over NetBIOS? How many SunRPC attacks? And even LPD..

@Home did something useful when it started scanning for open NNTP servers, as well as SOCKS servers. They also nicely block the "default" ports on BO and NetBus. Why can't they do something even better by blocking 111, 136-139, and 515 (incoming and outgoing)?

No, this article is just about targeting people who use the unlimited like it is unlimited, which pisses off the ISPs ("Of course we don't actually mean what we say.").

ISPs are a great choke point to reduce security problems by many measures. They could even portscan port 80 and disable insecure machines. As long as they're good about an EULA, the people who are secure wouldn't care (their machines are secure). And the people who are insecure would either become secure, or take their bad reputation to other ISPs.

--
[ イノシロ ]
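As an added example (not code from the original page or from any ISP), the following script models the access-network border filter Inoshiro's comment asks for: it drops the SunRPC, NetBIOS and LPD ports in both directions and flags subscribers who are either scanning outward on those ports or running one of the abuse-prone listeners the comment mentions. The flow-record format, subscriber addresses and notice wording are invented for the example; the port numbers are the well-known assignments, and 136 is included only because the comment gives the range 136-139.

```python
"""Model of an ISP-edge port filter for NetBIOS, SunRPC and LPD traffic.

Added example, not code from the original page.  It applies the block list
from the comment above to constructed flow records and reports which flows a
border filter would drop and which subscribers warrant a notification.
"""
from collections import defaultdict
from dataclasses import dataclass

# Destination ports dropped in both directions at the subscriber boundary.
# 111 = SunRPC portmapper, 137-139 = NetBIOS name/datagram/session,
# 136 only because the comment gives the range 136-139, 515 = LPD (tcp only).
BLOCKED_PORTS = {
    "tcp": {111, 136, 137, 138, 139, 515},
    "udp": {111, 136, 137, 138, 139},
}

# Subscriber-side listeners that deserve a notice rather than a silent drop:
# the open NNTP relays and SOCKS proxies the comment says @Home scanned for,
# plus the default Back Orifice and NetBus ports (well-known defaults).
ABUSE_LISTENERS = {
    ("tcp", 119): "open NNTP server",
    ("tcp", 1080): "open SOCKS proxy",
    ("udp", 31337): "Back Orifice default port",
    ("tcp", 12345): "NetBus default port",
}


@dataclass(frozen=True)
class Flow:
    direction: str  # "in": internet -> subscriber, "out": subscriber -> internet
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one 'dir src dst proto dport' record (invented format); rejects junk."""
    fields = line.split()
    if len(fields) != 5 or fields[0] not in ("in", "out") or fields[3] not in ("tcp", "udp"):
        raise ValueError(f"bad flow record: {line!r}")
    direction, src, dst, proto, dport = fields
    return Flow(direction, src, dst, proto, int(dport))


def verdict(flow: Flow) -> str:
    """'drop' if the destination port is on the edge block list, else 'allow'."""
    return "drop" if flow.dport in BLOCKED_PORTS[flow.proto] else "allow"


def subscriber_of(flow: Flow) -> str:
    """The subscriber is the destination of inbound and the source of outbound flows."""
    return flow.dst if flow.direction == "in" else flow.src


def apply_policy(lines):
    """Return (dropped flows, {subscriber: set of notices}).

    A notice is raised for an outbound flow on a blocked port (the signature of
    a worm scanning out of the subscriber's network) and for an inbound flow
    that reaches one of the abuse-prone listeners.
    """
    dropped = []
    notices = defaultdict(set)
    for raw in lines:
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        flow = parse_flow(line)
        sub = subscriber_of(flow)
        if verdict(flow) == "drop":
            dropped.append(flow)
            if flow.direction == "out":
                notices[sub].add(f"outbound {flow.proto}/{flow.dport} blocked: possible worm activity")
        elif flow.direction == "in" and (flow.proto, flow.dport) in ABUSE_LISTENERS:
            notices[sub].add(ABUSE_LISTENERS[(flow.proto, flow.dport)])
    return dropped, dict(notices)


# Constructed sample flows using RFC 5737 documentation addresses; nothing captured.
SAMPLE_FLOWS = """
# dir  src            dst            proto  dport
in     203.0.113.7    198.51.100.10  tcp    139    # outsider probing a shared C: drive
in     203.0.113.7    198.51.100.10  tcp    80     # ordinary web traffic, allowed
out    198.51.100.11  203.0.113.40   udp    137    # subscriber .11 scanning NetBIOS names outward
out    198.51.100.11  203.0.113.41   tcp    111    # ... and SunRPC portmappers
in     203.0.113.9    198.51.100.12  tcp    119    # outsider relaying news through subscriber .12
out    198.51.100.12  203.0.113.50   tcp    515    # subscriber .12 hunting LPD daemons
in     203.0.113.9    198.51.100.13  tcp    1080   # open SOCKS proxy on subscriber .13
"""


def summarize(text: str = SAMPLE_FLOWS) -> dict:
    """Run the policy over a block of flow records and return a plain summary."""
    dropped, notices = apply_policy(text.splitlines())
    return {
        "dropped": [(f.direction, f.proto, f.dport) for f in dropped],
        "notices": {sub: sorted(msgs) for sub, msgs in notices.items()},
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(summarize())
```

Running it directly prints the four dropped flows and the per-subscriber notices. The point the comment makes is visible in the sample: the same rule that stops an outsider reaching subscriber .10's NetBIOS share also stops subscriber .11 from scanning the rest of the net, which is why the filter has to apply to outgoing traffic as well as incoming.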
Regulation is Inevitable (none / 0) (#25)
by Bad Harmony on Mon Jul 30, 2001 at 05:42:17 AM EST

Whether it is by the government or a private group (Underwriters Laboratory), I believe regulations setting minimum standards for security are inevitable. The potential for damage to society from security flaws in mass-market software is just too great.

The problem is that our existing software infrastructure is a house of cards. Security can not be applied as an afterthought, it needs to be designed in from the beginning. If I were making the rules, I would ban unsafe languages such as C/C++ and operating systems with nonexistent or inadequate security models. That eliminates 99.999% of the systems on the Internet.

5440' or Fight!

Underwriters Labs (none / 0) (#26)
by wiredog on Mon Jul 30, 2001 at 08:34:25 AM EST

It's sort of happening already. Some insurance companies charge lower rates to customers who use unix variants. Underwriters Labs is funded by the insurance companies (thus "underwriters") and sets good standards. I've worked in an industrial automation shop and we found out that having UL inspect our equipment did two things. The first was that it raised the upfront cost to make the equipment, thus raising the sale price. The second was that it lowered the operating cost of the equipment, mainly from lower insurance rates, thus making our stuff less expensive to own, even though it cost more to buy. It would be interesting to see what UL would conclude from tests of Unix vs Windows vs anything else.

If there's a choice between performance and ease of use, Linux will go for performance every time. -- Jerry Pournelle
[ Parent ]
Schneier's idea (none / 0) (#28)
by wiredog on Mon Jul 30, 2001 at 03:02:23 PM EST

Last January

If there's a choice between performance and ease of use, Linux will go for performance every time. -- Jerry Pournelle
[ Parent ]
It's happened (none / 0) (#29)
by wiredog on Tue Jul 31, 2001 at 07:48:18 AM EST

FTC has proposed a regulation requiring patching.

If there's a choice between performance and ease of use, Linux will go for performance every time. -- Jerry Pournelle