[94923] in North American Network Operators' Group
Re: motivating security, was Re: Every incident...
daemon@ATHENA.MIT.EDU (John Bittenbender)
Wed Feb 14 01:03:03 2007
Date: Tue, 13 Feb 2007 22:00:12 -0800
From: "John Bittenbender" <kisanth88@gmail.com>
To: nanog@nanog.org
In-Reply-To: <1171294470.13547.88.camel@localhost.localdomain>
Errors-To: owner-nanog@merit.edu
On 2/12/07, Per Heldal <heldal@eml.cc> wrote:
>
>
> On Mon, 2007-02-12 at 09:06 -0500, Edward Lewis wrote:
> > I've worked in security for some time, not that it makes me an expert
> > but I have seen how it is promoted/advertised.
> >
> > On Feb/12/07, someone wrote:
> >
> > >Consumers are cheap and lazy.
> >
> > I think that is the wrong place to start. It isn't the consumer's
> > fault that they have a device more dangerous than they think. Look
> > at what they are being sold - a device to store memories, a device to
> > entertain them, a device to connect with people they want to talk to.
> >
> > Everyone economizes on what they think is unimportant. A consumer
> > doesn't care for the software, they care for the person on the other
> > side of the connection. They care about the colors in the office,
> > the taste of the food, etc. So it may appear they "low-ball" that
> > part of the computer equation.
> >
> > My point is that it is convenient to blame this on the consumers when
> > the problem is that the technology is still just half-baked.
> >
> > >What they need is a serious incentive to care about security.
> >
> > I find this to be a particularly revolting thought with regards to
> > security. Security is never something I should want, it is always
> > something I have to have. Not "need" but something I am resigned to
> > have to have. This is like saying "folks will have to die before a
> > traffic signal is put here" or "more planes will have to be taken by
> > hijackers before the TSA is given the funding it needs." Security
> > shouldn't wait for a disaster to promote it - you might as well be
> > chasing ambulances. Security has to resign itself to being
> > second-class in the hearts and minds of society. Security has to be
> > provided in response to its environment and not complain about its
> > lot in life.
> >
> > (I realize that this post doesn't say anything about people "dying" -
> > I've heard that in other contexts.)
> >
>
> You're missing the point. My suggestion lies along the lines of "follow
> the money-trail". I want consumers held responsible so that they in turn
> can move the focus to where it belongs; IT vendors.
>
>
> > >Society holds individuals accountable for many forms of irresponsible
> > >behaviour.
> >
> > This is true, but individuals are not held entirely accountable. A
> > reckless driver can cause a multi-car accident on an exit ramp and
> > cause a tie up for the entire morning rush. Are the "victims" of
> > this compensated? What about the person who loses a job offer
> > because of a missed interview and suffers fallout from that?
>
> The system isn't perfect but does that mean we should ditch all attempts
> at regulation? If the no-touch approach towards IT was applied to
> traffic and the automotive industry we could just as well drop all
> regulation of traffic. No rules, no offences.

If you take the driver = computer operator argument as valid (pretty
close); then here perhaps is the meat of the matter.

A driver is someone that has to pass a test and pay for a license to be able
to operate a potentially lethal vehicle. Now while in theory a computer can
be lethal, in general it is not.

With the above said in regards to lethality, regarding the costs potentially
involved in incorrect operation a computer can be near a car.

Accepting this analogy as true would imply that we should start licensing
computer users.

However, given the general non-lethality of a computer coupled with the
idea that a computer license could potentially stifle our industry and limit
innovation/education. (That kid whose parents might just barely be able to
afford a PC might not be able to operate it without a license - two fold
problem sales and familiarity) So, in regards to not hurting our collective
industry (fiscally or in regards to talent to hire down the line) via
regulation and/or financial restrictions like insurance, perhaps we should
lobby for a tax break from the federal government for computer use training
classes. Make it not-OS-specific, as long as you have taken a class that
covers an industry body's recommendation for material you get X dollars back
from the federal government.

Tax breaks, IMO, have been proven to be a great incentive for consumers and
corporations alike in regards to influencing the public good. Whereas
regulation has generally been a stifling influence on innovation and leads to
government bloat and overhead.

Thoughts?

JB