Re: motivating security, was Re: Every incident...

  • From: Alexander Harrowell
  • Date: Mon Feb 12 10:10:05 2007
On 2/12/07, Edward Lewis <[email protected]> wrote:
Security is never something I should want, it is always
something I have to have.  

No-one wants "security", they want not-trouble. Similar to the point that no-one wants energy, they want warm rooms and cold beers. Perhaps we need a concept of "security efficiency"? 

Security has to resign itself to being
second-class in the hearts and minds of society.  Security has to be
provided in response to its environment and not complain about its
lot in life.

(I realize that this post doesn't say anything about people "dying" -
I've heard that in other contexts.)


>Society holds individuals accountable for many forms of irresponsible

This is true, but individuals are not held entirely accountable.  A
reckless driver can cause a multi-car accident on an exit ramp and
cause a tie up for the entire morning rush.  Are the "victims" of
this compensated?  What about the person who loses a job offer
because of a missed interview and suffers fallout from that?

And maybe it isn't recklessness.  A failed water pump may cause a
breakdown, followed by an accident, etc.  Mentioned just to spread
the analogy out.

The whole logic of modern computing is that everything migrates towards users. Why shouldn't security? After all, if people didn't let the nasties in, 'twould be very hard to start a botnet..

>There's no need to make exceptions for
>computer users. Make computer-owners/users pay in full for damages
>caused by their equipment with no discount for incompetence.

If that happened, then computer users would be the exception.  I
can't think of any situation in which an accident might occur and the
one causing the accident pays in full to everyone.

True, but there are plenty of examples of either market (insurance) or government (regulation) solutions to problems where the individual's misfortune also falls on society. Arguably the bulk of the costs of malware proliferation is an externality - the benefits go to the enemy, but costs aren't restricted to the hacked. Not even close.

I used to work for a gov't facility whose mission was science.  They
had a serious telecommunications problem on their hands.  Although it
was important to solve, they funded science first - up until all the
telecom problems became "too annoying" and money was allocated to
solve the problem.

The appropriate analogy is the Great Stink of 1858. London had been suffering from not having sewerage for years, and poor people had been dying in droves from cholera, but nobody with the power to do anything about it cared enough until the Thames got so bad the committee rooms on the river side of Whitehall stank so much nobody would go in them. Then, wham, out came the chequebook, the compulsory purchase powers, and in came Joseph Bazalgette, with the result of an infrastructure used to this day.