March 27, 2010 at 10:38 pm
Maybe I should have made this comment before reading and responding to other ones, but I don't think this will make much duplication.
If the US government attempts to introduce such standards and enforce the internationally without getting agreement with other nations (something which it has no right to do, appears to be constitutionally forbidden to do, but has a rather nasty habit of doing, often by using force of arms and with the regrettable support of my country's government) there will be a rather nasty row, and there is a risk that the internet will become partitioned into the US bits and the rest of the world. I believe that that's not something anyone wants to see (except maybe a few congressman and a couple of senators).
If there's an attempt to hand over security regulation to a private and totally unaccountable and irresponsible outfit like ICANN which is for some purposes a tool of the US government there will be an strong international backlash, with a risk similar to that noted above.
The are only two ways for the internet to become secure while remaining a worldwide open internet:
1. all internet users could become security aware and adopt sensible security measures; I don't believe this will happen in my lifetime (or that of anyone alive today) - people are just too lazy or too stupid or too careless or (more often than not) all three; or 2. ISPs take repsonsibility for security, which certainly won't happen without legislation, and legislation won't be useful unless it is internationally agreed and enacted and properly enforced (and even then we will have everyone using an ISP of convenience, much as merchant ships today have a flag of convenience).
As for secure databases (not leaking information which should not be leaked, and not being modified to distort the nformation their data supports): well, the obvious problem is that someone has access and that someone has to be trusted. We could go for the old DoD coloured books and take whatever the database equivalent of the orange book's B2 (or A, but I believe no-one ever achieved certification for that level) is, but very few people are going to put up with the operational problems entailed by that (it's a real nightmare to work with - I know, I've been there, although not with DB) so it won't happen generally. So in any real sense most databases will be insecure - or at best only as secure as is our trust in the people who have access. That's trust that they will always be careful and never make a mistake, as well as trust that they won't deliberately breach security; security with regard to the latter is merely difficult, but security with regard to the former is probably totally nonexistant.
Tom
March 28, 2010 at 2:20 pm
There are several fairly decent outfits which already provide freeware AV and anti-spyware (AVG, Spyware S&D, and so on and so forth) but you can bet quite safely that no-one selling certifications would let their certicifation program take account of any freeware installed. So the likely effect is to take good and effective freeware out of the system and push second rate proprietary AV in, reducing overall security (for example I don't regard a system that doesn't run Spybot S&D - or something else as good - as secure at all: I've known it detect trojans that even Trend missed, and Trend is maybe the only big name I trust in this area, and it provides a few nice features that most of the commercial outfits don.t bother with).
That is correct Microsoft also now provides one free that detects Trojans Trend missed but it is available to only Vista and Windows 7 users so there is an easy commercial solution that will benefit Intel, AMD and Microsoft.
I was infected twice while reading news on Yahoo, I blame the company that gave https and Visa and Mastercard transaction gateway to thieves. The US government now pays to monitor the victims of the VA data breach so I think lawyers need to make Visa and Mastercard to provide better due diligence.
Kind regards,
Gift Peddie
March 28, 2010 at 3:43 pm
Gift Peddie (3/28/2010)
That is correct Microsoft also now provides one free that detects Trojans Trend missed but it is available to only Vista and Windows 7 users so there is an easy commercial solution that will benefit Intel, AMD and Microsoft.
I'd like to try the MS AV offering sometime, but until I either become insane and install Vista or become rich and install Windows 7 I can't do it. Of course I could go back to full time permanent employment and let my employer pay for Windows 7 (or for a suitable developer subscription to give me full MSDN download access again) but full time permanent employment is currently a firm no-no (3 reasons: (a) I'm too busy and (b) my wife would do something very nasty to me and (c) doing what I like is more fun that doing what someone else tells me).
Tom
March 28, 2010 at 10:41 pm
I'd like to try the MS AV offering sometime, but until I either become insane and install Vista or become rich and install Windows 7 I can't do it. Of course I could go back to full time permanent employment and let my employer pay for Windows 7 (or for a suitable developer subscription to give me full MSDN download access again) but full time permanent employment is currently a firm no-no (3 reasons: (a) I'm too busy and
Microsoft can remove all 1gig and 2gig running boxes by providing rebates through mass retailers.
Then all others can be offered rebates for new PCs, that will reduce exposure to the few who chooses to use XP.
It is in Microsoft's best interest to get this tool to users because I ran it in a Vista box and there where 15 Trojans after running standard Trend.
(b) my wife would do something very nasty to me and
That is very funny, hey I will send a PM later.
Kind regards,
Gift Peddie
March 29, 2010 at 6:50 am
I'll gladly concede that commercial vendors would be inclined to push the free offerings out of the market. That is what they're there for. Any time you get two capitalists together, the first thing they are expected to do is collude to eliminate further competition....
Yet still, if we are to keep government regulations off our pocketbooks, some method of certifying as secure would be needed. Would it be better to commission 5 companies to determine standards, with membership allowing one "vote" for board members? Or would it be better to deal with whatever commission the government requires?
I would submit that standards established by the community, for the community, would be better than anything imposed upon us. We would have our own voice in the matter, and it could be more effective, across borders, because it's a voluntary membership. ISO certification is effective because it is desirable for the community and ISO certification is voluntary in industry.
Jim
March 29, 2010 at 7:28 pm
Jim Lang (3/29/2010)
Yet still, if we are to keep government regulations off our pocketbooks, some method of certifying as secure would be needed. Would it be better to commission 5 companies to determine standards, with membership allowing one "vote" for board members? Or would it be better to deal with whatever commission the government requires?
5 companies, one board member each - we would get a lowest common denominator result, it would be as bad as Fortran standardisation in the bad old days: a dialogue something like "Hey, we can't allow a requirement to protect against this new XYZ thing, our development guys would be at a disadvantage because you've already been working on it and we haven't" - "OK, we'll leave out XYZ protection provided we also leave out ABC protection, where you guys have the advantage." That way we end up with the required security being the worst of all possible worlds. Of course there might be some mileage in it if you stipulated that none of the 5 companies commissioned were involved in providing security/protection software or services and would not be permitted to be involved in that business until at least 10 years after they ceased being represented on the board and added some safeguards preventing the representatives from moving to a security company during those 10 years or a security company taking over a formerly represented company within the 10 years.
I would submit that standards established by the community, for the community, would be better than anything imposed upon us. We would have our own voice in the matter, and it could be more effective, across borders, because it's a voluntary membership. ISO certification is effective because it is desirable for the community and ISO certification is voluntary in industry.
I'm not too sure about ISO after the doc format standardisation process was successfully hijacked by Microsoft. Finding the right set of academics to propose a standard might be a better bet, provided academic spin-offs were avoided. Or get some of the leaders of the open source movement plus some of the WWW consortium plus some good academics (people like Ross Anderson, not establishment academics) to specify something.
But at the end of the day you need enforcement in some shape or form. That's going to need government involvement, probably, because I don't see ISPs being willing to enforce security unless they are forced to. And government involvement in something like this scares me stiff.
Tom
March 30, 2010 at 11:56 am
If business doesn't address the issue, government will address it.
March 30, 2010 at 12:08 pm
And yet, still, I would prefer a voluntary system that uses peer pressure and customer demands to involuntary regulations. I would much rather say "pound salt" because I can.
Yes, Microsoft got the .docx format accepted. So what? I do NOT have to accept it or support it. That's the beauty of an open standard. Microsoft has an acceptable file format per ISO standards. Accept it or not.
Require ISPs to support such a standard? No. Ask them to? Sure. And when it comes time to select a vendor, why not ask about standards compliance?
Again, if standards are voluntary or mandatory, I would much prefer community supported and voluntary to mandatory, no matter the source.
Viewing 8 posts - 46 through 52 (of 52 total)
You must be logged in to reply to this topic. Login to reply