We Really Need Better Security

  • Steve Jones - SSC Editor

    SSC Guru

    Points: 715810

    Comments posted to this topic are about the item We Really Need Better Security

  • jay-h

    SSCoach

    Points: 18808

    I doubt the EU initiative will really reduce data breaches (CIA and NSA somehow weren't able to protect their own data).

    Cardinal Richelieu is quoted as saying "If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged."
      I believe the GDPR is basically like this, no matter what the failure point it is simply a mechanism to attach blame and extract money.

    There is a very big difference between computer security regulation and, say, fire safety regulations. Basic principles remain good, fire does not learn any new tricks. With software, some very smart people including groups with the resource backing of nation states are actively looking for ways to subvert it. There will always be some who succeed. Redefining the victim organizations as criminals fixes nothing.

    ...

    -- FORTRAN manual for Xerox Computers --

  • jasona.work

    SSC-Forever

    Points: 49887

    I'm not sure government regulation is going to be the way to go (as jay-h commented, how'd that work out for the NSA?) but something does need to be done.  IoT vendors have been able to take advantage of the consumers mindset of "it's just a thermostat / sprinkler controller / home lighting / DVR / router, as long as it works I don't care" since the outset.  The problem is, the majority of consumers will continue to have the mindset *UNTIL* their stuff starts to not work because of the malware.

    As for the aircraft, I can understand why it could cost ~$1M to change a line of code, likely their software has to go through a full re-certification with the FAA, to verify that the code change won't cause problems elsewhere...

  • jay-h

    SSCoach

    Points: 18808

    jasona.work - Monday, November 20, 2017 7:05 AM

    ...
    As for the aircraft, I can understand why it could cost ~$1M to change a line of code, likely their software has to go through a full re-certification with the FAA, to verify that the code change won't cause problems elsewhere...

    Which brings up another problem. In a tightly regulated field, even FIXING a problem gets far more complex and costly. Similar to the problem (I don't know if it's been finally addressed satisfactorily) of medical equipment running Windows. It was not legal to even do windows security patches without full review by FDA which was costly, and even more critically, very time consuming. So, in essence the regulations reduced the security of the product.

    ...

    -- FORTRAN manual for Xerox Computers --

  • Eric M Russell

    SSC Guru

    Points: 125018

    ... Bruce Schneier has called for regulation of IoT devices. Most people resist any sort of regulatory approach, but I'm not sure this is a bad idea. Not specifics, but perhaps some good guidelines will help...

    I tend to agree too. Sure, too much regulation or poorly thought out regulation is a bad thing, but regulation is the government's primary job. I reject the notion that there should be two standards of regulation and law, one for Main Street / Wall Street and another for the Internet.

    Google should be classified as a communications utility company and de-monopolized.
    FaceBook should be regulated as a media conglomerate.
    Amazon should be taxed just like any other retailer.

    These are not new concepts; it's simply acknowledging that for the past 20 years the public has been communicating, getting their daily news, and shopping online, so existing law needs to expand to cover the entire world, both physical and virtual.

    While we're at it, PII should be considered a potentially hazardous material and international law should govern how and when it is stock piled. 

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • chrisn-585491

    SSCoach

    Points: 15866

    We don't have leadership either government or corporate that is willing to make the mandates and penalties work to enforce security. With technology we are still in a "Wild West" situation. Plus the freedom we currently have with technology requires a "high trust" culture, which doesn't exist in this age of globalization and  reality denial.

    Technical-wise we have crappy software written in crappy languages on crappy OSes by poorly trained workers that cargo-cult and fetish while being lead by crappy management that serves an security apathic elite .

  • Steve Jones - SSC Editor

    SSC Guru

    Points: 715810

    jay-h - Monday, November 20, 2017 7:17 AM

    Which brings up another problem. In a tightly regulated field, even FIXING a problem gets far more complex and costly. Similar to the problem (I don't know if it's been finally addressed satisfactorily) of medical equipment running Windows. It was not legal to even do windows security patches without full review by FDA which was costly, and even more critically, very time consuming. So, in essence the regulations reduced the security of the product.

    I didn't necessarily say tightly regulated, but HIPAA and PCI have forced companies to do a better job, although we could argue how much better. These are light frameworks that don't have tight regulations or specifics, neither of which will work. I would argue we could have some force applied by the government to do something, with our industry, perhaps insurance with better informed auditors (maybe a new job area) that decide on what is appropriate.

Viewing 7 posts - 1 through 7 (of 7 total)

You must be logged in to reply to this topic. Login to reply