Digital Vandalism Spurs a Call for Oversight by Jeremy at 12:14 pm EDT, Sep 1, 2003
As Internet users brace for the next round of digital vandalism, some experts say that it is time ... "What we're seeing is that voluntary efforts are insufficient, and the repercussions are vast," says Michael A. Vatis, former director of the National Infrastructure Protection Center at the Federal Bureau of Investigation. ... One proposal would require public companies to disclose potential computer security risks in SEC filings. [ Ha! ] "There's a reason this kind of thing doesn't happen with automobiles," says Bruce Schneier. A new California law requires disclosure of computer security breaches if they result in unauthorized access to residents' personal information; customers can sue businesses in violation for civil damages. A new Pew survey said 60 percent favor requiring corporations to disclose vulnerability information. "I kind of despair of the government doing anything," said Richard A. Clarke.

I can see it now: "This software may contain certain forward-looking statements ... [which] are necessary estimates reflecting the best judgment of jun^h^h^hsenior programmers that rely on a number of assumptions ..."

If you are unable to actually solve your problems, you can at least generate a lot of paperwork to document those failures for posterity.

From the new employee manual: "All source code must be reviewed by legal ... A financial impact statement must be provided for each entry in the programmer-provided risk assessment ..."
RE: Digital Vandalism Spurs a Call for Oversight by Decius at 11:38 pm EDT, Sep 3, 2003
Jeremy wrote:
] If you are unable to actually solve your problems, you can at
] least generate a lot of paperwork to document those failures
] for posterity.

I tend to agree. These problems are not the result of negligence. They are the result of complexity. Clearly the standards for handling all of this stuff are not "stable" enough to warrant the kind of controls that are possible in the automotive industry. These rules would create barriers to entry for small companies (which is why Microsoft likes them), but would do little to improve the situation (this code is already subject to review).

Security is a systemic problem and it requires a systemic solution. The original White House plan embodied the right kind of approach and I don't think we should change course in a reactionary way. I still haven't seen the stuff in the White House strategy come down the pipe:

1. Government systems should be audited and subject to stringent standards.
2. Essential non-government systems should also be subject to standards. The existing HIPAA regulations are not an unreasonable starting point.
3. There ought to be clearing houses for information about vulnerabilities and good administrative practices.
4. Network service providers should be required to implement certain basic restrictions, such as anti-spoofing filters on the network's edge. We ought to offer tax subsidies and liability shelters to ISPs that "keep their house clean" in terms of scanning their customers' networks, running IDS systems, and moving "owned" customer machines off of the internet until they can be repaired.
5. This stuff ought to trickle down all the way to the home user. Home computer users ought to get messages from Tom Ridge telling them to keep their patches up to date. Your personal internet security status impacts all of us.

Implicit in all of this mostly educational effort ought to be the message that computer security, much like preventing forest fires, is everybody's job. You ought to think about it.

We need to train people to think about how their computers expose them to the network. What services are they offering? Should they implement NBT for file sharing, or something like WebDAV? Furthermore, we need to train people to feel personal ownership of the computer security problem and be responsible about it.

This is not a silver bullet, but it would certainly have been possible for the 500,000 machines that got infected with Blaster to have patched their systems beforehand. How hard is it to click that Windows Update button when it flashes? Solid efforts to train people to do this will pay off in less costly incidents.
RE: Digital Vandalism Spurs a Call for Oversight by flynn23 at 9:19 am EDT, Sep 4, 2003
Decius wrote:
] Jeremy wrote:
] ] If you are unable to actually solve your problems, you can at
] ] least generate a lot of paperwork to document those failures
] ] for posterity.
]
] I tend to agree. These problems are not the result of negligence. They are the result of complexity. Clearly the standards for handling all of this stuff are not "stable" enough to warrant the kind of controls that are possible in the automotive industry. These rules would create barriers to entry for small companies (which is why Microsoft likes them), but would do little to improve the situation (this code is already subject to review).
]
] Security is a systemic problem and it requires a systemic solution. The original White House plan embodied the right kind of approach and I don't think we should change course in a reactionary way. I still haven't seen the stuff in the White House strategy come down the pipe:
]
] 1. Government systems should be audited and subject to stringent standards.
] 2. Essential non-government systems should also be subject to standards. The existing HIPAA regulations are not an unreasonable starting point.
] 3. There ought to be clearing houses for information about vulnerabilities and good administrative practices.
] 4. Network service providers should be required to implement certain basic restrictions, such as anti-spoofing filters on the network's edge. We ought to offer tax subsidies and liability shelters to ISPs that "keep their house clean" in terms of scanning their customers' networks, running IDS systems, and moving "owned" customer machines off of the internet until they can be repaired.
] 5. This stuff ought to trickle down all the way to the home user. Home computer users ought to get messages from Tom Ridge telling them to keep their patches up to date. Your personal internet security status impacts all of us.
]
] Implicit in all of this mostly educational effort ought to be the message that computer security, much like preventing forest fires, is everybody's job. You ought to think about it.
]
] We need to train people to think about how their computers expose them to the network. What services are they offering? Should they implement NBT for file sharing, or something like WebDAV? Furthermore, we need to train people to feel personal ownership of the computer security problem and be responsible about it.
]
] This is not a silver bullet, but it would certainly have been possible for the 500,000 machines that got infected with Blaster to have patched their systems beforehand. How hard is it to click that Windows Update button when it flashes? Solid efforts to train people to do this will pay off in less costly incidents.

Be careful what you wish for here. Yes, people need to be responsible with their systems. But I think a lot of what you're suggesting goes over the line and will quickly spread to regulation and restriction. The government doesn't tell me how to raise my kids, so I don't see why they should tell me how to run my machines. You could potentially have a system where you get fined for dangerous behavior (a la speeding ticket) but here again, it's a slippery slope. Personally, I understand that driving fast increases the likelihood of danger, but when the government sets the speed limit to artificially low levels to act as a revenue stream, that's a problem.