Decius wrote:
] Jeremy wrote:
] ] If you are unable to actually solve your problems, you can
] ] at least generate a lot of paperwork to document those failures
] ] for posterity.
]
] I tend to agree. These problems are not the result of
] negligence. They are the result of complexity. Clearly the
] standards for handling all of this stuff are not "stable"
] enough to warrant the kind of controls that are possible in
] the automotive industry. These rules would create barriers to
] entry for small companies (which is why Microsoft likes them),
] but would do little to improve the situation (this code is
] already subject to review).
]
] Security is a systemic problem and it requires a systemic
] solution. The original White House plan embodied the right
] kind of approach and I don't think we should change course in
] a reactionary way. I still haven't seen the stuff in the
] White House strategy come down the pipe:
]
] 1. Government systems should be audited and subject to
] stringent standards.
] 2. Essential non-government systems should also be subject to
] standards. The existing HIPAA regulations are not an
] unreasonable starting point.
] 3. There ought to be clearing houses for information about
] vulnerabilities and good administrative practices.
] 4. Network service providers should be required to implement
] certain basic restrictions, such as anti-spoofing filters on
] the network's edge. We ought to offer tax subsidies and
] liability shelters to ISPs that "keep their house clean" in
] terms of scanning their customers' networks, running IDS
] systems, and moving "owned" customer machines off of the
] internet until they can be repaired.
] 5. This stuff ought to trickle down all the way to the home
] user. Home computer users ought to get messages from Tom Ridge
] telling them to keep their patches up to date. Your personal
] internet security status impacts all of us.
]
] Implicit in all of this mostly educational effort ought to be
] the message that computer security, much like preventing
] forest fires, is everybody's job. You ought to think about it.
]
] We need to train people to think about how their computers
] expose them to the network. What services are they offering?
] Should they implement NBT for file sharing, or something like
] WebDAV? Furthermore, we need to train people to feel personal
] ownership of the computer security problem and be responsible
] about it.
]
] This is not a silver bullet, but it would certainly have been
] possible for the 500,000 machines that got infected with
] Blaster to have patched their systems beforehand. How hard is
] it to click that Windows Update button when it flashes? Solid
] efforts to train people to do this will pay off in less costly
] incidents.

Be careful what you wish for here. Yes, people need to be responsible with their systems. But I think a lot of what you're suggesting goes over the line and will quickly spread to regulation and restriction. The government doesn't tell me how to raise my kids, so I don't see why they should tell me how to run my machines. You could potentially have a system where you get fined for dangerous behavior (a la speeding ticket), but here again, it's a slippery slope. Personally, I understand that driving fast increases the likelihood of danger, but when the government sets the speed limit to artificially low levels to act as a revenue stream, that's a problem.

RE: Digital Vandalism Spurs a Call for Oversight