nanog mailing list archives
Re: motivating security, was Re: Every incident...
From: "Alexander Harrowell" <a.harrowell () gmail com>
Date: Mon, 12 Feb 2007 14:59:03 +0000
On 2/12/07, Edward Lewis <Ed.Lewis () neustar biz> wrote:
Security is never something I should want, it is always something I have to have.
No-one wants "security", they want not-trouble. Similar to the point that no-one wants energy, they want warm rooms and cold beers. Perhaps we need a concept of "security efficiency"? Security has to resign itself to being
second-class in the hearts and minds of society. Security has to be provided in response to it's environment and not complain about it's lot in life. (I realize that this post doesn't say anything about people "dying" - I've heard that in other contexts.)
Yup
Society holds individuals accountable for many forms of irresponsible >behaviour. This is true, but individuals are not held entirely accountable. A reckless driver can cause a multi-car accident on an exit ramps and cause a tie up for the entire morning rush. Are the "victims" of this compensated? What about the person who loses a job offer because of a missed interview and suffers fallout from that? And maybe it isn't recklessness. A failed water pump may cause a breakdown, followed by an accident, etc. Mentioned just to spread the analogy out.
The whole logic of modern computing is that everything migrates towards users. Why shouldn't security? After all, if people didn't let the nasties in, 'twould be very hard to start a botnet..
There's no need to make exceptions for >computer users. Make computer-owners/users pay in full for damages >caused by their equipment with no discount for incompetence. If that happened, then computer users would be the exception. I can't think of any situation in which an accident might occur and the one causing the accident pays in full to everyone. [snip]
True, but there are plenty of examples of either market (insurance) or government (regulation) solutions to problems where the individual's misfortune also falls on society. Arguably the bulk of the costs of malware proliferation is an externality - the benefits go to the enemy, but costs aren't restricted to the hacked. Not even close. I used to work for a gov't facility whose mission was science. They
had a serious telecommunications problem on their hands. Although it was important to solve, they funded science first - up until all the telecom problems became "too annoying" and money was allocated to solve the problem.
The appropriate analogy is the Great Stink of 1858. London had been suffering from not having sewerage for years, and poor people had been dying in droves from cholera, but nobody with the power to do anything about it cared enough until the Thames got so bad the committee rooms on the river side of Whitehall stank so much nobody would go in them. Then, wham, out came the chequebook, the compulsory purchase powers, and in came Joseph Bazalgette, with the result of an infrastructure used to this day.
Current thread:
- Re: Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers), (continued)
- Re: Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers) Marshall Eubanks (Feb 12)
- Re: Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers) Dave Pooser (Feb 12)
- Re: Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers) D'Arcy J.M. Cain (Feb 12)
- Re: Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers) Seth Johnson (Feb 19)
- Re: Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers) D'Arcy J.M. Cain (Feb 12)
- Re: Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers) Per Heldal (Feb 12)
- motivating security, was Re: Every incident... Edward Lewis (Feb 12)
- Re: motivating security, was Re: Every incident... Per Heldal (Feb 12)
- Re: motivating security, was Re: Every incident... John Bittenbender (Feb 13)
- Re: motivating security, was Re: Every incident... coonrad (Feb 12)
- Message not available
- Re: motivating security, was Re: Every incident... Alexander Harrowell (Feb 12)
- Re: motivating security, was Re: Every incident... Edward Lewis (Feb 12)
- Message not available
- Re: motivating security, was Re: Every incident... Alexander Harrowell (Feb 12)
- Re: Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers) Joseph S D Yao (Feb 12)