[discuss] Who is responsible for security

Thu Jan 16 09:24:35 UTC 2014

In message <52D6E45E.5080106 at gmail.com>, at 08:41:18 on Thu, 16 Jan 
2014, Brian E Carpenter <brian.e.carpenter at gmail.com> writes
>On 16/01/2014 07:40, Roland Perry wrote:
>> In message <20140114225417.GC20300 at mx1.yitter.info>, at 17:54:17 on Tue,
>> 14 Jan 2014, Andrew Sullivan <ajs at anvilwalrusden.com> writes
>>>> And do you think motor car suppliers should provide the facilities
>>>> to train all drivers be able to perform the 10,000 mile service?
>>>
>>> To follow your analogy, no; but I _do_ expect my dealer to charge me
>>> when I go in for the service, or else to bury it somehow in the price
>>> of the car.
>>
>> And why should someone paying a few tens of hundred dollars a year for
>> their Internet connectivity not expect some of that to be spent on "user
>> security"?
>
>IMHO what is important is that the ISP's sales literature and small
>print should be accurate in describing what they do or don't do in
>terms of end-user security, and in describing what users are left
>to do for themselves.

That would be helpful, but today it's quite clear that they don't. In 
many cases there isn't any sales literature at all, and even the 
simplest technical parameters are unpublished.

If they were, then almost all of our 2 billion users would have no idea 
what it meant.

>Again, there's a car analogy. Car makers are in fact pretty good
>at this now (in countries where I've bought a car) but they
>weren't very good at it fifty years ago.
>
>When society started to look at it as a consumer protection issue,
>and not as a "Car governance" issue, we got the right answer.

'Consumer protection' generally comes down to resolving financial 
disputes with a supplier.

And the ways that governments make vehicles safer is precisely by 
applying "Car Governance" - a set of complex rules about how the design 
of a car has to meet various criteria.

-- 
Roland Perry