[discuss] Who is responsible for security

Brian E Carpenter brian.e.carpenter at gmail.com
Thu Jan 16 19:08:29 UTC 2014



On 16/01/2014 22:24, Roland Perry wrote:
> In message <52D6E45E.5080106 at gmail.com>, at 08:41:18 on Thu, 16 Jan
> 2014, Brian E Carpenter <brian.e.carpenter at gmail.com> writes
>> On 16/01/2014 07:40, Roland Perry wrote:
>>> In message <20140114225417.GC20300 at mx1.yitter.info>, at 17:54:17 on Tue,
>>> 14 Jan 2014, Andrew Sullivan <ajs at anvilwalrusden.com> writes
>>>>> And do you think motor car suppliers should provide the facilities
>>>>> to train all drivers to be able to perform the 10,000 mile service?
>>>>
>>>> To follow your analogy, no; but I _do_ expect my dealer to charge me
>>>> when I go in for the service, or else to bury it somehow in the price
>>>> of the car.
>>>
>>> And why should someone paying a few tens of hundred dollars a year for
>>> their Internet connectivity not expect some of that to be spent on "user
>>> security"?
>>
>> IMHO what is important is that the ISP's sales literature and small
>> print should be accurate in describing what they do or don't do in
>> terms of end-user security, and in describing what users are left
>> to do for themselves.
> 
> That would be helpful, but today it's quite clear that they don't. In
> many cases there isn't any sales literature at all, and even the
> simplest technical parameters are unpublished.
> 
> If they were, then almost all of our 2 billion users would have no idea
> what it meant.
> 
>> Again, there's a car analogy. Car makers are in fact pretty good
>> at this now (in countries where I've bought a car) but they
>> weren't very good at it fifty years ago.
>>
>> When society started to look at it as a consumer protection issue,
>> and not as a "Car governance" issue, we got the right answer.
> 
> 'Consumer protection' generally comes down to resolving financial
> disputes with a supplier.
> 
> And the ways that governments make vehicles safer is precisely by
> applying "Car Governance" - a set of complex rules about how the design
> of a car has to meet various criteria.

Which all started with "Unsafe at any speed". I'm not denying that
IT security may need regulation - my point is that it has to start
with the recognition that it's an issue for society and that's got
to come from the consumer side, as it did with car safety.

Since most of the security exposures popularly blamed on the
Internet are actually due to weaknesses in the end systems, it's
especially important to remove most of this problem from the
IG rubric.

    Brian


