[discuss] Who is responsible for security

Roland Perry roland at internetpolicyagency.com
Thu Jan 16 20:34:23 UTC 2014

In message <52D82E2D.2080806 at gmail.com>, at 08:08:29 on Fri, 17 Jan 
2014, Brian E Carpenter <brian.e.carpenter at gmail.com> writes
>>> When society started to look at it as a consumer protection issue,
>>> and not as a "Car governance" issue, we got the right answer.
>> 'Consumer protection' generally comes down to resolving financial
>> disputes with a supplier.
>> And the way that governments make vehicles safer is precisely by
>> applying "Car Governance" - a set of complex rules about how the design
>> of a car has to meet various criteria.
>Which all started with "Unsafe at any speed".

That's particular to the USA.

>I'm not denying that
>IT security may need regulation - my point is that it has to start
>with the recognition that it's an issue for society and that's got
>to come from the consumer side, as it did with car safety.

In Europe the demand has come mainly from government, not the consumers,
who quite often resented the extra restrictions and expense that
'better' safety measures imposed upon them.

>Since most of the security exposures popularly blamed on the
>Internet are actually due to weaknesses in the end systems, it's
>especially important to remove most of this problem from the
>Ig rubric.

The 'popular' weaknesses are more to do with a lack of built-in 
authentication in the core. With apologies for introducing spam again, 
Open Relays are a classic example.

Roland Perry