[discuss] Who is responsible for security

Fri Jan 17 07:26:26 UTC 2014

I think we need to recall that at there are issues related to government policies on security as well as technical issues related to security.  The pace of change of technology and uses of information makes it I'll advised for government policies to be too specific in the details of security or it's technical implementation...

Finally to take the lock analogy too far, all parties have responsibility; the lock makers, the lock installers  as well as the users.  The user, for example, cannot reasonably use a suitcase lock to secure a house, but likewise, the user cannot be expected to have the expertise of either the lock maker or installer.

Joe

Sent from my iPad

> On Jan 17, 2014, at 6:22 AM, Nick Ashton-Hart <nashton at ccianet.org> wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> +1 Roland
> 
> Security in its various guises is THE policy subject with respect to the Internet. Therefore, it cannot be divorced from IG and if you try policymakers will write you (you in this instance being whatever part of the Internet policy community tries to suggest it isn't an IG issue) out of the equation.
> 
> There seems to be a strain of thought that issues of technical governance / management can be divorced from the broader issues driving Internet policy. This is just not true, nor has it been for some time.
> 
> Inline responses
> 
> Roland Perry <roland at internetpolicyagency.com> wrote:
>> In message <52D82E2D.2080806 at gmail.com>, at 08:08:29 on Fri, 17 Jan
>> 2014, Brian E Carpenter <brian.e.carpenter at gmail.com> writes
> 
> <snip>
> 
>>> Since most of the security exposures popularly blamed on the
>>> Internet are actually due to weaknesses in the end systems, it's
>>> especially important to remove most of this problem from the
>>> Ig rubric.
> 
> This is simply not the case, or we wouldn't be taking about mass surveillance in the way that we are. This conception, with respect, became obsolete on week 1 of the Snowden disclosures.
> 
>> The 'popular' weaknesses are more to do with a lack of built-in
>> authentication in the core. With apologies for introducing spam again,
>> Open Relays are a classic example.
> 
> +1
> 
> And there are many more, such as plaintext exchanges of email between mail servers that have not implemented SSL/TTLS/etc.
> - --
> Sent from my Android phone with K-9 Mail. Please excuse my brevity.
> -----BEGIN PGP SIGNATURE-----
> Version: APG v1.0.9
> 
> iQFEBAEBCgAuBQJS2L37JxxOaWNrIEFzaHRvbi1IYXJ0IDxuYXNodG9uQGNjaWFu
> ZXQub3JnPgAKCRDGL9fGMqbWTQ71B/4lmJuOnmHQB/KjPeQMgoifM+rY75WTJC1E
> EWNz8g4dirwqmCBzsp2RtjcdMpUr1DB23ZHM08IHtEoqo0lBz1TFaBQzHcCVB+PZ
> QjGnUI3ilk5WSXF5SlRvdpFfn5ss1b1Bjo0qIyn1fwrrWfr9Uaz8n6vhlbaCZzyh
> 8lybjmhyc9esTgySuMX6gpv1NoOQ5xqYk53zY/btJlJ08kvrIGSwJ73EMP4sYxrJ
> sNBhYvUc5hqnVbxDbbGZClJuCMUHgDGTif4IDhnAwpzomEza/oJiAYNNkcIM+dTX
> 9TFs5UhKCuBwOd6yJJ8YWWbJi32vAiZ0nHE3rhRnmZtjfs4g7lJa
> =7YOw
> -----END PGP SIGNATURE-----
> 
> 
> _______________________________________________
> discuss mailing list
> discuss at 1net.org
> http://1net.org/mailman/listinfo/discuss