Scott Granneman, 2006-03-23
In this column Scott Granneman takes the role of dictator of the security world and presents his ideas about mandatory reforms that would improve security for millions of people.
Security Czar
2006-03-23
Anonymous (1 replies)
> if the software is released under an open
> source license (as determined by the Open Source
> Initiative), then there's no fine.
So then, is the fine for causing security incidents? or for not being Open Source?
What's next? Having to wear underwear on the outside? Swedish as mandator...
Here here!!!
2006-03-24
Anonymous (1 replies)
If there is harm in writing insecure software, hold software writers accountable -- including open source ones. It is unjust (and stupid) to hold corporations accountable for not producing what their customers are not demanding and what they have not promised unless there is a good public policy rea...
Re: Here here!!!
2006-11-08
Anonymous
As a programmer myself, I know how easily you can accidentally leave a hole in your software for someone to exploit. While I do try to think about every possible hole, I can never be sure that I in fact did think about everything. Therefore I think it's a good practice to give the source code with the...
Security Czar
2006-03-23
Stonewall
Scott, it must be fun to write rants like this every now and then... of course, you are correct in almost everything you say. And it is all about changing people's attitudes, which occurs much too slowly over time.
The phrase "economic externalities" is too academic to get through to most people...
Security Czar
2006-03-23
Wremes (1 replies)
Hail the Czar. I can follow most of the decrees except for Mandatory multicultures ... Of course if I were a farmer, I'd love to grow wheat and corn so if one was hit by a disease, I'd still have the other to get some profit off. On the other hand that would require me to acquire knowledge both in ...
Re: Security Czar
2006-03-31
Anonymous
You must not know any farmers. Most of the farmers that I know DO raise multiple crops for the very reasons you describe. They also grow different crops in the same field in different seasons. If I already know how to grow wheat, it doesn't take a lot of education to learn corn. Likewise, if I ...
Security Czar
2006-03-23
Mr. Negative (1 replies)
Wow... writer's block must really be bad.
while (reading)
{
$impressionofScott--;
}
I would have to say that every one of those ideas is so incredibly dim-witted and naïve that I don't know what to address first. First of all, how could one say that vulns don't cost the dev shops money? I su...
Let's go for it!
2006-03-23
assurbanipal (2 replies)
Hmmm... Fines for insecure software.
That would definitely put Micro$oft out of business.
Not that bad, actually.
They should pay AT LEAST for the unaccountable amount of time spent by legions of doomed users getting stuck with, or stung while using, their poor products.
I'll stop here but they'd ...
Security Czar
2006-03-23
Nekromancer (1 replies)
If your proposal goes ahead I'll gather seashells for you... I'll even wash your car ;-)
Regards,
Nekromancer...
Re: Security Czar
2006-03-30
EasterNerd (1 replies)
I absolutely agree with you!!
If this proposal goes forward then I shall wash your car the week after Nekromancer does :-)...
Security Czar
2006-03-23
infamous41md (1 replies)
LOLOL are you living in some alternate reality? You want my grandma to get a license so she can use a computer? Even on a more practical level, how would you possibly enforce this? Mandating companies use a certain percentage of other OSes? So you're going to make a small startup who had planned...
Re: Security Czar
2006-03-23
Todd Knarr (1 replies)
One fundamental difference: if you don't change the oil in your car all you cause trouble for is yourself, while if you don't take care of your computer when it comes to malware you cause trouble for other people. A better analogy would be with keeping the brakes and lights on your car in working or...
Re: Re: Security Czar
2006-03-23
infamous41md
Hahah ok I'm just nitpicking here, but I think as far as not changing oil goes you do cause trouble for others. If your oil isn't clean more toxins get released into the atmosphere. Ok, but seriously though...
Not every infected computer is doing damage to others. Maybe some are used in DoS's, o...
Security Czar
2006-03-23
Anonymous (1 replies)
Awesome. Two additions. Force companies to stop trying to convince us that anti-virus is different than anti-spyware and anti-malware. They may have been different years ago, but now there's no difference in a virus and other forms of malicious software - they all damage system files, spread them...
Security Czar
2006-03-24
Anonymous
You seem to contradict yourself in a couple of comments. You mention that you want everyone to use Open Document files so that even the poorest person who can't afford Microsoft Office or pay for Windows/Mac OSX can view the file. Sounds like a good idea. However, you then mention that users shou...
Security Czar -- A.K.A. Mr. Tin Pot Economic Regulator
2006-03-24
Doug Sibley (1 replies)
Licensing for all computer users -- if you use a car it has a computer in it. Really, why should users have to know a damned thing about computers or security if they don't want? Computers should be available secure (a la Nintendo) -- which will come from the market. The option to do dangerous thing...
Re: Security Czar -- A.K.A. Mr. Tin Pot Economic Regulator
2006-03-29
Anonymous (1 replies)
The idea of self-governance does not work when it comes to business (Enron, Worldcom, etc.). Decision based on benefits vs. cost marginal analysis alone is a parochial view of economics, much less reality. Like it or not, the business world needs some form of governance when it comes to security. Bus...
Re: Re: Security Czar -- A.K.A. Mr. Tin Pot Economic Regulator
2006-04-01
Doug Sibley (1 replies)
Sure, business is not perfect and needs regulation that is commensurate with harm to the public. The bulk of the suggestions in the article are not commensurate with harm and should not be adopted....
Re: Re: Re: Security Czar -- A.K.A. Mr. Tin Pot Economic Regulator
2007-06-21
Anonymous
The cost of software vulnerabilities (testing patches and patching vulnerable installations) is huge and is not borne by the software maker by and large. The idea that the customer can choose to not pay for software that contains vulnerabilities is flawed first of all in that the software company do...
Security Czar - more reading of history needed
2006-03-24
Craig S Wright (1 replies)
Your view of Roman history would be distorted for a high school history class. I suggest that you read a little more from academic texts and not just popular literature.
I suggest that you also look to what happened to most of the emperors. Very few died a natural death. Why is this? Did they serv...
No mandatory training
2006-03-27
Michael Scovetta (3 replies)
Sorry, I agree with most of your points, but certainly not the first. You don't attend mandatory training classes when you purchase other goods like VCRs, drills, or abrasive chemicals. You don't even attend training classes before you have a kid.
Security needs to become invisible. You, the end...
Re: No mandatory training
2006-03-29
Anonymous
Bad analogies but to an extent I agree. For your typical task-oriented worker (CSR, teller, etc), the computer should be locked down and centrally managed to the point of requiring virtually no training. However, knowledge workers, power users, home users, etc., can't be constrained with highly lo...
Re: No mandatory training
2006-03-29
Anonymous
You can't hurt other people with a VCR or a drill (at least typically). We do require training (or at least proof of competence) for things like cars and heavy equipment where you can hurt someone else. If bad computer security only hurt the user we wouldn't even be having this debate, but your bad ...
Yes! (except for one thing...)
2006-03-28
Penguinisto
"When computers first boot, users should be offered the choice of several different anti-virus, anti-spyware, and firewall software packages, including ones that they install themselves, to preserve competition."
If you think people gripe about nagware now... oy, vey! No matter how desperately th...
Security Czar
2006-03-29
Anonymous
Wow! That was so totalitarian that it's almost scarier than George W. and friends... almost all of the issues that you espouse have to do with ignorant users! Your method is to train them and certify them and all this other hoobablah, but frankly the internet is a dog-eat-dog world and if you can't su...
Security Czar
2006-03-30
Lunkwill
Is there anyone who wasn't reminded of Benjamin Franklin's famous words on freedom vs. security?
These ideas are so out of this world in so many aspects, ethical, political and bureaucratic, that you don't even have to start with the technical side of it, the dubious value of "firewall software" and...
Security Czar
2006-03-31
Paul Stepowski
I'd like to comment on one of your points:
* Training and licensing for all new computer users
In my experience, user education is generally wasted effort. Educating users about security is equivalent to "patching" users. Every time a new type of vulnerability appears, you have to "patch" (e...
Security Czar
2006-03-31
FortHEX
1. It's very interesting, but it's hard to force a user to read even a simple instruction about network security; this instruction for him is like nuclear physics for me.
2. People make big money on hardware and software because they make programs simple to use and understand,
and if your programs wil...
Security Czar
2006-04-02
Anil B
To add to these points, which are not so practical though they sound fair enough to evade tons of future security problems:
All companies having to do with some online monetary transactions ... must get their website or product audited by a regulatory body which could certify and advertise to ...
http://www.theregister.com/2006/03/23/microsoft_apple_security/
...