Security Czar
2006-03-23
In this column Scott Granneman takes the role of dictator of the security world and presents his ideas about mandatory reforms that would improve security for millions of people.
Mandatory Multicultures -- well, the entire banking world uses MVS, but we have to use Windows 95 since we got chosen at random! This just doesn't make sense. Should the military be forced to use various technologies just in case airplanes and tanks stop working (here, use a musket; and you, use a long sword)?
Governments using open data formats -- for citizen interaction, makes sense, for internal -- short term projects -- not quite as sure (esp. for research, academic, embedded, etc.)
Fines for insecure software -- users don't want to pay for secure software; until they do, why should they get it? Secure software will only come when the pain from insecurity is more than the cost of security -- this is appropriate and rational to ordinary (non-security) people!!!
Organizations accountable -- Yes. Also, organizations that authenticate you based on a SIN # or other insecure ways should be liable when that results in a loss.
Mandatory disclosure of data loss and hacking -- If the security breach is only of corporate strategy data, then why should they have to notify the public? For hacking -- there is an argument for mandatory reporting to the police; however, the police might not want a public report (so as not to tip their hand to the hacker they are going after).
Anti-Virus, Firewall, etc. -- If software were built properly, personal firewalls would not be necessary (no ports would be listening, and opening a port would not be automatic), but again this should be left up to individuals. Anti-virus and anti-spyware -- why make it mandatory? Who would license it? People should be able to balance risk and reward and not be forced to pay a company to use a computer (say you use BEOS and can't find anti-virus -- should you be locked up? Do all new OSes need an A-V product, even if there are no viruses yet!?!)
DRM cannot be used to deny fair use -- sure, in consumer apps.
Your ideas illustrate why business people hate dealing with security people. Security is a trade-off, and increased security has real costs -- business people (and ordinary people of all stripes) want as many of the benefits with as few of the costs as they can get (which should be intuitively rational). Security is a cost to them, as is insecurity, but they want a balance. We as security people need to articulate risks and options in such a way that business people can find that balance.
This means (for security companies) coming up with innovative products and services to reduce the costs of security. This means for security people advising companies and individuals, determining the risk tolerance of the organization or individual and focusing on practical security for high-risk areas while articulating clearly the risks.
In the effort to improve security, these suggestions represent a step backwards, as they cause more economic harm than they solve. This article shows how out-of-touch the security community is.
Doug Sibley
Link to this comment: http://www.securityfocus.com/comments/columns/394/33386#33386