Phishing Report

Sure, phishing is bad, but how bad is it? The Anti-Phishing Working Group posts periodic reports, such as the one for December 2006. APWG received more than 20,000 phishing reports for at least as many phishing sites. While 146 brands were hijacked by phishers, 16 brands accounted for 80% of phishing campaigns that month. And the country doing the most phishing: the U.S.

-jsq

Software Vendor Liability

Bruce Schneier calls for software vendor liability:

Fundamentally, the issue is insecure software. It is a result of bad design, poorly implemented features, inadequate testing and security vulnerabilities from software bugs. The money we spend on security is to deal with the myriad effects of insecure software. Unfortunately, the money spent does not improve the security of that software. We are paying to mitigate the risk rather than fix the problem.

The only way to fix the problem is for vendors to improve their software. They need to design security in their products from the start and not as an add-on feature. Software vendors need also to institute good security practices and improve the overall quality of their products. But they will not do this until it is in their financial best interests to do so. And so far, it is not.

Information Security and Externalities, Bruce Schneier, Schneier on Security, 18 Jan 2007

Turn an externality into a liability, and software vendors will do something about it. The usual objection is that this would do in free software. I don’t see why, since it should be easy enough to craft liability laws that factor in profit, the chronic nature of bugs, etc., so as to distinguish between big commercial vendors and free software volunteers. Meanwhile, many users and even governments are applying their own kind of software liability by moving away from the biggest commercial vendor to smaller ones or to free software.

-jsq

Who’s Liable for Botnets?

Pushpa Sathish thinks end users are responsible for botnets. Referring to a recent root DNS DDoS attack, he says:

If you thought the news above was bad, brace yourself, you’re about to hear worse. YOU may have been responsible in part for the attack! Before you go all indignant on me, let me put it across differently. Your computer may have been one in the millions used by hackers to launch the disruption of service, without your knowledge, of course.

Heard of botnets? They’re the armies of zombie computers that have been taken over and are controlled by hackers to perpetrate other heinous crimes on the Internet. If you do not protect your system with adequate measures such as anti-virus software and sensible Internet usage, you leave your doors (Windows?) wide open to hackers. Your computer then becomes the next link in the chain of systems that form a botnet!

Root Cause for the Root Attack – YOU! Pushpa Sathish, Staff Writer, Network Security Journal, 7 Feb 2007

While no doubt end users should be somewhat careful about what they do, suppose we make an analogy to automobiles. If a car manufacturer sold cars that were easy for joyriders to remotely hijack out of your garage at night and drive around without you ever knowing it, who do you think would be liable? You, or the manufacturer?

Seems to me the most relevant part of the above post is the parenthetical remark:

(Windows?)

When will we see software vendor liability like we already see automobile manufacturer liability? That would be some good risk management.

-jsq

Should a Breach be Unreported if It Wasn’t Really Lost?

Adam has some ruminations on what should happen when a data loss has been reported, and it turns out the data wasn’t really lost (the tape was found, the laptop was in the closet, etc.). While I can understand the temptation to strike out that entry in wherever it was logged, I think it’s important to keep both the original report and a new report of the data being found. Why don’t we see statistics on data that wasn’t really lost, anyway? Is it because lost data is almost never found? Or just nobody thought to compile such statistics?

-jsq

Known Identity Thieves?

Adam posts some interesting hypotheses about how much of identity theft is perpetrated by thieves known to the victims:

Now, if (1) is true, then for all ID theft victims, 40% should know the perpetrator. If (2) is true, then perhaps 11% of ID theft is committed by someone who the victim knows, and 90% of that is detected. Perhaps it’s that 90% of ID theft is committed by someone who the victim knows, and that’s only detected 27% of the time.

Identity theft numbers: Javelin vs. FTC, Adam Shostack, 13 Feb 2007

Read his blog for the details. As he says, his hypotheses should be testable. And which (if either) hypothesis is correct should have some bearing on measures that will work to prevent identity theft.

-jsq

Son of Base Rate Fallacy

Lamar Smith has proposed to wiretap everything on the Internet:

SEC. 6. RECORD RETENTION REQUIREMENTS FOR INTERNET SERVICE PROVIDERS.

(a) Regulations- Not later than 90 days after the date of the enactment of this section, the Attorney General shall issue regulations governing the retention of records by Internet Service Providers. Such regulations shall, at a minimum, require retention of records, such as the name and address of the subscriber or registered user to whom an Internet Protocol address, user identification or telephone number was assigned, in order to permit compliance with court orders that may require production of such information.

H.R. 837, 6 Feb 2007, "SAFETY Act" (Stopping Adults Facilitating the Exploitation of Today’s Youth Act)

Once again children are used as an excuse for blanket spying.


SOX Seen as Good for IPOs

Jim Cramer of the TV show Wall St. Confidential says SOX is doing good.

“I think it has served as a barrier the Securities and Exchange Commission always should have had,” Cramer said. “The SEC’s view is that everything can come public, provided that you disclose,” which is not protective of anyone.

TheStreet.com TV Recap: Sarbanes-Oxley Has Worked, By TheStreet.com Staff, 2/9/2007 2:25 PM EST

He doesn’t think SOX is inhibiting IPOs; rather there were a lot of IPOs last year, and right now there aren’t many companies ready to IPO.

Maybe it’s good risk management for companies to say what they’re doing financially.

-jsq

SOX Seen as Good for Lawyers

This article views Sarbanes-Oxley (SOX) as good for lawyers:

Sarbanes-Oxley has been a veritable boon for corporate and securities lawyers across the United States. No CEO in his right mind wants to end up sharing a cell with Skilling or Ebbers or, heaven forbid, the likes of some poor fellow who knocked off a 7-Eleven for a couple of hundred bucks and a carton of Winstons. Martha Stewart might not be a bad cellmate, especially if neatness is your thing, but she has already paid her debt to society. There is a real premium these days on professional advice that will keep executives on the right side of the law and out of the slammer.

Sarbanes-Oxley is manna for lawyers By Frank Schuchat, Rocky Mountain News, February 10, 2007

So one view is of SOX as a sort of full employment act for lawyers.