Network Webcurity Wishlist?
breillysf asks: "I am a California-based network security attorney who has been asked by a senior US Senator to compile a list of the most important legal concerns facing network security administrators. He has a good feel for the government security issues (and lack thereof), but he is concerned about what is going on in the front lines in the private sector. I thought the Slashdot crowd would have the best feel on the pulse of the current situation. Specifically, if you could ask Congress for help in the area of network and information security, what would you ask for? Or would you tell them to get out of the way?"
"For example, I tried to push for tax incentives for upgrades in network security measures, but the Senator replied that is dead in the water because we are now spending into a deficit. He would rather see insurance companies reward firms with lower premiums for enhanced security. But there are international legal issues, compliance issues, privacy complications, potential negligence liability exposure, lack of federal incident response, FOIA and anti-trust issues with info sharing, conflicting state and federal cybercrime and privacy laws, USA Patriot Act concerns, etc."
To borrow a phrase: if you outlaw nmap, only outlaws will have nmap.
-Peter
How about holding various companies whose products are exploited the most (re: MS) liable for their lack of security?
The number-one item on my wishlist would be for the government to keep completely out of network security issues -- the government should ensure security on its own networks, of course, but they shouldn't be concerned about anything else.
There are already enough laws to deal with DOS attacks and such -- more laws just means more expense for those who have to deal with them.
Twoflower
Well, for starters, don't let Microsoft's Chief Security Advisor work as a security advisor for the White House.
At the very least a free one like Tiny Software. I'm sick of getting DOS attacks looking for IIS from zombies on my subnet.
First, stay out of the way. Don't meddle in things that you know nothing about. Don't place restrictions on security measures, a la encryption export. Don't mandate government backdoors and don't permit the likes of Carnivore and Magic Lantern.
Second, concentrate on the government's own cyber security problems. Clean up your own house before you start trampling over mine.
The most important and significant problem is not putting the proper resources into getting that security. Upper level management are not technically minded folk, and they don't view computers as true tools. They don't understand the costs when you try to explain it to them. "I'd like to get around $200k so that I can physically separate out infrastructure and give us added security."
Management: "I'll give you 2 un-trained contractors, a spool of thread, and a tin can."
They just don't understand, or appreciate what computers provide, but yet they get irate when something happens. Therefore the largest hurdle to overcome is getting the senior people up to snuff, or willing to dish out the resources for what needs to be done above and beyond a simply reactionary level. To them, pro-active computer security is like flushing money down the toilet.
I understand everyone's concerns with Microsoft and their Passport technology. But what would you have the government do to change it? I think this is more of a case where if you don't want to use it, don't. And if a company you deal with requires its use, talk to them.
You can't have the government put a stop to a perfectly legal business practice by Microsoft just because you don't like it. I'm not sure government oversight would be a good thing either. I'm interested to know what you would want the government to do about it.
Is there an FOIA equivalent for private companies holding data on people, along with an obligation for speedy correction -- including a good-faith attempt at propagating corrections to other data-holding companies if the misinformation was propagated?
If not, perhaps there should be.
I am thinking specifically of Microsoft, and the Microsoft Outlook Email Viruses, but this could certainly apply to plenty of other companies.
If companies are merely licensing the use of the software to us (and we do not own it), and charging the big bucks, shouldn't they be responsible and/or liable for the consequences -- damages from using it? Or is this a matter of they get all of the benefits, and we get all of the problems?
There's an ongoing trend to criminalize the tools and speech used to conduct security research; this is the single most frustrating aspect of the government's involvement in network security. Lists like bugtraq and tools like nessus and nmap are absolutely vital to the health of a network-connected system. Some suggested legislation would make all security discussions criminal, some would allow such work to only be conducted by approved organizations; both would shatter the ability of the individual administrator to effectively secure his systems. If I could make one and only one request it would be to specifically disallow legislation that attempts to let companies involved with the internet take the security ball to their private court and bounce it around, leaving individual system administrators with no tools and no forums in which to discuss their own defences. In short: keep public, individual security research legal.
Thanks, and good luck.
1. Wide deployment of IPSec.
2. Open standards and full disclosure of vulnerabilities.
3. Client diversity in the network ecosphere. A single species (can you say 'outlook') is extremely vulnerable.
I'm a sysadmin at a major US military base, so my experiences might not apply directly to the private sector, but I'm sure there's some overlap. We run into constant legal confusion over when and where we can monitor activity, whether it's mail, web traffic, IDS logs, or whatever. We get conflicting information from all sides on the issue, and no one can point us to a set of clear guidelines or uniform policies. As a result we wind up with security policies that have huge gaps in them - not being allowed to block VBS attachments at the firewall, for example. We've since gotten around that one, but it's a constant fight.
Probably more critical is the lack of knowledgeable people. There are obviously some people at the top with a clue, and they issue some instructions that often make a lot of sense, but between them and us at the functional level there's a huge gap. When we get calls on IDS hits from our MAJCOM network operations center, for example, some of those people aren't even sure how many octets are supposed to be in an IP address. There's very little help provided in implementing the policies as they're directed - everyone's left to figure it out on their own and there's a huge amount of duplicated effort.
What we need more than money or tax breaks is this: centralized resources with tools, policies, information, and efficient channels of communication.
This brings up an interesting point, though: should Congress make it illegal for companies to give up your personal information to law enforcement without your consent (or a court order)?
-sting3r
Thanks, but no thanks. I'd much rather stick to securing my boxes with the understanding that it's a hostile net out there than have my government tell me the One True Way to do so. Passing laws which only apply to less than 5% of the world's population will not make the net secure, and feel good legislation is something I can do without.
It is current practice of some US states to sell driver's license pictures and other personal data from their database to private firms, for various reasons. This practice should be illegal, or at the very least carefully monitored at the federal level.
1: Get out of our way WRT encryption and other secure technologies. We're not terrorists, we just want to keep our personal information secure. Installing "back doors" and other methods may, on the surface, seem like a good idea for national security, but in reality hackers can enter through those as easily as the government.
2: Hold vendors responsible for security holes in their products. Currently, the EULAs prevent someone harmed by a security flaw from seeking liability, even if that security flaw was deliberately programmed into the software as a "feature."
3: Recognize the role of antivirus firms such as McAfee and Symantec in protecting users. They should be unrestricted in their efforts to make and sell software that can protect computer users from harmful files, regardless of the source.
4: Realize that the best way to catch criminals and terrorists is through the use of human intelligence, which history has proven to be much more effective than randomly reading private EMails. Also, human intelligence doesn't involve threatening the liberty of normal, law-abiding Americans like many of the other proposed methods do.
5: This is probably the most important one: Remember the words of Ben Franklin when he said, "They that would give up Essential Liberty in order to obtain Temporary Safety deserve neither liberty nor safety." I would also add that, in these cases, you usually don't get the safety you're seeking in the first place.
Encourage the Senator to remain aware that legislation about the Internet doesn't have crisp borders. Bits don't change color when they cross national boundaries.
When you do that, you might get him to understand that such laws are not easy to enforce and will certainly involve a lot of jurisdictional disputes.
And you might encourage him to realize that it is the lowest common denominator of behavior on the Internet that represents the cutting edge of security needs.
In other words, passing legislation against US Internet users is tantamount to taking their guns away, when they can at any minute be involved in a virtual gun-fight with, for example, Chinese or Indian crackers who have no such laws hampering them.
In no particular order:
1) The Federal government should encourage, not discourage, the use of encryption, without key escrow or back doors, by not regulating encryption in any way. (The government should also invest heavily in the appropriate technology to break encryption when it needs to do so.) Without the fear of government intervention, application designers will be encouraged to add encryption to email and other software as a business advantage to themselves, thus allowing my business to communicate more securely with ease.
2) The Federal government should encourage open source and open standards by requiring the use of open source software and open standards on all government systems (except possibly military/intelligence systems). This will get more eyes on the code, thus reducing vulnerabilities and fixing them faster, and will ensure that people are unable to take advantage of unpublic holes in uncheckable software.
3) The Federal government should generally *not* regulate the internet, as this can introduce holes that cannot be fixed because of regulatory requirements. In particular, the government should not use either legislation or funding to control the use of the internet by libraries, schools and other non-Federal government institutions, or by private individuals and organizations. There are a few exceptions I would be OK with:
a) requiring "edge filtering" so that networks would not support denial of service attacks;
b) allowing wire fraud charges against people/organizations who deliberately send email without proper and valid headers (or with forged headers), so as to obscure their identity while sending unsolicited commercial email and/or perpetuating scams (note that this should be allowed for the purpose of anonymously propagating a political opinion, for example, just not for commercial use);
c) requiring organizations who control internet naming or numbering to have public accountability, as these organizations were largely granted a monopoly by the US government; opening up these processes to a standards-based system where everyone can participate; or allowing anti-trust legislation against such bodies if they attempt to coercively control internet access.
4) The Federal government should designate ISPs and online communities as common carriers.
5) The Federal government should require cable and telephone companies, as part of their FCC licensing requirements, to offer the option of access to the network for paying subscribers without mandatory membership in an ISP, and in particular an ISP should not be allowed to gain monopoly status by association with a government-granted monopoly such as a cable system. This would have reduced the @Home debacle, for example, to a trivial matter. The potential for AOL/Warner is even worse down the road if something is not done to guarantee choice in broadband access.
OK, I guess I got a little away from security with some of those last ones.
-jeff
It's all well and good to propose holding Microsoft responsible for security holes in their software, but please keep in mind that this also means that Open Source Software authors will ALSO be held fiscally responsible for holes in THEIR software.
Microsoft will be far more able to pay up for massive holes in IIS than, say, the author of BIND or Sendmail. I would imagine that one successful suit could take out RedHat altogether.
Don't hurt community-oriented authors for making their code public.
-Braddock
I've got a long list of things I do not want the government doing, and what they should do instead. They should not be reading my email; they should prosecute those who do as they prosecute those who use the inherently insecure protocol known as US mail. They should not be collecting information they don't need to do the job of infrastructure development, military defense and welfare. They should not be buying insecure proprietary OS such as M$ offers. I'd much rather have information kept on secure servers so that it will stay put. The government should not hand over the publicly built communications infrastructure to a cartel of greedy corporate interests. Redundancy should be encouraged and inexpensive anonymous public access assured.
Security should not be an excuse to hand the internet over to either corporate or government censors. This is the future of publications and it must remain free. The future freedom and prosperity of our country depends on free information interchange. Business cannot function without privacy in their plans. Individuals cannot be sure what is true if they cannot trust the media that brings them their news. Control of the internet by government or corporate censors will eliminate all the blessings of this new form of communications.
How exactly do you do this? Mr. Senator, that is your job. Now get to work.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
Don't mandate key escrow. Key escrow will inhibit the adoption of encryption, and encryption is vital to both proper and secure authentication and to data privacy. Attempts by various parties to limit the widespread adoption of encryption might make their job easier but is not good for (internet) security. It is frequently said that if you outlaw encryption, only outlaws will use encryption - that is, making it illegal to use it will not stop criminals from actually doing so.
Re-think laws that make it possible to prosecute scientists for publishing the results of their research - i.e. the DMCA or parts of it.
Encourage the adoption of IPv6 - perhaps by allocating budget for adoption of this by government agencies (I mean carrot here, not stick).
Implementing even a few of these should deal with the national deficit, quite nicely. Some of the biggest costs in both public and private spending are to fix serious problems, after the fact. The burden should be shifted, as much as can realistically be done, to those responsible. A stitch in time saves nine. But, damn it, the taxpayers shouldn't have to pay for someone else's failure to stitch.
Replying at random to one of the many people who say gov't always gets it wrong and the public sector is where all the smart people are. Go read the comments to the article about project failure. Notice how many of them (like, almost *all*) are about private companies filled with moron managers who couldn't make the right decision if it sprang full from their butt.
People are people. You get idiots in the public sector. You get idiots in the private sector. Where you get people, you get idiots.
Everyone is smarter than his or her boss. That makes the lowest person in the company the smartest.
However, the government can do some things:
1. Deal with Microsoft's monopoly effectively. Microsoft's continued embrace, extend, kill the competition and then screw it up strategy doesn't help security one bit. They have no motivation whatsoever to fix even the simplest problems in Outlook and other swiss-cheese-like products. If there was a viable competitor in that market the two would probably attempt to one up each other on several points, including security.
2. Use more secure and more reliable software inside the government (read Linux, et al). Refuse to use/purchase products where security flaws crop up every time you read slashdot.
3. Use/support open standards and refuse to use/purchase products that rely on embraced and extended technology.
One thing that may help is if there was some independent firm that could give a qualitative and quantitative measurement of a company's security. These independent firms could review patch logs, sysadmin procedures, backup procedures, and employee training materials. They could also perform more intrusive audits, using a standard set of tools (upgraded quarterly) to attempt to infiltrate the organization. At the end, they could then give some sort of ranking, to let a company know what bases have been covered and how they rank with others in the industry.
This service is done by many security firms, but there is no real standard. All the information is proprietary, and usually secret, because a company doesn't want to publicize what holes were found. Even then, there is no real motivation to get ongoing reviews, because, if there are no visible hacker attempts, then it seems like a waste of time and money.
This might be changed by offering computer security insurance. This insurance would cover the cost of recovering after a successful cracking attempt, as well as any lost business. An insurance firm would evaluate the current security and ability to recover from a hacking attempt, and find a reasonable insurance rate based on the company's preparedness.
This would help in several ways. First, even though the evaluation would be between the insurance company and the insurance purchaser, the insurance rate would show up on the financial reports. Investors and reporters could compare the rate and the coverage, and make a rough determination of the fitness of the company's security measures. The rate information should be included in the financial report, since this information would help an investor decide how likely a company is to suffer financial loss due to a hacking attempt. It may require a law to get this insurance information into financial reports.
Second, it would give companies a forum to disclose successful hacks. Currently, companies keep all but the most damaging hacking attempts secret, because it makes them look bad in the eyes of investors. If there is a financial incentive to report hacking attempts (they could get some insurance money back), there may be motivation to share this critical information, and other companies may be able to secure their own systems against new methods.
Third, damage claims would be more realistic. When a cracker is caught, many companies let their imagination soar when it comes to damages, assuming fantastical scenarios like, "What if he found our most prized trade secrets, and sold them to our direct competitor, thus making us lose all the profit from that product / service?", or "What is the sum of all the salaries of everyone who ever worked on that machine?". If the company had to actually file a claim, then the insurance company would dictate the terms of that claim, what is fair game for damages and what is not. This will help put the cracker's actions into better perspective.
Fourth, once standards are formed, the government could use the standards for contractors. For instance, a contractor working with "Secret" documents may have to have a score of 90 out of 100 for the general company, and a score of 97 out of 100 for the division working with the secret data. The government may even demand scores of 100 - not unrealistic for a score based on repeatable and auditable tests.
Fifth, the insurance companies would have an incentive to discover what security measures work, and which don't. If they find that yearly training for employees to deter social engineering attacks work, then they can make that part of the standard. If randomized one-use passwords work, then it goes in. If some widely believed precaution has little effect, it can come out of the standard. In general, we'll have a better idea of what makes a secured network, and more books will be written helping small businesses meet the insurance company's demands.
Sixth, we can develop labs like UL for computer security, which can rate software, operating systems, and hardware, giving them ratings for their out-of-the-box configurations. Vendors will work harder for better ratings, and auditors will have an idea how much patching needs to be done for a particular system to be kept up-to-date. Security will actually become a selling point.
I'm not sure if there is a law that would make this happen. I'm sure you can talk to the insurance lobby, and get a rough idea why this doesn't exist yet.
Thank you for using Cluetrain express, be seated and enjoy.
...some of you /.'ers saying "you want us to do your job for you?" need to board the cluetrain as well... uh, Senator, law making, U.S. of A, Constitution, righting wrongs, fixing bad laws... mean anything to you?
:)
I realize I am merely echoing what others have said, but to have a 'fellow professional' ask our opinion/advice is always welcomed.
Add to the fact that a US Senator is asking makes it even more necessary to voice out opinion.
(HELLOOOO! McFly!!!
Apologies for the brow beating, someone had to say it)
I realize it has little to do with security, but hear me out:
Consider the eBook, DeCSS, Napster, DRM, Watermarking, DMCA, SSSCA, RIAA, MPAA, Microsoft, et al.
What do all of these have in common? Bad laws, legislation, and corporations who are twisting and perverting the legal system to their own will, and succeeding in implementing new forms of Prohibition.
You see, the 1920s provided a clue to a generation: you can NOT legislate morality.
What these laws are saying is "Napster Baaad", "Fair use, Baaaad", "Freedom of speech Baaad!"...you get the idea.
Trying to "outlaw computers, fair use, tools of the trade" is a bad idea, but it is one that seems to be advancing at an alarming rate.
What is being ignored in the law making body is:
The tools of the trade (any trade), be it a lock pick, gun, sledge, bolt cutters, or, yes, a computer... these things need to be available regardless of intent and use.
It seems most corps/senators/congressppl are afraid of "what we might do/think" and are making it illegal.
Wrong, wrong, wrong.
I think a "Digital Boston Tea Party" protesting this "Digital Prohibition and Taxation w/o representation".
But the only thing that comes to mind is lobbing modems and misc computer parts on the Whitehouse/Congressional 'doorsteps' in protest.
Ok, I've gone on long enuf, but I'll leave you with this thought:
The most powerful network security tool is called "a pair of wire cutters"; after that is finding the offending wire and pulling as hard as you can.
Cheers,
Moose
Provide incentives for building security into products and networks. Push ISPs to block obviously spoofed addresses, and to implement more robust routing protocols with trustworthy authentication. Push for open review (and maybe open source) for security critical software. Use the purchasing power of the US government to push these things. Allow companies to be held liable for negligence, when their poor security causes damage to third parties. Allow software makers as well to be held negligent in not using "due care" in making their software free of security holes (hint: there is a vast literature out there on software engineering that can be used to establish the due care standard). Don't pass more silly laws outlawing "hacking tools", and don't make the big emphasis on prosecuting petty hackers. If most sites had adequate security to begin with, these petty hackers wouldn't stand a chance. Basically, facilitate market mechanisms that force the true cost of poor security to be suffered by those who deserve to suffer.
Apache has more than twice the marketshare of IIS, but gets hacked less than a tenth as much. Now, it may be true that it takes more technical knowledge to set up and run an Apache server than an IIS server that is enabled by default in the OS ... but it doesn't take that _much_ knowledge, and it's certainly possible for inexperienced admins to make dumb mistakes that leave Apache servers open to attack. And yet Apache is much more secure in the real world. This isn't just a difference in the quality of the users; it's a difference in the quality of the products.
Mr. Senator, there is something you can actually do for us.
It even involves you getting to pass a law, which I know is something you Senators greatly enjoy.
It is:
REPEAL THE DMCA SO WE CAN GET SOME DAMN WORK DONE.
Thanks for taking my valuable time (because I pay for your time, too) to listen.
My biggest concern is the woeful state of computer security research in the U.S. Due to crypto restrictions in the U.S., foreign firms offering commercial cryptographic products have gained a major competitive advantage. This has translated into more R&D money for these firms. The crypto regulations were repealed. But now history is repeating itself, due to congressional meddling with Intellectual Property laws (DMCA, and its ilk). It's had a chilling effect on security research in this country. Similarly, the Sklyarov arrest resulted in foreign security experts being very wary of even attending conferences in the U.S.
At a time when the U.S. needs to strengthen our computer security infrastructure, congress has managed to handicap the very people needed to accomplish this goal.
So, bottom line, change the laws (starting with the DMCA), before all computer security research moves offshore.
Both are considered "weapons" that can be used to "attack" others (or, in the case of crypto, facilitate attacks, although strong crypto is still considered a "weapon" by the government, right?)
Both are also tools that can (and mostly are) be used for legitimate purposes
Both suffer from attacks from their critics who can't differentiate between the inherent goodness/badness of a tool and the goodness/badness of the intent behind the use of the tool.
Both suffer from the radical polarization of viewpoints on both sides of the issue.
The only difference that I see is that we don't have a Constitutional Amendment that says "the right of the people to use BackOrifice shall not be infringed..." Perhaps that's what we need?
I know many people who are pro-"gun rights", and by making these parallels, I've started turning them into pro-"Crypto and Internet Security" people as well. After all, if they passionately believe in the right to defend themselves from the threat that may come through their front door, they will believe in making all the information available for defending from the threat that may come through their cable box!
(I might add that while examining these issues, I've come to understand and sympathise with the pro-"Gun Rights" people a bit more. I still don't agree with all their points, but at least I understand their basic beliefs.)
Decriminalize the publication of information. Throwing someone in jail because they talk about an encryption system or they reverse engineer a protocol is stupid.
Criminals, by definition, will not obey the law. Criminalizing research and information sharing hinders only the legitimate researchers and security professionals.
If a product/service is secure, it has nothing to fear from scrutiny.
A key component of enhancing network security is to maintain (or improve) the pathways in place for vulnerability reporting. CERT, BUGTRAQ, the NYTimes, etc, are frequently responsible for encouraging vendors to respond rapidly to holes in their systems, and are undoubtedly responsible for getting many people to install those patches.
Recently, at least one large unnamed software company which has had a security PR problem apparently has raised again the ugly suggestion that reporting bugs publicly is irresponsible. (Bad software doesn't cause people to break into systems -- it's people saying that the software is bad that causes people to break into systems.) Other people have suggested closed lists so only "appropriate" people hear about vulnerabilities. It is very important that the government not get boondoggled into restricting access to information about security vulnerabilities.
There are those who argue that making available exploit code as part of a description of an attack is a large part of the problem (somehow they think there is some magic involved in turning words into code and almost no one can do it). It's unfortunate that public demonstration of an exploit, not mere description, is frequently needed to actually get a vendor to acknowledge a vulnerability.
Instead of limiting information, why not pressure vendors to write better code in the first place (c'mon, who thought that having your email client execute arbitrary script code in an email was a *good* idea?), and to respond rapidly to problems without having to be splattered over the NY Times.
1. Retain the freedom to publish details about security holes.
We've already seen the chilling effect on free speech here in America. Many security conferences are moving outside the borders of the USA, worried that many of their experts could be imprisoned under the DMCA.
More importantly, the congress is going to have to make some tough choices -- one of them will be whether or not code is free speech.
You can tell your Senator friend that if the act of publishing a security hole is banned, that won't stop the black hat hackers from publishing the information.
2. Encourage insurance companies to offer "hacking" insurance.
The current model for security reporting is bad. Software vendors don't want to announce security holes for fear of bad press. Web stores running on insecure servers don't want to admit they were hacked or they'd lose their customer base. But even though you paid $10,000 for this software, it comes with no warranty -- the company assumes no liability for it whatsoever.
Hacking insurance solves this by setting rates for companies based on the software they're using. Higher rates would be assessed for insecure software running an e-commerce webserver. It protects e-commerce sites against losses they might incur from hacking.
More importantly, over time insurance companies will act like an industry force, publishing ratings on the relative security of software, and thereby forcing software vendors to react in the first place.
3. Don't reward software companies who release insecure code with the power of the FBI and the Justice Department.
The FBI has become the enforcement wing for Microsoft. It's sad that the real issue of Melissa and IL0VEY0U was that Outlook had security holes so big you could drive a truck through them. Unfortunately, Microsoft used the FBI as a PR crowbar to turn public opinion away from their software insecurities to those that took advantage of them.
It's like Ford releasing a car with locks that didn't work and then using the police investigations to spin the media focus to concentrate on the perpetrators, not the defect.
4. Privacy Privacy Privacy
The industry failed to come up with a working privacy protection plan for the consumer who does web browsing. They came up with a lite protocol that will appear in IE6. If websites are compliant to the new standard (which many of them aren't), websites will break under IE6, and users will find themselves shutting those features off the web browser in order to access their favorite web sites.
Senators, if anybody, should be completely aware of all the issues surrounding privacy. They, themselves made it illegal for cops to obtain video rental records without a warrant, while allowing medical records and social security numbers to fly through the ether completely unrestricted.
I recommend the following for starters:
1) Websites should NEVER be allowed to store a credit card number or an SSN on a hard drive after the transaction has completed.
2) Credit Bureaus must allow people access to their own credit history -- for free -- and must tell people when a credit report was sent and to whom it was sent. This is the fastest way to stop the growing number of identity fraud cases.
3) SSN's and other personal information such as medical records should be treated like copyrighted works. Organizations must ask the owner's permission before it is given out to others.
4) Limit the collection of personal information online. This is, in essence, so-called "cyberstalking." If I were to do it, it's probably illegal. If companies do it, it's okay.
5. Back Doors and click-through licenses
Software companies should not be allowed to introduce back doors for the purpose of disabling software. Often these are announced in the EULA. For example, after installing Microsoft Media Player the user has given approval to Microsoft to disable *any* software on the computer.
You can be sure that hackers are well on their way to figuring out how to exploit Media Player for illegal purposes.
;^)
A back door is really a master key. Government back door schemes require the encryption to have a back door key, and for the government to have that key.
If you're paranoid about the government like I am, you can see where giving it the master key can ruin your day. But even assuming that the government is all white hat, you're still in deep trouble.
That master key is worth hundreds of millions of dollars in the right hands. Organized crime could use that key to commit credit card fraud on millions of credit cards. This is also a great way for terrorists to get funding. Depending on the crypto scheme, it could be used to forge communications, rerouting shipments. If I had the Master Key and needed a couple of hundred pounds of plastic explosive, that would be my first idea.
And that key can't be kept very secure if it's being used. Thousands of people, whether law enforcement officials or court officials, will have access to that key. Out of a thousand people, somebody's going to be bribable for a mere one or two million dollars. Or be required to hand over the key to get their loved ones back. Or write down their password and have their office computer broken into. It won't be too hard for a determined criminal to get that master key.
I am a big fan of crypto, but I would honestly prefer no crypto to back door crypto. At least if you have no crypto you know you're not being spied on.
--The basis of all love is respect
The same thing happened to the auto industry as it matured. Today we have strong warranties on cars, strong liability laws, and cars work very reliably. The auto industry kicked and screamed about regulation for decades. But in the end, they built better cars. It's time to do the same for software.
I'd suggest, as a start, that software which will open "executable content" (which can contain viruses, etc.) without the user's explicit permission for each opening make the vendor of said software liable for negligence should any harm result from said action. This liability must not be waiveable. That puts the burden on mail readers and web browsers to protect the user against incoming attacks. Don't accept any arguments that this is technically infeasible; it's not.
Don't protect private companies and individuals from anyone but the government. We can take care of ourselves.
Don't protect the government from law-abiding citizens. We're at sufficient disadvantage already.
Don't protect the privacy of convicted criminals.
Don't create laws that favour any one kind of entity over any other, except law-abiding citizens and corporations over convicted criminals.
Don't legislate exclusions of liability for security breaches. Let the civil courts decide who, if anyone, is responsible for damages due to security breaches.
Don't restrict or attempt to restrict cryptography, and strictly prohibit the three letter agencies from planting or distributing intentionally weakened or defective cryptographic tools.
Don't allow the three letter agencies to wiretap data connections without meeting constitutional requirements - it does nothing to improve security and most likely decreases it by creating additional copies of sensitive information.
Most importantly of all - *DO* build trust in the security community by passing and strictly enforcing JUST, FAIR LAWS in all matters concerning digital security, copyright law, privacy, and civil liberties. In other words, do your job as statesmen and earn the respect and trust of all the citizens you supposedly represent. Your job is MUCH easier to do when we can trust you, and sadly, your record makes that outright impossible.
The problem with that attitude is that, to get real security, you have to do things in a secure way everywhere. That means that everybody has to be thinking in terms of security... and not only that, but thinking in terms of things that will actually help, rather than just giving a false sense of security. That takes a certain mindset, and the only way to develop that mindset is to think about ways to break security, to see examples of how security is broken, and to see how existing security measures work, both so you can improve them and so you can avoid screwing them up.
If you restrict access to information, you end up with only two sets of people who have a clue:
- A small group of overworked security specialists. These people can't do it all, and, if the rest of the world is poorly informed, they won't be listened to. In addition, in an environment where information is tightly restricted, it's very difficult to recruit and educate new security specialists.
- The bad guys. Being more motivated than the general population, the bad guys will get most or all of the "restricted" information through their own networks.
Security is everybody's problem, and that means everybody has to understand it. When you release information widely, you educate 100 good guys for every bad guy. When you try to keep everything secret, you hold the good guys back more than the bad guys.
I'm not saying that there's never a reason to keep anything secret, but there should be a presumption in favor of openness. You should try to keep something secret only when:
It describes the details of an actual vulnerability that hasn't been fixed, and provides information useful in exploiting that vulnerability, AND
Having information about the vulnerability would not, in itself, permit people to protect themselves, AND
You're reasonably sure that large numbers of bad guys don't already know about it. In network security, large numbers of bad guys will definitely find out about it within a few months, if they haven't already found it independently. That means that keeping anything secret for a long time will never work.
In government, the sorts of things we need to watch out for are:
Excessive classification. It would be nice to see more legislative sunsets on classification, and more requirements for review of the decision to classify something. Patent secrecy orders are especially suspect.
Programs where government information is shared only with "trusted private sector partners". Not only is this intrinsically bad, but it encourages cronyism and corruption, and can create economic problems by raising barriers to entry in security-related industries.
Misguided weakening of "sunshine laws" like the FOIA. Because information is power even more in the Federal bureaucracy than in most places, there's an incentive for agencies to hoard it for political reasons. When all else fails, these laws often serve, not so much to free the underlying information, as to expose the illegitimate reasons it's being held secret.
The occasional calls for outright banning the release of scientific or engineering information, in the style of the idiotic Feinstein "bomb making information" law.
To me, the withholding of security risk information is a form of fraud. It is the same as rolling back the odometer on a used car. It is the same as selling Pintos with exploding gas tanks and the same as selling flammable pajamas to children. Companies must be required to release security risk information about their systems in a timely manner. They must be legally liable for damages that result from security issues between the time they discover the problem and the time they warn users of the problem. These kinds of penalties will force companies to create secure systems in the first place, and to warn people in a timely manner so that they can take action to protect themselves. Although it is tempting, I don't think the developers should be required to fix the system. But a list of all outstanding security problems must be included in advertising and on the packaging of any system. People have to be able to make an informed decision about what systems to use. We put warning labels on beer and cigarettes, we require people to wear seat belts, we require the disclosure of the ingredients of all our food, we have lemon laws to protect us from unscrupulous car salesmen, and we have product liability laws that cover every physical thing we purchase. But we have no equivalent legal protection from the purveyors of software snake oil.
The only way a company should be able to get out from under these penalties is to declare the product "dead" and notify all customers of record that no more security support will be given for that product. Declaring the software dead should also require that the source code and/or system designs, as well as any patents and copyrights to the system, be released to the customers so that customers can arrange for other sources of security support for the system. At that point the company would not be allowed to sell, distribute, or accept any sort of payment, including royalties and support payments, for the software.
Stonewolf
Sorry, we don't need Congress to help in any way except not to pass any laws that could be used to infringe upon our constitutional freedoms. Encourage full disclosure. Do not be misguided/misled by information and initiatives put forth by mega-corporations that try to compensate for their ethical shortcomings.
Let's look at this on a higher level.
Do we really need more laws?
If this guy really wants to be a servant of the people, how about going through the old, dusty laws and getting rid of them?
You know, the ones like swinging a lantern in front of a horseless carriage. These guys in government really need to 'clean house' not 'shop more'. I know it's not as sexy, but being a servant is not a sexy job.
-- www.globaltics.net
Political discussion for a new world
1. Don't make it illegal to do research or learn about security issues. It is necessary in order to provide security.
2. Don't make it illegal to announce security flaws and exploits. It is critical that information about security holes be open and available.
3. Prosecute people who cause damage by using software with malicious intent - not for developing software.
4. Either require Microsoft to fix their pathetically broken security model or allow people to recover damages from them for security lapses. The situation with Microsoft software vis-à-vis security is ludicrous.
5. Mostly keep the government out of the way - there is nothing the government or a bunch of new laws can do to make networks or the Internet more secure.
6. Encourage the FBI's NIPC to develop some minimum level of expertise and competence. Right now, there doesn't seem to be any. All they do is parrot what Microsoft tells them.