Slashdot Mirror


Network Security Wishlist?

breillysf asks: "I am a California-based network security attorney who has been asked by a senior US Senator to compile a list of the most important legal concerns facing network security administrators. He has a good feel for the government security issues (and lack thereof), but he is concerned about what is going on in the front lines in the private sector. I thought the Slashdot crowd would have the best feel on the pulse of the current situation. Specifically, if you could ask Congress for help in the area of network and information security, what would you ask for? Or would you tell them to get out of the way?"

"For example, I tried to push for tax incentives for upgrades in network security measures, but the Senator replied that is dead in the water because we are now spending into a deficit. He would rather see insurance companies reward firms with lower premiums for enhanced security. But there are international legal issues, compliance issues, privacy complications, potential negligence liability exposure, lack of federal incident response, FOIA and anti-trust issues with info sharing, conflicting state and federal cybercrime and privacy laws, USA Patriot Act concerns, etc."

5 of 512 comments

  1. Patch acquisition and rollout needs to be simple by bbk · · Score: 1, Offtopic

    Plain and simple, getting patches and rolling them out is a pain in the ass, for most vendors' products. I've switched most of my servers to BSD-based systems, simply because it's easier and simpler for me to stop a service, do a cvs update against the patched source tree, compile and re-enable the service, than it is for any other operating system.

    Windows Update is ok (the 75% of the time that it works), but there are far too many interdependencies between products - for example, to apply the latest Outlook 2000 bugfix, you need to download a 50MB patch for all of Office 2000, and have an Office 2000 disk around - since all my Outlook 2000 installs came with Small Business Server, I don't have this, and can't apply the patch.

    In short, it needs to be easier to patch systems - so simple, that people will bother to do it on a regular basis.

    BBK

  2. wish list by LordXarph · · Score: 0, Offtopic

    Specifically, if you could ask Congress for help in the area of network and information security, what would you ask for?

    BAN MICROSOFT.

    -Lx?

  3. Microsoft Antitrust by remande · · Score: 2, Offtopic
    The Microsoft monopoly is one of the Internet's biggest security holes.


    In a competitive OS environment, security would be a selling point in today's new world. But it isn't. All these Word and Outlook viruses are Microsoft-specific.


    Microsoft products are regularly cracked for two reasons. The first is that, being a monopoly, they are ubiquitous. If Yale was the only company in the nation making padlocks, criminals would only study Yale padlocks and learn to crack them, no matter how well they were built.


    The second is that Microsoft is not particularly security-conscious. The road to Windows started in DOS, which needed no security--it couldn't be networked! All the DOS-based Windows--3.1, 95, 98, ME--either have no security or had security put in after the fact. Only Windows NT, 2000, and (perhaps, I don't know) XP were built with security in mind at the beginning.


    Even with that, Microsoft has made a conscious decision to promote ease of use over security. It's always a trade-off: security is obnoxious. If you don't believe me, think back to the last time you misplaced your car keys. Microsoft's decision has been wonderful in giving the average user unprecedented access to information, but just as wonderful in giving the average computer criminal unprecedented access to everyone else's information.


    DoJ vs. Microsoft is still going on, last I checked. Anything that creates competition in the OS market will help secure the Internet. Vendors are likely to make security a selling point, and criminals will have to learn to crack multiple platforms to commit their crimes.

    --

    --The basis of all love is respect

  4. Re:Don't ban tools! by BiggestPOS · · Score: 0, Offtopic

    By thugs in black suits you mean lawyers right?

    --
    What, me worry?

  5. What the fuck's wrong with the moderators? by drsquare · · Score: 0, Offtopic

    It seems every other post starting a new thread has been moderated to 5, and most of them are shite. What is going on?