License to Surf, Take Two
NaugaHunter writes "A story on Yahoo asks Should [a] License Be Required to Go Online? It appears to be suggested by Bruce Schneier, chief technology officer for Counterpane Internet Security Inc. 'It could be a four-year college degree, a one-month course. It might be a good idea.' The story also details efforts of some schools from simple orientation to threats of fines for spreading viruses, and questions exactly who would be responsible for keeping track of who is and isn't licensed." Not a new idea, but one that's going to keep coming up. Update: 09/13 18:11 GMT by M: Bruce Schneier notes that he isn't in favor of computer licenses.
For Pete's sake, this has to be the most elitist article I have seen recently. Because Mr. Schneier knows what to do to keep his computer uninfected, let's blame the users and force them to be certified to be online.
Idiot.
How about blaming the actual target, the operating systems and flawed web standards that allow this. Look at certification authorities, browser, and OS vendors. I saw one of those hidden install ActiveX objects recently that has a Thawte signature. Why? Well, that CA's root cert is preloaded in IE so therefore, the signed ActiveX will install without any user intervention with default security settings.
What is wrong with this picture?
The problem was flawed assumptions at the outset. Microsoft assumed the Internet environment would remain benign, as it was in the early days of commercialization. Therefore, security was not a consideration. This has proven utterly false. The CAs figured they were in the business of printing up certificates for money. Check on the reliability of a vendor? Why, that would cost too much...so what are certificates and signing really worth? Not a whole hell of a lot. Yet we tell people to trust their money and credit card numbers to this intrinsically flawed system of 'trust'.
We, in IT in general, really need to reconsider all these flawed assumptions we have made and the bill of goods that has been sold to the general public. I have been doing end user support for 15 years now and I would be all too willing to blame this on the user. In this case we cannot. In the end, we have to realize it is not their fault. It is ours. We assumed things would stay the way they were, and they haven't.
Now let's fix it...invalidating the entire CA model and delegating that function to the government would probably be a good start. Have all certificates emanate from a government source or be considered invalid. That might actually work.
While we are at it, let's get the government involved in regulating operating system software in a formal fashion. Sure, I like the private sector and all, but it hasn't worked, has it? We have this huge security mess. Perhaps a greater degree of regulation is required to get us out of this mire, because market forces aren't going to fix the fact that Microsoft's operating system is woefully inadequate for today's Internet and most probably cannot be fixed while preserving backward compatibility for a meaningful number of applications.
The last two paragraphs were just ideas off the top of my head. I'm sure others could be arrived at, and better.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.