Slashdot Mirror


Do We Need a Sarbanes-Oxley for The Internet?

An anonymous reader asks: "Since 2002, corporate executives have been held accountable through the Sarbanes-Oxley Act (SOX) for their own internal IT security (with heavy fines and even prison terms when SOX isn't complied with) despite the fact that this level of accountability doesn't exist for some critical elements of the internet. Is it high time for industry to collaborate on a stringent security doctrine to hold organizations accountable for operating, providing and commercializing Internet service, in effect a Sarbanes-Oxley Act for the Internet?"

54 comments

  1. Short answer by truthsearch · · Score: 5, Insightful

    NO!

    I spent 10 years in IT of the financial industry. The day SOX got passed everything went downhill. The problem is that it's more about accountability than actually doing things right. Now I can't blame the law for that. The law makes lots of sense. But the way companies handle it adds 100 times the overhead and even more technical problems. Entire systems are built so there's a "signature" of approval and record of every little thing. People are so busy making others accountable (basically flowing both uphill and downhill) and no one takes accountability for their own actions and quality of work goes way down. What happens in the company is whatever intrinsic trust there was between coworkers disappears. All the company wants and needs is the paper trail. Cost of the service goes up while quality goes down.

    So while we want some accountability, an IT version of SOX is not the way to go. There are other good reasons, but this is one I'm personally experienced with. It's among the reasons I left the financial industry 2 months ago.

    1. Re:Short answer by nigham · · Score: 1

      The way I see it, SOX is meant to ensure that companies don't screw each other over; or maybe screw shareholders over.

      Somehow, I doubt that a SOX for the Internet would ever make companies accountable to end users.

      --
      I don't want to read /. I want to go home and re-think my life.
    2. Re:Short answer by truthsearch · · Score: 4, Insightful

      The idea was to hold the right employees accountable when regulations or laws are broken within a company. It's a response to Enron and WorldCom.

      The problem with doing this with the internet is its built-in distribution of responsibilities across many companies. If I get a virus do we audit my ISP, the company that built the routers, the telecom company that owns the wiring, the source's ISP, the developer of the virus (who's rarely found), the developer of the OS, server admins?

      Within one company it's relatively easy to trace responsibility. Over the internet there would be many debates, very costly audits, and rarely prosecutions.

    3. Re:Short answer by Anonymous Coward · · Score: 1, Insightful

      The problem is that it's more about accountability than actually doing things right.

      The most eloquently stated description of SOX that I've come across yet! I would posit that this is a result of another observation you made:

      People are so busy making others accountable (basically flowing both uphill and downhill) and no one takes accountability for their own actions and quality of work goes way down

      No one can afford to be singly accountable for the work we do in corporate IT. If I unintentionally introduce a defect to a piece of software I maintain, am I responsible for it? Absolutely. Can I possibly be accountable for it? No way! I can't personally reimburse the company or its customers or its overseers for the consequences of an honest mistake. Shall I spend time in prison instead? No thanks, I think I'll find another line of work. As a result, the corporation has developed an accountability system so serpentine as to make it impossible to actually determine who's accountable. The corporate attention is so narrowly focused on maintaining the accountability machine that all other aspects of our work have gone downhill, including the quality of software.

      It's among the reasons I left the financial industry 2 months ago.

      Ironically, the financial institution I was with a year ago handled SOX compliance much, much more sanely than the retail organization I work for now. Then again, that financial institution had a cultural ethos of "do the right thing" which made compliance a bit easier.

    4. Re:Short answer by TykeClone · · Score: 1
      NO!

      You misspelled "GOOD GOD NO!"

      --
      A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
    5. Re:Short answer by Phillup · · Score: 0, Troll

      It's a response to Enron...

      If it doesn't stop GWB from giving Kenney Boy a pardon, it is a meaningless response to Enron.

      --

      --Phillip

      Can you say BIRTH TAX
    6. Re:Short answer by SuperBanana · · Score: 2, Insightful
      The problem is that it's more about accountability than actually doing things right.

      I worked for a company that had to follow Sarbanes-Oxley.

      We were required to force password changes every month or two.

      Except Mac users (at least half the company) didn't get a warning their password was about to be disabled, nor could they actually change their password, because Outlook and Microsoft's appletalk server don't allow you to change an active directory password.

      So every month or two, for two days, the phone would ring off the fucking hook with people whose email accounts didn't work. And, out of curiosity, since the phone system didn't have caller ID for external lines, guess what? Anyone could call up and request a password change, since there was no policy requiring us to a) look up the employee's # and call them back, or b) deny the request if we couldn't verify it. They could, of course, just claim to be traveling on business, in a hotel or with a client. If we DID do too much due diligence, someone would scream about how much time we were taking to get their password to them.

      Way to go.

      Oh, and then there were the audits of the trouble-ticket database, where some pencil-pusher who knows nothing about the department goes through and critiques those.

      And then a few weeks later, you get to do it all over again, and then ONCE MORE, because you had two firms that did audits, and then a THIRD that came along and compared the first two. What a clusterfuck.

    7. Re:Short answer by Syberghost · · Score: 1

      Boo hoo, wah wah, we had to enforce good security policies, and we had crappy software that wasn't up to the task, and it made our job HARD.

      That's why they passed the law; because without it, some people don't want to do their jobs, and data gets pilfered because nobody has any consequences.

      It was a pain in the ass here, too; but it finally allowed those of us who wanted to do things right to get them shoved through the "security Luddites" who wanted to be able to telnet into boxes as root instead of SSHing in and using sudo.

    8. Re:Short answer by Znork · · Score: 1

      I see you haven't actually implemented real SOX compliance yet. You see, sudo ain't good enough. No solution that allows actual root privilege escalation is good enough. You need complete separation of duties with immutable audit trails and unchangeable logs. Technically you'll have to use something like eTrust, SELinux, secure Solaris, etc. The kinds of solutions that tend to royally mess up your applications and make your job a three person job. One who grants you privileges, one with the privilege to execute the command on the machines, and one who watches what commands were executed. None of which may be allowed to have access to the functions of the other persons.

      SOX has nothing to do with good security policies. If you think it has, you have not implemented it right.
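An added illustration of the control described in the comment above (example code written for this page, not code from any poster, product or the act itself): a tamper-evident audit trail in which the auditor, not the operator, holds the key. Each entry is HMAC-tagged together with the tag of the previous entry, so an operator with root on the executing host can edit, delete, reorder or truncate a copy of the log but cannot make the result verify. The role names, the key and the logged commands are constructed for the example.

```python
"""Tamper-evident audit trail split across the three roles: grantor, executor,
auditor. The auditor runs the collector and is the only holder of the HMAC key,
so root on the executing host cannot produce valid tags. (Added example.)"""
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Optional

GENESIS_TAG = "0" * 64  # "previous tag" of the first entry


def _entry_tag(key: bytes, prev_tag: str, record: Dict) -> str:
    """HMAC-SHA256 over the previous tag plus the canonical JSON of the record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag.encode() + canonical, hashlib.sha256).hexdigest()


class AuditCollector:
    """Append-only log kept on the auditor's side; only this side has the key."""

    def __init__(self, auditor_key: bytes) -> None:
        self._key = auditor_key
        self.entries: List[Dict] = []

    def append(self, granted_by: str, executed_by: str, command: str, host: str) -> Dict:
        prev = self.entries[-1]["tag"] if self.entries else GENESIS_TAG
        record = {
            "seq": len(self.entries),   # position in the chain
            "prev": prev,               # links to the previous entry
            "granted_by": granted_by,   # who approved the privilege
            "executed_by": executed_by, # who ran the command
            "host": host,
            "command": command,
        }
        entry = dict(record, tag=_entry_tag(self._key, prev, record))
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Tag of the newest entry; the auditor records this out of band so
        that cutting entries off the end of the log is also detectable."""
        return self.entries[-1]["tag"] if self.entries else GENESIS_TAG


def verify_chain(entries: List[Dict], auditor_key: bytes, expected_head: str) -> Optional[int]:
    """Return the index of the first bad entry, len(entries) if the tail was
    cut off, or None if the chain is intact and ends at expected_head."""
    prev = GENESIS_TAG
    for i, entry in enumerate(entries):
        record = {k: v for k, v in entry.items() if k != "tag"}
        if record.get("seq") != i or record.get("prev") != prev:
            return i  # entry removed, reordered or inserted
        if not hmac.compare_digest(_entry_tag(auditor_key, prev, record), entry.get("tag", "")):
            return i  # contents changed, or re-tagged without the auditor's key
        prev = entry["tag"]
    return None if prev == expected_head else len(entries)


def demo() -> Dict[str, Optional[int]]:
    """Run the verifier over an intact log and four operator-side manipulations."""
    key = b"auditor-only-secret"  # constructed; lives only on the collector
    log = AuditCollector(key)
    log.append("alice-grantor", "bob-operator", "systemctl restart ledger-db", "db01")
    log.append("alice-grantor", "bob-operator", "psql -c 'UPDATE ledger SET ...'", "db01")
    log.append("alice-grantor", "carol-operator", "tar czf /backup/ledger.tgz /var/lib/ledger", "db01")
    head = log.head()
    results: Dict[str, Optional[int]] = {}

    results["intact"] = verify_chain(copy.deepcopy(log.entries), key, head)

    edited = copy.deepcopy(log.entries)
    edited[1]["command"] = "psql -c 'SELECT 1'"      # rewrite what was run
    results["edited_entry"] = verify_chain(edited, key, head)

    deleted = copy.deepcopy(log.entries)
    del deleted[1]                                    # drop the incriminating entry
    results["deleted_entry"] = verify_chain(deleted, key, head)

    truncated = copy.deepcopy(log.entries)[:2]        # cut the newest entry off the end
    results["truncated_tail"] = verify_chain(truncated, key, head)

    forged = copy.deepcopy(log.entries)
    forged[1]["command"] = "psql -c 'SELECT 1'"
    body = {k: v for k, v in forged[1].items() if k != "tag"}
    forged[1]["tag"] = _entry_tag(b"guessed-key", forged[1]["prev"], body)  # re-tag without the real key
    results["retagged_wrong_key"] = verify_chain(forged, key, head)
    return results


if __name__ == "__main__":
    for case, first_bad in demo().items():
        print(f"{case:20s} -> {'ok' if first_bad is None else f'bad at {first_bad}'}")
```

The point of the split is that sudo on the host is still fine for the executor, but the record of what was executed must leave the host as it happens and be tagged with a key the host never holds; the auditor then only has to keep the latest head tag somewhere the operators cannot reach to detect every class of after-the-fact edit shown above.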

    9. Re:Short answer by Syberghost · · Score: 1

      I define "right" as "the auditors say I did it right, and we all get a bonus". You may feel free to define it as "this is impossible to comply with so I won't even try". Be sure to let us know what company you work for, though, so we can all sell short.

    10. Re:Short answer by Merovign · · Score: 1

      A certain company I worked for created massive bureaucratic procedures that didn't increase security at all.

      The problem with a law like SOX is that the theory is to introduce new procedures to improve security and accountability, the practice is to introduce new procedures to comply with the law and fend off lawsuits.

      I suddenly had a ton of useless paperwork and busywork to do and I heard "Sarbanes-Oxley" about 20 times a day, to no improvement in security or accountability.

      In addition, in full accordance with the Vice-President Syndrome, every new Dumb Administrative Idea was implemented because you were not allowed to argue with any policy that was justified with the Magic Words "Sarbanes-Oxley."

    11. Re:Short answer by Znork · · Score: 1

      That's your CEO's problem, as he'll be the one attesting to the reliability of the company finances when any sysadmin can modify data without being accountable. He's the one who'll be facing jail time when the books get cooked.

  2. Typical Crap by bsdbigot · · Score: 4, Insightful

    Yes, obviously the answer to EVERY problem about the Internet is more laws on the books. The scary thing is, with things like SOX, we spend more money and time on bureaucracy than fostering an environment which would preclude the need for SOX in the first place. Instead of criminalizing bad conduct, why doesn't the government try to encourage good conduct by, say, granting tax relief for companies that are fully SOX compliant instead of prosecuting executives that fail to make this happen. That would encourage good behavior far better than turning people off to being in business in the first place.

    Think about it - let's say you're Bill Gates or Scott McNealy; would you really want to be in a position where failure to do your job correctly would result in jail time? SOX is stupid for exactly this reason.

    Now, translate that to the internet. You are a webmaster, and because you didn't install NT4SP26 on your IIS farm, you could face 20 years in jail. Utter bullshit. Let's kill this idea before it gets any momentum!

    --
    main(){char I,l,O[]={'-',1-1,0,(1<<5)-1,0+'-',-10-1,-10,11-0,- 1,-100};for(I=l=0;l<10+0;put
    1. Re:Typical Crap by Anonymous Coward · · Score: 0

      bad conduct pays more

    2. Re:Typical Crap by jbolden · · Score: 2, Insightful

      All SOX requires is that when you make statements in sworn legal documents, intended for broad public consumption, you can make a reasonable argument as to why you believe those statements are true. That's not exactly asking for the sun and the moon.

      25 years ago we had far less IT but SOX wasn't needed because we didn't have a culture of corruption in the United States.

  3. Too much corruption to be able to make a good law. by Futurepower(R) · · Score: 2, Insightful


    This kind of law requires a huge amount of wisdom to write and implement. The U.S. government just does not have that ability at present. Instead, the government is being sold to whomever will pay the most: Unprecedented Corruption: A guide to conflict of interest in the U.S. government.

  4. SOX by BrookHarty · · Score: 2, Informative

    SOX is a lie to make the public feel safe. You can still move money around from departments and expenses. The accountants make money on SOX, and you get a false "Warm and Fuzzy" feeling that the CEO/CFO won't take out personal loans. But golden parachutes still exist, and sign and profit bonuses, and a zillion other ways to get the executives some money.

    And the article is full of fluff, the companies he listed are already under SOX control, except offshore gambling.

    Not great detail, but a quick overview at Wikipedia.
    http://en.wikipedia.org/wiki/Sarbanes-Oxley

    1. Re:SOX by Anonymous Coward · · Score: 0

      The acronym is actually encrypted. When decrypted, the real one is: CYA.

  5. NO by Anonymous Coward · · Score: 1, Insightful

    No, we don't need ANY further regulation for the net! Net issues need to be handled by the net community and by technology. All others should keep their big fucking noses out of net business!

  6. Program Manager's Employment Act by klausner · · Score: 1

    SOX is a farce that is more about show than substance. It's generated zillions of billable hours for program managers to create lots of project plans, but it is still up to the company to decide to actually do anything concrete.

  7. Want a recent example of the corruption? by Futurepower(R) · · Score: 1


    Want a recent example of the corruption in the U.S. government? Here's one from Ed Foster: Crime and Punishment, and Copyright.

    In the U.S. government of today, anyone can get anything they want if they have money.

    Quotes:

    "After all, the music and movie industry moguls who spend so much time and money getting Congress to do their bidding are not without sins of their own. Just as an example, last month Time Warner -- a corporation with a foot in both industries -- agreed to pay a $300 million fine to the SEC to settle civil fraud charges. It had earlier paid $210 million to get the DoJ to go away on criminal fraud charges involving some of the same accounting shenanigans. Time Warner just had to pay this chump change rather than admit guilt, in spite of the fact that, as one SEC officer noted, some 'of the misconduct occurred while the ink of a prior Commission cease-and-desist order was barely dry.' Oh, by the way, the Time Warner CFO, Controller, and Deputy Controller also agreed to never do such nasty things again. But apparently they don't face jail time, or even fines, and they're still working for Time Warner.

    "So it's possible some of the same Time Warner officials who have been caught once or twice robbing investors in the past could be doing so again even as we speak. Of course, last week they may have been too busy passing out rewards to their minions on Capitol Hill, or perhaps they were involved in all those lawsuits the MPAA and RIAA were filing to harass the researchers developing the Internet2."

  8. That doesn't mean anything. by Elwood+P+Dowd · · Score: 2, Insightful

    Are you talking about regulating ISPs differently? Corporate IT departments? Home computer software? All of the above? What are you talking about regulating? What is the problem that you would like to solve?

    "Sarbanes-Oxley Act for the Internet" is meaningless. How would that be significantly different from a Sarbanes-Oxley Act for your dumb face?

    --

    There are no trails. There are no trees out here.
    1. Re:That doesn't mean anything. by RealityMogul · · Score: 1

      How is that flamebait. Seems rather legitimate to me.

    2. Re:That doesn't mean anything. by Elwood+P+Dowd · · Score: 1

      I certainly thought so. But I guess I didn't need to take no tone of voice.

      Heh.

      --

      There are no trails. There are no trees out here.
  9. Security is a process not a project by NoSuchGuy · · Score: 4, Insightful

    As a CEO you can't start a project called "Let's get secure!" and expect to be immune to all threats.

    Security isn't a one time spending.

    You can't spend 2 times the amount of X Dollars and expect to be 2 times more secure than spending only X Dollars!

    Security is a process.
    Security is a process.
    Security is a process.
    Security is a process.
    Security is a process.
    Security is a process.


    You have to rethink everything every time.
    Security needs a steady budget.

    --
    Grundgesetz * 23. Mai 1949 - 30. November 2007 - http://www.vorratsdatenspeicherung.de/
  10. Streamlined Regulation by 4of12 · · Score: 2, Interesting

    I would advocate minimum possible regulations, particularly ingredients that require rigorous identification, government screening to prevent "slander of the state", etc.

    Delegate control and punishment measures down through the DNS hierarchy - if you run an open relay that spews, then it's up to your provider to discipline you - or face worse consequences upstream as his provider gets angry about the flood.

    --
    "Provided by the management for your protection."
  11. as a person working for a company doing SOX by krist0 · · Score: 2, Insightful

    Jesus Christ for the love of god (whichever one)...NO!...run away from SOX, it's just blame deferral, endless policy creation (and not even the few needed good ones), it's endless "clarifying meetings", it's getting ITIL'd, it's an endless stream of crap, like getting buried under a mountain of wet blankets.

    You and your colleagues get suffocated in crap, stuff that you were hired to do because, well, you know what you are doing...oh no, you must get approval to shit....

    RUN AWAY!!!!

    --
    all you are, is all you are, i'm so sorry for you.
    1. Re:as a person working for a company doing SOX by Anonymous Coward · · Score: 0

      Speaking of ITIL. Is anyone else experiencing ITIL/ITSM initiatives? I am observing at least 4 hours of "clarification" meetings per day. In addition, it seems like management vaporware that accompanies outsourcing/offshoring.

      Anyone have any input?

  12. Death knell for amateur computer science... by Leadhyena · · Score: 4, Insightful
    It's inevitable... the government will demand for accountability of all actions on the internet. Run with me on this argument before you call me chicken little, and you will see the slippery slope that we're treading upon. Already the internet has entered case law and precedent has been set in many situations. Congress has also made some laws over actions on the net, and they plan to do more. It's only a matter of time until the whole thing gets regulated.

    And what does this imply? Well, for starters it'll require something like a SOX regulation; while it won't demand packet sniffing per se, it will demand that source and destination IP addresses, MAC addresses, and ports be logged, so that people who release viruses/trojans/spyware/spam et al. can be held accountable. Then anyone running a "web service" may be required to take logs of activities (to be used in investigations of fraud or terrorist activities), so that authorities may request these materials upon subpoena.

    And even then it won't be enough to stop identity theft, copyright infringement, and other criminal activities on the net. That's when Congress will come to the "realization" that programming is what makes everything on the net possible, and finally demand that programmers be held accountable for their code. That will be the death-knell of amateur computer science, for you won't be permitted to write a program and run it on an internet-enabled computer without having to take responsibility for that program's actions, limiting one's recreational programming to toy computers and sandboxes. It will progress to the point where it will be "impossible" for a programmer to take responsibility for writing something on the internet, because he/she cannot afford the insurance that he/she will have to take out to cover the insurance necessary to protect themselves from programming lawsuits when a program they authored is used to perform evil actions.

    Obviously some people will have to be allowed to program on the net everyday, to patch programs that users find bugs in or black-hats find exploits in. The only way for these programmers to obtain programming insurance is to partake in several programming certification classes in order to obtain a license to program. Maybe I'm being paranoid, but this seems to be the logical extension of the government's desire to determine accountability for all activities towards the internet.

    1. Re:Death knell for amateur computer science... by SpaceLifeForm · · Score: 1
      You are correct on the slippery slope and how government and MS will want to control everything. This is the reason for the attacks on Linux BTW.

      But guess what? The Internet (as it has become) can be re-invented, and it will because it will have to be re-invented.

      Keep your copper dry.

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
    2. Re:Death knell for amateur computer science... by richardoz · · Score: 1

      This sounds a lot like trusted computing to me...

      --
      All the world's indeed a .sig, and we are merely players..
    3. Re:Death knell for amateur computer science... by innocent_white_lamb · · Score: 1

      It's only a matter of time until the whole thing gets regulated.

      That's when
      [the UNITED STATES] Congress will come to the "realization" that programming is what makes everything on the net possible, and finally demand that programmers be held accountable for their code.

      In the good ol' USA, land of the free, home of the brave, etc etc.

      Meanwhile, the rest of the world will be moving right along and computer science people and professional, amateur and hobby programmers will be doing pretty much what they always do.

      There is a whole big world out there beyond the borders of the USA.

      --
      If you're a zombie and you know it, bite your friend!
    4. Re:Death knell for amateur computer science... by Anonymous+Brave+Guy · · Score: 1

      <Devil's advocate> The question is how much of that would actually be a bad thing. </Devil's advocate>

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    5. Re:Death knell for amateur computer science... by soloes · · Score: 1

      while this is true, that countries outside the US may be free from US law, they are still bound by US trade. The US could, and possibly would, put strong trade regulations on countries that don't follow suit with this new bureaucracy.
      Or they could just go the maniacal way of China and filter all internet from the outside world (or attempt to at least).
      the problem is politicians in this great and free land always overreact when they finally react at all. Something like this is quite plausible with the right wing in charge now. Hell most of them can't even spell WWW (they just think people are chanting repeatedly for their fearless leader), but look at it as the great new threat.

      --
      New and improved Guilt. Now its alcohol soluble!
  13. As a member of cyberarmy by A+beautiful+mind · · Score: 1

    which stands for "freedom of thought, freedom of expression, and freedom of information on the Internet", i say, this is a very stupid idea.

    --
    It takes a man to suffer ignorance and smile
    Be yourself no matter what they say
  14. Absolutely! by Anonymous Coward · · Score: 0

    Otherwise the big corporations will reap obscene profits

  15. Who are you regulating? by rnxrx · · Score: 3, Insightful

    SOX deals with accountability within US corporations. It doesn't speak to the operations of companies outside the US. Attempts by particular countries to legislate the Internet have historically been ineffectual at best. This would be no exception.

    1. Re:Who are you regulating? by Anonymous Coward · · Score: 0

      Unfortunately you are incorrect. SOX applies to companies outside the US if they are owned by a US company, or they directly trade securities on US markets, or they have a certain number of US citizens as shareholders (can't find the number now).

    2. Re:Who are you regulating? by darnok · · Score: 1

      > SOX deals with accountability within US
      > corporations. It doesn't speak to the operations
      > of companies outside the US.

      Not true - it also speaks to the operations of non-US companies who have dealings with US companies. Worldwide, that includes pretty much all companies beyond a certain size.

      Loads of companies here in Australia are heading down the SOX path.

    3. Re:Who are you regulating? by Anonymous Coward · · Score: 0

      Not true at all... It is any company that trades on a US exchange, whether or not they have operations outside the US you are still subject to them...

      Our IT team lost an entire year because of this and guess what, it's not over... just when we thought we'd get back to work, it's time for your semiannual vulnerability assessment.

      It's the most fun... documenting how much it's gonna cost to fix something that isn't broken.

  16. programming == free speech? by NoSuchGuy · · Score: 1

    1) Take a look at what PGP did to export their book of PGP source code.
    2) Can the (US) government order you what you have to do at $DAYJOB or in your free time?

    --
    Grundgesetz * 23. Mai 1949 - 30. November 2007 - http://www.vorratsdatenspeicherung.de/
  17. Do What Thou Wilt by Anonymous Coward · · Score: 0

    NO.

    Do What Thou Wilt Shall Be The Whole Of The Law!

  18. Re: sig by X0563511 · · Score: 1

    I'm too lazy. What does that function in your sig output?

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  19. Ditto for ISO 9002 by leonbrooks · · Score: 1
    The problem is that it's more about accountability than actually doing things right. Now I can't blame the law for that. The law makes lots of sense. But the way companies handle it adds 100 times the overhead and even more technical problems. Entire systems are built so there's a "signature" of approval and record of every little thing. People are so busy making others accountable (basically flowing both uphill and downhill) and no one takes accountability for their own actions and quality of work goes way down. What happens in the company is whatever intrinsic trust there was between coworkers disappears. All the company wants and needs is the paper trail. Cost of the service goes up while quality goes down.
    Amen, brother, amen. Hear the man!

    I have a bunch of real-life horror tales for ISO 9002 and how hard (and expensive) that made it to get real quality into a product even with willing participants.

    Forex, there was the case of the key part made mirror-image (and late). The supplier flat-out refused to RMA or even look at it because their ISO9002 system guaranteed that the part was good. It was ISO9002 vs reality, and reality lost. Shades of the Hubble mirror! In order to make the building work, the company in between had to pay someone else to fabricate another part - in a hurry, not under ISO9002, and at their own expense - in the right shape, and use that. IOW, the ISO9002 paperwork for the building is now as much a lie as the ISO9002 paperwork of the original supplier, even though the replacement part is probably stronger and longer-lasting than the mismade original and the alternative would have been to halt construction of the (already behind schedule because of this) building for another few months and pay literally ruinous contract penalty fees.

    In a couple of cases, having any single unwilling participant in the loop would have been crippling, and trying to apply the system to a company full of drudges and yet make it function would have been far more painful than just cutting your losses, firing everyone, declaring bankruptcy and going on the dole the next day.
    --
    Got time? Spend some of it coding or testing
  20. I appreciate your refreshingly honest approach by leonbrooks · · Score: 1
    On this machine:
    "wtf.c" [New] 1L, 114C written
    [lucyb@destrier Leon]$ make wtf
    cc wtf.c -o wtf
    [lucyb@destrier Leon]$ ./wtf
    ---Lyndon
    --
    Got time? Spend some of it coding or testing
  21. But we obviously *do* need some regulation by Anonymous+Brave+Guy · · Score: 1

    The problem is, they said that about big business, until Enron and friends collapsed. By then it was too late.

    The Internet is in a dangerously similar position: it's so free at present that even normal laws agreed in almost all jurisdictions effectively don't apply, and the results range from irritations like spam e-mails, through disruption from viruses, to serious harm via phishing, electronic fraud, and several more "up-and-coming" crimes.

    The major problem with the Internet is the fact that you can do things effectively anonymously. With anonymity comes lack of accountability, and with that comes the cessation of any effective rule of law whatsoever. (I realise that a lot of people may now bleat about all the damage that would be done by losing that anonymity, and probably 1/5 of them will be making a valid point rather than just parroting.)

    But the simple fact is that with freedom must come responsibility, always. I believe in as much freedom as possible, up to the point where the individual's freedom is harmful to society as a whole, but if you're going to say what you like, you have to expect to be held accountable for what you say. (/me inserts standard "shouting 'Fire!' in crowded theatre" illustration.)

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  22. You obviously *do* need to get a life. by Anonymous Coward · · Score: 0

    Look you twat, you can shout fire or whatever you like on the internet and no one will be killed. They won't be hurt either. You talk about bleating, it seems that you are the one that is bleating the line on regulation.

    The intarweb isn't the real world. Why should real-world laws govern a place that isn't real? Because people are stupid? Tough fucking shit for them! If they fall for fraudulent activity on the intarweb then they deserve what they get. If the fraud extends into the real world, such as their real bank account, then there are already laws that deal with that. With phishing, we already have bank fraud, wire fraud and postal fraud. Why do we need an intarweb fraud law as well? Especially when it can't possibly be enforced? The people that propose these asinine regulations are just as stupid as the people that fall for the scams they are trying to prevent.

    That's the thing that you morons seem to forget. There are already MORE than enough laws in the real world that govern every facet of real life. When things cross over from the virtual world of cyber space into the real world they are already regulated. There is absolutely no need for regulation of cyberspace.

    When it's virtual, it's virtual. When it's real, it's already regulated. Don't be a tard!

    1. Re:You obviously *do* need to get a life. by Anonymous+Brave+Guy · · Score: 1

      Blockquoth the AC:

      Why do we need an intarweb fraud law as well? Especially when it can't possibly be enforced?

      The fact that regular laws can't readily be enforced against illegal activity on the Internet is exactly why some basic regulation of the Internet is needed. You just destroyed your own arguments.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  23. Sure but only if by Mr.+Foogle · · Score: 1

    you want to really break 'the internet' once and for all.

    --
    Display some adaptability.
  24. Whistleblower protections by UnapprovedThought · · Score: 1

    OK, if the accounting is too expensive, then maybe that part can be reduced or modified?

    But, for blog's sake keep the whistleblower protections.

    Thanks to S/O, a public company can no longer fire you simply for disclosing their illicit activities (note that a non-public company still can do so, although AFAIK this has not been tested in court yet). Otherwise Enrons and Worldcoms will happen all over again because people will be afraid to speak out, fully expecting that their employer with their army of lawyers will just figure out a way to put the blame on them. If the job picture gets really bleak then people will be speaking out nada.

    Too bad that this very critical part of Sarbanes/Oxley is being mostly glossed over by most of the posts here. Whistleblower protections are needed more often than most people think, and they benefit more than just the whistleblower.

    The public, the free market, and the individuals adversely affected by the illicit practices (not only accounting but also untraceable relaunderable illegal debt collection practices for instance... *ahem*) stand to benefit by someone who is willing to talk.

    Maintaining public confidence might be worth some cost. I think it is worth the cost of rethinking, not denouncing Sarbanes/Oxley.

    I'm not surprised if public companies would want to reduce their liability by trying to raise a firestorm over the accounting part of it. That would lift a giant sword of Damocles over their leadership. Some of their employees have to trudge along on menial tasks, but guess who benefits if the tasks are as menial and frustrating as possible? The same leadership that's assigning the tasks and very conspicuously labeling "Sarbanes/Oxley" all over them.

  25. Yes by Anonymous Coward · · Score: 0

    We should require accountability for security breaches, with the following rules:

    * All viruses, worms, and trojans must contain the author's name, home address and telephone number
    * There is to be a $1 tax on the virus writer for every machine infected
    * All viruses must contact an official government server when infecting a machine, in order to allow the tax to be collected
    * To ensure full collection of the tax, viruses may not infect a machine until an Internet connection has been established
    * Viruses must request user confirmation before destroying any data
    * Anyone who was involved in writing code covered by a security patch is banned from coding for 6 months, and must take a security course

  26. Your nick speaks volumes. by Anonymous Coward · · Score: 0

    You are indeed an innocent_white_lamb. You are one of the sheep. The sheep that are foolish enough to believe what they are told, accepting everything at face value.

    Do you not see the "rest of the world" already falling in line with US policy? Do you honestly believe that if your country did not follow US doctrine and the US cut you off from their part of the internet that you would be severely affected? No more Slashdot, eBay, Yahoo, Google or any of the other sites you likely use on a daily basis. Can you traceroute to any of your favorite websites without passing through a US exchange? You don't feel that you and your country would feel the pinch?

    The US "invented" the internet, Tim Berners-Lee only invented HTML. The US also still controls the majority of the internet today and certainly from a policy level that is unlikely to change. The US will invent constraining laws that will negate the internet that we know today and the rest of the world will follow the US lead whether they like it or not.

    Surely you are not such an innocent lamb that you are too naive to see that your Prime Minister is already a US lapdog.