[LINK] What's a reasonable level of code-checking?

Darryl (Dassa) Lynch dassa at dhs.org
Fri Aug 18 07:36:50 AEST 2006


link-bounces at anumail0.anu.edu.au <> wrote:
|| --- Craig Sanders <cas at taz.net.au> wrote:
|| 
||| computer security is a shared responsibility between the developers,
||| the distributors, AND the users. finding the correct balance of
||| rights vs responsibilities may be difficult but legislating so that
||| the entire responsibility is on the shoulders of the developers is
||| just plain broken.
|| 
|| I can envision bullet-proof systems that simply "just work"
|| out of the box. Let's say a purpose-built network box for
|| connecting consumers to the big wide info-autobahn
|| seamlessly and with total security. The box has a
|| well-defined set of functional and security requirements. It
|| can be tested against those requirements. We do have the
|| nous to make such a box today.

Yes, the only way to really make something secure is to take away any
configuration ability on the part of a user and ensure the system is locked
down into a high security model.

|| In that case, I do not see the consumer having *any*
|| responsibility in securing the box. The consumer's
|| responsibility is not to act stupidly and give away their
|| money / ID / whatever using that box.
|| But the law cannot and should not protect idiots from their
|| own stupidity. It is in the consumer's own interest not to
|| use the box to their own disadvantage.

To take the responsibility away from the user would entail also taking away
choices and ability to change.  Once freedom of choice is introduced, so is
responsibility.  That lack of choice would have to be extended to anything
connecting to the black box also otherwise the security model starts to fall
apart.  Security is determined by the weakest link.
 
|| The way things are going now, especially in consumer land,
|| is really pathetic. People I talk to on a daily basis do not
|| use their Windows box for Internet banking. They are too
|| scared to. They know their bank accounts can be emptied out
|| in seconds if they are not careful. Interestingly, when I
|| ask about fears of ID theft, I usually get a blank stare.
|| Why? Because that particular avenue of endeavour is newer on
|| the 'net. It will only be a matter of time before Joe
|| Sixpack will be fearful of ID fraud in addition to losing his bank
|| account contents. Add to that newer emerging crimes and soon Joe
|| Sixpack will not want to use the Internet at all with his Windows
|| box. 
|| 
|| Perhaps this will be a Good Thing (TM).

It is a wonder the banks haven't started marketing a black box of their own
that would only connect to their site and would only allow secure transactions
between them and the consumer.  I suppose then we would have more home
invasions.

Darryl (Dassa) Lynch 
