[LINK] What's a reasonable level of code-checking?

David Lochrin dlochrin at d2.net.au
Fri Aug 18 10:55:05 AEST 2006


On Fri, 18 Aug 2006 07:36, Darryl (Dassa) Lynch wrote:

> Yes, the only way to really make something secure is to take away any configuration ability on the part of a user and ensure the system is locked down into a high security model.

   The problem with a "locked-down purpose-built network box for connecting consumers to the big wide info-autobahn" is that we'd need a range of boxes configured for each consumer's profile of applications.  This customer wants to run VoIP, that one wants to run some combination of games, and another wants an IPsec tunnel to their employer.  A network-box which allowed everything would not be very secure.

   I've come across two NetComm SOHO ADSL routers, their old NB3 and their fairly recent NB5.  The NB3 is a really first class, professional design, but I'm told their customers complained it was too complicated.  The NB5 seems to have been dumbed down in an attempt to achieve simplicity & security.  However I would not recommend this device because whatever level of security it may offer is not clear, mostly through lack of configuration flexibility and information about how it works.  (I'm told the onboard "help" was removed to save memory, and customer support all seems to be at the button-pushing level).  After being upgraded to firmware release 17 (!) my own NB5 is now gathering dust.

   This all illustrates the basic problem - users must have application flexibility, but supporting this flexibility requires a great deal of technical skill.  It's just not possible to have our cake and eat it too.

> To take the responsibility away from the user would entail also taking away choices and ability to change.  Once freedom of choice is introduced, so is responsibility.  That lack of choice would have to be extended to anything connecting to the black box also otherwise the security model starts to fall apart.  Security is determined by the weakest link.

   Exactly, but the user's responsibility may lie with having their computer & network professionally configured.  And what level of professional liability insurance does that require of the expert?

>|| --- Craig Sanders <cas at taz.net.au> wrote:
>|| The way things are going now, especially in consumer land, is really pathetic. People I talk to on a daily basis do not use their Windows box for Internet banking. They are too scared to. They know their bank accounts can be emptied out in seconds if they are not careful.

   Yes....  it's fascinating to see how reality is coming up against the bank's dream of almost no customer-contact, with everything done over the 'net.  They have something of the same problem as the airlines - airline travel is now becoming so unpleasant people will simply avoid using them, and a good thing too as far as the planet is concerned.

David
