Feeds

As Emperor of Security, I hereby decree...

Benovolence is my middle name

  • alert
  • submit to reddit

Protecting against web application threats using SSL

Fines for insecure software

Bruce Schneier has often written about economic externalities, in which "the cost of a decision [is] borne by people other than those making the decision". In other words, companies creating software don't really suffer financially when their software products ship with massive insecurities in them. This needs to change.

If a company ships software that proves to be insecure, perhaps in some critical way, it'll be fined. The fines will based on a percentage of yearly revenue, and it will be a big enough percentage to hurt. There's one exception to this rule: if the software is released under an open source license (as determined by the Open Source Initiative), then there's no fine. (Ed: Is this because they have no money?

Organisations entrusted with your data will be held accountable

Another result of the current reality in economic externalities in security is the almost constant loss of personal and financial data due to carelessness and hacking. It's reached epidemic status, and it too needs to stop. The solution is similar to that in the previous decree: fines keyed to the organisation's yearly revenue. In addition to fines, however, these organisations will have to reimburse the people whose data was lost or stolen. A few large fines and reimbursements, which will lead most definitely to some firings, and I guarantee that security in this area will improve.

Mandatory disclosure of data loss and hacking

Of course, along with massive fines comes mandatory disclosure. If a company loses data, or is the victim of a security breach, it must reveal this to the public. A website will be set up to list these organisations so that they can be publicly shamed, and the amount they paid in fines will also appear there. California has such a law, without which the public would never have known about some particularly egregious data losses that a few companies incurred. A national law would go the next step to help inform people while holding companies accountable.

Mandatory anti-virus, anti-spyware, and firewall software

If you drive a car without changing the oil, eventually you'll destroy that car. Likewise, if you use a computer without anti-virus, anti-spyware, and firewall software, eventually you'll destroy that computer and hurt others as your infected machine spews malware and spam onto the net. When computers first boot, users should be offered the choice of several different anti-virus, anti-spyware, and firewall software packages, including ones that they install themselves, to preserve competition. Instead of 30 or 90 days, this software should be good for a year. How many people today buy new computers and don't buy the subscription after 90 days? As the end of that year approaches, users should be warned repeatedly that they must upgrade. No upgrade, no net access...except to sites offering upgrades. No anti-virus, anti-spyware, or firewall software, no net access...except to sites offering this software.

DRM cannot be used to deny fair use or first sale

I recently wrote a column explaining that DRM as currently practiced is a disaster not only for users, but also for the companies trying to use the technology. To solve those problems, DRM should be allowed, but it cannot be used to deny fair use or first sale rights.

Briefly put, the right of fair use says that I can use copyrighted materials in ways that the copyright owners may not intend or desire - for educational use, say, or for reviews or critique - while the right of first sale says that I can transfer to another person or entity a copyrighted work without asking permission first. If DRM prevents someone from exercising fair use or first sale, it's verboten; otherwise, it's OK. If you want to use DRM to protect your company's financial records, that's fine; if you want to use it to keep me from backing up my DVD or transferring songs I bought to a friend, that's not allowed.

That's it...those are my decrees. Some of you will call me mad, some of you will accuse me of megalomania rivaled only by the Roman emperors of old, and some of you will see things that I left out. Perhaps my ideas are crazy, but they're at least enough to spark discussion about solutions. And as a benevolent dictator, I choose to emphasise the word "benevolent" - if we try an idea for a while and it doesn't work, I'm more than willing to try something else. Finally, I urge you to propose your own ideas. If you were emperor of the security world, what would your orders be?

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus

Scott Granneman is a senior consultant for Bryan Consulting Inc in St Louis. He specialises in internet services and developing web applications for corporate, educational, and institutional clients.

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.