As Emperor of Security, I hereby decree...

Benevolence is my middle name

Fines for insecure software

Bruce Schneier has often written about economic externalities, in which "the cost of a decision [is] borne by people other than those making the decision". In other words, companies creating software don't really suffer financially when their software products ship with massive insecurities in them. This needs to change.

If a company ships software that proves to be insecure, perhaps in some critical way, it'll be fined. The fines will be based on a percentage of yearly revenue, and it will be a big enough percentage to hurt. There's one exception to this rule: if the software is released under an open source license (as determined by the Open Source Initiative), then there's no fine. (Ed: Is this because they have no money?)

Organisations entrusted with your data will be held accountable

Another result of the current reality of economic externalities in security is the almost constant loss of personal and financial data due to carelessness and hacking. It's reached epidemic status, and it too needs to stop. The solution is similar to that in the previous decree: fines keyed to the organisation's yearly revenue. In addition to fines, however, these organisations will have to reimburse the people whose data was lost or stolen. A few large fines and reimbursements will most definitely lead to some firings, and I guarantee that security in this area will improve.

Mandatory disclosure of data loss and hacking

Of course, along with massive fines comes mandatory disclosure. If a company loses data, or is the victim of a security breach, it must reveal this to the public. A website will be set up to list these organisations so that they can be publicly shamed, and the amount they paid in fines will also appear there. California has such a law, without which the public would never have known about some particularly egregious data losses that a few companies incurred. A national law would go the next step to help inform people while holding companies accountable.

Mandatory anti-virus, anti-spyware, and firewall software

If you drive a car without changing the oil, eventually you'll destroy that car. Likewise, if you use a computer without anti-virus, anti-spyware, and firewall software, eventually you'll destroy that computer and hurt others as your infected machine spews malware and spam onto the net. When computers first boot, users should be offered the choice of several different anti-virus, anti-spyware, and firewall software packages, including ones that they install themselves, to preserve competition. Instead of 30 or 90 days, this software should be good for a year. How many people today buy new computers and don't buy the subscription after 90 days? As the end of that year approaches, users should be warned repeatedly that they must upgrade. No upgrade, no net access...except to sites offering upgrades. No anti-virus, anti-spyware, or firewall software, no net access...except to sites offering this software.

DRM cannot be used to deny fair use or first sale

I recently wrote a column explaining that DRM as currently practiced is a disaster not only for users, but also for the companies trying to use the technology. To solve those problems, DRM should be allowed, but it cannot be used to deny fair use or first sale rights.

Briefly put, the right of fair use says that I can use copyrighted materials in ways that the copyright owners may not intend or desire - for educational use, say, or for reviews or critique - while the right of first sale says that I can transfer to another person or entity a copyrighted work without asking permission first. If DRM prevents someone from exercising fair use or first sale, it's verboten; otherwise, it's OK. If you want to use DRM to protect your company's financial records, that's fine; if you want to use it to keep me from backing up my DVD or transferring songs I bought to a friend, that's not allowed.

That's it...those are my decrees. Some of you will call me mad, some of you will accuse me of megalomania rivaled only by the Roman emperors of old, and some of you will see things that I left out. Perhaps my ideas are crazy, but they're at least enough to spark discussion about solutions. And as a benevolent dictator, I choose to emphasise the word "benevolent" - if we try an idea for a while and it doesn't work, I'm more than willing to try something else. Finally, I urge you to propose your own ideas. If you were emperor of the security world, what would your orders be?

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus

Scott Granneman is a senior consultant for Bryan Consulting Inc in St Louis. He specialises in internet services and developing web applications for corporate, educational, and institutional clients.
