As Emperor of Security, I hereby decree...

Benevolence is my middle name

Fines for insecure software

Bruce Schneier has often written about economic externalities, in which "the cost of a decision [is] borne by people other than those making the decision". In other words, companies creating software don't really suffer financially when their software products ship with massive insecurities in them. This needs to change.

If a company ships software that proves to be insecure, perhaps in some critical way, it'll be fined. The fines will be based on a percentage of yearly revenue, and it will be a big enough percentage to hurt. There's one exception to this rule: if the software is released under an open source license (as determined by the Open Source Initiative), then there's no fine. (Ed: Is this because they have no money?)

Organisations entrusted with your data will be held accountable

Another result of the current reality in economic externalities in security is the almost constant loss of personal and financial data due to carelessness and hacking. It's reached epidemic status, and it too needs to stop. The solution is similar to that in the previous decree: fines keyed to the organisation's yearly revenue. In addition to fines, however, these organisations will have to reimburse the people whose data was lost or stolen. A few large fines and reimbursements, which will lead most definitely to some firings, and I guarantee that security in this area will improve.

Mandatory disclosure of data loss and hacking

Of course, along with massive fines comes mandatory disclosure. If a company loses data, or is the victim of a security breach, it must reveal this to the public. A website will be set up to list these organisations so that they can be publicly shamed, and the amount they paid in fines will also appear there. California has such a law, without which the public would never have known about some particularly egregious data losses that a few companies incurred. A national law would go the next step to help inform people while holding companies accountable.

Mandatory anti-virus, anti-spyware, and firewall software

If you drive a car without changing the oil, eventually you'll destroy that car. Likewise, if you use a computer without anti-virus, anti-spyware, and firewall software, eventually you'll destroy that computer and hurt others as your infected machine spews malware and spam onto the net. When computers first boot, users should be offered the choice of several different anti-virus, anti-spyware, and firewall software packages, including ones that they install themselves, to preserve competition. Instead of 30 or 90 days, this software should be good for a year. How many people today buy new computers and don't buy the subscription after 90 days? As the end of that year approaches, users should be warned repeatedly that they must upgrade. No upgrade, no net access...except to sites offering upgrades. No anti-virus, anti-spyware, or firewall software, no net access...except to sites offering this software.

DRM cannot be used to deny fair use or first sale

I recently wrote a column explaining that DRM as currently practiced is a disaster not only for users, but also for the companies trying to use the technology. To solve those problems, DRM should be allowed, but it cannot be used to deny fair use or first sale rights.

Briefly put, the right of fair use says that I can use copyrighted materials in ways that the copyright owners may not intend or desire - for educational use, say, or for reviews or critique - while the right of first sale says that I can transfer to another person or entity a copyrighted work without asking permission first. If DRM prevents someone from exercising fair use or first sale, it's verboten; otherwise, it's OK. If you want to use DRM to protect your company's financial records, that's fine; if you want to use it to keep me from backing up my DVD or transferring songs I bought to a friend, that's not allowed.

That's it...those are my decrees. Some of you will call me mad, some of you will accuse me of megalomania rivaled only by the Roman emperors of old, and some of you will see things that I left out. Perhaps my ideas are crazy, but they're at least enough to spark discussion about solutions. And as a benevolent dictator, I choose to emphasise the word "benevolent" - if we try an idea for a while and it doesn't work, I'm more than willing to try something else. Finally, I urge you to propose your own ideas. If you were emperor of the security world, what would your orders be?

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus

Scott Granneman is a senior consultant for Bryan Consulting Inc in St Louis. He specialises in internet services and developing web applications for corporate, educational, and institutional clients.
