February 10, 2007

On starting afresh with Security...

The gut-wrenching fight with who we want to be continues over at Mozilla. In a status update, Mitchell posts on the evolving Principles:

SPECIFICITY: There were a set of comments about the Manifesto not being specific, either about the nature of the goal or the steps we might take to get there. This was intentional on my part. With regard to specificity of the goals, I’m not sure we know now. And I’m pretty sure that interpretations will change. For example, what does security mean? We know it means security vulnerabilities -- problems with code that allow malicious actors too much room to move. More recently, “phishing” has become a serious problem. It’s not a classic code vulnerability though, so any definition of security that focused solely on code would be too limited. There will undoubtedly be other types of problems that will come up. So if we try to define “security” today it may be incomplete and it will undoubtedly be incomplete in the future.

My hope is that the Manifesto sets a stake in the ground that the broad topic of security is fundamental. Then a variety of groups can engage in more detailed discussions of what this means for them and what steps they will take. The Mozilla Foundation will clearly focus on products, technology and user interaction. Other groups can set out other specific tasks that contribute to improved Internet security.

That's just what I wanted to say ...

The recognition that security has failed has tracked the rise of phishing, growing through the years 2003-2004, but has been reinforced by data breaches, DDOS, botnets, etc. Those who saw the widening dichotomy between actual breaches and the peacock strutting of the security industry started to ask questions. Is there one security or two? Is it possible to be secure and not secure at the same time? Is there any point in talking about security at all, or is it all risk management? Who should we be securing, and what are we paying for?

Certainly, the discussion can only start with a fairly brave admission: We certainly stuffed that up, didn't we! Until we get over that barrier, until we recognise the awful gut-twisting fact that as a discipline, we said we could do it and we didn't, we won't ever be able to address the problems.

Mozilla makes the point above; has your organisation declared its failure in security to the public lately?

Posted by iang at February 10, 2007 08:46 AM

So the facade of security is really a veneer, a titular expression of concern. As in Governance the thieves know the difference between real honest efforts to address an issue and fake snake oil attempts to paint the sky. Influence peddling has become the generic solution to issues and security is no different. The illusion of security is enough to slick the lust and satiate the desire to feel secure. The illusionist lives for the fabricated event most commonly occurring in the media. The thieves live for the actual event of theft and reward, without any ramifications, or at least a series of significant payoffs with minimal punitive damages after a long period of time.

The thieves know one thing: that as long as posture is more important than results, security is a notional issue that they only have to exploit. This exploitive method has found a home in legal regimes in that most tax issues are focused on the least likely to respond with appeals to the regulatory process. Tax the poor on tobacco, spirits, and health. Exploit the common user, who is ignorant of the abusive practices' ramifications. The moral side step taken by industry to separate the applications from the operating systems has effectively left the common user with a fine line to walk and one that has been smudged intentionally. The world of the gray, poorly defined terms and responsibilities is the fodder for exploitation, but unlike our systems or regimes established for commerce, the complex nature has rendered the consumer and regulators unable to respond.

The great void in responses to exploitative application regimes, reinforced by poorly designed operating systems, will find equilibrium. This pile of excuses and fake public expressions of honest intent is going to break. The cascading systemic event can and will break the back of our highly complex interdependent society. It may not be a virus or an attack; it might be that people fail to trust companies that use this technology as the base for providing the desired service. What will happen if cash in its physical form replaces electronic funds, manual transcripts replace electronic ones in medical services, and so on? There is a risk that has not been quantified, and that risk is extreme distrust by consumers of the use of software applications.

Posted by: JimN at February 11, 2007 09:01 AM