Re: Our Data : an appeal - a "Plimsoll line" for computer security

From: Richard Atkinson (big@un.com)
Date: 06/14/02


From: "Richard Atkinson" <big@un.com>
Date: Fri, 14 Jun 2002 09:16:24 +0100


I certainly applaud the idea.
However, the Plimsoll concept is fundamentally flawed and totally unworkable
in the 21st Century.

i) If we had a committee to decide on security then we'd end up with
something like W3C - I think it only exists to give the man who invented web
browsing a job.
ii) We've already got ISO 17799, and if you read it and implement it
(properly), you'll get security.
iii) If you're after a technical solution, there are hundreds of solutions and
it all depends on what you want to do.

I also find attacking Microsoft boring - I'm bored to death with the *nix vs
Microsoft argument. All software is flawed one way or another. I don't
rely on MS-Word to be my firewall or anti-virus program, and I can't use
Open Office as my mailsweeper.

If we want a 'Star Trek' technology future, we'll have to standardize on 1
vendor, otherwise Linux shuttle systems won't interface with Microsoft
Enterprises.

One last point - if we did have a 21st Century Sam Plimsoll, he'd have to be
rich enough to influence people to his way of thinking - errr, sounds like
he's already been reincarnated into Bill Gates!!!

"David Mohring" <heretic@heretic.ihug.co.nz> wrote in message
news:slrnaghja3.1h4.heretic@heretic.ihug.co.nz...
> An invitation to discussion.
>
> From the Plimsoll Club history
> http://www.plimsoll.com/history.html
>
> +Samuel Plimsoll, M.P.
> +(1824-1898)
> +
> +Samuel Plimsoll brought about one of the greatest shipping
> +revolutions ever known by shocking the British nation into making
> +reforms which have saved the lives of countless seamen. By the
> +mid-1800's, the overloading of English ships had become a national
> +problem. Plimsoll took up as a crusade the plan of James Hall to
> +require that vessels bear a load line marking indicating when they
> +were overloaded, hence ensuring the safety of crew and cargo. His
> +violent speeches aroused the House of Commons; his book, Our
> +Seamen, shocked the people at large into clamorous indignation.
> +His book also earned him the hatred of many shipowners who set in
> +train a series of legal battles against Plimsoll. Through this
> +adversity and personal loss, Plimsoll clung doggedly to his facts.
> +He fought to the point of utter exhaustion until finally, in 1876,
> +Parliament was forced to pass the Unseaworthy Ships Bill into law,
> +requiring that vessels bear the load line freeboard marking. It
> +was soon known as the "Plimsoll Mark" and was eventually adopted
> +by all maritime nations of the world.
>
> The risks, issues and solutions for providing a more secure
> operating and application environment have been known for decades.
>
> Those who do not already comprehend the issues and are willing to
> learn, should take some time out to listen to some of the speeches
> at Dr. Dobbs Journal's Technetcast security archives...
> http://technetcast.ddj.com/tnc_catalog.html?item_id=502
>
> ..., starting with Meeting Future Security Challenges
> http://technetcast.ddj.com/tnc_play_stream.html?stream_id=411
> by Dr. Blaine Burnham, Director, Georgia Tech Information Security
> Center (GTISC) and previously with the National Security Agency
> (NSA)
>
> The design and implementation of some applications and servers are
> just too unsafe to use in the "open ocean" of the internet.
>
> Numerous security experts have railed against Microsoft's lack of
> security, best summed up by Bruce Schneier Founder and CTO
> Counterpane Internet Security, Inc who rightly said ...
> http://www.counterpane.com/crypto-gram-0201.html#1
> +Honestly, security experts don't pick on Microsoft because we
> +have some fundamental dislike for the company. Indeed, Microsoft's
> +poor products are one of the reasons we're in business. We pick on
> +them because they've done more to harm Internet security than
> +anyone else, because they repeatedly lie to the public about their
> +products' security, and because they do everything they can to
> +convince people that the problems lie anywhere but inside
> +Microsoft. Microsoft treats security vulnerabilities as public
> +relations problems. Until that changes, expect more of this kind
> +of nonsense from Microsoft and its products. (Note to Gartner: The
> +vulnerabilities will come, a couple of them a week, for years and
> +years...until people stop looking for them. Waiting six months
> +isn't going to make this OS safer.)
>
> In a recent speech "Fixing Network Security by Hacking the
> Business Climate", also now on Technetcast
> http://technetcast.ddj.com/tnc_play_stream.html?stream_id=700
> , Bruce Schneier claimed that for change to occur, the software
> industry must become liable for damages from "unsecure" software;
> however, historically this has not always been the case, since
> most businesses can insure against damages and pass the cost along
> to the consumer.
>
> The Ford Pinto and more recently the Ford Explorer's tires are two
> examples of public and media pressure being more successful than
> just the threat of lawsuits. Even so, just as with the automotive
> industry, eventually through public pressure the governments around
> the world have to step in and pass regulations that set up a
> minimum set of requirements an automobile has to meet to be deemed
> "road worthy". This includes crash testing as well as the
> inclusion of safety equipment on all models. The requirements are
> not constant and change to meet the expectations and demands of
> the public and lawmakers.
>
> The onus is not only on the automotive industry itself but also on
> the users. Most countries require that all automobiles undergo
> regular inspection and maintain an up to date "Warrant of
> Fitness".
>
> In the same way, if you want a secure IT infrastructure, eventually
> the software design, implementation and each deployment will have
> to undergo the same type of regulation and scrutiny.
>
> David Mohring - Any constructive comments welcome.
