RE: The Future of Security

[Rick Smith <rick_smith () securecomputing com>]

At 06:49 AM 12/03/1999 -0600, Scott, Richard wrote:

>       Second handful of 2cents is my concern over Home Computer Security.
> I can not believe that Joe Blogs who wants to surf the net is going to spend
> money on security his computer, be it Dial-up modem or *DSL.  If I had a
> *DSL service and I believe I had been hacked, I think the American public to
> rely on a legal battle to receive compensation from the DSL provider.  May
> be a text book example in court would then ensure ISP companies to provide
> adequate security as part as their service.  Just how this is done, is yet
> to be seen. 

I'm skeptical that they'll hold ISPs responsible for security. It's too big
of a can of worms and it's already proven legally difficult. Most ISPs seem
to want to be treated as communications carriers, so they're not
responsible for the content or its effects on the recipients. There were a
couple of legal battles involving timesharing services turned ISPs (Prodigy
was one) where they had a policy of monitoring e-mail for bad things, their
monitoring failed, and they were held legally liable for the failure. The
phone company, for example, isn't legally liable if you are victimized by
fraud over the phone.

Also, there's the question of whether security measures might look like
"censorship" or even "restraint of trade" in today's Internet. One reason
it's so hard to build a good firewall is that a new multimedia protocol
appears every two weeks, and each new one puts new demands on the
firewall's ability to sort good from bad. The "secure" answer is to block
the new things until there's a way to handle them safely. If a dominant ISP
tries to do such a thing, I'd anticipate legal questions.

> Furthermore the use of new payment systems could make the ISP's
> enforce better security, by providing the hardwares to perform filtering,
> processing of information from these payment systems.  I believe that this
> market will totally change once a court case has been found in favour of the
> service user.

The international flavor of the Internet, as well as the widespread
adoption of its underlying technology, makes some changes harder than
others, regardless of what courts say.

I find it useful to think of the Internet as a variant of today's network
of roads that lead from individual driveways to streets to superhighways.
What sort of things succeeded for making roads practical? What strategies
just don't work? The road system is about the only thing I know of that is
so distributed, so easy to extend, and so hard to control.


Rick.
smith () securecomputing com
"Internet Cryptography" at http://www.visi.com/crypto/