IDS mailing list archives

FW: Laws of Connections (Previously-True definition of Intrusion Prevention)


From: "Bohling James CONT JBC" <james.bohling () JBC JFCOM MIL>
Date: Thu, 8 Jan 2004 16:22:52 -0500


Well George, you ventured into a new topic, so I second it.

----------------------------------------------------------------
As it is at the moment, there is no penalty for connecting to the
Internet even if the organization or individual is clueless.  Right
now, the burden (such as it is or is not) is on corporate governance
and individual conscience to understand one's system(s) and protect
them.  In most cases in which an individual or corporation operates a
system that interfaces with the public (automobiles and long-haul
trucking come immediately to mind), the operator must demonstrate
understanding of basic "rules of the road" and safety before they are
licensed to use the system "in public."  And there are criminal and
civil penalties for failing to do so.  I suspect that until the use of
digital systems comes under the same kind of regulation, we will
continue to see individuals and organizations behaving with total
disregard for their own risk and the risk they pose to others.
----------------------------------------------------------------

First of all, the comment above is great in the context of researching
the disadvantages of computing (individual & corporate) on private
and public networks.  From a corporate standpoint, they should be
required to adhere to some type of connection (internet or private
link; both can be cracked) standard and/or regulation.  As in truck
driving, computers may put others at risk.  Truck driving may cause
physical harm; in computing one may be harmed in reputation, assets, and
other intangibles, maybe physically if the wrong group/person gains
knowledge ; )

Corporations are providing a service and storage of information about
individuals that should be kept confidential to ensure the prevention of
any malice.  This is different from the internet user at home who just
wants to use a service provided by a corp. and/or do research.  He/she has
no intention to learn about computers except how to use them.  Sort of
like you ("you" was meant to mean everyone on the list) and me with
telephones (phreaking still happens).  This should automatically put the
security of these individuals' computing resources into the hands of the
software, HW, systems, and solutions providers.

If my baby's (doesn't mean I have one) crib breaks, falls, and causes
him/her to lose a leg, I have the ability and right (because of {bench
law}-look it up) to consultation, suit, and possibly reparations due to
negligence in engineering, proper due diligence, corporate
mis-management.  However, if my baby's social security number is stolen:
1. from the IRS via a Web server crack/hack,
2. used successfully to mitigate the attacker's tax burden,
3. creates a credit report of bad history that probably won't be
noticed until he/she is old enough to purchase their first item on
credit (honestly, who checks their children's credit report?),
I have no repercussion except from the individual who attacked the IRS.
But what about the company that wanted to quickly provide a Web server
to make a buck (ex. Microsoft) and ended up bucking (yes, I like puns)
the security for the system?

The attacker is a simple mom & pop only making enough to survive and
made the wrong decision (should still be punished) breaking into the
IRS; however, the vendor gets away with the excuse "code is really hard
to verify and test completely" for security and does not have to provide
any due diligence paper trail supporting the excuse that they did the
best they could in accordance with best practice and standards.
The corp. should be punished again for not providing me (or my child) a
well engineered and safe product.

Right now the laws are orientated like IDS, response driven, instead of
going after the source, and there should be a concentrated task force to
help curb an almost overwhelming task due to the lack of commerce
regulation.

For those of you who think regulation will increase the costs of online
interaction, you're wrong.  At the beginning everyone was supposed
to set up a site for online purchase and it would be cheaper than the
store.  Well, the business model realized that, hey, we are offering a
competitive service and we can keep the cost the same as in-store.
The only place I have really found an exception to this is
www.bookpool.com.  They offer tech books at a very low cost where the
cost of shipping does not add to and/or put the price back above the
original cost of the product.  95% of other places still charge the same
price for the product even though it is just sitting on a server on an
internet billboard and they are only paying a web consultant to maintain
it every few days (that was extremely polar - as I do know the cost of
maintaining an e-commerce site entails *a lot* more than a web
consultant).

