IDS mailing list archives
FW: Laws of Connections (Previously-True definition of Intrusion Prevention)
From: "Bohling James CONT JBC" <james.bohling () JBC JFCOM MIL>
Date: Thu, 8 Jan 2004 16:22:52 -0500
Well George, you ventured into a new topic, so I second it.

----------------------------------------------------------------
As it is at the moment, there is no penalty for connecting to the Internet even if the organization or individual is clueless. Right now, the burden (such as it is or is not) is on corporate governance and individual conscience to understand one's system(s) and protect them. In most cases in which an individual or corporation operates a system that interfaces with the public (automobiles and long-haul trucking come immediately to mind), the operator must demonstrate understanding of basic "rules of the road" and safety before they are licensed to use the system "in public." And there are criminal and civil penalties for failing to do so. I suspect that until the use of digital systems comes under the same kind of regulation, we will continue to see individuals and organizations behaving with total disregard for their own risk and the risk they pose to others.
----------------------------------------------------------------

First of all, the comment above is great in the context of researching the disadvantages of computing (individual & corporate) on private and public networks. From a corporate standpoint, they should be required to adhere to some type of connection (Internet or private link; both can be cracked) standard and/or regulation. As in truck driving, computers may put others at risk. Truck driving may cause physical harm; in computing one may be harmed by reputation, assets, and other intangibles, maybe physically if the wrong group/person gains knowledge ; ) Corporations are providing a service and storage of information about individuals that should be kept confidential to ensure the prevention of any malice. This is different from the Internet user at home who just wants to use a service provided by a corp and/or do research. He/she has no intention to learn about computers except how to use them.
Sort of like you ("you" was meant to mean everyone in the list) and I with telephones (phreaking still happens). This should automatically put the security of these individuals' computing resources into the hands of the software, HW, systems, and solutions providers. If my baby's (doesn't mean I have one) crib breaks, falls and causes him/her to lose a leg, I have the ability and right (because of {bench law}; look it up) to consultation, suit, and possibly reparations due to negligence in engineering, proper due diligence, or corporate mismanagement. However, if my baby's social security number is stolen:

1. from the IRS via a Web server crack/hack,
2. used successfully to mitigate the attacker's tax burden,
3. creating a credit report of bad history that probably won't be noticed until he/she is old enough to purchase their first item on credit (honestly, who checks their children's credit report?),

I have no repercussion except from the individual who attacked the IRS. But what about the company that wanted to quickly provide a Web server to make a buck (ex. Microsoft) and ended up bucking (yes, I like puns) the security for the system? The attacker is a simple mom & pop only making enough to survive who made the wrong decision (should still be punished) breaking into the IRS; however, the vendor gets away with the excuse "code is really hard to verify and test completely" for security and does not have to provide any due diligence paper trail supporting the excuse that they did the best they could in accordance with best practice and standards. The Corp. should be punished again for not providing me (or my child) a well engineered and safe product. Right now the laws are orientated like IDS, response driven, instead of going after the source, and there should be a concentrated task force to help curb an almost overwhelming task due to the lack of commerce regulation. For those of you who think regulation will increase the costs of online interaction, you're wrong.
At the beginning everyone was supposed to set up a site for online purchase and it would be cheaper than the store. Well, the business model realized that hey, we are offering a competitive service and we can keep the cost the same as in-store. The only place I have really found an exception to this is through www.bookpool.com. They offer tech books at a very low cost where the cost of shipping does not add to and/or put the price back to/above the original cost of the product. 95% of other places still charge the same price for the product even though it is just sitting on a server on an Internet billboard and they are only paying a web consultant to maintain it every few days (that was extremely polar, as I do know the cost of maintaining an e-commerce site entails *a lot* more than a web consultant).