Interesting People mailing list archives
IP: an excellent comment on -- Policing the Internet: Anyone but Government
From: Dave Farber <farber () cis upenn edu>
Date: Sun, 20 Feb 2000 07:21:12 -0500
To: farber () cis upenn edu
From: edyson () edventure com (Esther Dyson)
Subject: Re: IP: Policing the Internet: Anyone but Government
Cc: Steve Lohr <lohr () nytimes com>
Date: Sun, 20 Feb 2000 07:05:14 -0500

What should we do to avoid repeats of the recent denial-of-service (DOS) attacks on Websites such as Yahoo! and eBay? As I've said, the Net gives economies of scale to individuals - even to criminals. And a further creepy aspect of these attacks is that they came from the machines of unsuspecting third parties whose machines had earlier been compromised by the attackers. That is, some people's poor security was used to attack third parties - whose security was not compromised but whose machines couldn't function because of the volume of traffic sent their way. Thus, we can't just say that the victims deserved it because of their own loose security.

Most of the solutions suggested for such security problems (and future ones) involve strong government regulation and surveillance. And many of the reactions to the solutions justifiably point out the dangers to individual freedom if we create a Police Net - the virtual equivalent of a police state.

But we don't necessarily need to make a one-dimensional choice between security and freedom. A more fruitful approach is to look at public as a kind of public health/safety problem, and ask how we can improve public hygiene/safety. For starters, people - at companies, universities, and any other organization that uses computers - need to be encouraged to secure their machines, both for their own safety and so they cannot be compromised to launch an attack on someone else.

How to make this happen? Regulations would probably set a minimum and a clear target that criminals would take delight in working around. And government surveillance, limitations on anonymity, required registration of all users... the cure might be worse than the disease. Instead, there are a number of paths to pursue; there's no single solution.

To start, consider what the insurance industry and liability laws did for fire safety. The insurance companies should get involved, since every large company has been calling its insurance company this month (or looking for one). And they *will* get involved, since it's a nice line of business. Of course, the point is for them to take the trouble to *reduce* the risks rather than simply charging high premiums for high risks. Insurance companies need to get the expertise to assess their clients' security systems. And they will probably also turn to all those consultants and experts who no longer have Y2K to worry about/bill for. Security consulting is a nice new line of business - and it's socially responsible!

And a final step, one which could benefit from government/regulatory action: Require that companies disclose their security practices and potential liabilities in financial statements. ISPs and computer vendors would have to disclose the security provisions of the systems and services they sell, and could also be sued for negligence. Then we could let the market (and yes, the lawyers!) take care of it, far more flexibly than formal regulations and requirements could. Yes, it's a pity to bring in lawyers and liability, but that is an easier cost to bear than the loss of freedom.

In short, we need to understand that electronic security costs money, just like regular security (locks, guards, alarm systems). Power implies responsibility; if you buy a computer that can be used as a weapon, you need to make sure that it is designed and installed safely. Of course your average user doesn't know how to set up a safe system, but he needs to demand service from someone who does. Smaller businesses (who don't file financial statements with the public) need to understand that they are liable, just like the guy who doesn't bother to shovel his sidewalk after the snowstorm. Yes, it's a pity to rely on the legal system, but better that than government surveillance.

Government-sponsored *education* (and due-care precedents set in court) could be very valuable, but self-interested companies will also provide education in the form of advertising outlining the dangers and their solutions. May the best solutions evolve to match the evolving risks!

At 06:48 am 02/20/2000 -0500, Dave Farber wrote:

http://www.nytimes.com/library/review/022000internet-security-review.htm

Policing the Internet: Anyone but Government

By STEVE LOHR

The attacks on eBay, Yahoo, E*Trade and other big Web sites earlier this month showed the Internet to be surprisingly vulnerable to a few laptop-toting cyber-vandals.

This is a pressing public concern, surely, as the nation increasingly comes to rely for commerce and everyday communication on this chaotic, global computer network.

But when President Clinton met last week with more than two dozen representatives of the Internet community, a big role for government was not on the agenda. The president asked what could or should the Government do. Not a lot, the Internet elite told him. The message: It's an industry issue.

"No one in that room was asking the government to fix this problem," said Nicholas Donofrio, senior vice president for technology at I.B.M., who attended the meeting.

The gathering epitomized the main thrust of Government policy in the Internet arena. Government, the theory goes, should offer a forum and be a cooperative partner, so as to facilitate the rapid rise of Internet commerce.

That stance was set in a July 1997 policy document on E-commerce written by Ira Magaziner, a senior White House policy adviser at the time. His document extolled the "breakneck speed of change in the technology" and stated, "Government attempts to regulate [the Internet] are likely to be outmoded by the time they are finally enacted."

The hands-off approach, however, will be challenged more and more as the

<snip>

Esther Dyson                    Always make new mistakes!
chairman, EDventure Holdings
chairman, Internet Corp. for Assigned Names & Numbers
edyson () edventure com
1 (212) 924-8800 -- 1 (212) 924-0240 fax
104 Fifth Avenue (between 15th and 16th Streets; 20th floor)
New York, NY 10011 USA
http://www.edventure.com http://www.icann.org

PC Forum: 12 to 15 March 2000, Scottsdale (Phoenix), Arizona
Book: "Release 2.1: A design for living in the digital age"
High-Tech Forum in Europe: October 2000 - probably Barcelona