Information Security News mailing list archives

Security Maven Calls for Internet 'Disease Control' Agency


From: William Knowles <wk () c4i org>
Date: Fri, 30 Jan 2004 07:50:52 -0600 (CST)

http://www.eweek.com/article2/0,4149,1474670,00.asp

By Dennis Fisher 
January 29, 2004 

SEATTLE - The dominance of Windows in the marketplace continues to 
represent a threat to the safety and security of the Internet and is a 
problem that must be addressed at the highest levels of government, a 
noted security researcher said in his keynote speech at the Black Hat 
Windows conference here Thursday. 

Dan Geer, one of the authors of last year's controversial paper on the 
subject of the Windows monoculture on the Internet, said that the 
assertions in the paper and his speech are not new and are beginning 
to draw the attention of legislators and government officials in the 
United States and abroad. 

"This wasn't a shot out of the dark. It's not a new idea, even though 
in some sense I got fired publicly because I said this," said Geer, 
who was fired as the chief technology officer of security consultancy 
@stake Inc. following the paper's publication. "This is a problem that 
demands attention on the national government scale and maybe the world 
scale. It is an idea whose time has come." 

Geer, who is now heading his own risk management firm and is also 
chief scientist at security vendor Verdasys Inc., said that Windows' 
dominance is only part of a complex equation that has led to this 
state of affairs. Also contributing to the problem is the relative 
lack of skill of most PC users and the number of current 
vulnerabilities in Windows. 

To combat the combination of these issues, Geer endorsed the idea of a 
central authority that would collect data on virus outbreaks and other 
problems, analyze the malware, look for protective measures, and look 
for new infection vectors and ways to defend against those attacks. 

The idea for a kind of Centers for Disease Control and Prevention for 
the Internet is not new, nor is it Geer's. It was first proposed in a 
paper called "How to Own the Internet in Your Spare Time," which was 
presented at the 2002 Usenix Security Symposium. 

"The idea of a CDC-type organization for the Internet is a very 
intriguing one," Geer said. 

Given the magnitude of the MyDoom virus outbreak this week, it is an 
idea that may begin to get some traction. 

Geer also raised the possibility that the government would be forced 
to develop some regulations regarding security and liability if the 
industry doesn't address the problem on its own. 

"Let me be clear. I loathe regulation. Loathe it," he said. "But we 
are going to get some regulation. I just want to make sure that we get 
the right kind." 



-
ISN is currently hosted by Attrition.org
