once more, with feeling.

William Allen Simpson william.allen.simpson at gmail.com
Wed Sep 10 13:29:32 EDT 2008


James A. Donald wrote:
> Peter Gutmann wrote:
>> Unfortunately I think the only way it (and a pile of other things as 
>> well) may get stamped out is through a multi-pronged approach that 
>> includes legislation, and specifically properly thought-out 
>> requirements ....
> 
I agree.   I'm sure this is a world-wide problem, and head-in-the-sand
cyber-libertarianism has long prevented better solutions.  The "market"
doesn't work for this, as there is a competitive *disadvantage* to
providing improved security, and it's hard to quantify safety.

Remember automotive seat-belts?  Air-bags?  Engineers developed them,
but the industry wouldn't deploy because the "market" failed to demand
safety.  That is, long-term safety would cut into short-term profits.

The corporate world actually led the public to believe (through
advertising) that they were sufficiently safe without them.  Only
legislation and regulation resulted in measurably greater safety.

M$ has long advertised (falsely) that safety was their concern, and their
systems were already safe.  We all know how that worked out....


> The average cryptographic expert finds it tricky to set up something 
> that is actually secure.  The average bureaucrat could not run a pie 
> stand.  Legislation and so forth requires wise and good legislators and 
> administrators, which is unlikely.
> 
So, what campaigns are you working on currently to improve this?

I've educated dozens of U.S. legislators over the years....  Indeed, the
original funding for my NSFnet work 20 years ago was funded by the Michigan
House Fiscal Agency, and my early IETF work was funded by the Levin (Senate)
and Carr (House) campaigns.


> Visualize Obama, McCain, or Sarah Palin setting up your network 
> security.  Then realize that whoever they appoint as Czar in charge of 
> network security is likely to be less competent than they are.
> 
The problem, as always, is enough folks that are competent in both
computer security *and* political action.

Cannot say much about McCain/Palin, but the Obama folks have been fairly
computer literate from the beginning.  Not always as security conscious as
I'd like, but some seem to be receptive.  Unlike McCain (who needs help to
get his email), Obama himself seems from reports to be tech-savvy.

We either have to educate more political folks about computer security,
or more security folks have to become active in politics.  The former is
the never-ending long-term problem, while the latter is an effective
short-term solution.

At the IETF, we used to have a t-shirt, with 9 layers instead of 7.  The
top was "Political", with "you are here" next to it.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


