once more, with feeling.

Perry E. Metzger perry at piermont.com
Wed Sep 10 16:01:04 EDT 2008


[Moderator's note: with my other hat on, let me say that although I'm
a libertarian, I do not want to have this mailing list fill with
libertarianism vs. statism arguments. I'm going to cut this off pretty
quickly. --Perry-as-moderator]

William Allen Simpson <william.allen.simpson at gmail.com> writes:
> I agree.   I'm sure this is a world-wide problem, and head-in-the-sand
> cyber-libertarianism has long prevented better solutions.  The "market"
> doesn't work for this, as there is a competitive *disadvantage* to
> providing improved security, and it's hard to quantify safety.

I have to disagree, for a wide number of reasons. I'll avoid getting
too deeply into them here.

>> The average cryptographic expert finds it tricky to set up something
>> that is actually secure.  The average bureaucrat could not run a pie
>> stand.  Legislation and so forth requires wise and good legislators
>> and administrators, which is unlikely.
>
> So, what campaigns are you working on currently to improve this?
>
> I've educated dozens of U.S. legislators over the years....  Indeed,
> the original funding for my NSFnet work 20 years ago was funded by
> the Michigan House Fiscal Agency, and my early IETF work was funded
> by the Levin (Senate) and Carr (House) campaigns.

And yet, in spite of the efforts people make, we still have
significant problems, don't we? It doesn't take great genius to
understand why current spam legislation is flawed, but I haven't seen
it fixed even though you will be hard pressed to find many people who
claim to love spam. We have lots of legislation against various forms
of computer crime and yet we have virtually no prosecutions even
though something like half of the computers in the country have been
broken into. We also used to have quite reasonable wiretap laws in
this country which were blown out of the water when political
expediency demanded it.

I contend that none of this is an accident, or particularly easy to
change.

>> Visualize Obama, McCain, or Sarah Palin setting up your network
>> security.  Then realize that whoever they appoint as Czar in charge
>> of network security is likely to be less competent than they are.
>>
> The problem, as always, is enough folks that are competent in both
> computer security *and* political action.

I don't see how that is going to change.

One can hope for an ideal, substantially superior world, but generally
speaking human beings have to live with the world that we have, and
most importantly with the behavior patterns of real people.

The core of the libertarian view on this and many other topics is not
that it wouldn't be wonderful if we had perfect legislation enforced
by perfect policemen, but that we must acknowledge that in the real
world we will get the result of a very flawed and problematic
political process which will be enforced by humans rather than angels.

On the political process side, large companies with powerful interests
will be immediately involved once the topic of mandatory security
standards comes to the fore. Many of those companies will see
lobbyists as cheaper than IT infrastructure. There will also be those
who see legislation as an opportunity to cash in -- they will try to
twist the laws in such a way as to make a buck, by mandating solutions
they think will profit them. Some people in our profession may even
decide to do what cosmetologists, private investigators and even
doctors have done in the past, and reduce competition by requiring
licensing as a way of preventing others from entering into their
field. We will also find that the people writing the regulatory
standards may very well be the sort who are not entirely right
minded -- not everyone in this field can even understand why http: is
a bad transport for bank login pages, so we can't expect that everyone
in the field can recognize good regulations.

I suspect the difference between one's aspirations and the output of
this process will be much like the difference between a dog before and
after it falls into a meat grinder. Much of the underlying material
remains, but the parts are no longer arranged into something you would
consider a faithful pet.

On the enforcement side, we will suddenly find ourselves in a
situation where people who are far from the best technically will be
asked to examine extremely complicated computer systems and to decide
whether to penalize firms for failing to properly comply with very
complicated regulations. I will not belabor the point -- having seen
the results of this in much less technical areas, like finance, I must
say that I do not have very high hopes for the outcome of the process.

Again, it is easy to say "there ought to be a law!", and it is much
harder to get the right law into place, and even then almost
impossible to get it properly enforced. I have very few hopes for this
path.

Perry
-- 
Perry E. Metzger		perry at piermont.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
