Steve Riley on Security

Formerly of Microsoft's Trustworthy Computing Group.

It's time to stop playing war games in the name of "security"


Really interesting article.

Military mindset no longer applicable in our line of work
http://searchsecurity.techtarget.com/columnItem/0,294698,sid14_gci1171862,00.html

My favorite bit: "Obviously, secrecy is important to business, as is the ability to trust messages to the military, but these two camps have opposite priorities. For example, if we had developed a business approach that ensured transactions were genuine instead of a military approach that protected the secrecy of credit card numbers, ID theft wouldn't be an issue today."

Comments
  • I don't think the business mind-set really always helps all that much, either, sadly.

    The most glaring examples are the "your data is now ours, and we can sell it to whomever" issues that have been plaguing various credit card processing companies for some time.

  • True, but that's not directly related to the point the article was making. This is more of a data ownership issue, and until we have regulations in this country that:

    * specifically define the subject of the information to be the information's owner

    * place financial risk of disclosure on the collectors of that information

    we won't solve the problems. Right now, you don't own the information collected about you, and the people who collect it have no financial incentive to protect it -- they don't usually pay in the event of exposure.

    We as a society must fix these two problems first.

  • I thought I was going to come across as a frothing loon if I said that out loud - it's something I've been saying for quite some time, though.

    My data is my data, and I may allow you to borrow it so that you can do business on my behalf, but unless there's a legislatively mandated requirement that you have access to my data, I should be able to decide who gets to borrow it or not.

    If there _is_ a mandated requirement for you to have my data, or I have allowed you access to it, there should be a process for me to inspect, and correct, any factual data you carry that describes me.

    European data protection laws have had this right from early days.  In school, I went to a day of the committee readings of the Data Protection Act in the House of Commons, and was thoroughly expected to be disgusted (as a know-it-all teenager); I came away impressed by the fact that our politicians seemed to understand the basics of what they were discussing.

    It's not without its faults, granted, but the rights ascribed to data subjects are unparalleled by anything here in the United States.

  • I have been working on hardening guidance for almost 10 years. The first few I worked on were essentially...
