On Thu, 2011-02-10 at 23:57 +0000, Alan Cox wrote:
> > The real issue is two fold:
> >
> > 1. The vast number of compute systems across the Internet that are not
> > managed at all.
> >
> > 2. The inability of platform creators to consider security as a priority.
>
> This is driven by economic realities
>
> - Users don't understand what poor security costs them so won't pay
>   for it
>
> - The legal system is curiously lax when it comes to software and people
>   get away both with contractual opt-outs no physical device maker could
>   and end users somehow manage to dodge all sorts of liabilities for
>   carelessness on their part they couldn't with a car
>
> - Most users aren't able to tell good and bad security (the lemon problem)
>
> - Particularly in business the users don't actually care about security
>   or taking insecure actions. It's not *their* problem if the hotel front
>   desk gets a virus because they installed games on it.
>
> As with most things - if you want to fix it make it more expensive not to
> do so than to fix it, the rest then just happens.
>
> Alan

What I also find is that the average business user is focused on his
job, not on security. Most have seen the news, but so far it hasn't
affected them personally, so it must have been something that other
person did that got them in that fix. Lack of personal expense is more
than economic. Moreover, most things people use do not expose their
bodies and persons to the kinds of threats that affect their computers,
resulting in the threat not being internalized.

It doesn't help that the governments of the world and the business
admins want back door access to the users' systems. The legality of that
access is for another thread, but one of the side effects is that really
effective security would make that access nearly impossible. Remember
the hassles over PGP when it came available?
And now China has copies of the Microsoft core software source code, so
that they can have better access to the control of the internet within
their own country. Add the DMCA, DRM software, the Sony Blu-Ray software
scandal and the vision that Hollywood uses to glamorize crackers (note
the use of the word cracker, the evil doer on networks, vs hacker, which
is the legal expression of new uses for existing software and hardware).

The question becomes not how to secure a system, but rather how much
should it be secured. The tines of that fork are governmental, user
need/requirements, reuse as a hacker might do, and access by one's
business supervisors on business systems or access by one's business
supervisors on one's personal systems, and the ultimate decisions of
what should or should not be legal use of one's personal computer (porn,
file sharing, personal email, financial dealings, personal
communications, and Facebook type uses etc.)

Then there are archivists, who look toward archeology of the future, and
the future analysis of our society and how we should protect and
preserve the content not just of our production, but of our culture and
society.

Then we have to balance those interests against the desire of each
person for their own personal freedom or lack thereof in their
particular culture, such as socialism, sharia law, mosaic law and so on
for all the distinct cultures/theologies/societies that exist on earth.

There is not a single point of security, but rather a sphere in a
complex dimensional space. Where one falls within that sphere will
determine the value they place on security and privacy.

As we go from where we are today into a future where everything will, or
may anyway, be on line, how does each society deal with these issues?
What will cause the next civil war and where will it occur? This all
ties into the security question because total security is at center of
care space and none at all is the exclusionary border.
Economics, status, and personal feelings are all spaces that overlap and
overlap the security space. Your particular comfort zone is likely
within the space described by the union of your particular spheres of
interest somewhere within that global space.

So the questions that this poses are:

1. Do you need security?
2. How much security do you need?
3. How much would you pay to get that security?
4. How much effort would you expend to maintain that security?

Know the answers to the questions and you begin to answer the question
about security from the individual perspective. Repose the questions to
your particular government and you begin to outline the space of
permissible security. Ask those questions again to your community,
church, or peer group and you get the societal view. Ask the one final
time to your business colleagues and you get the business perspective.

Each of these perspectives outlines a potential area of security that
would be acceptable to that group. Find the AND area of all these
spheres and you get the answer that will fit the current market place.

If you want more system security, you have to take steps to change the
answers at the origin of the answers, whatever they may be.

Regards,
Les H