
A Bolshevik Take on Computer Security




January 1, 2006
Zeichick’s Take in the Dec. 1 SD Times News on Thursday, one of this newspaper’s regular newsletters, fretted about management’s reluctance to pay to build secure systems. The column, written by Alan Zeichick, SD Times’ editorial director, quotes several programmers venting their frustration, and Zeichick points out (rightly) that we should all be worried about insecure applications. The problem is not a management one, however, nor is it technical. The problem is political.

Consider identity theft. This problem is entirely soluble. The real issue is that no existing laws encourage credit card issuers to adopt secure practices—quite the contrary, in fact. If credit issuers (including the credit card companies) were required to verify a person’s identity before granting a loan, there simply wouldn’t be an identity-theft problem.

How do you verify identity? Think about how you open a checking account: You have to show up at the bank in person with some sort of legitimate ID, one that was based on some hard evidence that you’re who you say you are—a state driver’s license for example, augmented by some proof of address like a utility bill in your name. Driver’s licenses can be forged, of course, but it’s a lot harder to do that than it is to steal a credit card application out of somebody’s mailbox and scribble a new address on it.

Identity verification is easy when the card issuer is your own bank, but what if you want a card from a different bank? The banks can use the same process that your browser uses when it decides to trust a certificate. Banks trust each other. It’s not that difficult for the card-issuing bank to require that you have a bank account somewhere, and then verify your address, etc., by contacting your bank. To get even more secure, the issuer could send a permission form to the address on file with your bank and not issue the card until that permission (with the signature compared to the one on file at your bank) was granted.

Unfortunately, our laws are written in such a way that the human cost of identity theft (such as repairing trashed credit ratings) is borne by the victim, not by the card issuer, so the banks have absolutely no financial incentive to adopt secure issuance protocols. In general, corporations have no conscience—their decisions are strictly economic. The corporation doesn’t care whether a computer system is technically “correct” or “secure” unless the cost of a breach is greater than the cost of the infrastructure, with the odds of a breach factored into the equation. That’s the way businesses work. This isn’t good or bad; it just is. Government’s role in a corporate society is to add humanity to the cold calculations of the accountants.

A secure credit card issuance protocol is not rocket science, but it’s expensive. The only way to get a corporation to incur this kind of expense is to make it more expensive not to do the vetting. For example, if card issuers were fined $1,000,000 every time they issued a card in your name without verifying your identity using a well-defined protocol, then I guarantee that they’d do the verification. I’d be happy to throw in a $20 application fee to help defray the cost.

Now let’s look at Web security and the like. We know how to make these systems secure, but the companies that own the sites don’t want to pay for the security. Sound familiar?

Since computer security in the general sense is also “national security” in the political sense, one could make an argument for a legal framework that forced all public-facing computer systems to be secure. Consider the environmental laws. No company was willing to spend money on clean air until forced to do so, but it certainly benefits society as a whole (as compared with the individual companies) for these laws to be in place. In the long term, clean air benefits the companies too.

The same argument applies to internet security. Think about the hit on the economy that’s caused by hackers. It’s huge. Ultimately, it’s our tax dollars that are paying for the unemployment and other social ills that are part of the economic consequence. Put another way, a company that doesn’t want to spend on security is actually just shifting the cost of the insecure system to you in the same ways that the banks have shifted the cost of identity theft to you.

You cannot stop security breaches by attacking the attacker any more than you can stop theft solely by going after thieves after something has been stolen. There are always more thieves than cops. You can, however, require that companies take basic measures to guard their customers’ valuables, and there’s nothing more valuable than your identity.

Allen Holub is an architect, consultant and instructor in C/C++, Java and OO Design. Reach him at www.holub.com.

