Fwd: ALERT - A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET

[ddm at pizzashack.org (Derek D. Martin)]

On Fri, Mar 23, 2001 at 08:31:49PM -0500, Derek D. Martin wrote:
> On Fri, Mar 23, 2001 at 06:31:12PM -0500, Kenneth E. Lussier wrote:
> > Schneier said it best when he said " Anyone who believes that
> > reactionary security measures are sufficient is either ignorant, blind,
> > or management".  
> 
> This is both humerous and well-said, but belies the real problem.

Since I made this comment, and the rest of what I said had basically
nothing to do with it, I ought to expound upon that...  I didn't
initially for somewhat of a lack of an explanation for what the
problem *IS*.  I'm having trouble putting the idea into words...  But
I'll give it a shot.

The problem is not that management is stupid; they are NOT stupid.
The problem is not that management is ignorant, or that users are
ignorant, of the security issues involved with running a network, even
though that may be true.  This does, however, begin to touch upon the
heart of the matter.

The PROBLEM, as much as I can get my brain around it, and convey to
you, is that technology is cool.  No, seriously.  We are all so
impressed with ourselves, and our ability to create new and exciting
stuff that didn't exist before we created it, that we're in WAY too
much of a hurry to USE our cool new technology, before any real
consideration is given to what the RAMIFICATIONS of using it are.

This, I think, can be seen in lots of areas, especially in computer
science and electrical engineering fields.  But another example that
comes to mind is the biotech industry.  How long is that super-cool
new flu vaccine tested before it's given out en masse?  Do you, as the
consumer of that flu vaccine, really have any idea that 5 years down
the road, it won't cause you to become seriously ill and die?  Is the
risk worth avoiding a little cold?  

Similarly, is the risk of having every computer on the planet
connected worth the benefits?  How can you make an informed judgement
about the answer to that question, if you do not fully understand what
those risks are?  Or if you don't even know that there are risks?  And
yet, millions of people have connected themselves to the Internet,
oblivious to the possibilities of such evils as credit card fraud,
personal record falsification, and identity theft, which are the most
serious (and quite real) threats to average computer users that I can
think of at the moment.  

Just because you CAN do something, doesn't mean you should.  The
TCP/IP protocols were not really designed with security in mind.  Even
if you practice "safe e-commerce" and only use sites that have strong
SSL, you are still very much at risk.  Were you one of the millions of
credit card numbers stolen by Russian hackers?  How would you even
know?

Now, before you label me a doomsdayer (if you haven't already), I'm
not saying that we should never use all this cool technology that
we're developing.  I do think, however, that we need to be a little
more conscious of how we use new technology, and what the likely
outcomes of using that technology are.  I think we need to question
what the benefits and risks of using new technologies are, rather than
simply accept on blind faith that those developing these new
technologies have your well-being in mind, and wouldn't hurt a fly, as
seems to be the prevailing attitude.  

I also think that those responsible for bringing us this new
technology need to be more concientious about informing their
customers what the risks are, and that we need to hold those
technology companies responsible when their new baby goes horribly
wrong.  

There's a lot more to this too, like the effects that this would have
on the economy, etc... but it's too late to trouble my head with all
that right now.

:)

-- 
Somebody set up us the bomb.
All your base are belong to us.
Take off every zig for great justice.
---------------------------------------------------
Derek Martin          |   Unix/Linux geek
ddm at pizzashack.org    |   GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu

-
Subcription/unsubscription/info requests: send e-mail with
"subscribe", "unsubscribe", or "info" on the first line of the
message body to discuss-request at blu.org (Subject line is ignored).