On Tue, Oct 31, 2017 at 5:44 PM, james woodyatt <jhw@xxxxxxxxxx> wrote:
> On 10/31/2017 05:20 AM, Phillip Hallam-Baker wrote:
>>
>> [...] it is the casual negligence many of the technologists show when it
>> comes to security risks.
>>
>> The question I see is who is going to be in control. Will it be the user
>> or someone else.
>> [...]
>
> I think you've already answered that question for yourself in the excerpt
> below.
>
>> We have to have a plan to make the Internet safe for users, yes. But what
>> we also need at this point is a plan to protect society from the Internet
>> itself. [...]
>
> According to that view, it will be someone else, unless "our" plan to
> protect "society" from the criminal users of the Internet is adequate.
>
> Absolutely speaking *only* for myself here, but I view talking about plans
> "to protect society from the Internet itself" like a pretty much straight up
> attack on the fundamental idea of an Internet Society as a thing worthy of
> that name.

Not at all. Much of the problem of 'Internet crime' has nothing to do with the Internet. Until 1995, almost no critical infrastructures were designed with the expectation that they would be connected to a global network and need a security model to meet that attack model. The principal exception being the Internet which very few people understood to be critical.

Phishing is not a problem of Internet insecurity, the fundamental security problem is that the credit card security model is based on a password printed on the front of every card.

Advance fee fraud is not a problem of Internet security, it is primarily a problem caused by unscrupulous people being able to efficiently contact hundreds of millions of people and then deceive a small fraction (less than 0.1%) whose behavior is frequently explained by dementia.

The fact that we now have SCADA attacks on a regular basis is not a problem of Internet security, it is primarily caused by the fact that the protocols they use today were designed 40 years ago and have no inbuilt security.

Your response here is the response typical of many technologists, 'nothing to do with me'. Having been involved in national politics in multiple countries, I can tell you that approach is not going to be remotely acceptable to elected representatives whose constituents rely on them.

Congressional, EU action is inevitable, in fact it has already begun. The question is one of framing. Right now, the Internet is seen as the problem because it was the new factor that was introduced and invalidated the assumptions that the legacy infrastructures depended on.

If we don't want to get regulated to heck and back, we have to change the conversation so that policy makers understand that the Internet is the one infrastructure that was originally designed with the understanding that every device would be connected to every other device and that this would create a new set of security requirements.

> Instead, it seems to me that we have a philosophical tussle between A)
> people who think of the Internet firstly as a command and telemetry system
> for political and economic data, to be policed by and subservient to state
> power, used mainly as a tool for governing the populace, and B) people who
> think of the Internet firstly as an open standard communication technology
> to which justice demands that everyone is recognized to have an equal right
> to lawfully regulated use for any public or private purpose.
>
> How you think about security risks, it seems to me, depends on which side of
> this philosophical debate you align. Accusing the other side of "casual
> negligence," when it's actually the case that the other side has set
> different priorities, is probably not the best way to facilitate better
> mutual understanding.

The reason I am presenting these issues here is precisely the fact that they are dismissed out of hand as you do here while making a plea for seeing both sides!

I am currently writing an infrastructure that makes open end-to-end secure messaging as easy to use as regular email despite the express opposition to this idea from my own government expressed repeatedly by the Prime Minister and Home Secretary. So I think it is pretty clear which side I sit on. But that does not mean I reject the other side out of hand.

Closing his plenary address to the first Web conference, Tim Berners-Lee described the Web as 'building a whole new world'. Well we have built a whole new world and it has replaced the old one. And a lot of people are rather upset with us as a result even as they spend their time venting their rage at what we have wrought on Facebook and Twitter.