[Moderator's note: with my other hat on, let me say that although I'm a libertarian, I do not want to have this mailing list fill with libertarianism vs. statism arguments. I'm going to cut this off pretty quickly. --Perry-as-moderator]
William Allen Simpson <[EMAIL PROTECTED]> writes:
> I agree. I'm sure this is a world-wide problem, and head-in-the-sand
> cyber-libertarianism has long prevented better solutions. The "market"
> doesn't work for this, as there is a competitive *disadvantage* to
> providing improved security, and it's hard to quantify safety.

I have to disagree, for a wide number of reasons. I'll avoid getting too deeply into them here.

>> The average cryptographic expert finds it tricky to set up something
>> that is actually secure. The average bureaucrat could not run a pie
>> stand. Legislation and so forth requires wise and good legislators
>> and administrators, which is unlikely.
>
> So, what campaigns are you working on currently to improve this?
>
> I've educated dozens of U.S. legislators over the years.... Indeed,
> the original funding for my NSFnet work 20 years ago was funded by
> the Michigan House Fiscal Agency, and my early IETF work was funded
> by the Levin (Senate) and Carr (House) campaigns.

And yet, in spite of the efforts people make, we still have significant problems, don't we? It doesn't take great genius to understand why current spam legislation is flawed, but I haven't seen it fixed even though you will be hard pressed to find many people who claim to love spam. We have lots of legislation against various forms of computer crime and yet we have virtually no prosecutions even though something like half of the computers in the country have been broken into. We also used to have quite reasonable wiretap laws in this country which were blown out of the water when political expediency demanded it. I contend that none of this is an accident, or particularly easy to change.

>> Visualize Obama, McCain, or Sarah Palin setting up your network
>> security. Then realize that whoever they appoint as Czar in charge
>> of network security is likely to be less competent than they are.
>>
> The problem, as always, is enough folks that are competent in both
> computer security *and* political action.

I don't see how that is going to change. One can hope for an ideal, substantially superior world, but generally speaking human beings have to live with the world that we have, and most importantly with the behavior patterns of real people. The core of the libertarian view on this and many other topics is not that it wouldn't be wonderful if we had perfect legislation enforced by perfect policemen, but that we must acknowledge that in the real world we will get the result of a very flawed and problematic political process which will be enforced by humans rather than angels.

On the political process side, large companies with powerful interests will be immediately involved once the topic of mandatory security standards comes to the fore. Many of those companies will see lobbyists as cheaper than IT infrastructure. There will also be those who see legislation as an opportunity to cash in -- they will try to twist the laws in such a way as to make a buck, by mandating solutions they think will profit them. Some people in our profession may even decide to do what cosmetologists, private investigators and even doctors have done in the past, and reduce competition by requiring licensing as a way of preventing others from entering into their field. We will also find that the people writing the regulatory standards may very well be the sort who are not entirely right-minded -- not everyone in this field can even understand why http: is a bad transport for bank login pages, so we can't expect that everyone in the field can recognize good regulations.

I suspect the difference between one's aspirations and the output of this process will be much like the difference between a dog before and after it falls into a meat grinder. Much of the underlying material remains, but the parts are no longer arranged into something you would consider a faithful pet.

On the enforcement side, we will suddenly find ourselves in a situation where people who are far from the best technically will be asked to examine extremely complicated computer systems and to decide whether to penalize firms for failing to properly comply with very complicated regulations. I will not belabor the point -- having seen the results of this in much less technical areas, like finance, I must say that I do not have very high hopes for the outcome of the process.

Again, it is easy to say "there ought to be a law!", and it is much harder to get the right law into place, and even then almost impossible to get it properly enforced. I have very few hopes for this path.

Perry
-- 
Perry E. Metzger [EMAIL PROTECTED]

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]