Steven H. McCown wrote:
The issue about security is that whoever creates this web server-based
application will be storing information about *minor children* (am I the
only one with this concern?) in a semi-public manner.  Most websites that
store information have some clause that says something like no one under 18
without a parent's permission may use this website.  Even Disney is
constantly saying "make sure you have your parent's permission...".  That's
a lame phrase, but it does show this issue is real.

It is not like parents don't have to sign a stack of papers just so Johnny can go to scout camp now. Getting parent's permission to track their Son's scouting progress would just be yet another form.

Congress is, right now,
considering legislation to punish those websites who don't take 'sufficient
measures' to secure their website.  What are the ramifications of that?
Since that thought is extremely subjective, the risk one would be taking is
completely unknown.

Visa recently created a security certification program for website owners that do on-line transactions. I assume what the government is considering is something similar. Anything that helps make on-line security better is welcomed.

The other issue is what value would a centralized database really offer?
For day-to-day usage, it would offer zero value.  If a scout moved wards, it
would allow his records to be transferred.  However, much of that is
maintained by BSA, anyway.  If local databases were used, then
'transferrable data objects' could be used to transfer information between
databases from the old ward to the new.

The database doesn't necessarily need to be centralized but being on-line has many advantages. Many times I see records being lost because people don't backup their laptops, new people are called and the "hand off" of the records is not made, people move, etc.
The reason that I proposed the non-centralized storage option is that not
that security is more or less, but because attacks on very small databases
yield very small rewards.  In contrast, attacks on highly-centralized
databases offer greater rewards for the attacker.

I don't see any reason for non-centralized storage myself. If the software is open source then that means folks could run it anywhere and not necessarily the Church's computers (which would most likely be the case for non-LDS troops). I would suggest, however, that for LDS troops that the Church does provide the hosting systems (and core security, backups, etc). I would suggest that on the Church's hosting servers they use OS-level virtualization (see http://en.wikipedia.org/wiki/Operating_system-level_virtualization) to divide the system into virtual private servers for each troop. This way each troop's data is isolated from other troops data. In fact, to the troop it looks as if they are running on their own dedicated server. Therefore, if one troop's server is compromised then all the other troops data is still safe. BTW, OS-level virtualization shouldn't be confused with other types of virtualization. Software like VMware are actually emulators and not very efficient. OS-level virtualization (e.g. "OpenVZ", "Virtuozzo", "Solaris Containers", etc.) is much more efficient and can support on the order of 100 Virtual Private Servers (VPS's) on a single physical server.
The biggest problem with any tracking process is that the Scoutmasters are
usually quite lax about record keeping, in the first place.  If one or
several parents abstained from allowing their children's information to be
stored on a website, then it would create *2 processes* for the Scoutmaster
to use for record keeping -- if they were to use the online system.  Do you
think that they will use both?  Having been a Scoutmaster, I would say no.

I haven't been a scoutmaster but I am an YM's President. If a parent didn't want their Son's information kept online then I would recommend that the parent track their Son's progress. I have seen some parents that do a much better job tracking their Son's progress for both Scouts and Duty to God that any of our YM leaders (including myself). These parents are usually the ones that have the best YM.

That will cause the online system to suffer in favor of good ol' pencil and
paper.  IOW, in order to make an online database about kids, it must be
really, really secure.  My point is that you can't guarantee anything and is
it worth the risk...

-stacey.

_______________________________________________
Ldsoss mailing list
Ldsoss@lists.ldsoss.org
http://lists.ldsoss.org/mailman/listinfo/ldsoss

Reply via email to