"Greenarrow 1" <[EMAIL PROTECTED]> wrote: > I feel government should not become involved with the internet and/or its > security. For one if people look at the governments security most > departments have a grade of C or below. ...
Not that I'm trying to suggest that "the government" -- I guess you really mean "the US government" so I'll add "or any other government" -- necessarily should be the driver of such things, but the only reason you know how bad ("C or below" you say) your government departments are at IT security is because they actually care enough to one, try to measure it and two, publish the results. > ... Would you want someone like that > telling you how to secure programming? Well, there is plenty of anecdotal evidence that suggests the rest of the private sector is _worse_ than the government sector, so I strongly doubt that self-policing will work! And worse still, the private sector is _heavily_ motivated to hide that fact. If the (US) private sector really was going to be the saviour of IT security, it would have been rampantly in favour of recent attempts to add IT security compliance statements to federal reporting documents for publicly listed and traded companies (or have been championing even stronger measures!), but what did it do -- that's right, lobbied really hard to get such measures and any suggestion of them removed. If the private sector really was vested in IT security concerns it would be rooting for removal of the liability exempt status that almost exclusively applies to computer software and its developers. What other "responsible" professional business sector has got away with such a scam for so long? And don't try to sell me that "but it will depress innovation" BS -- "we" don't have to beat the stinking pinko commie rat- b*stards to the moon, or anywhere else, any more so why are so many software developers (and their political pointsmen) still saddled with such a short-sighted, Cold War mentality that is clearly a significant anti-quality, and therefore anti-security, driver? Oh, and the "but it will kill open-source" BS'ers can butt out too -- if your code is that bad that you won't take _any_ responsibility for it, don't publish it _regardless_ of the licensing terms and, if it is any good, what possible damage (apart from to your reputation and ongoing business viability) can liability to, say, the cost of the software, do to you? (Of course, such a move may have the effect of "forcing" most large s/w developers to adopt freeware or open source approaches to make their insurance premiums affordable, but that would not necessarily be a bad result.) Why hasn't the private sector been actively in favour (beyond actively mouthing support for the general notion that better IT security is something we all need) of public IT security reporting standards, removing software's "liability exempt" status, or any other concrete measures to get a handle on the scale of the problem, provide means to measure whether we're slipping, holding or improving and so on? It wouldn't be that there are vested financial interests in treating us like mushrooms (keeping us in the dark and feeding us sh*t)? Surely not! How scurrilous a suggestion... ... Above I said your government departments "care enough" to actually try to provide some IT security metrics. In fact, I'm sure they don't care for it at all and would prefer, like their private sector counterparts, to not have to do anything of the sort. The reason they "care enough" to make such measurements is simply because they are required to do so. I would just love to see how the high and mighty, reputedly IT security loving, US private sector stacked up against the same metrics... Regards, Nick FitzGerald