In some mail from Douglas M. MacFarlane, sie said:
> On Thu, 12 Mar 1998, Darren Reed wrote:
> > In some mail from Emmanuel Gadaix, sie said:
> > [...]
> > > What would you think of the following: let's pass some law that forces the
> > > sysadmin of a site to comply with some security standards. Let's have fines
> > > for sites that are broken into. Let's make it mandatory to report any
> > > intrusion to an independent investigation agency (under strict
> > > confidentiality of course). Let's fine sites that are found not to be
> > > patched. Let's fine also vendors that don't issue security patches soon
> > > enough and therefore threaten everybody's security.
> > ... It is extremely easy for outsiders
> > such as you or me to make such remarks as you have above, which have
> > the potential to imply certain people are not able to do their job
> > when in fact it doesn't necessarily have anything to do with their
> > ability, but with constraints laid down by business.
> > Passing any law to codify the requirements of a professional position
> > is an extremely naive thing to do, especially with a profession that
> > has only really existed for less than a quarter of a century.
> This is clearly not true. Both the legal and medical fields have
> explicit malpractice standards that are enforceable (more or
> less). And many trade organizations have the same, and ample industry
> standards and zoning laws to comply with. Negligence and malpractice
> litigation has a long history.
I recognise this, but what was being suggested is not the same. What
was suggested was to put those standards of practice into law rather
than into the operating standards of a professional body. As you have
mentioned, trade organisations and the legal & medical fields have their own
`laws' to comply with.
> I think what he's getting at, though, is that in connecting a system
> to the Internet you have a tortious obligation to administer that
> system competently.
What about Joe Smith, the average home user? If I choose to run linux
at home, do I need to be an expert on security and unix to ensure that
not only do I do it safely but others can't get into my box? I'm sure
you didn't mean to account for that scenario too (or if you did, you're
not being realistic) and were just aiming at business.
> How many of us have been frustrated in tracking
> a cracker because one of their launching points was a system that
> was wide open, easily patched, and the admin was either
> non-responsive or hadn't established suitable access tracking and
> event logging.
If you're doing this personally then you're trying to solve hacker
problems the wrong way. Your first port of call should be CERT (or
whichever group is most appropriate for you) and let them handle
the tracking and contacting the "right" people.
> Writing and enforcing the standards would be a mammoth task, but we
> might be the better for it.
Make sure it's done by the `right' people too.
This is where bodies such as SAGE are needed; however, the task isn't
as simple as writing and enforcing standards. There's a need for
there to be recognition of that `badge' from employers as well as
industry and even tertiary institutions. The problem isn't even
that simple either. The industry, today, is probably going to be
vastly different in 20 years' time, much as it is different to 20
years ago. If you were to compare this to the medical/legal
profession (or even accountancy), each of those is hundreds of
years old, and in comparison to the job of the systems admin,
hasn't changed very dramatically in its lifetime.