Essays in the Category "Laws and Regulations"
Sue Companies, Not Coders
At a security conference last week, Howard Schmidt, the former White House cybersecurity adviser, took the bold step of arguing that software developers should be held personally accountable for the security of the code they write.
He’s on the right track, but he’s made a dangerous mistake. It’s the software manufacturers that should be held liable, not the individual programmers. Getting this one right will result in more-secure software for everyone; getting it wrong will simply result in a lot of messy lawsuits.
To understand the difference, it’s necessary to understand the basic economic incentives of companies, and how businesses are affected by liabilities. In a capitalist society, businesses are profit-making ventures, and they make decisions based on both short- and long-term profitability. They try to balance the costs of more-secure software—extra developers, fewer features, longer time to market—against the costs of insecure software: expense to patch, occasional bad press, potential loss of sales…
Make Businesses Pay in Credit Card Scam
The epidemic of personal data thefts and losses – most recently 40 million individuals by Visa and MasterCard – should concern us for two reasons: personal privacy and identity theft.
Real reform is required to solve these problems. We need to reduce the amount of personal information collected, limit how it can be used and resold, and require companies that mishandle our data to be liable for that mishandling. And, most importantly, we need to make financial institutions liable for fraudulent transactions.
Whether it is the books we take out of the library, the Web sites we visit, our medical information or the contents of our E-mails and text messages, most of us have personal data that we don’t want made public. Legislation that securely keeps this data out of the hands of criminals won’t affect the privacy invasions committed by reputable companies in the name of price discrimination, marketing or customer service…
Risks of Third-Party Data
Reports are coming in torrents. Criminals are known to have downloaded personal credit information of over 145,000 Americans from ChoicePoint’s network. Hackers took over one of Lexis Nexis’ databases, gaining access to personal files of 32,000 people. Bank of America Corp. lost computer data tapes that contained personal information on 1.2 million federal employees, including members of the U.S. Senate. A hacker downloaded the names, Social Security numbers, voicemail and SMS messages, and photos of 400 T-Mobile customers, and probably had access to all of their 16.3 million U.S. customers. In a separate incident, Paris Hilton’s phone book and SMS messages were hacked and distributed on the Internet…
Information Security: How Liable Should Vendors Be?
An update to this essay was published in ENISA Quarterly in January 2007.
Information insecurity is costing us billions. We pay for it in theft: information theft, financial theft. We pay for it in productivity loss, both when networks stop working and in the dozens of minor security inconveniences we all have to endure. We pay for it when we have to buy security products and services to reduce those other two losses. We pay for security, year after year.
The problem is that all the money we spend isn’t fixing the problem. We’re paying, but we still end up with insecurities…
The Security of Checks and Balances
Much of the political rhetoric surrounding the US presidential election centers around the relative security posturings of President George W. Bush and Senator John Kerry, with each side loudly proclaiming that his opponent will do irrevocable harm to national security.
Terrorism is a serious issue facing our nation in the early 21st century, and the contrasting views of these candidates are important. But this debate obscures another security risk, one much more central to the US: the increasing centralisation of American political power in the hands of the executive branch of the government…
Security and Compliance
It’s been said that all business-to-business sales are motivated by either fear or greed. Traditionally, security products and services have been a fear sell: fear of burglars, murders, kidnappers, and—more recently—hackers. Despite repeated attempts by the computer security industry to position itself as a greed sell—“better Internet security will make your company more profitable because you can better manage your risks”—fear remains the primary motivator for the purchase of network security products and services…
Unchecked Police And Military Power Is A Security Threat
As the U.S. Supreme Court decides three legal challenges to the Bush administration’s legal maneuverings against terrorism, it is important to keep in mind how critical these cases are to our nation’s security. Security is multifaceted; there are many threats from many different directions. It includes the security of people against terrorism, and also the security of people against tyrannical government.
The three challenges are all similar, but vary slightly. In one case, the families of 12 Kuwaiti and two Australian men imprisoned in Guantanamo Bay argue that their detention is an illegal one under U.S. law. In the other two cases, lawyers argue whether U.S. citizens—one captured in the United States and the other in Afghanistan—can be detained indefinitely without charge, trial or access to an attorney…
CLEARly Muddying the Fight Against Terror
Danny Sigui lived in Rhode Island. After witnessing a murder, he called 911 and became a key witness in the trial. In the process, he unwittingly alerted officials of his immigration status. He was arrested, jailed and eventually deported.
In a misguided effort to combat terrorism, some members of Congress want to use the National Crime Information Center (NCIC) database to enforce federal civil immigration laws. The idea is that state and local police officers who check the NCIC database in routine situations will be able to assist the federal government in enforcing our nation’s immigration laws…
Curb Electronic Surveillance Abuses
As technological monitoring grows more prevalent, court supervision is crucial
Years ago, surveillance meant trench-coated detectives following people down streets.
Today’s detectives are more likely to be sitting in front of a computer, and the surveillance is electronic. It’s cheaper, easier and safer. But it’s also much more prone to abuse. In the world of cheap and easy surveillance, a warrant provides citizens with vital security against a more powerful police.
Warrants are guaranteed by the Fourth Amendment and are required before the police can search your home or eavesdrop on your telephone calls. But what other forms of search and surveillance are covered by warrants is still unclear…