[ga] Judge punishes bad security - Food for thought..??

[Jeff Williams <jwkckid1@ix.netcom.com>]

All assembly members,

  Today there has been some talk about security interests and concerns
again.  This has also been discussed in the recent past on the
ICANN ALSC list as well.  Here is a couple of articles of recent
events in this regard that the court systems are now beginning to
impose as it seems that ICANN and others can't seem to get
their act together on in doing..

Judges Punish Bad Security

 Two stories with a common theme.

The first involves the U.S. Department of Interior.  There's an ongoing
litigation between Native Americans and the U.S. Government regarding
mishandling of funds.  After seeing for himself how insecure the
Department's computers were, and that it was possible for someone to
alter
records and divert funds, a U.S. District Judge ordered the department
to
disconnect its computers from the Internet until its network is secured.

The second involves a couple of Web hosting companies.  One day, C.I.
Host
was hit with a denial-of-service attack.  They traced at least part of
the
attack to companies hosted by Exodus Communications.  C.I. Host filed an

injunction against Exodus, alleging that they committed or allowed a
third
party to commit a DOS attack.  A Texas judge issued a temporary
restraining
order against three of Exodus's customers, forcing them to disconnect
from
the Internet until they could prove that the vulnerabilities leading to
the
DOS attack had been fixed.

I like this kind of stuff.  It forces responsibility.  It tells
companies
that if they can't make their networks secure, they have no business
being
on the Internet.  It may be Draconian, but it gets the message across.

On the Internet, as on any connected system, security has a ripple
effect.  Your security depends on the actions of others, often of others

you can't control.  This is the moral of the widely reported distributed

denial-of-service attacks in February 2000: the security of the
computers
at eBay, Amazon, Yahoo, and CNN.com depended on the security of the
computers at the University of California at Santa Barbara.  If Eli
Lilly
has bad computer security, then your identity as a Prozac user may be
compromised.  If Microsoft can't keep your Passport data secure, then
your
online identify can be compromised.  It's hard enough making your own
computers secure; now you're expected to police the security of everyone

else's networks.

This is where the legal system can step in.  I like to see companies
told
that they have no business putting the security of others at risk.  If a

company's computers are so insecure that hackers routinely break in and
use
them as a launching pad for further attacks, get them off the Internet.
If
a company can't secure the personal information it is entrusted with,
why
should it be allowed to have that information?  If a company produces a
software product that compromises the security of thousands of users,
maybe
they should be prohibited from selling it.

I know there are more instances of this happening.  I've seen it, and
some
of my colleagues have too.  Counterpane acquired two customers recently,

both of whom needed us to improve their network's security within hours,
in
response to this sort of legal threat.  We came in and installed our
monitoring service, and they were able to convince a judge that they
should
not be turned off.  I see this as a trend that will increase, as
attacked
companies look around for someone to share fault with.

This kind of thing certainly won't solve our computer security problems,

but at least it will remind companies that they can't dodge
responsibility
forever.  The Internet is a vast commons, and the actions of one affect
the
security of us all.


Dept. of Interior story:
<http://www.zdnet.com/zdnn/stories/news/0,4586,5100521,00.html>
<http://www.wired.com/news/politics/0,1283,48980,00.html>

Exodus story:
<http://www.cio.com/archive/110101/court.html>

Regards,
--
Jeffrey A. Williams
Spokesman for INEGroup - (Over 121k members/stakeholdes strong!)
CEO/DIR. Internet Network Eng/SR. Java/CORBA Development Eng.
Information Network Eng. Group. INEG. INC.
E-Mail jwkckid1@ix.netcom.com
Contact Number:  972-244-3801 or 214-244-4827
Address: 5 East Kirkwood Blvd. Grapevine Texas 75208


--
This message was passed to you via the ga-full@dnso.org list.
Send mail to majordomo@dnso.org to unsubscribe
("unsubscribe ga-full" in the body of the message).
Archives at http://www.dnso.org/archives.html