Desert of the Mind [v1.5 Beta]
Thursday, March 17, 2005
Create a Monopoly. Make money.
I don't know if http://www.boingboing.net/ is really qualified to be the weblog of the year, again (I voted for someone else). However, it is a good read from time to time, if you can wade past all the constant harping on how copyrights are evil (They've been turned into evil, but I don't need to be told that with every single post. Do me a favor and give it a rest for a day. 'Kay?). This little piece about CIO (Chief Information Officer) magazine was very interesting.

There's always a balance between security and usability, both in real life and in the computer world. Specifically, the more secure you make things, the less easily usable they become. I recall an anecdote (probably an urban myth but I'm too lazy to check Snopes) where the military set up an elaborate and secure computer system, but nobody used it because it required too many passwords and too many hassles. Likewise, visit any corporate office, and you are bound to find passwords and IDs written down on sticky pads and scattered about the cubicles. When security comes smack up against usability, usability always wins. The problem is when lack of security interferes with usability.

The search for the Next Big Idea to correct this imbalance is really laudable, but the problem is that they're asking CIOs for the solution, which is like asking fishermen to come up with a solution to overfishing. I'll get to that in a moment.

"That's my solution," Amoroso says. "Create a service. Make money."

A telling example is that of Ed Amoroso of AT&T, who compares end users to morons, and thinks the best solution is to centralize the computing network power under (naturally) AT&T's control. Take away the ability of millions of end users to make dumb decisions (like leave their static IP connected XP boxes without a firewall and with the mailserver ports turned on ... to quickly be turned into spam zombie boxes by hackers), give the power to intelligent managers, and problem solved.

He's right in a sense, but he's also insanely stupid. INSANELY stupid. (And greedy too.) His analogy is electrical distribution, and that's very telling, because electrical distribution is still for the most part a monopoly. Like AT&T and airlines before deregulation, and like computers before the internet came along. If you want high prices and stagnation, then by all means this is a great model to follow (Just ask Chairman Mao, his Central Planning Board, and their 5 Year Plans). If you want cheap innovation that leads to profits for all (i.e.: the information transformation when the Internet aka OS agnostic communication came along), deregulating and decentralizing the system is what we need. Since we'll never be able to compete against efficient centralizers like Japan or China or France, adopting their model is a fast way to failure. Besides, we'd give the contract to Google anyway, and AT&T isn't exactly the font of knowledge (unless you'd like lessons on how to destroy the most successful company ever).

"Let's make all end user devices nonprogrammable..."

Props to James Whittaker for being even dumber than Amoroso. Instead of millions of people coming up with new and creative solutions, inventing entire categories of industries in their garages (Apple, HP, Dell, Google, Cisco, eBay), we'll take it all away and make sure only those that the Party deems capable will use them. And while we're at it, let's take away those pencils and paper too, ideas are even more dangerous than programs, let's take away the guns (them kills people), cars (drunk driving, accidents), and scissors (you can run with them and hurt yourself). When you start using North Korea as your economic model, it's time we take you away, because you are far too dangerous. Sure it's secure, but really, do you really want to live there? Besides, we already DO treat computers like guns. Anybody can buy one anywhere, nearly everybody has one at home, and you can buy as many of whatever kind you like completely under the radar of any regulation or sales tax by visiting a trade show.

"We should be marching toward a realm where it's harder for people to create vulnerabilities."

I was going to really rag on Mary Ann Davidson, CSO of Oracle. But the more I think about it, the more I think she's been misquoted. Because what it sounds like she's saying is that we should be regulating out bad programming. Which is a nice goal, but pretty much akin to regulating that the sky be pink all the time. And without articulating any concrete steps to get where she wants to go, it's just more pity hot air that wastes my time. I think we should have better programming, more fuel efficient cars, moving sidewalks everywhere, and 2 cows for every garage. But if that's all I'm saying, then it's just about as useful as a bucket of warm piss (less, actually, you can turn a bucket of piss into ammonia which is valuable as a commercial fertilizer).

The Point

My point is that the problem isn't that end users are morons, they are and always will be. And it isn't that freedom = bad security. It's that the business model is backwards. Companies aren't serving the market, they're looking for the market to serve the companies.

The music industry is a perfect example. People want music, and they want it on their computers and digital players and to share with their friends. So, does the music industry give the customer what they want? Of course not. They raise the price of the CD, sue the customer, and run every attempt at online distribution out of business. And then they act all shocked when the customer says "fuck it all" and just starts ripping and filesharing away. iTunes is the proof in the pudding, give the customer cheap downloadable semi-restricted songs (I'd bet they'd double sales if they dropped a lot of the restrictions they left in place), and they'll buy. Better yet, partner with a hardware manufacturer, and make money on both sides of the equation. The market has a need, a huge need. Serve the need, and you'll make a lot of money. You don't need to go to Harvard Business School to learn this. Sam Walton sure didn't.

Look at spam. Spam regulation has failed utterly, because companies like AT&T hate spam coming in but like to send spam out. They call it marketing, my inbox calls it spam. Any regulation that has attempted to limit the sending of junk emails has been beaten into uselessness because AT&T can't imagine not being able to send me crap I don't care about. AT&T is not going to provide any solutions to this problem. The solution, however, is very clear, and we already have a model that works. Snail Mail! Sender pays! But the companies that have an interest have been trying to hash out some regulation along these lines for years, and they've gone nowhere. Well, screw regulation and screw the companies, all it'll take is for one company with a semi-large installed user base to serve the customer and they'll all fall into line. Gmail by Google would be perfect, because it's free, has a large user base, and is still in Beta.

It's simple. If the number of emails from any IP address exceeds a set large number (say 10,000), then Gmail will refuse to deliver until the IP sends a nominal payment ($0.01 an email let's say). Likewise, Gmail will send a nominal payment for outgoing emails.

What if Hotmail doesn't want to pay? Seriously, have you ever received a legitimate email from somebody using Hotmail? All my friends and I use Hotmail for is to act as spamboxes (you know, when a company like AT&T asks for your email addy and then sells it to everyone under the sun). Or you can set up an exception list and Gmail will deliver those for free for the first 1000 emails.

What about outgoing, what if the end user doesn't want to pay? Again, set up a large exception quota, maybe 500 a month. Surely the company can absorb a $5/month charge, especially if it attracts more people to your service (not receiving spam is a big draw for people nowadays). Anything over 500/month is just crazy. Listservs? Get a blog and push an RSS feed instead.

What about spoofing? Let the sender deal with that crap. I'm sure once Hotmail and Gmail are facing large fraudulent bills they'll agree on a standard encryption scheme. Better yet, hard drives are insanely cheap, and you can't beat the bandwidth of FedEx. Mail a HD full of received email along with a bill every month. Sender's job is to verify received vs. sent and send appropriate payment. Payment dispute? Sue! Privacy concerns? Email is like sending a postcard, you have no privacy to begin with. Or send the HDs via US Mail. HD gets intercepted, that's a federal offense.

Likewise, 2 simple tweaks in regulation should fix software problems. Firstly, use alternatives that are better. The Air Force example in the article is great, but for all the wrong reasons. Microsoft didn't cave and make the Air Force's systems more standard and secure because they were about to lose the contract. Microsoft caved because there was a competitor (that probably has a better product). Buy from the competition every now and then, and watch your main vendor make better products.

Secondly, treat software like a product, not a license. You buy it, you own it, and the company that made it is actually responsible for what it does. If it is defective, the owner should be able to sue for damages or a fixed replacement. I'll bet Microsoft will be beating your door down to get a new patch in your hands if it faced the possibility of a bagillion lawsuits.

In short, if you want secure computing, don't try and hobble the market with regulations or dictates to protect your business model. Instead get the hell out of the way of small start-ups that are looking to actually serve the market demand. Better yet, make products that serve the market, and make billions along the way.
This work is licensed under a Creative Commons License.