[Dshield] Interesting Zombie Data Graphs

Stephane Grobety security at admin.fulgan.com
Wed Nov 9 15:40:34 GMT 2005


FJA> I'd proposed an "Internet Driver's License" a while back in several
FJA> forums I teach/speak/rant to.  This driver's license is nothing that will
FJA> get you thru security at an airport, but it's regulated by the ISP.

This idea surfaces from time to time and I just hate it.

First, it wouldn't get the job done: People will not update their
training and will quickly be left out of the loop. You also need more
than half an hour of training to have even the slightest glimpse of the
challenges of modern computing regarding security. There is also the
fact that people NEVER think security applies to them until the
time it comes back to bite them: even if they understood the problem
and know how they should behave they simply won't do it because it's
easier not to think about it. I've seen this happen everywhere I've
had the occasion to give training, no exception.

Second, there is the fact that it simply can't be implemented. Even if
you managed to get a law passed in your country for a mandatory
license to use the Internet (the only way to have ISPs investing money in
what is, essentially, something that will NEVER generate any added
revenue), you couldn't pass it to all countries in the world.

So, this idea is of the same level of realism as simply wishing
everyone on the Internet would behave ethically: It would solve almost all
security problems but it's sadly completely disconnected from reality.

And one final note: 5 years ago, I could give people safety
instructions that should keep them out of trouble as long as they
followed them: do not open email attachments you weren't expecting, do
not navigate to questionable web sites, do not reveal your password to
anyone, even if you trust them and see them face to face, etc. Since
then, both the technology and the use we make of it have evolved so
much that these won't be enough any more: in order to keep a system
safe, you now need a number of layers of security making user training
less and less important (which is actually good: you can't trust users
anyway).

Good luck,
Stephane


