10/19/2002

Open Source. To promote a fruitful debate of the merits of open source software and to provide information to Danish software users that will enable them to make informed choices with respect to open source vs. proprietary software (or other models for that matter), I took the initiative in the spring of 2002 to set up an informal forum where people from Danish businesses and public agencies and institutions could meet to discuss the implications of open source and exchange experiences. Peter Toft of SSLUG, Jesper Laisen of Foreningen Fri Software and Kim Østrup of IBM Danmark have been very encouraging and helpful in setting up Open Source Forum.
Open Technology. Thomas Madsen-Mygdal has directed my attention to a new American organization (in the seemingly never-ending line of such organizations) that focuses on IT issues while trying to promote other interests, in particular the general public interest, rather than the traditional myopic and short-sighted interests of the IT industry and withholders:

American Open Technology Consortium (AOTC) is a nonprofit organization of technologists who have joined together to educate lawmakers and regulators about technology — especially in regards to The Internet, which is the most world-changing technology since the wheel.

"All the significant technology trends start with technologists," Marc Andreessen says. Yet lawmaking and regulation concerning technology have always tended to start elsewhere: with well-connected interest groups, for example.

Unlike gun owners, environmentalists and evangelical Christians, technologists have never been a politically influential group. Certain large employers may have influence; but nothing to equal that of, say, Disney, the RIAA or the MPAA.

AOTC is here to change that. The influence we want is simple and straightforward: we want to speak truth to power. We know technology. We know what the Internet is about and the kind of good it does in the world. We have done far more to conceive and build the Net than any company, or any industry. And we did it for the good of the whole world, not for any special interest.

By its nature the Internet embodies three virtues:

- Nobody owns it
- Everybody can use it
- Anybody can improve it

No one company is going to stand up for these virtues. That job falls, like the job of building the Net itself, on the shoulders of technologists. That's who we are and why we're here.


Very interesting initiative. How I wish that we in Europe and here in Denmark had the right people to initiate the same kind of organization.

10/17/2002

IT-security. For some time now, at conferences and in articles, I have tentatively broached the idea that a higher level of IT-security will only result if companies in particular get strong economic incentives to improve their IT-security. The IT-industry has, not surprisingly, taken the viewpoint that market incentives are strong enough and that the role of government should be to educate and inform about IT-security, not to regulate. I don't buy that argument. Even though I don't believe that government should mandate different levels of IT-security in techno-specific legislation, I do believe that traditional tort or compensation law has a very important role to play. Companies, both software vendors and users, should be liable for the damages that insufficient IT-security causes to others.

Interestingly, it seems that a trend is starting among IT-security experts to share similar views. Listen to what Bruce Schneier has to say in the 15 October 2002 edition of his Crypto-Gram newsletter:

Security is a commons. Like air and water and radio spectrum, any individual's use of it affects us all. The way to prevent people from abusing a commons is to regulate it. Companies didn't stop dumping toxic wastes into rivers because the government asked them nicely. Companies stopped because the government made it illegal to do so.

In his essay on the topic, Marcus Ranum pointed out that consensus doesn't work in security design. Consensus security results in some good decisions, but mostly bad ones. By itself consensus isn't harmful; it is the compromises that are almost always harmful, because the more parties you have in the discussion, the more interests there are that conflict with security. Consensus doesn't work because the one crucial party in these negotiations -- the attackers -- aren't sitting around the negotiating table with everyone else. "And the hackers don't negotiate anyhow. In other words, it doesn't matter if you achieve consensus...; whether it works or not is subject to a different set of rules, ones over which your wishes exercise zero control."

If the U.S. government wants something done, they should pass a law. That's what governments do. It's like pollution; don't mandate specific technologies, legislate results. Make companies liable for insecurities, and you'll be surprised how quickly things get more secure. Leave the feel-good PR activities to the various industry trade organizations; that's what they're supposed to do.

10/14/2002

DRM. Funny how acronyms can change their meaning. DRM to many means Digital Rights Management. To others it has simply taken on the meaning of Digital Restriction Management.

David Reed was chief scientist and VP R&D at Lotus: "This is what is wrong with Berman-Coble, with DRM, with TCPA, and with Gator. It's my computer, dammit. If I don't give informed consent, you can't use it."
http://www.satn.org/archive/2002_09_29_archive.html

Dan Bricklin, co-inventor of Visicalc, the first killer app for the PC: "If you are an artist or author who cares about more than the near-term value of your work, you should be worried and be careful about releasing your work only in copy protected form. Like the days when "art" was only accessible to the rich, two classes will probably develop: Copy protected and not copy protected, the "high art" and "folk art" of tomorrow."
http://www.bricklin.com/robfuture.htm

Ray Ozzie, inventor of what became Lotus Notes, the world's first groupware collaborative software for PCs, a killer app: "With rich and open access, will contractual controls on use of Web Services data be sufficient, or will we need technical means of use enforcement? How far will Digital Restrictions Management creep its way into the system-to-system realm?"
http://www.ozzie.net/blog/stories/2002/08/22/nondiscretionaryControlsCantLiveWithemCant.html

Quotes compiled by Nathan Cochrane, Deputy IT Editor: Next: The Age and Sydney Morning Herald.

ISOC DK IT-security conference. As the first event of the relaunched ISOC DK, an international conference on IT Security in the Information Society will take place in Copenhagen on 2 November 2002, just a few days before the IST 2002: Partnerships for the Future event in Copenhagen. See the program for the IT Security in the Information Society conference here (PDF file).