Your “RentaGong” gang appear to be doing what most of the ignorant do-gooders have wanted to do from the moment the Internet escaped academia - namely fiddle mightily with what they perceive to be the symptoms, and avoid the challenges of grappling with the root causes.

What you and they seem to driving at is a walled garden solution, probably run by a large organisation that will pay fat stipends to political advisers and consultants. Maybe Bill Gates was too hasty when he turned the Microsoft Network from a propreitary scheme into an open IP environmenet.

Awaken Prestel and BT Gold! Your time has at last come…

At the time of writing, for example:

https://tino-paypal.viscomp.biz

is a PayPal phishing website with a valid cert issued by Equifax, but this is NOT a PayPal site, despite the look of it…

So except for the lack of a green bar in the very newest browsers, this appears to be the genuine article and apparently a respected certificate owner says so. Expecting users to understand what is wrong here is to ask far far too much.

Do you seriously believe this Richard?

“…people who reached the top of their professions (who are therefore quick learners, even if they start by knowing little of the topic)…”

Are you quite certain this has absolutely nothing to do with brown nosing and having time to waste playing the system?

Far from being the problem, the answer lies in the notion “that individuals are just not well-informed enough to understand the security implications of their actions”

Security starts with the users. There is no point in any of these proposed measures as long as users do not understand the basics of identity management starting with their own online identities. Minimal extra effort with TLDs would provide an “all SSL” domain hierarchy as the root of traceable trust.

Faced with this, my company would convert all its software to FOSS and charge for other things - CPU time, support, consultancy, training etc. (We already get a lot of income from such things).

Thus end-users would not benefit.

In your three points above about what you thought might happen you neglected to mention TPM, DRM and Secure Licencing.

In a way you kind of missed out an essential point with physical-v-virtual product. In the case of a defective car or part the manufacture can apply a series of tests to reveal if the claimed defective part is realy theirs (and have profited by the sale) or counterfit (for which they have no liability). Unfortunatly for virtual/data-bit only products like software this is not possible in the same way, it requires something in addition to the actual product.

Ill thought out legislation (ie to customer orientated from the manufactures perspective) might well leave the manufacture wide open to supporting counterfit product. It might be a bit for bit copy, but importantly the manufacture has not derived any benifit from the use of it. Which would make legal liability a real minefield that could take courts many many years to set case law for, or worse preasure for new draconian legislation (see history of the Fritz Chip etc).

No industry is going to willing go down that kind legal liability route unless there is no alternative open to it. Especially as it would encorage the likes of “amulance chasser” and “patent troll” lawyers who would dearly love a new “class action” playground to flex their muscels in and earn the “spare change” to buy the latest in luxury jets and yachts…

After a little thought you will realise that the manufactures would if they have to accept legislation for liablility, like another route open to them, and will fight tooth and nail for their version and rules.

Of the few workable systems out there currently they are likley to look at,

1, Trusted Platform (TPM)
2, Digital Rights Managment (DRM)
3, Secure Licencing

The prefered choice of major software suppliers would be TPM with the required additional cost (hardware) being enforced on all “appliance” manufactures. Which would if handled correctly (from the major software houses perspective) give the ultimate lock in for them and their chosen hardware associates with minimal cost to them whilst alowing all sorts of “new inovative” licencing models (for which you and I will be forced into accepting as ther will be no other choice as they effectivly own your platform).

DRM has for many reasons had a fairly bad press, both for the apparent draconian / questionable / illegal attitudes and actions of some rights holders, and for the fact it appears (on the surface) to be fairly eaisily bypassed and probably always will be. It’s demise has also been predictade because some suppliers of digital media are showing the view point that DRM is way to much trouble for too little gain (cost-v-profit).

As for secure licencing which is somewhat similar to DRM but is unique to each individual sale not a product or range (therefor no master key or equivalent to be found for any easyily distributable “class break”). Unfortunatly for the software manufacture Secure Licencing has many (if not most) of the bad points of DRM plus a significant added expense to the software manufacture. Effectivly they no longer produce millions of identical copies of their product and push them into the distributor chain, they now have to supply a million securly variant copies of the product directly to the end user if they want to maintain effective (control) security.

So as the preasure for “Liability Legislation” increases then I think you will see the major software companies pushing for TPM, either directly or through another guise (National Security / Anti-terrorism / whatever else the idiot legislators will swallow).

If the legislators are stupid enough (why do you think the Manufactures refer to it as “educating” the electorate / representatives) to go down that route (and belive me they will unless counter preasure is supplied) the effects on all “Digital Creativity” will be catastrophic. It will get to the point where you would not be able to take a photo, sound / movie clip / of your child to send to their addoring grandparents without having to pay a fee back to the major software houses.

Likewise semi-proffesionals would not be able to create software or music or other digital art without having to pay a fee to the TPM system holder(s) to “licence” the key for the TPM so that they can make it available to others.

Also small proffesional organisations will find themselves in a similar position of having to pay to get access to the market place.

As for the big boys they will deal amongst themselves in the sme way they currently do with cross patent agrements etc, and will effectivly maintain a cartell…

Oh and don’t think they have not considered the “Marketing Data” asspect of TPM where your every move gets reported back to the TPM organisation to be sold on for a proffit, and compleate lack of your privacy and personal security.

With Legal Liability the law of “unintended consiquences” always applys and it might well hurt us end users considerably more than the current no liability unregulated “wild west” marketplace we currently have.

The best way forward is probably a (semi) open marketplace where paid for products have to be shown to meat common criteria. Where the criteria are set by an independent foundation and testing tools are frealy available, and those with mandated liability (Banks etc) require the user to use products that meet the criteria.

Slightly less desirable would be the likes of the Underwriters Laboritories (UL) which enabled the isurance industry to offer discounts to end users who used products that meet their requirments.

I am not against “Lemon Laws” they have their place, when it comes to the likes of matters of “safety” but, they can as has been seen by numerus court cases be used inappropriatly. I suspect the original drafters of the legislation that allowed “Class Action” are somewhat saddend by the ways it has been (ab)used.

My post with quotes from the report about it: http://blog.cronto.com/index.php?title=do_you_listen_to_your_users

I suppose the main thing that needs to happen is to make sure that the open source question is part of the debate.

It will be interesting to see how this plays out.

For instance, where will the open source commutity fit in? I hate to see open source distruibtion effectively outlawed as many developers and projects couldn’t afford the required insurance.

Limiting the liability to the products purchase price probably won’t work either , as the price for a single license is slow low it hardly compensates for the loses of a security incident.

Thanks for the links to your postings; I’ll take a look.

I remain unconvinced that a regulatory system closer to one that governs pharmaceuticals rather than the current regulatory regime wouldn’t at least be progress. We can certainly point to problems with the current pharmaceutical regulatory regime, and lots of people do. At the same time though at least one thing it gives us some transparency into methodology and results.

I’ve written a few small pieces that I think might be beneficial in this area:

http://securityretentive.blogspot.com/2007/08/what-is-safe-enough.html
http://securityretentive.blogspot.com/2007/05/analyzing-software-failures.html

While I agree with your points about net utility caused by said regulatory regime, I’m not exactly enamored with the existing regime either and I wonder if you have any thoughts as to a better model.

Thank you