Tuesday, July 30, 2002

Law professor Neal Katyal has an editorial in today's NYT. He bemoans cyber-lawlessness and suggests remedies:

"The federal government should develop programs to increase awareness of computer security issues... More research is also needed on solutions like palm and fingerprint recognition, which could reduce or even eliminate the need for passwords... Congress should ... increase financial and technical assistance to centers that train computer scientists in advanced techniques. The industry itself should also educate the general public about the proper use of computers and good password practices."

General education certainly seems like a good thing. I am appalled at the poor administration I have seen in systems that are supposed to be secure, like outsourced email services. Administrators choose extremely poor passwords for users (e.g. each user's social security number, or the same easily-guessed password for every person in the company who has an account).

However, I fail to see how computer scientists need to be trained in advanced techniques. Many of the advanced techniques we already have, such as public/private key systems, suffer from severe deployment problems. The basic techniques deployed so far aren't so terrible, except that they're consistently used badly. It's not computer scientists that need training in basic techniques; it's users and particularly system administrators, who generally aren't computer scientists.

Also, it's not clear how to follow through on the suggestion that "the industry itself should also educate...". It seems any company using computers has it in its own best interest to train its users about proper use of computers and passwords. These companies are far more likely to act in their own self-interest than the software industry is to step up and do it for the general public.

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 Unported License.