(A Javascript-enabled browser is required to email me.)


Matthew D. Healy:
Metarisks of reporting security flaws
from TBTF for 1997-04-04



April 4, 1997

This material is Copyright © 1997 by Matthew D. Healy <Matthew.Healy@yale.edu> of the Yale Center for Medical Informatics.


Date: Mon, 31 Mar 1997 11:29:03 -0500
From: Matthew.Healy@yale.edu (Matthew D. Healy)
Subject: Meta-risks of browser flaws

I fear the steady stream of news reports about yet another security flaw in
this or that web program may give rise to some severe metarisks; I dunno
which if any of the following possibilities would be most likely:

 o A "boy-who-cried-wolf" reaction -- maybe people will start ignoring
   stories about Yet Another Web Security Flaw.

 o An exaggerated fear of security problems may cause people to give
   up on the Web entirely.  I dunno whether using the Web to buy stuff
   is more or less risky than using older technologies to accomplish
   the same tasks.  I do know that older technologies are far from
   100% perfect; for instance both my wife and my father have had
   their bank accounts hit by check forgers.

 o Those who favor tighter Government control over the Internet may
   use such incidents as "evidence" that the net community can no longer
   be trusted to run something that is rapidly evolving from nifty
   techno-toy to serious communications infrastructure.

 o Overly-rapid attempts to fix the known bugs in what are, by and large,
   kludges that were implemented in a big hurry may produce more and worse
   bugs.  I strongly believe the root cause of most web-related security
   holes is that market pressures pushed developers to concentrate on
   implementing new features quickly, without taking the time to do it right.

The most positive imaginable outcome would be for those who develop web
software to slow down and focus on getting things right; anybody wanna lay
odds on _that_ happening any time soon?

Matthew.Healy@yale.edu  http://paella.med.yale.edu/~healy

[ TBTF for 1997-04-04 ]