Wednesday, February 16, 2005

ComputerWorld Columnists, Again

Another week, another filler column from ComputerWorld which puts forward silly suggestions based on an insane premise. If ComputerWorld fields aggrieved that I'm picking on it, it should make itself a smaller target...

This time, the columnist (Frank Dzubeck of Communications Network Architects, whose Website says "Index of /") asks "Can the Internet Ever be Trusted?" and calls for the formation of a Trusted Internet Group just like the doomed-to-fail Trusted Computing Group;
here.

I won't dissect the Trusted Computing Group in detail, because that needs a few thousand words.

Let's answer the "can the Internet be trusted" question first: No.

You can't trust the Internet, and you never could. That's not because of the particular problems - insecurity, spyware, phishing and so on - but because the Internet is far too abstract to be trusted.

You can only give someone trust based on knowledge and judgement, and for most people knowledge and judgement about "the Internet" is too remote to form the basis of a decision about trust.

Trusting "the Internet" is simplistic and irrational, and a new high-tech fix won't change that.

The question is: whom and what can you trust? The answer: Knowledge and process.

I'll start with process first, because it's the part that "the industry" (a nebulous thing at best) controls. The problem with Internet commerce in 2005 is that too many companies have created inadequate processes; they've then encouraged people on the basis of "trust in the brand" to use these processes for commerce; and finally they've abused the processes to make them untrustworthy, all while jacking up at any suggestion that things aren't just rosy in the garden.

To take a bank as an example.

The only way to trust a bank's process is if the client software can only talk to the bank's servers. Anything else is vulnerable, regardless of the presence of specific exploits. Banks decided that convenience was more important, so they wilfully created browser-based banking even though they knew it was less secure than "own client" banking.

"The Internet" is not at fault - it's the process that's broken.

Banks then - frequently - write the browser software so that it doesn't show the URL in the address bar (undermining the "knowledge" part of the trust equation). A bank which writes its software this way is teaching users to trust in the absence of knowledge - which is so irresponsible it beggars description.

Then, in the name of cheap communications, banks routinely use e-mails to put sales pitches in front of their customers, and routinely use links from the e-mails to their product sites - and have kept doing so even after the phishing scams became widespread.

This encouraged people to put their trust in bad processes - but it's not "the Internet" which is at fault and it would not be fixed by a "Trusted Communications Group".

As a member of the Link mailing list said, if you say "Can the Post Ever be Trusted?" you quickly see how stupid a question is posed about the Internet.

To propose a solution which removes knowledge and responsibility from users, and which at the same time relieves participants from the need to create good process, is beyond stupid. And to propose that yet-another industry cargo cult can push out the answer on parachutes?

That's not solution, that's just more problem.

But what would I expect from a network consultant with a slash for a home page?

No comments: