Bruce Schneier neatly sums of this argument in a recent blog post,
Universal identification is portrayed by some as the holy grail of Internet security. Anonymity is bad, the argument goes; and if we abolish it, we can ensure only the proper people have access to their own information. We'll know who is sending us spam and who is trying to hack into corporate networks. And when there are massive denial-of-service attacks, such as those against Estonia or Georgia or South Korea, we'll know who was responsible and take action accordingly.
Schneier also points out the fallacy in this argument,
Imagine a magic world in which every Internet packet could be traced to its origin. Even in this world, our Internet security problems wouldn't be solved. There's a huge gap between proving that a packet came from a particular computer and that a packet was directed by a particular person. This is the exact problem we have with botnets, or pedophiles storing child porn on innocents' computers. In these cases, we know the origins of the DDoS packets and the spam; they're from legitimate machines that have been hacked. Attribution isn't as valuable as you might think.
In an article entitled Driver's License for Web Users… Bad Idea Susan Brenner a professor of Law and Technology agrees with Schneier
I don't see that we have the inevitable, persistent visibility online that we have when we're operating a motor vehicle on city streets or on highways. We don't (as far as I know) have the digital equivalent of traffic cops trolling the Internet to see if we're obeying the online traffic laws (would we also need to invent those if we're going to introduce Internet driver's licenses?).
What do you think? Should Internet users be licensed? If so, would this improve security? If so, at what costs?
No comments:
Post a Comment