Legal aid

In your cover story in September, ‘The lawless Internet', you say that, in the early days of the Internet, people thought it would be tamed. It is my view that this says more about people's ignorance and aspirations than anything else.

I can remember, for example, being involved in a debate on domain name piracy back in about 1997. The great hope then centred on the addition of new gTLDs [generic Top Level Domains] and the increased policing and opportunity that that would bring. When I told those at the debate that in my view that would only compound the problem and that in effect regulation would only come about through self-help, I was looked at as if I were crazy.

I was, of course, not the only one to hold this minority view; in the subsequent few years, concerned brand owners, including BT, brought cases to court that have established some order, at least in the UK, in a not dissimilar way to the ‘Direct action' being brought against 419 email scammers highlighted in your case study.

I was particularly interested in the comments from Susan Brenner [professor of law and technology at the University of Dayton, Ohio]. I think her ‘solution' – to hold individuals and companies legally responsible for securing their own IT systems – as laid down in the article is too simplistic.

As you might be aware, legislation of this type already exists – for example, in California, securing personal identifiable information like the equivalent of the UK's NI numbers is mandatory, as is the public reporting of any data breach.

In Europe, meanwhile, some data protection law contains similar mandatory provisions but without the reporting obligation. The net effect is that many businesses ask that servers with their data are not located in California and there is a move to offshore data in more sympathetic jurisdictions.

The Internet is not an entirely lawless place but there is more of a role for self-help than in almost any other sphere of a business's operation.

Jonathan Armstrong
Associate, Eversheds

Security perception

Regarding your ‘The lawless Internet' article, although I agree wholeheartedly with the sentiments behind wanting to improve web security, I have two issues I'd like to raise:

° Whilst the last few years has seen some (arguably major) improvements in the joined-up approach to systems integration between the global players in both the business applications and operating systems arenas, it's taken IT (in its broadest sense) a very long time to get there. What's required to ensure that the web security issue doesn't get bogged down in the same mire of vested interests and anti-competitive practices is a complete mind-shift. Are we capable of it?

° I personally know a couple of small business owners who were affected, to varying degrees, by the Sasser worm attacks. Neither, however, would liken the problems they faced to having a Molotov cocktail thrown through their office window, the parallel drawn by ICI's Paul Simmonds in your article. You get hacked, you may lose money and/or your business; you get fire-bombed, people lose their lives not (at the very worst) their livelihoods. This kind of alarmist and sensational rhetoric does no credit to the clear case for web security improvement, and I'd suggest it could actually de-value the argument by distracting us from it.

Steve Pauline
Snr business analyst, BI Centura Foods

First principles

I have just read your article ‘The Lawless Internet' in your September issue.

My company has been a provider of wide area network services for nearly 40 years – indeed, we are probably the oldest provider of such services in the world. We were ‘connecting' governments, corporations and individuals long before the acronym ISP or even the PC came into existence, and believe me, security back in those early days was far better managed than it is in general terms today.

The Internet is clearly here to stay; its growth cannot be stopped nor can it be policed. Moreover, it cannot be owned by any government or corporation. Any attempt to legislate it will and must fail, and is, in my opinion, totally unnecessary.

I sit on the final examination board for a couple of universities, as the technical examiner, and find that I am forced to fail 90% of all undergraduates simply because in the main they do not have a clue about the fundamentals of systems engineering. The reason: we tend to educate in very specific areas and we do not teach basic systems engineering principles any longer.

Of course, academia will say that there is little need to know these fundamentals. In my opinion, it is this general attitude that has allowed IT networks to be compromised. The only long-term answer must be education and an understanding of the fundamentals.

Almost every day we are called upon as a company to advise business users on how they should protect their networks and almost every day we are astounded at the vulnerability of many of these networks.

Last year, a company selling shrink-wrapped software firewalls asked us to conduct a non-destructive interrogation at one of its [prospective] customers.

We found that we were able to easily access every site we were asked to ‘hack'. The software company then submitted our report and sold the unsuspecting end user their own software solution.

In every case, the purchaser failed to request us to test the security of the new software [after the implementation].

However, as a ‘responsible' business, we decided to go ahead and test without permission and, in almost every case, found that the ‘new' firewall was less than effective.

Needless to say, we advised the end user of our findings and have since ended our association with the firewall vendor.

The simple answer to any security system is to understand the fundamental principles and to be vigilant.

In many ways, it is a bit like common burglary: We tend to install and build bigger and better locks but leave a window open – or more relative to our subject, the burglar simply removes the window itself.

Dr John L Dimmock
Technical director, Media Services Sussex

Password exposure

For at least the last five years, the IT industry has been writing about and discussing how passwords alone offer an insufficient defence against threats such as computer hackers [see article, 'Matrix of trust', Information Age, September 2004].

Relying on reusable passwords to protect an organisation's network leaves a company vulnerable to computer criminals. An attacker only needs to guess, snoop or crack the password of one user and they can use that stolen identity to gain full access to the organisation's systems.

We are still reading about how users will happily trade their passwords for chocolate bars, that most people use passwords that are easy to guess such as a child's name, pet's name, birthdays and so on, and that security breaches are on the increase each year.

The UK Department of Trade and Industry has been sponsoring a bi-annual Information Security Breaches Survey since 1998 and, over that time, the proportion of UK businesses that have had a security incident during the year has increased drastically from 32% in 1998 to 94% in 2004. And in 2004 one in five large organisations reporting a security breach associated it with weak identity management.

Isn't it about time that business and public sector organisations woke up to the fact that they need to adopt more secure methods of authenticating their users, to counter the threat of identity theft attacks? This threat is only going to increase as the boom in mobile and home-based [access] continues to grow.

Or will we be reading about the problem with weak passwords this time next year, and the year after, and the next…?

John Stewart
CEO, Signify

Remote control

Whilst your Q&A interview with the BBC's chief technology officer John Varney (Information Age September 2004) painted a visionary picture of the future of broadcasting media, it actually covered up a far more mundane reality.

BBC Technology was made a commercial concern in 2001 in order that it could carry out external contracts and the income generated would be passed back to the BBC as savings in IT provision.

The contract between the BBC (represented by Varney) and BBC Technology, known as the Technology Service Agreement (TSA) was a five-year contract that was set to run to 2006. The TSA was delivering the required level of savings. However, in 2003, Varney decided that greater savings were required. BBC Technology responded that the only way the savings could be achieved would be to make 25% of its 1,400 staff redundant. The BBC was not prepared to pick up the large redundancy bill that would have resulted, so the decision was made to outsource the entire operation; that is, to pass the redundancy bill to another company. [BBC Technology became part of Siemens Business Solutions in September 2004.]

John Varney stated in the December issue of Ariel (the BBC's in-house newspaper) that "there can be no certainty that there will be no redundancies associated with the change of ownership", and Siemens have also intimated that they will carry out a review which might lead to redundancies.

BBC Technology, prior to the outsourcing decision, was carrying out its own internal cost-cutting exercise, known as Project LEO (Lean Efficient Operation). While it identified areas where cuts could be made, this information was not shared with the staff of BBC Technology because, as a senior manager stated, "the staff would find the report too distressing". However, the same information was passed by the BBC to Siemens and the other two shortlisted bidders.

In effect, the new owners of BBC Technology were handed a redundancy blueprint.

Name and address supplied.

Slacking off?

The surprise French best seller, Bonjour Paresse [Hello Laziness] – a battle cry for passive resistance to modern office culture – shook up corporate France this summer. In 100-odd pages, the author convincingly argues that not only can you be a slacker and get away with it, but that only by reducing your productivity to zero have you any hope of climbing the corporate ladder.

This begs a question of IT directors (and one that the board is certain to ask): Is the IT department working at full productivity to deliver business value or is IT's slacking endemic? With project overruns and exceeded budgets being a frequent occurrence, the board can only assume the worst.

In order to avoid returning to the ‘glory days' of spiralling contractor fees and IT setting its own agenda, the IT director has the major challenge to ensure employees are working at full productivity, not embracing the lessons of Bonjour Paresse. How can any IT director be confident that skills are being effectively used and personnel fully employed at any time?

Too many companies are reliant on emails, whiteboard-based analysis and ‘finger in the wind' assessment of the impact of new projects on existing schedules. However, resource and timesheet management software can provide the level of control and visibility required to meet the growing demands and expectations of the business, discouraging slacking and improving the IT director's standing with the board.

Barry Muir
Managing director, Innate Management Systems

Editor's note: As one reviewer put it, Bonjour Paresse by Corinne Maier (an economist at state-owned Electricité de France) is "a call to middle managers to rise up and throw out their laptops, ‘organigrams' and mission statements…the unexpected publishing sensation of the summer in France". Another described it as exploring "the hopeless, mindless world of corporate slavery and the fine French art of accomplishing nothing on the company's payroll. Seriously, she makes Dilbert seem like a go-getter." Six months after its publication, we are still awaiting an English translation.

° Information Age will be taking an in-depth look at IT project and resource management in its December issue.