Private Security Industry Bill - latest Straw outrage

[Ross Anderson]

Owen:

> from time to time we all see surprisingly well britched and
> street-wise organisations 'taken for a ride'.

By jove, better pass a law against it then. The gummint can't
possibly leave vulnerable persons such as Barclays Bank to
fend for themselves.

> those whose sole interest is in a 'fast buck', both through the
> selling of rubbish and, perhaps by engaging in a secondary (and
> very grey) market in information on who is relying on 
> exploitable systems.

Of course, it's completely inconceivable that the various agenices
involved in giving advice as part of the `critical infrastructure
protection' effort might ever retain notes of possible exploits,
let alone pass them from the protective part of the agency to the
exploitation part. Given that government is so trustworthy - and
no-one else is in this vale of tears - the entire business of
information security clearly needs to be nationalised forthwith.

> The obvious example is the old one of the bent locksmith who
> keeps an extra key to premises

Nowadays called `co-regulation'

> voice cipher units which also radiate clear speech on such a 
> frequency and at such a power as for the speech to be recoverable
> at a range of some few hundreds of metres

... coregulation in action!

> The problem is one of standards and must affect the providers of
> consultancy services as well as equipment manufacturers, agents
> and resellers of products and turnkey solutions.

In view of the current situation in the countryside, it might be
considered somewhat politically insensitive to mention the word
`fox' in the same sentence as `henhouse'. So shall we rather go 
back to the crypto debate of four years ago and debate the merits
of licenced versus unlicenced, trusted versus untrusted, third
parties? Who would you trust to give your systems a thorough
inspection, my students and I - or a company signed up to GCHQ's
CLEF scheme?

Ross