[ISN] Failed System Security Paradigm

From: mea culpa (jerichoat_private)
Date: Wed Feb 10 1999 - 03:18:12 PST

  • Next message: mea culpa: "[ISN] Israelis charged in Pentagon, NASA hacks"

    Forwarded From: JohnE37179at_private
    
    System Security
    The Failed Paradigm
    
    Current information system security strategies revolve around encryption
    and some form of password. This approach, even if perfect, only protects
    transmission and transcription of information. Two elements are missing:
    the truth of the information transmitted and the identity of the users of
    the system. If the identity of a user is not absolutely confirmed at the
    time of enrollment even a perfect system will only confirm a potentially
    false identity - resulting in a insecure system.
    
    The paradigm of accuracy in information systems is limited to
    transcription and transmission. The truth of content is not considered.
    
    The result of these approaches is the rapid growth of identity fraud.
    Identity fraud appears in many guises. The acquisition of a false
    identification is relatively simple and the simplest of hacker techniques
    - social engineering - is all it may take to break the most technically
    sophisticated system. 
    
    Why would someone trying to break a system try to break an encryption code
    when all they need do is a simple deception of identity? 
    
    Are we not all deceiving ourselves with the race to build the strongest
    encryption and passwords without working on the more basic problems of
    user identity and message truth? 
    
    The response I get when I raise this question is either that this is the
    "user's" problem or it is a "wet brain" problem and not susceptible to a
    computational solution. Both these responses ignore or misclassify the
    problem in an attempt to finesse a solution. 
    
    There are information strategies that when coupled with existing
    technology can both absolutely determine and verify an individual's
    identity and determine the truth of message content. While this is an
    emerging solution, it has had over 16 million commercial uses and in tests
    has demonstrated error rates of fewer than one in 22 million. 
    
    John Ellingson
    President, e-Dentification, Ltd.
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:18:31 PDT