Re: [ISN] ICSA certifies weak crypto as secure

From: cult hero (jerichoat_private)
Date: Fri May 28 1999 - 19:08:35 PDT


    Reply From: edison <edisonat_private>
    
    A few thoughts on the subject. 
    
    First, with the frightening amount of completely unsecured consumer info
    sites on (and off) the net today, I would disagree that ICSA's actions
    reflect "very badly" on our industry.  Because there are much easier
    targets, consumerinfo.com can be reasonably certain that it won't even be
    attacked for quite some time.  At least until most of the rest of the
    sites are secure in the same fashion. 
    
    Don't get me wrong, I'm not advocating 40-bit encryption as 'secure,' but
    it is 'more secure' than nothing at all.  And until the ignorant IT
    managers with sites on the net clue in, this kind of certification won't
    _hurt_ our industry.  Please don't attack me - I'm just saying that while
    we professionals might recognize weaknesses in this level of security,
    those outside don't and "we" still look good to them. 
    
    Second, if you've ever been to a hacker BBS/site, you have to know that
    getting into Equifax or any other reporting agency is pitifully easy.  If
    you think 40-bit encryption is weak, how about a 2 character alphanumeric
    "password" on accounts that can be pulled from your own credit report? 
    And for that matter, there are posted algorithms to the account scheme, so
    you can even generate your own. 
    
    I will agree that there are more unsavory characters on the net than there
    are people aware of CBI dialups.  But then again, 40-bit crypto is not
    exactly _easy_ to crack. 
    
    -edison
    
    On Fri, 28 May 1999, cult hero wrote: 
    
    > I am becoming concerned about the apparent lack of professional competence
    > within even well-known segments of the security community. I hope the
    > incident I discovered is an isolated one, but even a single such incident
    > is disquieting.
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: OSAll [www.aviary-mag.com]
    


