[ISN] Security Excuses are on the Rocks

From: InfoSec News (isnat_private)
Date: Wed Mar 27 2002 - 23:29:07 PST

    Forwarded from: Elyn Wollensky <elynat_private>

    By Peter Coffee 
    March 25, 2002 

    Welcome to "stupid customers," the saga of IT vendors' ongoing 
    attempts to blame the victim. This week, we honor Jim Balsillie, 
    chairman and CEO of Research In Motion, who commented earlier this 
    month on the intrinsic insecurity of Internet traffic—and why it's not 
    his company's fault that people don't understand it.

    Balsillie was asked about an attack discovered by @Stake that enabled 
    researchers to read wireless messages intended for a user of the 
    Internet Edition of RIM's popular BlackBerry device. He huffed and he 
    puffed and he blew the question down, saying, "Internet traffic isn't 
    supposed to be secure. ... It's kind of like a company making beer and 
    cola and someone saying that there's alcohol in the company's drinks, 
    when the children are drinking cola."

    Well, no, it's really not like that, and IT executives need to 
    understand why that's a deeply flawed analogy.

    First comes the matter of labeling. Alcoholic beverages are labeled 
    and sold in a manner that leaves no doubt as to what you're getting, 
    with full disclosure of the harm that it can do: birth defects, 
    impairment of driving ability and long-term health problems.

    Even my Nokia phone displays the warning "Voice privacy not active" 
    for the duration of my call unless link security is in effect. That's 
    far more forceful than RIM's approach of warning by omission, with RIM 
    executives saying that security was never promised or that the Mobitex 
    specification makes it all clear.

    Second comes the matter of expectation. Beer ads don't show Boy Scouts 
    drinking the product - but we see the RIM advertisements in in-flight 
    magazines and elsewhere, and they don't show people relying on their 
    BlackBerry units for updates on their local coffee shop's waiting 
    times. The RIM ads all suggest that these devices will warn you of 
    crucial business developments, such as changes to a proposed contract 
    or other urgent matters. Don't such important purposes call for secure 
    message platforms?

    Alcohol labels and advertising rules aren't voluntary. Would IT 
    vendors like to have legislators do the same for them?

    Report your pink elephant sightings to peter_coffeeat_private

    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Thu Mar 28 2002 - 01:52:14 PST