[ISN] Security Excuses are on the Rocks

From: InfoSec News (isnat_private)
Date: Wed Mar 27 2002 - 23:29:07 PST

Next message: InfoSec News: "[ISN] Come on, own up: IT managers leave firewalls open for hackers"

Previous message: InfoSec News: "[ISN] MS vs. open source: Security's the same"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Forwarded from: Elyn Wollensky <elynat_private>

http://www.eweek.com/article/0,3658,s=706&a=24507,00.asp

By Peter Coffee 
March 25, 2002 

Welcome to "stupid customers," the saga of IT vendors' ongoing 
attempts to blame the victim. This week, we honor Jim Balsillie, 
chairman and CEO of Research In Motion, who commented earlier this 
month on the intrinsic insecurity of Internet traffic—and why it's not 
his company's fault that people don't understand it.

Balsillie was asked about an attack discovered by @Stake that enabled 
researchers to read wireless messages intended for a user of the 
Internet Edition of RIM's popular BlackBerry device. He huffed and he 
puffed and he blew the question down, saying, "Internet traffic isn't 
supposed to be secure. ... It's kind of like a company making beer and 
cola and someone saying that there's alcohol in the company's drinks, 
when the children are drinking cola."

Well, no, it's really not like that, and IT executives need to 
understand why that's a deeply flawed analogy.

First comes the matter of labeling. Alcoholic beverages are labeled 
and sold in a manner that leaves no doubt as to what you're getting, 
with full disclosure of the harm that it can do: birth defects, 
impairment of driving ability and long-term health problems.

Even my Nokia phone displays the warning "Voice privacy not active" 
for the duration of my call unless link security is in effect. That's 
far more forceful than RIM's approach of warning by omission, with RIM 
executives saying that security was never promised or that the Mobitex 
specification makes it all clear.

Second comes the matter of expectation. Beer ads don't show Boy Scouts
drinking the product - but we see the RIM advertisements in in-flight
magazines and elsewhere, and they don't show people relying on their
BlackBerry units for updates on their local coffee shop's waiting
times. The RIM ads all suggest that these devices will warn you of
crucial business developments, such as changes to a proposed contract
or other urgent matters. Don't such important purposes call for secure
message platforms?

Alcohol labels and advertising rules aren't voluntary. Would IT 
vendors like to have legislators do the same for them?

Report your pink elephant sightings to peter_coffeeat_private




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
of the mail.

Next message: InfoSec News: "[ISN] Come on, own up: IT managers leave firewalls open for hackers"
Previous message: InfoSec News: "[ISN] MS vs. open source: Security's the same"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Mar 28 2002 - 01:52:14 PST