That is an excellent story. I read it yesterday. I particularly enjoyed the line: "Encrypting transactions on the Internet, the Purdue computer scientist Eugene Spafford has remarked, 'is the equivalent of arranging an armored car to deliver credit-card information from someone living in a cardboard box to someone living on a park bench.'"

I liked the story because it talks about how some security measures can give an extremely false sense of security. It also makes the point of how strong crypto isn't a solution for security as it can be easily circumnavigated if you have access to either end-point of a crypto-tunnel.

It also was clear that technology is not always the solution for security. The single largest weakness in any security system is the people using the system. Laziness and ignorance are perhaps among the most valuable tools hackers and terrorists have.

The article made me think of one of the more laughable security products on the market - personal firewalls (particularly ZoneAlarm) - which give people this warm feeling that their PCs are all nice and safe. But if you watch people using a computer with Zone or Tiny installed, they will mindlessly punch the "Yes" button when it asks them "Can this application communicate with the network?" Basically, the software does nothing but nag people and make them feel more secure (I like to call it "nagware"). Very few users have the knowledge to really analyze what that product is saying to them, hence they allow everything through. Which defeats the entire point of the technology and in a sense makes them LESS secure.

Anyways, interesting article. A good read for all security folks.
------------------------------------------------------------
Andrew Plato, CISSP
President / Principal Consultant
Anitian Corporation
www.anitian.com
------------------------------------------------------------

-----Original Message-----
From: Shaun Savage [mailto:savagesat_private]
Sent: Tue 8/13/2002 5:04 AM
To: CRIME
Cc:
Subject: CRIME A good paper on "insecurity"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I just read the paper. It showed how brittle the security is in the nation.

http://www.theatlantic.com/issues/2002/09/mann.htm

Shaun

- --
savagesat_private
GPG = B527 8F72 BAFA D490 6B30 6885 9FA2 34E8 EA73 F975
Public key at http://www.savages.net/gpg/savages
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - savagesat_private

iD8DBQE9WPXbn6I06Opz+XURAsZSAJ43kzGABYPLZ0c0KMcWsLA/RsMWngCgtg1a
sL20dSpHGOCsTvMzH4j2XBo=
=ia5/
-----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Tue Aug 13 2002 - 11:18:03 PDT