I wrote:
>> I think this hits the nail squarely on the head. If the data owner believes
>> that attackers have the means and motive to intercept their traffic as it
>> traverses public telecom networks, then additional security is warranted.
>> If the data owner doesn't believe the attackers' benefits will outweigh
>> their costs, then encryption is unnecessary.

At 3:21 PM -0600 4/22/98, Henry Hertz Hobbit wrote:
>I have news for you. The public telecom networks are *not* all that
>secure. .... I would
>advise you that telcos are far more vulnerable than you want to
>believe.

I would advise you that Kevin Mitnick was accused of playing these games over 15 years ago and that the technology has simply improved over the years. The fact that outsiders can manipulate phone switch behavior makes it just about as vulnerable as anyone might want to believe.

To repeat my original point -- figure out what you have to lose if someone interferes with your data. Figure out how difficult and reliable the defense measures are. Make the trade-off. Lots of people are going to look for security measures, but some folks aren't.

>.... Any system you consider for longer distances would be
>best if it had time-based passwords. Please, let's not get into
>a discussion of the hacker stealing the password generating
>algorithm.

If the long distance link is encrypted with a strong algorithm and key, then reusable passwords aren't quite as risky. If the link isn't encrypted, then neither a time-based password nor a challenge-response system like SafeWord is going to protect you from hijacking, unless you reauthenticate for each transaction. Some really paranoid SafeWord customers do that, like a certain bank that got burned for several hundred thousand a few years back. Hijacking is a risk if you've got hackers in the phone switch.

Rick.
smithat_private
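The difference between authenticating once at login and reauthenticating each transaction over an unencrypted link, as an added example that is not part of the original message. The `Host` class, the `respond` function and the use of HMAC-SHA256 are assumptions made for illustration and do not represent SafeWord's algorithm; the transaction string is constructed.

```python
import hashlib
import hmac
import secrets

def respond(key: bytes, challenge: str, message: str = "") -> str:
    """Token side (hypothetical): MAC over the host's challenge and the message."""
    data = f"{challenge}|{message}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class Host:
    def __init__(self, key: bytes, per_transaction: bool):
        self.key = key
        self.per_transaction = per_transaction
        self.logged_in = False
        self.challenge = None

    def new_challenge(self) -> str:
        self.challenge = secrets.token_hex(8)
        return self.challenge

    def _check(self, message: str, response: str) -> bool:
        # Each challenge is single-use, so a captured response cannot be replayed.
        challenge, self.challenge = self.challenge, None
        if challenge is None:
            return False
        expected = respond(self.key, challenge, message)
        return hmac.compare_digest(expected.encode(), response.encode())

    def login(self, response: str) -> bool:
        self.logged_in = self._check("", response)
        return self.logged_in

    def transact(self, message: str, response: str = "") -> bool:
        if not self.logged_in:
            return False
        if not self.per_transaction:
            return True  # login-only: whatever arrives on the line is trusted
        return self._check(message, response)

def hijack_succeeds(per_transaction: bool) -> bool:
    """Legitimate user logs in, then someone else takes over the cleartext line."""
    key = secrets.token_bytes(32)  # shared by the user's token and the host
    host = Host(key, per_transaction)
    assert host.login(respond(key, host.new_challenge()))
    forged = "PAY 250000 TO ACCT 999"  # constructed sample transaction
    challenge = host.new_challenge()   # visible on the line; the key is not
    return host.transact(forged, respond(b"wrong-key", challenge, forged))
```

Binding the transaction text into the response also means a response captured for one transaction cannot be attached to a different one.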