[iwar] [fc:The.myth.of.cybersecurity]

From: Fred Cohen (fc@all.net)
Date: 2002-08-14 13:30:47



The myth of cybersecurity
By Ray Ozzie
August 14, 2002, 4:00 AM PT

In late July at a technology conference in the nation's capital,
President Bush's top cybersecurity adviser, Richard Clarke, said the
technology industry was acting irresponsibly in selling computer network
devices that remain remarkably easy to attack. 

"It is irresponsible to sell a product in a way that can be so easily
misused by a customer in a way that jeopardizes their confidential and
proprietary and sensitive information," Clarke said. 

In fact, it's the industry's "dirty little secret": If you use your
company's networks or the Internet, your daily online communication
activity--from sending and receiving e-mail and instant messages to
using the Web--can be, and in all likelihood is, trivially monitored by
others. 

Toward what end? Think about it. 

When I was a boy, my friends and I would occasionally play tricks on
girls in our neighborhood, quietly sneaking over to their homes, opening
Ma Bell's little gray box mounted on the side of their parents' home and
tapping into their nightly gabfests with a telephone that we'd brought
over.  Just mischievous kid stuff?

Dream on. 

Industry pundits found it quite unsettling at a conference recently
when, without permission, Web images being received by their wirelessly
connected laptops were grabbed "off the air" and displayed onstage,
live.  It also works for wired networks: Programmers have been building
"sniffers" such as Dsniff and EtherPEG for years, for law enforcement,
amusement and profit. 

Your company's network administrators can watch anything you do that
flies by on their wires.  So can the people who keep the servers and
routers running all night long at your Internet service provider. 

But they wouldn't do that, would they?

People are always the weakest link.  In order to protect you, corporate
information technology administrators are hard at work solidifying the
"great firewall" around your organization--keeping the outside out, and
the inside in.  But at the same time, you need to work from home.  And
increasingly, you need to work closely with business partners and
customers, but the IT group won't give them VPN (virtual private
network) access because doing so would expose too much. 

So how do you get your work documents and presentations through the
firewall? Many of us send them home as e-mail attachments.  Or, like
former CIA Director John Deutch, we take them home on memory cards. 

But how safe is the confidential information on our laptops? Once, many
years ago in Paris, I walked into my hotel room and found the
chambermaid moving nervously away from my computer.  "Je jouais le
solitaire (I was playing solitaire)," she said.  Hmm. 

So how did we get ourselves into this situation, and what should we do
about it?

Surely the industry can--and should--take a good share of the blame, as
should the government.  Internet pioneer David Reed recently pointed out
that in the early years, efforts to incorporate end-to-end encryption
into the base standards of the Net were reportedly discouraged for
reasons of national security. 

But "weak encryption" is no longer a reasonable excuse for insecure
systems.  It's clear by now that real security comes not just from
strong crypto, but from recognizing and embracing human strengths,
frailties and common behaviors in building, managing and using complex
systems.  People are always the weakest link. 

The industry also needs to explore new approaches to secure systems. 
Although Public Key Infrastructure (PKI) works within a well-managed
enterprise environment, work relationships now commonly cross enterprise
boundaries into domains of questionable trust.  And third-party
"notaries" don't help much; they introduce significant risk: When
VeriSign was fraudulently duped into issuing Microsoft certificates to
an unknown party in early 2001--with little reported recourse--utopian
visions of "outsourcing identity and trust" crumbled. 

Enterprises need, and must demand, more cellular approaches to trust and
secure information-sharing, such as peer trust, webs of trust and
fine-grained federated trust.  The "Great Wall" approach is outdated,
with the distinction between inside and outside becoming blurred.  We
need alternatives to the firewall and VPN models of protection. 

Someday, some shareholder is going to lose quite a bit of money because
an electronic message was "sniffed" or "spoofed." But there's no need to
wait.  There are practical actions that can be taken immediately and
inexpensively.  For example, Windows XP supports an Encrypting File
System that is very useful for laptops; buy the upgrade, turn it on and
password-protect computers.  Both Microsoft Exchange and Lotus Notes
support enterprise message encryption--if IT departments would simply
use it.  These are just a couple of alternatives. 

We've been through years of asbestos and tobacco liability suits.  Will
liability for IT complacency be next? Someday, some shareholder is going
to lose quite a bit of money because an electronic message was
"sniffed," or "spoofed." Someone's health or financial records are going
to get into the wrong hands.  A design will be compromised; someone will
get hurt. 

And at that point, network television cameras are going to be focused on
a lawyer who's asking a company executive, or a government official,
"Sir, were there reasonable alternatives at the time?"
 
Ray Ozzie is chief executive of Groove Networks and the creator of Lotus
Notes.


------------------
http://all.net/ 




This archive was generated by hypermail 2.1.2 : 2002-10-01 06:44:32 PDT