Re: [ISN] they should have used crypto...
From: mea culpa (jerichoDIMENSIONAL.COM)
Date: Mon Dec 06 1999 - 12:10:05 CST
From: Dan Schrader <Dan_Schradertrendmicro.com>
Steven M. Bellovin wrote:
>Naturally, those of us on this list advocate routine use of cryptography.
>cases where cryptography or the lack thereof is demonstrably
>commercially significant are rare. A new one has just come to light.
Actually, routine use of cryptography will result in huge security problems.
Why? Because the best place to stop computer viruses, trojans and other
malicious code is at the email server - and you can't scan encrypted mail.
As the poster wrote, "cases where cryptography or the lack thereof is
demonstrably commercially significant are rare." True. However, cases of
computer viruses being commercially significant are common. Computer
Economics Institute found that viruses caused over $7.6 billion in damages
in the first 6 months of this year alone - an order of magnitude more than
all other security exploits combined.
But viruses aren't really a security issue . . . Wrong, viruses such as
Melissa variants take documents off your computer and email them to dozens
or hundreds of people. Viruses such as Pretty Park take passwords off your
machine and post them to IRC sites. And we all remember BO2K, NetBus, etc.
What about desktop virus protection?
1. It has demonstrably failed - see damages mentioned above
2. It relies on end user compliance
3. We never will be able to update 100's of millions of desktops fast
enough to stop the next Melissa virus.
Finally, ISPs such as US West and Sprint have started adding virus protection
as part of their internet access offerings - which will be a very effective
way to contain virus outbreaks - but only if email is not routinely
Lesson: - Encrypt selectively
ISN is sponsored by Security-Focus.COM
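
The scanning gap discussed in the message above, as an added example that is not part of the original post: a mail-gateway check that sorts MIME parts into those a server-side scanner can read and those it cannot (PGP/MIME, enveloped S/MIME, inline PGP armor). The sample messages are constructed, and the function names and action labels are hypothetical.

```python
import email
from email import policy

# Armor header of an encrypted PGP block. Clear-signed mail uses a different
# header ("BEGIN PGP SIGNED MESSAGE") and its body stays readable.
PGP_ARMOR = "-----BEGIN PGP MESSAGE-----"
SMIME = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

def classify_parts(part, scannable, opaque):
    """Sort MIME parts into those a gateway scanner can read and those it cannot."""
    ctype = part.get_content_type()
    if ctype == "multipart/encrypted":        # PGP/MIME (RFC 3156): do not descend
        opaque.append(ctype)
    elif ctype in SMIME and part.get_param("smime-type") != "signed-data":
        opaque.append(ctype)                  # enveloped (encrypted) S/MIME
    elif part.is_multipart():
        for child in part.iter_parts():
            classify_parts(child, scannable, opaque)
    elif part.get_content_maintype() == "text" and PGP_ARMOR in part.get_content():
        opaque.append(ctype + " (inline PGP)")
    else:
        scannable.append(ctype)

def gateway_verdict(raw):
    """Return the part lists plus a (hypothetical) routing action for one message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    scannable, opaque = [], []
    classify_parts(msg, scannable, opaque)
    action = "hold-for-endpoint-scan" if opaque else "scan-and-deliver"
    return {"scannable": scannable, "opaque": opaque, "action": action}

# Constructed sample messages (placeholders stand in for real ciphertext).
CLEARSIGNED = (b"From: a@example.test\r\nContent-Type: text/plain\r\n\r\n"
               b"-----BEGIN PGP SIGNED MESSAGE-----\r\nhello\r\n")
PGP_MIME = (b"From: a@example.test\r\n"
            b'Content-Type: multipart/encrypted; boundary="b";'
            b' protocol="application/pgp-encrypted"\r\n\r\n'
            b"--b\r\nContent-Type: application/pgp-encrypted\r\n\r\nVersion: 1\r\n"
            b"--b\r\nContent-Type: application/octet-stream\r\n\r\n"
            b"(ciphertext placeholder)\r\n--b--\r\n")
MIXED = (b'Content-Type: multipart/mixed; boundary="m"\r\n\r\n'
         b"--m\r\nContent-Type: text/plain\r\n\r\nsee below\r\n"
         b"--m\r\nContent-Type: text/plain\r\n\r\n"
         b"-----BEGIN PGP MESSAGE-----\r\n(placeholder)\r\n--m--\r\n")

if __name__ == "__main__":
    for name, raw in [("clearsigned", CLEARSIGNED), ("pgp-mime", PGP_MIME), ("mixed", MIXED)]:
        print(name, gateway_verdict(raw))
```

A clear-signed message stays scannable, while a single encrypted part is enough to make the gateway's verdict on the whole message incomplete.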