OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
NFR Wizards Archive: Re: Executives liable for computer crime?

Re: Executives liable for computer crime? (update)

Rick Smith (rick_smithsecurecomputing.com)
Thu, 27 Aug 1998 14:55:11 -0500

At 08:16 PM 8/25/98 -0700, Wood, Tom D wrote:

>IMHO, the salient point that the author has attempted to make with this
>paper is this...
>"If your network has been plundered and then used to plunder your neighbor's
>network, and all your depending on for security is static re-usable
>passwords (especially for dial-in services), in the eyes of the Fed's your
>toast!"

I applaud the author's attempt to encourage stronger authentication. The
more we all use it, the easier it'll become to use. Second, let me note
that Secure Computing manufactures SafeWord, so my attitude is somewhat
biased.

Now I'm not a lawyer, but I doubt anyone's going to be hauled into court
for negligence until one of two things happen: 1) one time passwords are
built into commercial platforms and application systems, and/or 2)
industries publish standards that mandate one time passwords in specific
critical applications. They'll be negligent if they intentionally bypass a
security mechanism or if they violate an accepted standard of behavior. I
don't think the legal climate for one time passwords has reached this
point. Others, including colleagues here at Secure Computing, may disagree
with me, so take this as a purely personal opinion.

The banking industry published the X9.9 authentication standards many years
ago, but their use is optional. Citibank started using SafeWord after their
little problem a few years back with overseas money transfers. Usually it
takes a visible victim or two before people start taking steps to be more
careful.

Rick.
smithsecurecomputing.com

This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:40 CDT