RE: [iwar] [fc:Security.Not.in.the.Cards]

From: Leo, Ross (Ross.Leo@csoconline.com)
Date: 2001-10-23 09:14:59



These gentlemen may or may not realize it (and would likely dismiss it even
if they did realize it) but they are speaking of the very type of mechanism
that would be an enabler for a government to establish the "Big Brother" of
Orwellian creation.  They see these methods they are proposing as ways to
make Americans more secure.  And though I do not have a full transcript of
their comments, surely they must realize that the ways and means they
propose can be just as easily defeated by a clever boots as the current
systems are today by a similarly clever boots.

Their indignant outrage at the attacks on America is certainly echoed by
many (me included), and their proposals would be supported by many in the
hot flash aftermath of the heinous deed.  However... (and I am confident I
am repeating others here) the trading away of liberties in the short term
for the sake of (perceived) improved security and safety at home is
dangerously naive.  Such liberties, once gone, are gone pretty much for
good, and usually cannot be reclaimed without some form of fierce struggle.
Not something I think most Americans would care for on either the front end
(the initial loss) or back end (the struggle to reclaim).

In order for such a system to work, one would have to invest billions of $$
in Oracle installed on Sun platforms running RedHat Linux (or better still,
the NSA's version called SELinux).  Then the government's person checking
agencies (DSS, DoD, INS, Treasury, FBI et al) would have to do full
background checks on literally everyone in the USA (meaning the borders get
closed until we catch up) to ensure complete validation of identity and
trustability.  Other countries would have to do likewise, or at least supply
the same quality of information to the US to perform this - to fail to do
this means the person coming in...doesn't, and is refused entry at the
border.  All such validated persons would then carry a government issued ID
card, and this would serve as true verification of personhood.

Right (don't forget...this is the planet Earth).

Everything I described can be faked, and is today.  This practice of
fraudulent identity creation is a virtual science and a very big business in
Nigeria today, and elsewhere.  It goes on to no small degree in the US.  Our
identity-verification agencies have amazingly huge gaps in their processes,
big enough for a 767 to fly through.  Our Intelligence Community has been
emasculated and dismantled over the recent decades.   In other words -
except for the promise of a big database system and the hardware to run it,
the mechanisms don't exist to do this.  Nor will they in the near future -
too much rebuilding and paradigm shifting needed before that happens.  The
profession of identity fakery will not go away either - it will simply
become more creative and more insidious.

Mr. Ellison and Mr. McNealy should focus on their companies, their families,
and the quality and safety of the lives entrusted to them as corporate and
family leaders.  They are not the saviours of America and their proposed
methods for helping out will not solve anything we want solved.  It would
also do for them to remember that they are not experts in security or
intelligence, and they should leave these to the professionals.


Ross A. Leo, CISSP, CBCP





-----Original Message-----
From: Fred Cohen [mailto:fc@all.net]
Sent: Tuesday, October 23, 2001 10:23
To: iwar@onelist.com
Subject: [iwar] [fc:Security.Not.in.the.Cards]


Security Not in the Cards

By Peter Coffee, Eweek, 10/23/2001
http://www.eweek.com/print_article/0,3668,a%253D16936,00.asp

If your only tool is a hammer, it's often said, all problems look like
nails.  What, then, does the world look like to someone who owns a
hammer factory?

Oracle's Larry Ellison and Sun's Scott McNealy each propose to define
terrorist threats in terms of nails that their products can pound down. 
"We need a national ID card with our photograph and thumbprint," said
Ellison on Sept. 22 - adding (no surprise here), "We need a database
behind that." He's offered to donate the software.  I don't accuse him
of profiteering; I'm sure he's quite sincere.  But wrong. 

Sun's McNealy also wants a national identity system, though his vision
is (still less surprising) based on the distributed intelligence of
smart devices using Java to execute authentication algorithms.  "If you
get on a plane," McNealy said on Oct.  11, "I want to know who you are."

Does McNealy see the contradiction between his position on ID cards and
his position on executable Internet content? He disparages Microsoft's
case for cryptographically signed ActiveX controls, but Microsoft's
position equates to McNealy's and Ellison's contention that
identification is safety.  Both are wrong. 

Digital signatures for downloaded code tell you only, after the fact,
whom you can sue for the damage that was done when the code turns out to
be malignant - like finding a passport in the rubble.

Java proponents have always praised its far more finely grained approach
of granting only specific privileges: If you want to tell a Java program
that it's allowed to open only files whose names begin with "Q" and only
if there's an "r" in the name of the current month, you can enforce that
policy. 

Security isn't a matter of what you allow to get in.  It's a matter of
what you allow to happen and how you arrange to detect and report
attempts to circumvent those limits. 

National ID cards for people, like perimeter security for IT
installations, are not a defense in depth - but they consume resources
without providing the more genuine security that we should be achieving
by other means. 

Tell me what makes you feel secure at peter_coffee@ziffdavis.com. 


------------------
http://all.net/ 

Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/ 





This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:56 PST