From: "Leo, Ross" <Ross.Leo@csoconline.com>
To: "'iwar@yahoogroups.com'" <iwar@yahoogroups.com>
Date: Tue, 23 Oct 2001 11:14:59 -0500
Subject: RE: [iwar] [fc:Security.Not.in.the.Cards]

These gentlemen may or may not realize it (and would likely dismiss it
even if they did realize it) but they are speaking of the very type of mechanism that would be an enabler for a government to establish the "Big Brother" of Orwellian creation. They see these methods they are proposing as ways to make Americans more secure. And though I do not have a full transcript of their comments, surely they must realize that the ways and means they propose can be just as easily defeated by a clever boots as the current systems are today by a similarly clever boots.

Their indignant outrage at the attacks on America is certainly echoed by many (me included), and their proposals would be supported by many in the hot flash aftermath of the heinous deed. However... (and I am confident I am repeating others here) the trading away of liberties in the short term for the sake of (perceived) improved security and safety at home is dangerously naive. Such liberties, once gone, are gone pretty much for good, and usually cannot be reclaimed without some form of fierce struggle. Not something I think most Americans would care for on either the front end (the initial loss) or back end (the struggle to reclaim).

In order for such a system to work, one would have to invest billions of $$ in Oracle installed on Sun platforms running RedHat Linux (or better still, the NSA's version called SELinux). Then the government's person checking agencies (DSS, DoD, INS, Treasury, FBI et al) would have to do full background checks on literally everyone in the USA (meaning the borders get closed until we catch up) to ensure complete validation of identity and trustability. Other countries would have to do likewise, or at least supply the same quality of information to the US to perform this - to fail to do this means the person coming in...doesn't, and is refused entry at the border. All such validated persons would then carry a government issued ID card, and this would serve as true verification of personhood.

Right (don't forget...this is the planet Earth).

Everything I described can be faked, and is today. This practice of fraudulent identity creation is a virtual science and a very big business in Nigeria today, and elsewhere. It goes on to no small degree in the US. Our identity-verification agencies have amazingly huge gaps in their processes, big enough for a 767 to fly through. Our Intelligence Community has been emasculated and dismantled over the recent decades. In other words - except for the promise of a big database system and the hardware to run it, the mechanisms don't exist to do this. Nor will they in the near future - too much rebuilding and paradigm shifting needed before that happens. The profession of identity fakery will not go away either - it will simply become more creative and more insidious.

Mr. Ellison and Mr. McNealy should focus on their companies, their families, and the quality and safety of the lives entrusted to them as corporate and family leaders. They are not the saviours of America and their proposed methods for helping out will not solve anything we want solved. It would also do for them to remember that they are not experts in security or intelligence, and they should leave these to the professionals.

Ross A. Leo, CISSP, CBCP

-----Original Message-----
From: Fred Cohen [mailto:fc@all.net]
Sent: Tuesday, October 23, 2001 10:23
To: iwar@onelist.com
Subject: [iwar] [fc:Security.Not.in.the.Cards]

Security Not in the Cards
By Peter Coffee, Eweek, 10/23/2001
http://www.eweek.com/print_article/0,3668,a%253D16936,00.asp

If your only tool is a hammer, it's often said, all problems look like nails. What, then, does the world look like to someone who owns a hammer factory?

Oracle's Larry Ellison and Sun's Scott McNealy each propose to define terrorist threats in terms of nails that their products can pound down. "We need a national ID card with our photograph and thumbprint," said Ellison on Sept.
22 -- adding (no surprise here), "We need a database behind that." He's offered to donate the software. I don't accuse him of profiteering; I'm sure he's quite sincere. But wrong.

Sun's McNealy also wants a national identity system, though his vision is (still less surprising) based on the distributed intelligence of smart devices using Java to execute authentication algorithms. "If you get on a plane," McNealy said on Oct. 11, "I want to know who you are."

Does McNealy see the contradiction between his position on ID cards and his position on executable Internet content? He disparages Microsoft's case for cryptographically signed ActiveX controls, but Microsoft's position equates to McNealy's and Ellison's contention that identification is safety. Both are wrong.

Digital signatures for downloaded code tell you only, after the fact, whom you can sue for the damage that was done when the code turns out to be malignant -- like finding a passport in the rubble. Java proponents have always praised its far more finely grained approach of granting only specific privileges: If you want to tell a Java program that it's allowed to open only files whose names begin with "Q" and only if there's an "r" in the name of the current month, you can enforce that policy.

Security isn't a matter of what you allow to get in. It's a matter of what you allow to happen and how you arrange to detect and report attempts to circumvent those limits.

National ID cards for people, like perimeter security for IT installations, are not a defense in depth -- but they consume resources without providing the more genuine security that we should be achieving by other means.

Tell me what makes you feel secure at peter_coffee@ziffdavis.com.

------------------
http://all.net/

Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:56 PST