NYT Markoff Article and one person's response
I sent the following letter to the editor of the NYT expressing my personal view of the article. Perhaps others on this list should send letters expressing their viewpoints as well.

Dear Sir/Madam:

I have been reading, with great interest, the responses from security experts all over the Internet to John Markoff's October 11 article titled "Discovery of Internet Flaws Is Setback for On-Line Trade", and I thought your readers might like to know what real experts in the field think about Mr. Markoff's article.

While the most recent announcement by Professor Brewer was generally taken as a positive step from American academia in catching up to the rest of the information security world, it is hardly a breakthrough, or even a novelty. To get a perspective on this, an average of about 10 new vulnerabilities of this magnitude or larger are discussed on Internet forums every month. The "CERT" team at Carnegie-Mellon University has published more than 10 similar types of attacks so far this year, the Internet forum "8lgm" publishes an average of more than one per month, the "BugTraq" Internet forum tracks and shows fixes for about two similar holes per month, and the "cypherpunks" forum uncovers several holes in cryptographic and other systems each month.

The idea portrayed by Mr. Markoff that businesses rushing to the Internet are largely unaware of these risks is also quite naive. A recent Computer Security Institute study showed that one in every five enterprises has reported suffering an Internet security incident. Most experts believe the reality is much worse and that many who responded "no" either refuse to admit it or simply don't know. Over 50 percent of companies connected to the Internet provide high-risk features such as FTP and WWW to all employees, and 39 percent have no firewall to limit attacks from the Internet. According to several published papers, about 10 times as many attempted attacks are detected when firewalls are in place than are detected when they are not in place.

Since the Internet was first introduced, many of the American Universities that have been so active in developing information technology have essentially ignored the security issues. Their ignorance of these issues has produced literally hundreds of protocols that are now in use by millions of computers from all over the globe and which, because of their insecure designs, are inherently difficult to secure.

Thousands of individuals from all over the world have spent their spare time, often on nights and weekends, helping other people by developing and freely distributing new security technologies. They have been finding security problems and solving them for many years, most often without recognition or remuneration. They have been trying to tell the people developing these protocols about protection problems and have been widely ignored, with a few notable exceptions, by the American Universities.

I personally think that it is a travesty that a relatively minor contribution by a few people at Berkeley gets front page headlines while the ongoing contributions of thousands of volunteers go largely unrecognized. If you want the real story about electronic commerce and security issues on the Internet, listen to the people who are doing the work every day.

--
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
Participants (1): fc@all.net