Secure Internet-based Electronic Commerce: The View from Outside the US
I've just made a draft copy of this paper available for comment as http://www.cs.auckland.ac.nz/~pgut01/paper.htm; a copy of the introduction is given below. The whole thing is around 170K long (40 A4 pages when printed). If anyone has any comments to make on it, please let me know.

Peter.

Introduction
------------

The creation of a global electronic commerce system will provide an extremely powerful magnet for hackers, criminals, disgruntled employees, and hostile (but also "friendly") governments' intelligence agencies. This problem is magnified by the nature of the Internet, which allows attackers to quickly disseminate technical details on performing attacks and software to exploit vulnerabilities. A single skilled attacker willing to share their knowledge can enable hordes of dilettantes around the world to exploit a security hole in an operating system or application software within a matter of hours. The Internet also enables an attacker to perform an attack over long distances with little chance of detection and even less chance of apprehension. The ability to carry this out more or less anonymously, at low cost, and with little chance of being caught, encourages attackers.

Because of well-publicized break-ins there has been a steadily increasing demand for encryption and related security measures to be included in software products. Unfortunately these measures often consist either of "voodoo security" techniques where security is treated as a marketing checkbox only, or are rendered ineffective by the US government's refusal to allow non-Americans access to the same security measures which it allows its own citizens. Organisations employing such (in)security systems may make themselves liable for damages or losses incurred when they are compromised.
This paper covers the issues of using weak, US government-approved security as well as problems with flawed security measures, examines some of the measures necessary to provide an adequate level of security, and then suggests several possible solutions.
pgut001@cs.auckland.ac.nz wrote: draft copy of this paper available for comment as
http://www.cs.auckland.ac.nz/~pgut01/paper.htm, a copy of the introduction is given below. The whole thing is around 170K long (40 A4 pages when printed). If anyone has any comments to make on it, please let me know.
Only 1 comment:
404 Not Found
The requested URL /~pgut001/paper.htm was not found on this server.
Res Ipsa Loquitur
On Tue, 29 Oct 1996, pclow wrote:
pgut001@cs.auckland.ac.nz wrote: draft copy of this paper available for comment as
http://www.cs.auckland.ac.nz/~pgut01/paper.htm, a copy of the introduction is given below. The whole thing is around 170K long (40 A4 pages when printed). If anyone has any comments to make on it, please let me know.
Only 1 comment:
404 Not Found
The requested URL /~pgut001/paper.htm was not found on this server.
Res Ipsa Loquitur
I had no trouble obtaining a copy. It's worth another attempt in my opinion; it's a superb article.
-- apache@quux.apana.org.au, Brisbane AUSTRALIA. Finger me for PGP PUBKEY. http://quux.apana.org.au/~apache/
pgut001@cs.auckland.ac.nz wrote ...
I've just made a draft copy of this paper available for comment as http://www.cs.auckland.ac.nz/~pgut01/paper.htm, a copy of the introduction is given below. The whole thing is around 170K long (40 A4 pages when printed). If anyone has any comments to make on it, please let me know.
Peter.
1) "...the number of security problems inherent in SMTP are legendary"

Incorrect. SMTP is safe. Some (most?) implementations of SMTP have not been safe. There is a big distinction between the protocol and its implementation.

2) "C2...now being applied to networked single-user systems over multiple windows (which may require different security levels)"

I'm not aware of anyone doing that - doesn't mean it's not happening - just seems an unusual configuration.

Other than these nits it seems a v. thoroughly researched paper.
Introduction
------------
[...]
Because of well-publicized break-ins there has been a steadily increasing demand for encryption and related security measures to be included in software products. Unfortunately these measures often consist either of "voodoo security" techniques where security is treated as a marketing checkbox only, or are rendered ineffective by the US government's refusal to allow non-Americans access to the same security measures which it allows its own citizens. Organisations employing such (in)security systems may make themselves liable for damages or losses incurred when they are compromised.

This paper covers the issues of using weak, US government-approved security as well as problems with flawed security measures, examines some of the measures necessary to provide an adequate level of security, and then suggests several possible solutions.
In general you equate security with cryptography - which is fine - but there are other tools that you need to use in addition to cryptography to secure a system and network.
-- Nicolas Hammond, NJH Security Consulting, Inc., njhm@njh.com, 211 East Wesley Road, Atlanta GA 30305-3774. 404 262 1633, 404 812 1984 (Fax)