NYT Markoff Article and one person's response

[Dr. Frederick B. Cohen]

I sent the following letter to the editor of the NYT expressing my
personal view of the article.  Perhaps others on this list should send
letters expressing their viewpoints as well.

Dear Sir/Madam:

	I have been reading, with great interest, the responses from
security experts all over the Internet to John Markoff's October 11
article titled "Discovery of Internet Flaws Is Setback for On-Line
Trade", and I thought your readers might like to know what real experts
in the field think about Mr.  Markoff's article. 

	While the most recent announcement by Professor Brewer was
generally taken as a positive step from American academia in catching up
to the rest of the information security world, it is hardly a
breakthrough, or even a novelty. 

	To get a perspective on this, an average of about 10 new
vulnerabilities of this magnitude or larger are discussed on Internet
forums every month.  The "CERT" team at Carnegie-Mellon University
has published more than 10 similar types of attacks so far this year,
the Internet forum "8lgm" publishes an average of more than one per
month, the "BugTraq" Internet forum tracks and shows fixes for about
two similar holes per month, and the "cypherpunks" forum uncovers
several holes in cryptographic and other systems each month.

	The idea portrayed by Mr.  Markoff that businesses rushing to
the Internet are largely unaware of these risks is also quite naive.  A
recent Computer Security Institute study showed that one in every five
enterprises has reported suffering an Internet security incident.  Most
experts believe the reality is much worse and that many who responded
"no" either refuse to admit it or simply don't know.  Over 50 percent of
companies connected to the Internet provide high-risk features such as
FTP and WWW to all employees, and 39 percent have no firewall to limit
attacks from the Internet.  According to several published papers, about
10 times as many attempted attacks are detected when firewalls are in
place than are detected when they are not in place. 

	Since the Internet was first introduced, many of the American
Universities that have been so active in developing information
technology have essentially ignored the security issues.  Their
ignorance of these issues has produced literally hundreds of protocols
that are now in use by millions of computers from all over the globe and
which, because of their insecure designs, are inherently difficult to
secure. 

	Thousands of individuals from all over the world have spent
their spare time, often on nights and weekends, helping other people by
developing and freely distributing new security technologies.  They have
been finding security problems and solving them for many years, most
often without recognition or renumeration.  They have been trying to
tell the people developing these protocols about protection problems and
have been widely ignored, with a few notable exceptions, by the American
Universities. 

	I personally think that it is a travesty that a relatively minor
contribution by a few people at Berkeley gets front page headlines while
the ongoing contributions of thousands of volunteers goes largely
unrecognized.  If you want the real story about electronic commerce and
security issues on the Internet, listen to the people who are doing the
work every day. 

-- 
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236