The future of security

Anne & Lynn Wheeler lynn at garlic.com
Wed May 26 11:51:01 EDT 2004


At 09:36 AM 5/11/2004, Steven M. Bellovin wrote:
>In message <409ACFC7.6050407 at systemics.com>, Ian Grigg writes:
> > Security architects
> >will continue to do most of their work with
> >little or no crypto.
>
>And rightly so, since most security problems have nothing to do with
>the absence of crypto.
> >
> >j.  a cryptographic solution for spam and
> >viruses won't be found.
>
>This ties into the same thing:  spam is *unwanted* email, but it's not
>*unauthorized*.  Crypto can help with the latter, but only if you can
>define who is in the authorized set of senders.  That's not feasible
>for most people.

one of the issues has been that many crypto security solutions have been 
oriented towards hiding information. that may work with outsiders ... but 
traditionally, 90 percent of fraud has been insiders ... and recent news 
last friday about a study to be published was that interviewing something 
like 1000 people involved in identity theft cases ... it was determined 
that at least 70 percent had some sort of employee involvement.

in that sense ... the internet and introduction of the possibility of 
outsider related fraud ... has distracted/obfuscated focus from the real, 
long standing issues.

my repeated observation is that the current generation of desktop systems were 
originally introduced to operate in a standalone environment where 
applications could be introduced that freely took over the whole machine. 
attempting to continue to satisfy the standalone ... total take-over 
requirements at the same time using the same platform for generalized 
interconnect to an increasingly hostile environment creates some 
diametrically opposing objectives.

there have been some number of time-sharing systems from the 60s & 70s that 
were designed from the ground up to handle multiple, concurrent users that 
potentially had conflicting, competitive, and/or opposing objectives (say 
multiple users from competing corporations and industrial secrets might be 
involved). these systems, with security designed in from the ground up, have 
been shown to be immune to many of the current day vulnerabilities and exploits. 
to some extent, there could be valid claims about attempts to use 
cryptography as bandaids to address fundamentally flawed infrastructures 
(or at least infrastructures that were specifically designed to not handle 
many of the existing situations that they have been used for) ... aka let's 
use bandaids to treat strep infections.



--
Anne & Lynn Wheeler    http://www.garlic.com/~lynn/ 

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


