Information Security News mailing list archives

Re: they should have used crypto...


From: mea culpa <jericho () DIMENSIONAL COM>
Date: Mon, 6 Dec 1999 11:10:05 -0700

From: Dan Schrader <Dan_Schrader () trendmicro com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Steven M. Bellovin wrote:

Naturally, those of us on this list advocate routine use of cryptography.
But cases where cryptography or the lack thereof is demonstrably
commercially significant are rare.  A new one has just come to light.

Actually, routine use of cryptography will result in huge security problems.

Why?  Because the best place to stop computer viruses, trojans and other
malicious code is at the email server - and you can't scan encrypted mail.

As the poster wrote, "cases where cryptography or the lack thereof is
demonstrably commercially significant are rare."  True.  However cases of
computer viruses being commercially significant are common.  Computer
Economics Institute found that viruses caused over $7.6 billion in damages
in the first 6 months of this year alone - an order of magnitude more than
all other security exploits combined.

But viruses aren't really a security issue . . . Wrong, viruses such as
Melissa variants take documents off your computer and email them to dozens
or hundreds of people.  Viruses such as Pretty Park take passwords off your
machine and post them to IRC sites.  And we all remember BO2K, NetBus, etc.

What about desktop virus protection?
1.  It has demonstrably failed - see damages mentioned above
2.  It relies on end user compliance
3.  We never will be able to update 100's of millions of desktops fast
enough to stop the next Melissa virus.

Finally, ISPs such as US West and Sprint have started adding virus protection
as part of their internet access offerings - which will be a very effective
way to contain virus outbreaks - but only if email is not routinely
encrypted.

Lesson:  - Encrypt selectively

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.0.2 for non-commercial use <http://www.pgp.com>

iQA/AwUBOEQrZJpIgtrcTNAvEQJQXwCgxmMOL6Jgt+7dD+9GriApguHrZXgAn1MX
VmUtd+9k7CMzIuIWRHYqDUU5
=nGuO
-----END PGP SIGNATURE-----

ISN is sponsored by Security-Focus.COM
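
Added example, not part of the original post or of any vendor's product: a sketch of the gateway-side triage the post is arguing about, showing which MIME parts a server-side scanner can still read (clear-signed mail, like the message above) and which are opaque to it (PGP/MIME, inline PGP, S/MIME enveloped data). The names `opaque_reason` and `triage` and all sample messages are constructed for illustration.

```python
import email
from email import policy

ARMOR = b"-----BEGIN PGP MESSAGE-----"
SMIME = ("application/pkcs7-mime", "application/x-pkcs7-mime")

def opaque_reason(part):
    """Why a server-side scanner cannot inspect this MIME part, else None."""
    ctype = part.get_content_type()
    if ctype == "multipart/encrypted":
        return "PGP/MIME encrypted"
    if ctype in SMIME:
        # signed-data can be read without a key; a missing smime-type is
        # treated as enveloped-data (conservative assumption of this sketch)
        kind = str(part.get_param("smime-type", "enveloped-data")).lower()
        return "S/MIME enveloped-data" if kind == "enveloped-data" else None
    if part.get_content_maintype() == "text":
        body = part.get_payload(decode=True) or b""
        if ARMOR in body:
            return "inline PGP message"
    return None

def triage(raw):
    """Return ('scannable', []) or ('opaque', [reasons]) for raw message bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = [r for r in map(opaque_reason, msg.walk()) if r]
    return ("opaque", reasons) if reasons else ("scannable", [])

# Constructed sample messages; bodies are placeholders, not real ciphertext.
HDR = b"From: a@example.org\nTo: b@example.org\nSubject: test\n"
SAMPLES = {
    "clearsigned": HDR + b"Content-Type: text/plain\n\n"
        b"-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\nhello\n"
        b"-----BEGIN PGP SIGNATURE-----\n(placeholder)\n-----END PGP SIGNATURE-----\n",
    "inline_pgp": HDR + b"Content-Type: text/plain\n\n"
        b"-----BEGIN PGP MESSAGE-----\n(placeholder)\n-----END PGP MESSAGE-----\n",
    "pgp_mime": HDR + b'Content-Type: multipart/encrypted; boundary="b1";\n'
        b' protocol="application/pgp-encrypted"\n\n'
        b"--b1\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n"
        b"--b1\nContent-Type: application/octet-stream\n\n"
        b"-----BEGIN PGP MESSAGE-----\n(placeholder)\n--b1--\n",
    "smime": HDR + b"Content-Type: application/pkcs7-mime;"
        b" smime-type=enveloped-data\nContent-Transfer-Encoding: base64\n\nAAAA\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

A gateway would pass "scannable" mail to its content scanner and apply a separate policy (quarantine, tag, or deliver for endpoint scanning) to "opaque" mail.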

