Educause Security Discussion mailing list archives
Re: New Internet for Security
From: Dennis Meharchand <dennis () VALTX COM>
Date: Sun, 15 Feb 2009 20:48:15 -0500
Disclosure - Vendor Response - Valt.X is making the S Chip and related products (Ultra Security Cards and Secure Drives) to secure the boot drive of computers with absolute certainty.

Well put John. A few years back I stood at the back of the room of a Chicago Hotel with Microsoft Chief Security Officer speaking and concluded - if they ever solved the security problem the gravy train of new OS releases would stop so they never will!!

The top 3 Anti Virus companies own 85% of the market - Anti Virus/Spyware products one can conclude are products not fit for the purpose created - and there is likely a massive lawsuit waiting in the wings against the people that sell this C R A P.

With our small startup finally getting funded we will ship our Desktop/Server Ultra Security PCI/PCI-e cards, Digital Secure Drives and Hybrid Secure Drives to be in stores by 1st July 2009. The PC Design teams of some top 10 PC manufacturers are in to discuss implementing the Valt.X S Chip in computers this year. The problem we solve is that the boot drives of computers are protected from all attacks with absolute certainty - this is how endpoint computers are infected and we solve the problem. I am absolutely certain every time I start up my computer that my boot drive has not been compromised at all.

The Spam Email problem is also easy to solve - if all goes well I'll release the solution to Spam likely early next year. The Data Theft problem is harder - but our solution of not allowing endpoint computers to be infected goes a long way in solving the "outside thief" problem. It's the "inside thief" that concerns me and that's NOT an internet problem.

Dennis Meharchand
CEO, Valt.X Technologies Inc.
Tel: 1-800-361-0067, 416-746-6669
Fax: 416-746-2774
Email: dennis () valtx com
Web: www.valtx.com

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John Bambenek
Sent: February 15, 2009 2:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [Possible Spam] Re: [SECURITY] New Internet for Security

I'm not sure why this topic keeps coming up... the problems we face are not technical in nature and by extension cannot be solved with technical solutions.

It is consistently mentioned that a patchwork of global laws hinders our ability to prosecute criminals. Sure, this is true. But that's a feature of globalization. A global marketplace requires a global body to set the rules of engagement and no one wants to go there. We want all the benefits of globalization but none of the "consequences" and the internet is just one manifestation of this ongoing problem. (And mind you, I fall on the political side of significant distrust for global bodies).

Fraud is easy because our mode of economic transactions was never reconsidered for the electronic world. For instance, we have a national ID in the United States, it's a nine digit number printed on a piece of paper that's laughable to forge. Worse yet, all it takes is mere knowledge of that number to effectively assume someone's identity. We'd laugh someone out of our offices if they confessed having a nine-digit number as a password. However, our economy uses only a 9-digit username that's effectively public (let's be honest, the entire balance of numbers is more or less owned by now) without a password. The same is true for financial transactions, it's all based on "what you know"...

Philosophically, we've responded to these threats by cementing ourselves like 12 steps behind the bad guys. We do nothing until an attack is successful and money starts being stolen. And then we simply apply a "signature" that will stop yesterday's attack.
If you wish to use the information warfare moniker, it's as if we've stepped on the battlefield committed to only playing defense and then acting shocked, absolutely shocked that we cannot win.

There are some technical tools to be brought to bear, but by and large these aren't technical problems. If we can build a fraud model around it, we simply build it into the cost of doing business and pass it down to the consumer. Sorry about that.

If we want to solve this problem, the solution isn't fad-ish investments in creating a new internet, it starts with slowing down this mad rush of slapping crap online because it's new and sexy without even considering the implications of what we are doing. We dropped e-Commerce on the world like we dropped Little Boy on Hiroshima. Before then, you'd have to forge a credit card and start walking to a store or making phone calls. Pretty easy but darn tedious to really make bank. Insert computers and now you can do millions of transactions because mundane and repetitive transactions are the kind of things computers are really good at.

Solutions? Sure, it's time to tell the libertarian bitter-enders we've had a national ID for decades and short of remaking society, there is no way to get rid of some authoritative "widget" to verify someone's identity for the purposes of making transactions. We've got PKI, it isn't a difficult technical problem to solve compared to the political problems.

We need to stop being afraid to get out ahead of attacks and shut down entire avenues of exploitation. How about verified e-mail? Pick a solution, there are plenty. How about we stop assuming that the end-user PC is secure for making electronic transactions because end-user PCs (almost by definition) are insecure and insecurable. Let's stop putting sensitive information on them.

Let's start disrupting the criminal syndicates.
They deploy botnets that start stealing credit card information, let's flood them with fake (or even better, "real" ones that allow us to follow the money) financial account information. Let's drive down the profit of stolen financial information to a mere pittance of what it is today.

In short, let's drive a stake in the heart of their business model and start to make them respond to us instead of us waiting until they slap us around for a few days and then deploying an AV signature that's stale the second it hits the wire.

j

Theresa Rowe wrote:
http://www.nytimes.com/2009/02/15/weekinreview/15markoff.html?th&emc=th

Do We Need a New Internet?

"Bad enough that there is a growing belief among engineers and security experts that Internet security and privacy have become so maddeningly elusive that the only way to fix the problem is to start over."

Do you think it is really that bad?

--
Theresa Rowe
Chief Information Officer
Oakland University