Educause Security Discussion mailing list archives

Re: New Internet for Security


From: Dennis Meharchand <dennis () VALTX COM>
Date: Sun, 15 Feb 2009 20:48:15 -0500

Disclosure - Vendor Response - Valt.X is making the S Chip and related
products (Ultra Security Cards and Secure Drives) to secure the boot drive
of computers with absolute certainty.

Well put John. A few years back I stood at the back of the room of a Chicago
Hotel with Microsoft Chief Security Officer speaking and concluded - if they
ever solved the security problem the gravy train of new OS releases would
stop so they never will!! The top 3 Anti Virus companies own 85% of the
market - Anti Virus/Spyware products one can conclude are products not fit
for the purpose created - and there is likely a massive lawsuit waiting in
the wings against the people that sell this C R A P.

With our small startup finally getting funded we will ship our
Desktop/Server Ultra Security PCI/PCI-e cards, Digital Secure Drives and
Hybrid Secure Drives to be in stores by 1st July 2009. The PC Design teams
of some top 10 PC manufacturers are in to discuss implementing the Valt.X S
Chip in computers this year. The problem we solve is that the boot drives of
computers are protected from all attacks with absolute certainty - this is
how endpoint computers are infected and we solve the problem. I am
absolutely certain every time I start up my computer that my boot drive has
not been compromised at all.

The Spam Email problem is also easy to solve - if all goes well I'll release
the solution to Spam likely early next year.

The Data Theft problem is harder - but our solution of not allowing endpoint
computers to be infected goes a long way in solving the "outside thief"
problem. It's the "inside thief" that concerns me and that's NOT an internet
problem.

Dennis Meharchand
CEO, Valt.X Technologies Inc.
Tel: 1-800-361-0067, 416-746-6669
Fax: 416-746-2774
Email: dennis () valtx com
Web: www.valtx.com

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John Bambenek
Sent: February 15, 2009 2:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [Possible Spam] Re: [SECURITY] New Internet for Security

I'm not sure why this topic keeps coming up... the problems we face are
not technical in nature and by extension cannot be solved with technical
solutions.  It is consistently mentioned that a patchwork of global laws
hinders our ability to prosecute criminals.  Sure, this is true.  But
that's a feature of globalization.  A global marketplace requires a
global body to set the rules of engagement and no one wants to go
there.  We want all the benefits of globalization but none of the
"consequences" and the internet is just one manifestation of this
ongoing problem.  (And mind you, I fall on the political side of
significant distrust for global bodies).

Fraud is easy because our mode of economic transactions was never
reconsidered for the electronic world.  For instance, we have a national
ID in the United States, it's a nine digit number printed on a piece of
paper that's laughable to forge.  Worse yet, all it takes is mere
knowledge of that number to effectively assume someone's identity.  We'd
laugh someone out of our offices if they confessed having a nine-digit
number as a password.  However, our economy uses only a 9-digit username
that's effectively public (let's be honest, the entire balance of
numbers is more or less owned by now) without a password.

The same is true for financial transactions, it's all based on "what you
know"...

Philosophically, we've responded to these threats by cementing ourselves
like 12 steps behind the bad guys.  We do nothing until an attack is
successful and money starts being stolen.  And then we simply apply a
"signature" that will stop yesterday's attack.  If you wish to use the
information warfare moniker, it's as if we've stepped on the battlefield
committed to only playing defense and then acting shocked, absolutely
shocked that we cannot win.

There are some technical tools to be brought to bear, but by and large
these aren't technical problems.  If we can build a fraud model around
it, we simply build it into the cost of doing business and pass it down
to the consumer.  Sorry about that.

If we want to solve this problem, the solution isn't fad-ish investments
in creating a new internet, it starts with slowing down this mad rush of
slapping crap online because it's new and sexy without even considering
the implications of what we are doing.  We dropped e-Commerce on the
world like we dropped Little Boy on Hiroshima.  Before then, you'd have
to forge a credit card and start walking to a store or making phone
calls.  Pretty easy but darn tedious to really make bank.  Insert
computers and now you can do millions of transactions because mundane
and repetitive transactions are the kind of things computers are really
good at.

Solutions?

Sure, it's time to tell the libertarian bitter-enders we've had a
national ID for decades and short of remaking society, there is no way
to get rid of some authoritative "widget" to verify someone's identity
for the purposes of making transactions.  We've got PKI, it isn't a
difficult technical problem to solve compared to the political problems.

We need to stop being afraid to get out ahead of attacks and shut down
entire avenues of exploitation.  How about verified e-mail?  Pick a
solution, there are plenty.  How about we stop assuming that the
end-user PC is secure for making electronic transactions because
end-user PCs (almost by definition) are insecure and insecurable.  Let's
stop putting sensitive information on them.

Let's start disrupting the criminal syndicates.  They deploy botnets
that start stealing credit card information, let's flood them with fake
(or even better, "real" ones that allow us to follow the money)
financial account information.  Let's drive down the profit of stolen
financial information to a mere pittance of what it is today.  In short,
let's drive a stake in the heart of their business model and start to
make them respond to us instead of us waiting until they slap us around
for a few days and then deploying an AV signature that's stale the
second it hits the wire.

j



Theresa Rowe wrote:
 http://www.nytimes.com/2009/02/15/weekinreview/15markoff.html?th&emc=th
Do We Need a New Internet?

"Bad enough that there is a growing belief among engineers and
security experts that Internet security and privacy have become so
maddeningly elusive that the only way to fix the problem is to start
over."

Do you think it is really that bad?

--
Theresa Rowe
Chief Information Officer
Oakland University
