Interesting People mailing list archives
IP: more**2 on "cyber-corps" of network defenders -- A CHEAPER, SAFER WAY!!
From: Dave Farber <farber () cis upenn edu>
Date: Sun, 07 Feb 1999 17:52:27 -0500
Date: Sun, 7 Feb 1999 17:51:01 -0500
To: farber () cis upenn edu
From: Gene Spafford <spaf () cs purdue edu>
Subject: Re: IP: more on "cyber-corps" of network defenders -- A CHEAPER, SAFER WAY!!
Date: Sun, 7 Feb 1999 12:24:21 -0800
To: farber () cis upenn edu
From: Jim Warren <jwarren () well com>

2. Of course, the cheap and *effective* way to create bullet-proof information protection and computer security would be to facilitate *automatic*, uncrackable encryption of every computer file and every Internet message. With everything scrambled, there would be little incentive to crack the systems. But with everything scrambled, then the *government* couldn't snoop and peep -- and that power is obviously much more important to the administration than corporate security or personal privacy. And anyway, if dispersed crypto was used, then the tax loot couldn't be easily bogarted by the Beltway Bandits.
This is not correct. Encryption would be a big help, but it is not the total solution.

Encryption doesn't solve denial of service. Encryption doesn't solve insider misuse. Encryption doesn't provide 100% protection against malicious code. Encryption doesn't address issues of computer forensics, reliable audit, or how to build trusted systems. Encryption doesn't guarantee valid identification (although it helps with authentication). Encryption does provide survivability or bug-free construction of code. Encryption doesn't secure the data on the screen or currently in memory being manipulated by the current application.

Inside most businesses, you don't want strong encryption. It makes it more difficult to handle disaster recovery and debugging. It makes interoperability somewhat more difficult. And user accident or misuse may result in the loss of critical data. If encryption is used at all in those environments (for storage), then key recovery or escrow is vital. And when encryption isn't used, you need other measures of protection.

The place where strong encryption helps is in communications, in long-term storage, and in computer transport. But that is hardly the full spectrum.

I would counsel against letting fervor for one agenda dominate the field. It leads to unfortunate imbalances. For instance, law enforcement has been so focused on restricting encryption for so long, they have neglected other investigative methods. As encryption becomes more common, they are left behind the curve in technology even more. That isn't good for all of us -- we do need effective law enforcement in "cyberspace" and in our societies.

An interesting question -- and an interesting one for security researchers -- is how to build strong, affordable methods of defense that support law enforcement without sacrificing individual privacy and rights. Encryption -- by itself -- does not answer that question, either.