--- begin forwarded text


Subject: Re: 56 Bits?????
Date: Thu, 28 Oct 1999 16:47:13 -0700
From: Mark Talbot <[EMAIL PROTECTED]>
To: "Thomas Weyer" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
Sender: <[EMAIL PROTECTED]>

[EMAIL PROTECTED] wrote:

[SNIP]

>Now a statement on Apple Data Security.  I take my Apple badge off
>for a moment.  Personal opinions follow.  Feel free to attack
>PERSONALLY if you need but what follows is only MY opinion, NOT a
>statement from Apple.
>
>When one tries to do EVERYTHING one tends to accomplish little.
>While the current implementation of Apple Data Security does not
>deliver EVERYTHING that EVERYONE wants, it as I have told MANY people
>accomplishes my primary goal. It makes your mother's iMac more secure.
>It is NOT intended to REPLACE PGP.  I don't think it's what many of
>the "propeller-heads" on this list will use, however WE ARE a
>minority.  What it focuses on is making things more secure without
>adding much in the way of complexity for 80% of our users, MOST of
>which used NOTHING before.  If it moves the bar up for them, provides
>a way to add additional functionality, and can easily move to strong
>crypto if allowed by law, how could anyone call it less than a success?

[SNIP]

My problem with this statement is that it's misleading and this seems to
be Apple's official policy as well. On the Apple website they have some
pages extolling the virtues of their wondrous new OS. The page describing
the new encryption feature <http://www.apple.com/macos/feature6.html>
contains the sentence "So even if someone manages to slip into your
office physically (when you're on a coffee break, say) and steals
sensitive files that you've encrypted, they can't read what's in them."
This is essentially bullshit. If someone gains physical access to "your
mother's iMac" with the purpose of stealing sensitive files they're going
to ignore the "industrial-strength" encrypted file and simply use
Norton's UnErase to recover the unencrypted original which is not
securely deleted. Apple has created a feature whose implementation is
worse than merely clueless. It's actually *dangerous* in that a lot of
people who don't know any better are going to use this to encrypt
sensitive information and never realize (unless they find out the hard
way) that the data is still there on the drive.

As to users having a path to eventually get to strong crypto "if allowed
by law": I live in the US and can use crypto of whatever strength I wish.
A company may provide to me crypto of whatever strength they wish. It
would seem to follow that if Apple is only providing weak crypto in the
products it is offering to sell me (AirPort, OS9) then this is a choice
that *Apple* has made. It would seem to be a relatively simple matter for
Apple to offer strong crypto domestically & weak crypto everywhere else;
Netscape and Microsoft already do this with their browsers.

MST

--- end forwarded text


-----------------
Robert A. Hettinga <mailto: [EMAIL PROTECTED]>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
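
The failure mode described in the forwarded message (encrypting a file while the plaintext original is only ordinarily deleted), as an added example that is not part of the original e-mail and is not Apple's code. It uses a constructed toy disk model; `ToyDisk`, `toy_encrypt`, `encrypt_file` and the sample memo are all hypothetical names and data made up for the illustration.

```python
import hashlib

BLOCK = 16  # toy block size in bytes

class ToyDisk:
    """Constructed model: raw blocks plus a directory of name -> (blocks, length)."""
    def __init__(self, nblocks=32):
        self.blocks = [bytes(BLOCK)] * nblocks
        self.free = list(range(nblocks))
        self.directory = {}

    def write(self, name, data):
        idxs = []
        for off in range(0, len(data), BLOCK):
            i = self.free.pop(0)
            self.blocks[i] = data[off:off + BLOCK].ljust(BLOCK, b"\0")
            idxs.append(i)
        self.directory[name] = (idxs, len(data))

    def read(self, name):
        idxs, length = self.directory[name]
        return b"".join(self.blocks[i] for i in idxs)[:length]

    def delete(self, name, wipe=False):
        idxs, _ = self.directory.pop(name)
        if wipe:  # overwrite the data blocks before releasing them
            for i in idxs:
                self.blocks[i] = bytes(BLOCK)
        self.free.extend(idxs)  # ordinary delete: only the bookkeeping changes

    def raw_scan(self, needle):
        # What an undelete tool does: read every block, ignoring the directory.
        return needle in b"".join(self.blocks)

def toy_encrypt(key, data):
    # Stand-in cipher for the demo (SHA-256 counter keystream XOR); not for real use.
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def encrypt_file(disk, name, key, wipe_original):
    disk.write(name + ".enc", toy_encrypt(key, disk.read(name)))
    disk.delete(name, wipe=wipe_original)

def plaintext_recoverable(wipe_original):
    disk = ToyDisk()
    disk.write("memo.txt", b"memo: SECRET-PIN-4921 for the bank account")  # constructed data
    encrypt_file(disk, "memo.txt", b"passphrase", wipe_original)
    return disk.raw_scan(b"SECRET-PIN-4921")
```

With `wipe_original=False` the file is gone from the directory but its plaintext is still found by the raw scan; with `wipe_original=True` it is not. On real file systems an in-place overwrite is not always guaranteed (journaling, flash wear levelling), which is why encrypting the whole volume is the more robust design.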
