Dr. Swire: First I have to laud your courage for venturing onto this forum of inconsolate security derelicts.
If there is one thing to learn about the world after 911: everything is a potential military target. Infrastructure and the internet is certainly one that needs to be secured. The question is how draconic security is going to have to be. With the advent of wireless 802.11b/g there will soon be no practical limit to access and adding 10-20 million new users a month on the world-wide web, as you can imagine the mind-boggling growth of potential problems. With that said, it makes it too easy to piggyback off other people's access and remain totally anonymous on the internet and thus unleash any type of new attack or DoS.

There remains so much work in plugging holes, finding new ones and fixing them, that it is impossible for any large network to plug them all. The Clairmont-Everhardt Index of potential Security vulnerability being equal to the (Number of Computers)! * (Number of People using the systems)! * (Number of Ports)! * (the Lines of Code)! * (The number of Applications)! * (Number of Routers/Hubs)! and any other factors you wish to include.

Your article, in some ways, contains the essence of the problems that are occurring and getting worse, not just what is secure and what is not, but that everything is a security risk. It is so easy to slip up, passwords thru e-mail, trivial passwords, unsecured cookies, trivial encryption, identity theft. We can go on and on.

Potential answers are not in a new group of AV, Firewall and security companies flailing around trying to keep up. It should be a centralized regulated effort to stop spam, virii, trojans, etc etc. Now a centralized database with automated filtering, fault isolation, shutting down the badly infected, is necessary and/or going to a true fully encrypted network is not the total answer. Too many people leave the barn door wide open. But until that day we need some type of rapid response team to get things nailed down quickly.
And it needs to be centralized and it needs to have authority to plug the holes, put out the fires before they spread. And that doesn't guarantee success. It is a war on cyber terrorism, criminal activity and that is not going to end overnight, someone is always willing to sell the keys to the kingdom. My rant on that.

This is a perfectly good service that Homeland Security could provide with a fairly modest budget. The question is how to keep the whole business democratic without denying access to the common user. The answer is adequate user community oversight and participation. The first part has been partially done with spam, it could gradually grow to contain questionable sites (Porn, illegal services etc.), advertising offer sites, download sites, spyware downloaders, mail filters (eliminate redundant and frequent ad offers). Again the answer for the user community would be voluntary participation. Frankly I don't know anyone who wants their computer infected with this constant bombardment of junk. I would love to have a centralized mail filter to eliminate all this crap. And your paper is a great start in that direction and I laud the effort.

I have been working in practical data security for over 20 years, from encryption, login password, intrusion detection, firewalls, security policy, penetration testing etc. etc. There is no single answer but I think if we can work on a Six Sigma program to re-iterate the process and continue to improve we can become more effective, so we all can fully enjoy the internet and the fun stuff.

I am plugging holes in UNIX security and must get back to that never-ending battle for truth, justice and the American internet hiway (with apologies to Superman).

Warm Regards,
Jan Clairmont, KMGO
Paladin of Security

-
Prof. Peter P. Swire
Moritz College of Law of the Ohio State University
John Glenn Scholar in Public Policy Research
(240) 994-4142; www.peterswire.net

-----Original Message-----
From: Barry Fitzgerald [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 01, 2004 10:49 AM
To: Peter Swire
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] New paper on Security and Obscurity

Peter Swire wrote:

>Greetings:
>
> I have been lurking on Full Disclosure for some time, and now would like to
>share an academic paper that directly addresses the topic of “full
>disclosure” and computer security:
>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html