On Tue, Jul 13, 1999 at 04:13:13PM -0500, Bruno Wolff III wrote:
> They are discouraging it by harassing companies for having hooks for
> strong encryption and by prohibiting export of strong encryption products.
The NSA is, yes. Hopefully this will be alleviated by some of the new bills
that are in Congress now. Either way, the government can't control it forever,
only until mass-marketed cryptography software starts being produced outside
the US.
> You don't need to buy certificates for S/MIME. You can make your own. As long as
> the people who you communicate with know it is your certificate you don't
> need to have it signed by someplace that wants money.
If a certificate isn't signed by a certifying authority, then all of the people
who receive messages signed with that certificate will have to have the
certificate in their own personal "keyring" or similar file. This decreases
security because not only does it make the certificates harder to use, it puts
the burden of key verification on the sender instead of the certifying
authority.
> > Yes, scanning engines are going to have to get smarter and smarter to
> > maintain their usefulness. Is there a point I'm missing?
>
> Yes. Finding viruses is going to become so computationally expensive that
> it will not be practical.
I doubt it. Have you looked at the current list of viruses that the
commercial scanners can detect and remove? It is in the 5-digit range, and an
average file can be scanned in less than a second. With the microprocessor
world moving like it is, I doubt that the above statement will be true anytime
soon.
My opinion is that most IS shops, right now, want a way to scan incoming emails
for viruses. I know my company does. If this need is not filled by free
software, it will be (and is already being) filled by commercial software.
> Also expect the rate of false positives to become
> higher.
>
> > Yes, but it's not realistic. No matter what you tell someone, if their
> > best friend sends them an email with an executable in it saying "this is
> > cooool!!!!", the person is probably going to run it.
>
> If you are using a capability system, the program won't be able to do anything
> more harmful than try to induce an epileptic fit by making the screen flash
> rapidly.
>
> > Perhaps you could explain what a "capability system" is.
>
> Take a look at http://www.eros-os.org/faq/basics.html .
The concept sounds nice. However, the expected release date was the middle of
last year, and the author hasn't even modified some of the pages on that site
since last April. So when can we really expect to see something like this?
--Adam