Re: Internal vs external threats, any references?

1999-10-05 Thread Rick Smith

I said:

>> If it's programmable it's vulnerable.

Ben Laurie replied:

>Oh, right. There's no attack you can defend against, right?

One has to be careful with one's universal quantifiers.

"There's no attack you can defend against." - false
"There are defenses against some attacks." - true
"There are defenses against all attacks." - false

My own experience makes me skeptical to the point of incredulity when
someone claims to be invulnerable to viruses and trojans. One can defend
against limited cases at best, and defenses get stretched to the breaking
point as time and technology move on.


Rick.
[EMAIL PROTECTED]
"Internet Cryptography" at http://www.visi.com/crypto/




Re: Export ?

1999-10-05 Thread Rick Smith

At 03:24 PM 9/30/99 -0400, Andy Maslar wrote:
>At the risk of being flamed for being a hopeless newbie, or perhaps as
>one asking a practical question about export regs, (something that seems
>in bad taste lately) I will nevertheless proceed:
>
>Are hash functions (MD5 specifically) controlled by export regs?

"It all depends."

If you're embedding it in a product and using it just to do authentication
or integrity checking, then it falls outside of the export regulations.

If you're embedding it in a product and using it to hide information (i.e.
a stream cipher where the one way hash function generates the keystream)
then you need to submit it for review. If it has the effective strength of
a 40 bit or 56 bit cipher, then you can probably export it (assuming they
finish their review in a timely manner). 

If you just want to post some source code on your web site or include it in
something that might be exported, then I don't know for sure. Read over the
regulations (BXA, the Bureau of Export Administration, has them on the web
somewhere). If there isn't language in the regulations that declares one
way hash functions to be encryption algorithms, then it should be OK. But
you might want to ask an export control lawyer.

Rick.
[EMAIL PROTECTED]
"Internet Cryptography" at http://www.visi.com/crypto/

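The distinction drawn in the reply above, as an added example that is not part of the original message: the same one-way hash used once as an integrity fingerprint and once as a keystream generator that hides data. The counter-mode construction, the function names and the sample key, nonce and message are assumptions made for illustration; MD5 appears only because the question asks about it.

```python
import hashlib

def fingerprint(data: bytes) -> str:
    # Integrity use: anyone can recompute this value; the data stays readable.
    return hashlib.md5(data).hexdigest()

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Confidentiality use: hash(key || nonce || counter) gives 16 bytes per block.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.md5(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # XOR with the keystream; the same call encrypts and decrypts.
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))

def key_bits(key: bytes) -> int:
    # Upper bound on strength: brute force needs at most 2**bits key guesses.
    return 8 * len(key)

if __name__ == "__main__":
    msg = b"constructed sample message"      # constructed input
    key = bytes.fromhex("0102030405")        # constructed 5-byte key = 40 bits
    nonce = b"msg-0001"                      # constructed per-message nonce
    ct = xor_crypt(key, nonce, msg)
    print("fingerprint:", fingerprint(msg))
    print("ciphertext :", ct.hex())
    print("decrypted  :", xor_crypt(key, nonce, ct))
    print("key bits   :", key_bits(key))
```

Reusing a (key, nonce) pair repeats the keystream, so XORing two such ciphertexts yields the XOR of the two plaintexts.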



[FYI] DN: SPEECH/99/122 by Mr Erkki LIIKANEN on Crypto

1999-10-05 Thread Axel H. Horns


http://europa.eu.int/rapid/start/cgi/guesten.ksh?p_action.gettxt=gt&doc=SPEECH/99/122|0|RAPID&lg=EN

 CUT ---

Speech by Mr Erkki LIIKANEN Member of the European Commission for 
Enterprise and Information Society Trust and Security in Electronic 
Communications : The European Approach Information Security Solutions 
Europe (ISSE 99) Welcome Address Berlin, 4 October 1999


 DN: SPEECH/99/122 Date: 1999-10-05



SPEECH/99/122 

Speech by Mr Erkki LIIKANEN 

Member of the European Commission for Enterprise and Information 
Society 

Trust and Security in Electronic Communications : The European 
Approach 

Information Security Solutions Europe (ISSE 99) Welcome Address 

Berlin, 4 October 1999

1. INTRODUCTION 

Ladies and gentlemen, 

To start with, I would like to congratulate The European Forum for 
Electronic Business and Teletrust for organising this conference. A 
comprehensive European event on security held on a yearly basis was 
much needed in Europe. I therefore wish that ISSE will become a major 
event in Europe when it comes to discussing information security 
issues, not only amongst the converted, but also, and hopefully 
increasingly, the laymen.  

The very launch of this event, and the broad audience it attracted on 
its first edition, already demonstrates a few things: 

First, that there is a growing interest for information security 
issues in Europe. This is a direct result of the rapid growth of the 
Internet and electronic commerce in Europe. The latter is good news 
for Europe considering the growing importance of the networked 
economy in terms of growth and employment.  

Second, that European Union policies have been successful. I don't 
mean to take all the credit for the take-up of the Internet and 
electronic commerce in Europe especially since our conviction is that 
the development of the information society must, and can only be 
market-led. Yet it is clear that the liberalisation of 
telecommunications in the Union has created the right conditions for 
the expansion of the Internet and electronic commerce.  

2. WHY IS CRYPTOGRAPHY SO IMPORTANT? 

Cryptographic technologies are at the heart of information security. 
A few years ago, cryptography was still an arcane topic restricted to 
a closed circle of people in the know. It is only recently, with the 
growth of the Internet, that cryptography and on-line security have 
made it to the headlines.  

Why? Simply because cryptography is the preferred, if not only, means 
to ensure authenticity and confidentiality in electronic 
communications. Without it, there will be no safe electronic 
communications.  

The bottom line is: no security, no trust, no notable shift towards 
commercial and financial transactions on the Internet! And all the 
impressive forecasts we have seen regarding the growth of electronic 
commerce will remain pie in the sky.  

With close to 200 million Internet users, there is already, today, a 
strong market basis for security products and services. This is 
clearly indicated by the multiplication and the impressive growth 
figures of cryptographic companies. For the time being, the security 
market largely remains a corporate one. This is no surprise since 
business-to-business activities carried out over proprietary networks 
still account for over 85% of the total electronic commerce market.  

But the security market will only really explode once it becomes a 
mass market. 

The odds are, that the Internet will be everywhere in Europe in a 
matter of five years or so. We can expect half of the European 
population to be hooked on the Internet by 2005. Not only that there 
will be a computer connected to the Internet in half of Europe's 
homes. But access terminals become increasingly diversified and 
include, not only the computer, but increasingly the digital TV set-
top box, the personal assistant or the mobile phone, and very soon 
cars and even home appliances.  

But then again, who will routinely shop on-line if the credit card 
number cannot be transmitted safely? If there is no guarantee that 
the orders placed will be not fed into a marketing database to create 
a highly detailed buyer's profile?  

The same applies to simply surfing the Net. For how much longer will 
Internauts accept to leave footprints on every Web site they visit, 
allowing outsiders to track down their every move and interest? How 
many people will be discouraged from getting on-line by the fear of 
losing their privacy?  

This means that all along the chain of Internet services, there is an 
essential need for security features.  

Since the technology is there, this doesn't seem to be a problem, 
only a breath-taking business opportunity for the cryptographic 
industry. But actually no! The situation can be compared to 
telecommunications services in Europe: Their growth is directly 
linked to the