Fw: [ISN] Commentary: The Threat Of Microsofts .Net

2001-10-31 Thread Jason


----- Original Message -----
From: InfoSec News [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, October 30, 2001 9:32 AM
Subject: Re: [ISN] Commentary: The Threat Of Microsofts .Net


 Forwarded from: John Ellingson [EMAIL PROTECTED]

 In a message dated 10/26/01 5:06:08 AM, [EMAIL PROTECTED] writes:

 > Suppose somebody breaks in. Everyone's personal and financial
 > information would suddenly be in the hands of the intruders. Or
 > worse--they could be scattered about in a series of resulting
 > malfunctions. The extent of the financial, social, and political
 > disaster that could result is hard to imagine.

 The real risk isn't someone breaking in. While the focus of this group
 is on security and most of us work in the digital world, the greatest
 risk is still some form of social engineering. Approximately 80% of all
 losses/unauthorized access occur from inside the firewall. It comes
 from people who have previously had access, but it was never turned
 off, or someone who is bribed, or has a grudge, or is otherwise
 motivated. Those of us in the security business have a duty to look at
 system security as a whole. That does not mean just device to device,
 it means including all users and it crucially means an assumption that
 not everyone will follow the rules.

 If I could offer a classic example: We all know that identity fraud is
 growing by leaps and bounds. It is doing so because we enable it. We
 enable identity fraud through some of the very schemes and technology
 we use to provide security. Identity fraud is enabled through the use
 of PKI, encryption, digital certificates, over-reliance on credit
 reports and the dangerously false assumption that one identity must be
 attached to one person and that person matches the identity.

 We continually design point solutions, each one a link in the security
 chain.  We defer to some integrator or our customers to assemble the
 chain. But as we all know, no one provides a complete chain or even a
 design for the complete chain. Security that is either just a bunch of
 unconnected links (weak or strong), or a linked chain that is one link
 short of a connection, is no security at all.

 We live in a world that has digitized the paradigm of business that
 existed in the 50s. In the fifties businesses knew their customers and
 would recognize them on the street. Today most business wouldn't
 recognize their customers face to face. Yet, we have not changed our
 underlying basic assumptions.

 We cannot build a truly secure environment out of patches to an
 obsolete paradigm.


 John Ellingson
 CEO
 Edentification, Inc.

 -
 ISN is currently hosted by Attrition.org

 To unsubscribe email [EMAIL PROTECTED] with 'unsubscribe isn' in the BODY
 of the mail.




-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]



Re: Fw: [ISN] Commentary: The Threat Of Microsofts .Net

2001-10-31 Thread JohnE37179


In a message dated 10/31/01 3:09:38 PM, [EMAIL PROTECTED] writes:

> but do not PKI, encryption, [and] digital certificates, depending
> on their use, actually help to PROVE one's identity through reliable,
> trusted, or otherwise authoritative third parties?

In closed systems, yes. However, even in those environments there is a 
substantial risk, because there really are no trusted, or otherwise 
authoritative third parties, short of a full blown background check. 
Approximately 80% of all attacks are from those trusted insiders.

Remember 100% of embezzlers are trusted implicitly.

In a world of digital strangers the concept almost loses its meaning.

I've been around this business for nearly 20 years and I'm not sure who you 
could really classify as a trusted third party. 

John Ellingson
CEO
Edentification, Inc.
608.833.6261






[ISN] Commentary: The Threat Of Microsofts .Net

2001-10-26 Thread R. A. Hettinga


--- begin forwarded text


Status:  U
Date: Fri, 26 Oct 2001 04:26:24 -0500 (CDT)
From: InfoSec News [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [ISN] Commentary: The Threat Of Microsofts .Net
Sender: [EMAIL PROTECTED]
Reply-To: InfoSec News [EMAIL PROTECTED]

http://www.kingpublishing.com/fc/new_technology/commentary.htm

BY WHITFIELD DIFFIE AND SUSAN LANDAU

For more than two centuries Americans have prided themselves on
protecting their freedom by limiting the concentration of power. With
its famous balance of power, the U.S. Constitution divides federal
power among the three branches of government, while the Bill of Rights
provides other checks, all of which have served the country well.

With new threats have come new protections. In the nineteenth century,
corporations grew and multiplied, and some amassed the kind of power
we had always sought to limit in our own government. Anti-trust laws
were passed to guarantee that commercial power would be distributed
among competing companies in every sector of business.

These protections have also served us well.

But now a new threat has arisen that may be less obvious but more
dangerous.

While computer and communication technology have enhanced our lives in
many ways, they have also caused fundamental changes that make
protecting ourselves from the concentration of power more
difficult--in part because these technologies have made it feasible to
build organizations that are larger and more globally-distributed than
ever before. The result: we need to be more alert to potential abuses
of power.

The fact that everything is interconnected makes it possible to
concentrate power in a new way. A business that holds a monopoly in
one area may be able to use its influence to extend its monopoly in
entirely new ways. This is what is happening as Microsoft attempts to
extend its monopoly over personal computer operating systems into the
Internet world.

Microsoft .NET (pronounced 'dot net') is a far-reaching project to
channel the personal information of all customers who browse, shop,
and congregate on the Internet into Microsoft or Microsoft-controlled
companies. It is made up of components: Passport establishes an
individual's identity on the Internet; .NET My Services collects
various pieces of private information--including .NET Contacts, .NET
Location, .NET Inbox, .NET Documents, .NET Devices, and .NET Wallet.

The control over computer software that Microsoft has achieved through
its dominance of operating systems has limited competition and
innovation throughout the computer field.  Through .NET, it is
attempting to exert the same control over all Internet commerce. Just
as kings got to grant or deny royal charters to businesses, the
Redmond giant, if successful, may be able to say who can do business
on the Net and who can't.

But there is another and more immediate problem with .NET--something
that could evolve from a problem to a national crisis even if
Microsoft is well behaved or well regulated in the use of its new
powers.  That is the problem of security, as opposed to privacy.

What is the difference? If Microsoft knows everything about
everyone--and the information being collected by Passport and My
Services make that look quite likely--the company could still be
constrained in how it uses that information by laws or corporate
privacy policies. That presupposes, however, that Microsoft is
actually in control of the information it has collected.

Microsoft's security record is nothing to brag about. Windows is the
most widely used yet one of the least secure operating systems around.
Microsoft programs have shown themselves vulnerable to worms, viruses,
and break-ins, on Microsoft's own computers and on everybody else's.
The Melissa virus spread through Microsoft's word processing and
e-mail programs, sending itself to the first 50 people in each of the
infected machine's address lists. A year later the ILOVEYOU virus
infected the Web through a different part of Microsoft's e-mail
package. More recently Microsoft's own internal systems were hacked,
and the intruders spent over a month accessing system source code,
likened to Microsoft's crown jewels, before their unlawful entry was
discovered.

Why should Passport be any different? Early security analyses show
that compromises made for the sake of universal availability make
Passport less secure than it might have been, less secure than it
should be, and perhaps just plain insecure. The My Services databases
will be a particularly ripe target for hackers. (Since all users of
Microsoft's free Hotmail service have Passports, many unknowingly,
there are already 160 million Passport users.)

Remember, Willie Sutton used to rob banks because that's where the
money is.

Suppose that in a year or two Microsoft has succeeded in funneling the
lion's share of information about people's identities, preferences,
financial assets, and shopping habits to itself and putting them all
in one big database