
re: what are realistic threats? (second issue)



To add my two cents' worth!

I think there can be no talk of a transaction system, where it is known 
to have security holes, but hope that it is technically tough to attack. We 
have a social responsibility to ensure the underlying system is as secure as 
is possible and reasonable.

To comment on unlikely attacks: we have had earlier undergrads here 
hack machines, change IP addresses, etc. If they can do this, and more, we 
need tough requirements.

Further, I am not so worried about unprofessionals such as these, but major 
marketing agencies/corporations, seeing it as an opportunity for 
intelligence on the markets - in effect giving them "insider trading". 
It will be very tempting to them due to their resources and technical 
abilities.

So let's evolve a system that is enforceable, with strong authentication 
etc. Hopefully this discussion will then turn to writing requirements (to 
debate), otherwise it could get religious.

To sum up.
If an attack is known, it is possible, and a threat should not be left 
open. The problem may be, as authentication protocols have shown, it is 
near impossible to say something is secure (similar to saying your code 
has no bugs!)

regards

Gary Gaskell
DSTC 
Cooperative Research Centre for Distributed Systems Technology
Queensland University of Technology
Ph    +61-7-864 1051            FAX    +61-7-864 1282
Email gaskell@dstc.qut.edu.au   URL    http://www.dstc.edu.au/intro.htm

On Tue, 27 Sep 1994 nsyfrig@wppost.depaul.edu wrote:

> Once you unleash something like global electronic commerce in any form,
> whether it's digital-cash based or transaction-based, you are creating
> probably one of the most powerful magnets in history for all the hackers,
> underworld figures, disgruntled people of all types.  No matter what we
> do, we will most likely create one of the ultimate stress tests as a
> by-product:  Not only will there be an interesting challenge for humans to
> solve, but there is a real chance there will be money at the other end, or
> at least a sense of an adventure if they get caught before they grab the
> stash.  As with all new crimes, the initial people stand the best chance of
> getting away with it (the first few airline hijackers had a much higher
> success rate until the airport security system was put into place).
> 
> Furthermore, depending on how anything was broken, it may be possible
> to create "construction kits" sort of like the computer virus construction
> kits that were around for a while (and may still be there for all I know). 
> Even in foolproof schemes, people can get lucky.
> 
> Do we punt?  No.  As people have said before in here and elsewhere,
> we have other mechanisms to control the situation and ensure lawyers
> stay employed.  We just need to make sure we keep as many people as
> honest as we can.
> 
> Nathan Syfrig
> 

