Re: NYT Article and Physical Security

• To: jbass@dmsd.com (John L. Bass)
• Subject: Re: NYT Article and Physical Security
• From: Rick Smith <smith@sctc.com>
• Date: Mon, 23 Oct 1995 10:34:57 -0500 (CDT)
• Cc: smith@sctc.com, www-security@ns2.rutgers.edu
• In-Reply-To: <9510220555.AA24361@dmsd.com> from "John L. Bass" at Oct 21, 95 11:55:58 pm

I posed the following question to the group:

>      This is where it gets back to WWW security. Are we trying to make WWW
>      safe for everyone right out of the box?

John L. Bass replied:

> In all Netscapes marketting hype for both clients and servers that seems to
> be the express goal.

More to the point, is this objective being embraced by the rest of the
technical community? I don't see much evidence in it from the HotJava
community overall, though there are a few voices in the security
wilderness, even at Sun.

John L. Bass further noted:

> As more and more IS depts proxy Netscape thru their firewalls I get even
> more concerned that the "the security" of netscape SLL sessions is infact
> the perfect cover for a well healed trojan horse. At one of my clients sites
> they have a rigrous bastions, but pay little heed to the risks of a trojan
> netscape client. At least telnet session can be logged in clear text, IS has
> not idea what passes thru the gateway encrypted as an SSL session.

An interesting point. There's a military guard system that decrypts
encrypted data before release in order to check for improperly
released information. But in practice it seldom makes sense to apply
that level of control to corporate information. It's a legal and
policy issue -- there's no case law nor documented loss that demands
such measures in private transactions.

Even if the Telnet information were plaintext, the sites with the most
to lose couldn't afford to log very much traffic, even on high
capacity DATs. And once the data was logged, there's little chance
anyone would review the contents, except perhaps to look for evidence
after the fact.  Unless all traffic is logged, there's a good chance
the incriminating traffic passed through without being saved. And some
legal opinions (see Cheswick & Bellovin) question the court standing
of computer log files that are not automatically collected for some
business purpose. For example, if you turn on the logs just to to
catch Joe, the courts might not accept the logs as evidence.

Much of this is because of Telnet -- there's not structure to the
interaction so you can't log "transactions" like you can log WWW page
accesses. I generally recommend that people serious about security
should shun Telnet and stick to better structured protocols when
traversing a security boundary.

Rick.
smith@sctc.com       secure computing corporation

• Re: NYT Article and Physical Security
• From: jbass@dmsd.com (John L. Bass)

• Previous: Re: NYT Article and Physical Security
• Next: Re: NYT Article and Physical Security
• Index(es):
  • Index
  • Thread