
Re: Should IETF do more to fight computer crime?

2000-05-22 23:50:02
At 03:09 AM 5/23/00 +0200, you wrote:
At 18.28 +0200 0-05-22, Bertrand(_dot_)Ibrahim(_at_)cui(_dot_)unige(_dot_)ch 
wrote:
>I would hope that any software I use, that is able to put
>my digital signature on some data, would ask me for my
>pass-phrase every time my private key is used. I would
>even hope that such software wouldn't be able to use my
>private key without the pass-phrase, otherwise anybody
>with access to my computer could easily forge my signature.

It is not easy to design encryption software which cannot
be corrupted by viruses. A virus could catch your passphrase,
and then use it itself for nefarious purposes. That is why
many people want to use smart cards. But I am not sure they
are secure. A virus could catch the communication to and
from your smart card. And developers of smart cards seem
to want to put so much functionality in the card itself,
that it becomes open to viruses in itself.


First, the idea of a standards committee working to "fight computer crime" is a pipe-dream. You might as well ask ..... The issue is building software/firmware/hardware that works and is as secure as possible. We all have heard the story about secure computing on a network, so we shall be spared the sophism. One could argue the theoretical flaws to almost any system -- and not do anything but waste bandwidth.

We are engineers and scientists working to solve technical problems securely. We are not lawyers to intermix Title 18 Sec. 1030 style codes in with our IP headers, they pay the "suits" to do those things. We can have strong resolve that these problems mean that work from the groups on secure time stamping, strong encryption, AAA, etc. etc. make for a more "solid chain of custody" for a "reasonable prudent man."

In other words, doing those things that we are already chartered to do would make sense and new work to create secure mechanisms within the framework of the IETF-IESG-IAB should help to "fight computer crime." And all this without making changes to "fight computer crime."

Second, the issue of law in today's arena does not provide for a non-jurisdictional universe. I mean the Jupiter Bureau of Investigations (JBI) will deal with the Internet within the 10,000 km terrestrial boundary and within, no one on Earth will have jurisdiction here. Each country, each state, each county, and each city have different values and mores. The fact that people from around the world can be your virtual neighbors has generated a buzz word around eCommerce - The Death Of Distance. The problem is that while they are virtually in proximity; they are really nine time zones away and are separated by several geographical jurisdictional boundaries (not to mention diplomatic boundaries).

Finally, I believe it was Steven's comment that it is very difficult to build a secure system that has selective levels of security; thus allowing law enforcement more easy access.

To me it is this simple --- Continue to support promising new IP versions (IPv6). Get IPsec to actually work with current IPv4 systems across all hardware and software boundaries. Revitalize the use of already existing secure protocols. Embrace the spread of IETF members from the security area into other areas of the IETF; or better yet, seek them out and ask them about possible concerns you have about your latest ID, RFC, thought et al.

WE ARE NOT a part of the United States Justice Department. We (for the most part) are not lawyers or judges or law enforcement personnel; and we sure as hell don't play them on TV. Stick with protocols, not attempts to be in the Justice Department.

Please understand that I am not against the United States Justice Department and the National Security Agency wanting the ability to obtain legal wiretap information. I am against becoming the jack-booted thugs of ambitious bureaucrats, not wanting to do their own dirty work. If they want this so bad, let them pass-the-laws, obtain the money, and expend the all-important-political-capital to make a pipe dream like this happen.

Protocols not Codification!!!!!!


Warmest Regards,

Chet Uber
Deputy Director of Operations
Incident Response Team Leader
NEbraskaCERT (c). 7660 Dodge, Omaha, NE 68114
vox 402-498-2673 fax 402-391-3906
chet(_dot_)uber(_at_)necert(_dot_)org       www.NEbraskaCERT.org
"Are you in a Security State of Mind?" © 1998-2000

"Quis custodiet ipsos custodes?"
"Who watches the watchmen?"   - Juvenal, Satires, VI, 347