
RE: IPv6 NAT?

2008-02-19 07:12:08
I think that many people in the security world and rather more outside
it are repeating a big mistake we made during the cryptowars of the
1990s here.

During the cryptowars, designing protocols to make them 'Freeh-proof'
became a priority. It was certainly a bigger priority than making them
usable by ordinary people. Case in point, insisting on deploying S/MIME
and PGP as pure end-to-end security protocols to remove the possibility
of interception at the server. This is the architecture that you need to
defeat interception at the server but it comes at the cost of having to
push out credentials to all the end points. So fewer than 0.01% of users
ever enroll for an end user credential, fewer use them. Meanwhile we
have a major problem with spam and social engineering attacks, both of
which exploit the lack of authentication in the email system.

The risk we face here is that people dismiss trustworthy computing in
the same way for no other reason than to spite the RIAA.

Security responds badly to political mandates, particularly the mandate
'don't make the system too secure'. There are real problems in using
trustworthy computing for copyright enforcement systems. Any system that
depends on protecting the confidentiality of decryption keys that are
embedded in a couple of billion end points is going to have limited
effectiveness. But that fact says nothing about the practicality of
protecting secrets that are only deployed out to a few thousand end
points that are subject to regular and effective control.

I'll continue on my personal (not corporate) blog:

http://dotfuturemanifesto.blogspot.com/2008/02/dont-make-it-too-secure.html


-----Original Message-----
From: Theodore Tso [mailto:tytso(_at_)mit(_dot_)edu] 
Sent: Monday, February 18, 2008 7:58 PM
To: Hallam-Baker, Phillip
Cc: Christian Huitema; Spencer Dawkins; Iljitsch van Beijnum;
michael(_dot_)dillon(_at_)bt(_dot_)com; ietf(_at_)ietf(_dot_)org
Subject: Re: IPv6 NAT?

On Mon, Feb 18, 2008 at 03:34:50PM -0800, Hallam-Baker, Phillip wrote:
> In the scenario I gave, the data I wish to stop the kids accessing is
> already on my network, net nanny is totally useless in this instance.
> Let us imagine that I have a configuration that consists of one Vista
> machine and one Home Server on which there is stored a collection of
> ripped DVDs of video nasties, you know The Sound of Music, Care Bears
> Movie etc. some of the nastiest films I have seen. I do not wish the
> kids' tastes to be corrupted by this rubbish.

Heh.  From the Capitol Steps' "All I Want For Christmas Is A Tax
Increase" album:

http://www.amazon.com/gp/music/wma-pop-up/B000003JOO001001/ref=mu_sam_wma_001_001

> Security cannot be effective when it is provided in the form of a DIY
> assembly required project. But that's what the field has been doing.

I'm afraid it's worse than that.  As long as we provide general purpose
computers, and some insiders that are determined to bring home databases
filled with SSN so they can do work in the evenings, or children who
know more about computers than their parents and who are determined
to download videos of "Barney does Dallas", I'd claim it is pretty much
impossible to solve the particular security problem which you are
worried about.

And I'm not sure people are really willing to accept computers with the
sorts of controls that would prevent these sorts of attacks on data.
Look at the resistance to Microsoft's Palladium project by people such
as Ross Anderson.  (http://www.cl.cam.ac.uk/%7Erja14/tcpa-faq.html)

Most consumers are far more focused on the sorts of abuse that could be
perpetrated by Hollywood, the Music Industry, and Microsoft, rather than
problems with databases filled with US Military personnel's credit
information getting stolen out of unsecured laptops of incompetent
government bureaucrats.  One could have a debate about whether this is a
correct assessment of risks by the consumer and by organizations like
EFF and EPIC, but it's reality that won't be easily changed.

In any case, this is a bit of a rathole from the original discussion, I
suspect....

                                                - Ted