[143] in WWW Security List Archive


re: what are realistic threats?

daemon@ATHENA.MIT.EDU (Pat Farrell)
Wed Sep 28 10:13:21 1994

Date: Wed, 28 Sep 1994 07:41:06 -0400 (EDT)
From: "Pat Farrell" <pfarrell@netcom.com>
To: dmk@allegra.att.com, www-buyinfo@allegra.att.com,
        www-security@ns1.rutgers.edu, pfarrell@netcom.com
Reply-To: "Pat Farrell" <pfarrell@netcom.com>

In message Tue, 27 Sep 94 13:44:42 EDT,
  dmk@allegra.att.com (Dave Kristol)  writes:

> zurko@osf.org (Mary Ellen Zurko) says [to www-security, not www-buyinfo]:
>> The classic security services for countering threats are
>> authentication, authorization, data integrity, and data protection
>> (privacy).
> Okay, let me ask a very specific question, one that my original posting
> asked in an obscure and elliptical way.  The question is, How realistic
> a threat are active attacks?

I suggest that you review the classic texts, papers, etc.
The fundamental concept of security is that the key is to make the
cost of the attack higher than the value received upon success. If you
need references, just ask.

The current threat of active attack is modest. (I'll let folks disagree on
this) But as commerce of increasing value occurs, there is more motivation
to attack. It is easy to see Billions of US$ of commerce in a short
while over the 'net. Skimming a percent or two is a target that is
very attractive, and likely to justify serious attacks.

If you don't like the hypothetical, think about this: If you were a smart
crook, how hard would you look at attacking one percent of CompuServe or
AOL's revenue stream? CI$ has a million users, at $10 a month this would
tempt me if I weren't so honest.

Pat

Pat Farrell      Grad Student                 pfarrell@cs.gmu.edu
Department of Computer Science    George Mason University, Fairfax, VA
Public key available via finger         #include <standard.disclaimer>
