[11245] in Commercialization & Privatization of the Internet
Re: Internet Security
daemon@ATHENA.MIT.EDU (Bruce Gingery)
Sat Mar 26 23:00:20 1994
Date: Fri, 25 Mar 1994 15:15:05 -0700 (MST)
From: Bruce Gingery <lcbginge@antelope.wcc.edu>
To: Rosalind Resnick <rosalind@harrison.win.net>
Cc: com-priv@psi.com
In-Reply-To: <263@harrison.win.net>
On Thu, 24 Mar 1994, Rosalind Resnick wrote:
> Hi! I'm doing some research into Internet security for a book I'm
> working on and would like to pick the brains of the members of this
> list on a couple of issues:
>
> 1. How "safe" is the Internet as a medium for transmitting private e-mail,
> documents and financial data? Is the Internet any less safe than, say,
> CompuServe or Prodigy?
I do not now, nor have I had either a CI$ or Prodigy account, but am
quite familiar with others who have had such accounts, and with their
use of such accounts. Regarding Prodigy, though they now have
InterNet Netblocks, I've seen NOTHING as to how a Prodigy user may
be addressed from the InterNet as a whole. They seem to still be
"cut off" from the rest of the world.
The primary problem with CompuServe is the throw-away policy with
E-mail. I have had MANY messages to CI$ users which never got delivered
BECAUSE THEIR MAILBOX OVERFLOWED. On-system mail, presumably would be
rejected when the sender attempted to post, but network mail is just
discarded. Other Internet mail generally bounces back if undeliverable
-- not always, but usually.
> 2. Would you personally send your credit card number via Internet e-mail
> to purchase a product? Would you feel comfortable typing it in at a
> Gopher site? Do you happen to know of any instance in which someone's
> credit card information was "stolen" on the Internet and used to make
> unauthorized purchases?
Not without encryption, and even then I'd hesitate slightly. It's
slightly less safe (in my estimation) than passing it over a voice
connection -- to pass it in a clear text message. My primary hesitation
is mistrust of the intended recipient, though I fully realize that
"packets" can be "sniffed", just as phone lines can be "tapped".
Good software encryption techniques are at least as good as the "scrambler
telephones" used by military organizations, and some others.
> 3. What measures can small, midsize and large businesses that hook up
> directly to the Internet via SLIP connections and T-1 lines take to
> safeguard their computer systems from Internet security breaches? What
> are the tradeoffs of each approach?
Firewalls and other indirect connections OR reasonable security
procedures on internal systems. Actually both are quite reasonable.
Security breaches are STILL possible, but just like any other security
breach, it's a matter of making sure that you are not the EASIEST and
MOST DESIRABLE target for the criminal. The same theory applies.
Targets will be accessible, easy, high-prize (at least in the estimation
of the criminal) or a hate target. It's really not that much different
from other forms of security.
> 4. Which type of network security measure do you believe to be most
> effective against Internet breaches -- firewalls or data encryption?
> Is there any particular encryption software that you'd recommend?
No. Which kind of food is better, bananas or grain? It's not even
an apples vs oranges comparison. Both have their place, and overhead
costs. For the mid-to-large company, BOTH, but wisely installed
and administered, and even more important, proper training for use
to those who will use the facilities so protected. Just like too
many people have their login passwords written plainly on the desk
"board", too many people would be casual about breaching either
encryption or firewall bridges (i.e. socks). I won't go into the
ways of breaking encryption here.
> 5. What do you think needs to be done in terms of network security
> before businesses and their customers can feel comfortable sending
> confidential data back and forth on the Internet?
Internet connections are safer than faxes. If you're comfortable
sending faxes across the phone, you should feel safe sending E-Mail
via a firewall.
> Please include your title, company name, location and phone number with
> your response so that I can follow up.
Ok, full contact info under separate cover.
Bruce Gingery lcbginge@antelope.wcc.edu
> Rosalind Resnick
> Interactive Communications
> 305-920-5326 (voice)