[Esd-l] A sticky problem???

Brent Wallis brent.w at infosynergy.com.au
Wed Jun 12 23:00:02 PDT 2002 

John and others,
Thanks for the responses(some personal). So far all confirm my own thoughts.
As I said before, sometimes we can get caught up in ourselves, and it's good
to get positive, feedback that confirms ones own thoughts and
philosophy.....some comments below:

> 1. In my mind, data interchange via SMTP is like using a butter
> knife to cut spread concrete...it works, but there are far better
> and more efficient ways. SMTP is for messaging between users, not
> unattended data interchange. Does everyone agree? or do I have
> that wrong?
>>Email is absolutely not guaranteed reliable. It is only a
>>"best-effort" system. Some of the hazards are:
>>  1. Delivery is not guaranteed.
>>  2. Timeliness is not guaranteed.
>>  3. Privacy is not guaranteed.
>>  4. By itself it provides no authentication of the sender's identity.
Well yes, we all take that as given, have you ever tried explaining that
to an AI (see below) individual?...I don;t recommend it if you want to keep
your sanity..:)
All of these of course are the reasons why PGP and S/MIME (and others) are
out there..

>>Basing critical business functions on email is at best stupidity, at
>>worst negligence.
Herein lies the crux of the issue, fighting what I call
"arrogant ignorance"...AI..:-)

I am sure everyone has met someone whose personality type precludes the
words
"I am wrong", mixed with ignorance, it's a dangerous practice and very
difficult to deal with in a business environment.
This type of problem seems rampant in the IT B2B field in this country.
All the sharks and know it alls have come out to play..

Ignorance of the security issues is a grave concern. This person in
particular has adoptd a head in sand strategy....or even worse, thinks that
the learning is over, and that they know everything they need to carry out
development on the Internet...of course, all of us know that continued
learning in Internet security is a must if we are to be effective.

This is one isolated problem that has placed a large number of business
partners at risk through arrogant ignorance.....what I really can't get over
is the fact that there are another 400 to 500 admins or consultants out
there that nodded their head and did what was asked of them. Of course, the
nature of the problem is such that each of those admins may have had theior
own concerns, but are isolated by the fact that they are unable to
communicate with each other, or are unaware of each others existence.

> 2. Anyone that tells me they have invented an encryption algorithm
> that no-one knows about just tells me they are full of crap and
> alarm bells start ringing....what do you think?
>
>To misquote Bruce Schneier: anybody can invent a crypto system that
>they themselves cannot break. This, of course, says nothing about the
>true security of the system.

>Why Cryptography Is Harder Than It Looks:
>   http://www.counterpane.com/whycrypto.html

> Tune your bullshit detectors:
>    http://www.counterpane.com/crypto-gram-9902.html#snakeoil
Interesting reads....thanks:)


> I should point out that this is not a call to have something
> changed in the sanitizer.

>I'd be willing to take a look at their pseudo-MIME and see if it's
>salvagable or not...
I may call on you later to assist me. This whole thing is becoming more and
more like a perfect subject for a "potential thesis" by the minute..:)
How do we as knowledgable professionals get the decision makers to
understand the nuts and bolts of the argument.
How many businesses out there think they are safe and secure? Not knowing
that one of theie main business partners have effectively trojaned their
networks?

> It's just fine and works well, I am more focussed on whether or
> not I am on the right track and would appreciate comment from any
> angle.

>Do you think they're at all open to rational discussion of the
>shortcomings of their method? If not, you're probably wasting your
>time.
Just like any fanatic (this guy is definitely an MS fanatic..) rationality
is not in the agenda.
Nope I unfortunately have "lost" this one, but my client has thankfully
understood my concerns. They are not fools and
will keep this particular system on a standalone machine with a dialup email
account. Experience tells me that what goes around comes around... karma is
such a wonderful leveler.:)

> This is very important in terms of what I am having to deal with
> in the e-Commerce sector, and I want my facts absolutely
> correct(and real world anecdotes from you guys) before taking the
> next step, which would be informing the other 400 or so businesses
> that use this program that they have a security issue to deal with

>>Suggestion: If it's that easy to crack, then crack it, show them that
>>you can crack it, and tell them that you'll publish the details on
>>bugtraq in two weeks (or a month if you're feeling generous) unless
>>they make honest efforts to address the security problems.

Hmm, well that's a whole new debate...:)....when I have done this, I have
always carried out the process in FULL VIEW of the target and with express
permission. Although tempting, I couldn;t do as you suggest, it's against my
working method, besides, I am acting on behalf of someone else.

Of course, these guys brought up the "this is our software and you can't
look at it....blah blah blah..." which only gives me more cause for concern.
I reckon they spend so much time in the land of lies that they actually
start believing themselves.

>>I would see it as my responsibility to not allow others to unknowingly
>>rely on a system with provably bad security.

True, and if our client had not listened to our concerns, we would have
stopped working for them. We have done this many times with others because
of blatant security breaches that 3rd party "gurus" have intorduced into
their system/network.
Walking away gains respect because it shows that we value our security
philosophy over business. I want to me remembered for the former rather than
the latter.

But, I agree also that the other users need to be at least tapped on the
shoulder and told about the problem. BUT client confidences and all dictate
that we would have to do it with them (our client)in the know. As there are
potential "million dolar" sales contracts in the balance, the unfortunate
case of not being able to do the right thing is apparent.
However,the fact remains that a glaring security hole exists. In order for
me to approach the problem in the correct quarter. I will spend time
ensuring my facts are correct......before.....:) well I know a few people in
the media that will be interested...:) and everyone loves a monopoly
"bash-in" ... As I said before, I want to get the facts....the years of
kneejerk over-reaction to false positives are over for me....I am too damn
old...:)

One point to note is that retail industry in this country (my calling was a
buyer for 20 years before my IT degree) is almost closed. There are several
large players, and the control their suppliers mostly with threats...an un
fortunate problem when it comes to this to say the least


> John my appologies if this is off centre, but the sanitizer is a
> part of this and I would be interesetd in other experiences that
> may be similar to this...

>>Not at all. This is the "Email Security Discussion" list, not the
>>"Email Sanitizer Discussion" list.
Cool.....just didn;t want to clog it up..:) and thanks again for your valued
comments.

Brent Wallis

 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
  768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76
 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
 "To disable the Internet to save EMI and Disney is the moral
  equivalent of burning down the library of Alexandria to ensure the
  livelihood of monastic scribes."
                                    -- John Ippolito of the Guggenheim
-----------------------------------------------------------------------
   345 days until The Matrix Reloaded

More information about the esd-l mailing list