[Esd-l] A sticky problem???

John D. Hardin jhardin at impsec.org
Thu Jun 13 10:42:00 PDT 2002

On Thu, 13 Jun 2002, Brent Wallis wrote:

> >>"best-effort" system. Some of the hazards are:
> >>  1. Delivery is not guaranteed.
> >>  2. Timeliness is not guaranteed.
> >>  3. Privacy is not guaranteed.
> >>  4. By itself it provides no authentication of the sender's identity.
> All of these of course are the reasons why PGP and S/MIME (and
> others) are out there..

N.B.: Encryption does not address problems 1 and 2.

> This is one isolated problem that has placed a large number of
> business partners at risk through arrogant ignorance.....what I
> really can't get over is the fact that there are another 400 to
> 500 admins or consultants out there that nodded their head and did
> what was asked of them. Of course, the nature of the problem is
> such that each of those admins may have had their own concerns,
> but are isolated by the fact that they are unable to communicate
> with each other, or are unaware of each other's existence.

Is there a business journal or professional organization newsletter
that they (both the consultants and the businesses themselves) may
subscribe to? Write a letter to the editor, maybe they will publish

You might be able to find a news reporter willing to do an article on

Is there any kind of electronic forum?

> How do we as knowledgeable professionals get the decision makers to
> understand the nuts and bolts of the argument?

I don't really know. There will be some parts that they do have to
rely on our judgement for, such as "good cryptography is difficult".

> How many businesses out there think they are safe and secure? Not
> knowing that one of their main business partners has effectively
> trojaned their networks?

The solution to that is publicity. Decision makers should have good
information upon which to base their decisions. If their decision is
only based upon marketing and PR, you can guess what the quality of
the decision will be.

> But, I agree also that the other users need to be at least tapped
> on the shoulder and told about the problem. BUT client confidences
> and all dictate that we would have to do it with them (our
> client) in the know. As there are potential "million dollar" sales
> contracts in the balance, the unfortunate case of not being able
> to do the right thing is apparent.

What would be the problem? Possibly revealing that your client is
using an insecure system?

> >>Not at all. This is the "Email Security Discussion" list, not the
> >>"Email Sanitizer Discussion" list.
> Cool.....just didn't want to clog it up..:) and thanks again for
> your valued comments.

Thanks for feeling they're valuable... {bask}

Best of luck.

 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
  768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76 
 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
 "To disable the Internet to save EMI and Disney is the moral
  equivalent of burning down the library of Alexandria to ensure the
  livelihood of monastic scribes."
                                    -- John Ippolito of the Guggenheim
   344 days until The Matrix Reloaded
