Firewalls: Re: VNPs and things --

Firewalls
(April 1996)

Indexed By Thread: [Previous] [Next]

Subject:	Re: VNPs and things --
From:	"Marcus J. Ranum" <mjr @ clark . net>
Organization:	V-One Corporation, Baltimore, MD Office
Date:	Mon, 22 Apr 1996 02:20:57 -0400 (EDT)
To:	mjr @ v-one . com
Cc:	Firewalls @ GreatCircle . COM
In-reply-to:	<no.id> from "mjr" at Apr 22, 96 02:01:07 am
Phone:	410-889-8569
Reply-to:	mjr @ v-one . com

[Warning: late-night rambling alert!]
I write:
>In order to support online
>banking/brokerage applications for thousands of users, RSA

	That should read "thousands of simultaneous users." 
(i.e.: hundreds of thousands or millions of registered users)

	Lots and lots of people are trying to figure out how to
make money over the Internet. The problem is that all the currently
thought-of ways to make money involve large volumes of transactions.
Large volumes of transactions are a nasty problem because they
have to be FAST and CHEAP and if they involve security then
you are up against the universal law:

		Cheap, Fast, Good - pick any two

	It's simply not going to work if every E-cash transaction
costs $.001 for processing, but the processing bureau needs a
warehouse full of CRAYs.

	We security dweebs have our work cut out for us!! If
all the commercial firms that are eyeing the 'net as their
future playground, they have to find a model that is profitable,
and if it's security significant that means that we security
dweebs need security that violates the universal law and is
simultaneously cheap, fast, and good. I don't have the reference
but one analyst group (Yankee, I think it was) has even published
conclusions that indicate that nobody actually cares a fig
for security for Internet transactions; they only care because
the New York Times said it was a problem. The interesting
conclusion Yankee made was something to the effect that if
all the Internet's security problems were fixed tomorrow, it
would not be noticeably better as an environment for doing
the kind of commerce that is currently being done.

	What I wonder, though, is if anyone *KNOWS* that is
currently being done! In my wanderings this last year, I have
seen things being schlepped across the 'net, with no security,
that absolutely terrify me. Patient medical records, military
logistics(!) bank transactions, stock trades -- all manner of
completely, mind-bogglingly scary stuff. But it's OK because
it hasn't made the New York Times. Yet.

	Perhaps the security model of the future is the
"school of fish" technology. Assume that if all the fish
"just do it" a few will get snapped up and eaten but the
vast majority will continue to cheerfully swim and spawn
and be happy. Come to think of it, that's the "security
model" for credit cards. I'm getting cynical in my old
age, aren't I?

mjr.
----
Chief Scientist, V-ONE Corporation  --  "Security for a connected world"
work            http://www.v-one.com
personal        http://www.clark.net/pub/mjr/mjr-top.html

Follow-Ups:

Re: VNPs and things --
From: Chris Woods <cjwoods @ Paladin . COM>
Re: VNPs and things --
From: Dermot Tynan <dtynan @ fws . ilo . dec . com>

Indexed By Date	Previous:	Re: digital unix firewall From: thierry agassis <thierry @ osftag . geo . dec . com>
Indexed By Date	Next:	RE: Stopping Fakemail (smtpd-port25) From: Dale Walker <speed!icr . com . au!dale @ oznet02 . ozemail . com . au>
Indexed By Thread	Previous:	Re: VNPs and things -- From: Darren Reed <avalon @ coombs . anu . edu . au>
Indexed By Thread	Next:	Re: VNPs and things -- From: Dermot Tynan <dtynan @ fws . ilo . dec . com>