Sent in to me by Gary —

I am interested in computer security. I have been ever since I worked at what was Coopers & Lybrand in their Computer Audit Assistance Group in the 1980’s. Their have been at lot of changes since then, but I think there are a couple of areas were we have not made much progress.

We have virus checkers and we have spam checkers. Microsoft has improved security so much that popular humor columnist Dave Barry wrote that with their security features enabled, it was impossible to either send or receive email. Security for the “corporate” environment has improved, well at least the entire mail system is not being shut down these days by script viruses, but no one is looking out for the needs of the small business and home user.

I have the ability to send digitally signed and encrypted email. I have had it for years. Every year, I test it to make sure I still know how to use it. I thought, maybe, if I used a secure method to identify myself, people might not be afraid to open my emails, but hardly anyone uses digital signatures or encryption. When we check our email, we are told we only open mail from entities you trust. We trust what we see. Despite the fact that we are told how easy it is to generate fake emails.

The protections against Identity Theft and fraud are a joke. Last month in the Boston Globe, two reporters wrote how they forged each others identity and had fraudulent credit cards in days.

There are computer security and identity mechanisms which can be used to help protect us. I wish people would start using them.

There are quite a few firms that offer help in these area. My opinion is that, unfortunately, most of them are more interested in exploiting computer security for profit than in making computers more secure. The same goes for identity theft. Until we get financial institutions more interested in protecting our identities than in how many new cards they can issue, we are in trouble.

Wide spread adoption of computer security and identity management is required and that is not going to happen unless there are some major changes.

There are a few organizations that are trying to promote a more “trusted computing” environment.

There is the free thawte web of trust at http://www.thawte.com/wot/ for acquiring personal email certificates.

There is a more extensive effort by the folks at CAcert.org. They offer free digital certificates for a variety of purposes. I was certified by a member of their board of directors. I am a Notary Public in Massachusetts. In my opinion, CAcert’s free certification process is just as valid as the State of Massachusetts.

I have looked into getting certificates from other sources, however, when they tell me its $400.00 (or $600 or more) per year I don’t pursue it, but their certification and approval process is basically the same. And I am pretty sure the person who would approve me, is sort of like me, but with a few more restrictions on what he could do. Restrictions like if the payment clears and the person has no outstanding felony warrants in the local police jurisdiction, he gets a certificate. So what, he also wants to take flight lessons (but just for taking off, landing is not necessary), that’s not my problem.

Quite honestly, given the shafting the public has gotten from such corporate stalwarts as Enron and Worldcom, I am more inclined to trust the little guys.

When I worked at Coopers and Lybrand (PriceWaterhouse Coopers in its current incarnation) I worked on a little project evaluating a manufacturing software package for its security features. As it turned out, my assessment got me into hot water. Another Coopers office called the partner in charge of my unit and said, what is this guy trying to do? We want to do business with these folks and we can’t have one of our staff members saying that “one of the primary security concerns for this package is that it be properly installed and administered”. I should say, for the most part, I saw a lot of good work done at Coopers; however, there were instances where I thought they could be investigated under the Racketeer Influenced and Corrupt Organizations (RICO) act.

There are legitimate concerns about the security mechanisms I am alluding too. But way to often, I think we are just nitpicking.

I remember reading this in the ACM’s February 2002 Forum. “Hello World Gets Mixed Greetings”. A teacher puts forward an example of a first programming assignment, and generates a lot of controversy. The example program took around 10 lines of code, the comments explaining its deficiencies filled up pages. It’s a first assignment, not OOP in a nutshell. Unfortunately, this is a good example of what you can expect from your colleagues.

I think the computer security world should shift its focus from trying to get it perfect, to getting people to use start using existing technologies and to committing to be responsive to needed changes.

The benefits of using the existing technologies outweigh the potential cost of them being exploited. There are billions of dollars being lost in fraudulent transaction every year with existing safeguards, but if we believe we will totally prevent fraud, we are sadly mistaken.

I hope the folks at www.CAcert.org are successful. I hope that someone stops the folks who have sent me hundreds of emails offering penis enlargement. I hope we come to our senses and realize that we can’t trust the FROM field in our emails and that all of our lives would be easier if all computer code was signed and that we could have assurance that the developers identity could be verified.