Re: REVIEW: "Network Security Essentials", William Stallings

From: Walter Roberson (roberson_at_ibd.nrc-cnrc.gc.ca)
Date: 04/28/04

    Date: 28 Apr 2004 21:36:06 GMT
    
    

    In article <c6p1lo$jie$1@kestrel.csrv.uidaho.edu>,
    johns <johnsxxx@mudbog.edu> wrote:
    :Correction: make that "acceptable loss" $48 billion
    :according to the Federal Trade Commission. That
    :is everybody I guess. Meaning what? Meaning that
    :you "security experts" have not a clue !!!!!

    Oh, some of us have a clue or three.

    I don't do any business on ebay, so the possibility of my being ripped
    off by ebay's security is zero. No-one can fake my credit card information
    into ebay or any other electronic service, or copy my credit card
    info in the back room of some restaurant, because I don't have any
    credit cards at all. No-one can secretly record the PIN on my ATM
    or debit cards, because I don't have any of those either.

    I do my banking in person, at the branch my account is at, and each
    time a teller does not recognize me, the teller looks up my signature
    on file: even if the teller has seen me there before and knows my
    face but has not -personally- looked up my signature before, they take
    the time to look it up. I never -ever- complain about the "delay"
    because the checking tells me that they are taking the time to ensure
    that my money is kept secure.

    My bank account uses a passbook, which I regularly update, and each
    time I get it updated, I examine it for unexpected transactions or
    strange codes, and I question everything that I don't expect.

    No-one can use my SSN for identity fraud, because I don't have
    an SSN ;-) In Canada, you are only required by law to give the equivalent
    number for a small number of purposes directly related to taxes,
    and any business that asks for my number as a form of ID will not
    be given it -- even if it means that I have to take my business elsewhere.

    Oh, and no-one can use my driver's license for identity fraud either:
    I don't have one of those either.

    My point here is not something arcane such as "all those things are Evil":
    my point is that security is about controlling risks, and some of us have
    the sense to control those risks that are under our control. The mechanisms
    that I use to control personal risks have associated costs and benefits,
    and I fully respect anyone who takes the time to evaluate the costs
    and benefits as would apply to their situation and comes up with different
    choices as to what is acceptable to them and what is not.

    Risks such as that someone might have their paypal password phished from
    them are NOT under my control. That doesn't mean that I "have not a clue":
    it means that I do not have a martyr complex that leaves me feeling
    responsible for righting all the wrongs in the electronic world.
    *** happens, and I do NOT accept the guilt or worthlessness that you
    would dump on me for my not having come up with mathematical or
    electronic solutions to social problems that have existed for all of
    known history.

    -- 
       Entropy is the logarithm of probability   -- Boltzmann
    
