Sex, Drugs & Technology
By Carole Fennelly
Once upon a time, Rock music was blamed for society's ills. People
were warned about hidden messages in The Beatles' songs. Although I
wasn't much of a Beatles fan, I attentively listened for these
"messages" and somehow still managed to survive those formative years
without joining a Satanic Cult. Every generation contends with
fear-mongering stories catering to paranoia, and Social Engineering's
effectiveness at manipulating people's views, further illustrated by
the proliferation of bogus virus warnings, has landed cryptography in
the crosshairs.
Tales of child pornographers, pedophiles, and drug dealers using
cryptography to conceal their nefarious activities seek public
sympathy and call for government action to curb such criminal
activities. Obviously, anyone using encryption *must* have something
to hide. Commonly heard arguments seemingly assume that anyone using
encryption is hiding criminal activities. This may be true in some
cases, but legitimate reasons also exist for protecting data. For
example, cryptography assures the validity and ownership of encrypted
data. Ironically, the U.S. government's desire for weak cryptographic
systems undermines the validity of evidence found online.
Recent news stories indicate terrorists are leaving hidden messages on
Web sites through the evil science of cryptography. The "breaking
news" essentially points out that bad guys are streamlining their
operations with computers. Well, duh! I bet they use phones as well!
Adding a more frightening twist, readers learn that "the messages are
scrambled using free encryption programs set up by groups that
advocate privacy on the Internet." Those damn privacy groups....
http://www.cnn.com/2001/TECH/internet/02/06/terrorists.internet.ap/index.html
Yet another story claims these tech-savvy terrorists use
steganography, as well as cryptography, to hide their secret messages.
Steganography is based on the notion of communicating without the
communication being noticeable. The Greeks practiced steganography by
writing messages on couriers' heads. People who intercepted the
couriers, unable to find any messages in their possession, let them
pass. The receiving General, however, knew where to look. Presumably,
terrorists are embedding their encrypted data in pornographic files
(those immoral terrorists), which are then extracted and deciphered by
the intended recipients. Despite vague references to "unnamed" sources
and "closed door" meetings, no one has made *any* evidence supporting
these claims publicly available. Strangely enough though, the same
computer security company is heavily quoted in both stories.
Law enforcement agencies assert that encryption protects criminals and
hinders police efforts to protect the public. Jumping on the
opportunity to expand their surveillance activities, authorities
employ such tools as the "Clipper Chip" and Carnivore - the e-mail
spying program. In response to the public’s outcry over privacy, the
FBI is changing the name from "Carnivore" to the less
threatening-sounding "DCS1000". I feel better already.
http://news.cnet.com/news/0-1005-200-4769965.html?tag=mn_hd
We're supposed to trust our government and believe it is concerned
with our safety; however, law enforcement agencies extend beyond a
single entity, comprising hundreds of thousands of individuals.
Agencies may enforce non-disclosure policies, but agency employees can
still break them. Those considering a career move to the private sector
- not an uncommon occurrence - pose a particular risk. Wouldn't
gathering information about future clients and competitors be nice? A
DEA Agent recently charged with selling confidential information to a
private investigation company represents just one of many cases
involving an official abusing his position.
http://www.usdoj.gov/usao/cac/pr2001/007.html
http://www.securityfocus.com/news/142
People fear what they don't understand, and the average person doesn't
understand anything ending with "-ography". When in doubt, blame
technology.
About the author(s)
----------------
Carole Fennelly is a partner in Wizard's Keys Corporation, a company
specializing in computer security consulting. She has been a Unix
system administrator for almost 20 years on various platforms, and
provides security consultation to several financial institutions in the
New York City area. She is also a regular columnist for Unix Insider
(http://www.unixinsider.com). Visit her site (http://www.wkeys.com/) or
reach her at carole.fennelly@unixinsider.com.
Copyright 2001 ITworld.com, Inc., All Rights Reserved.
http://www.itworld.com
Received on Mon Feb 19 01:03 CST 2001