"It is irresponsible to sell a product in a way that can be so easily misused by a customer in a way that jeopardizes their confidential and proprietary and sensitive information," Clarke said.
In fact, it's the industry's "dirty little secret": If you use your company's networks or the Internet, your daily online communication activity--from sending and receiving email and instant messages to using the Web--can be, and in all likelihood are, trivially monitored by others.
Toward what end? Think about it.
When I was a boy, my friends and I would occasionally play tricks on girls in our neighbourhood, quietly sneaking over to their homes, opening Ma Bell's little grey box mounted on the side of their parents' home and tapping into their nightly gabfests with a telephone that we'd brought over. Just mischievous kid stuff?
Dream on.
Industry pundits found it quite unsettling at a conference recently when, without permission, Web images being received by their wirelessly connected laptops were grabbed "off the air" and displayed onstage, live. It also works for wired networks: Programmers have been building "sniffers" such as Dsniff and EtherPEG for years, for law enforcement, amusement and profit.
Your company's network administrators can watch anything you do that flies by on their wires. So can the people who keep the servers and routers running all night long at your Internet service provider.
But they wouldn't do that, would they?
In order to protect you, corporate information technology administrators are hard at work solidifying the "great firewall" around your organisation--keeping the outside out, and the inside in. But at the same time, you need to work from home. And increasingly, you need to work closely with business partners and customers, but the IT group won't give them VPN (virtual private network) access because doing so would expose too much.
So how do you get your work documents and presentations through the firewall? Many of us send them home as email attachments. Or, like former CIA Director John Deutch, we take them home on memory cards.
But how safe is the confidential information on our laptops? Once, many years ago in Paris, I walked into my hotel room and found the chambermaid moving nervously away from my computer. "Je jouais le solitaire (I was playing solitaire)," she said. Hmm.
So how did we get ourselves into this situation, and what should we do about it?
Surely the industry can--and should--take a good share of the blame, as should the government. Internet pioneer David Reed recently pointed out that in the early years, efforts to incorporate end-to-end encryption into the base standards of the Net were reportedly discouraged for reasons of national security.
But "weak encryption" is no longer a reasonable excuse for insecure systems. It's clear by now that real security comes not just from strong crypto, but from recognising and embracing human strengths, frailties and common behaviours in building, managing and using complex systems. People are always the weakest link.
The industry also needs to explore new approaches to secure systems. Although Public Key Infrastructure (PKI) works within a well-managed enterprise environment, work relationships now commonly cross enterprise boundaries into domains of questionable trust. And third-party "notaries" don't help much; they introduce significant risk: When VeriSign was fraudulently duped into issuing Microsoft certificates to an unknown party in early 2001--with little reported recourse--utopian visions of "outsourcing identity and trust" crumbled.
Enterprises need, and must demand, more cellular approaches to trust and secure information-sharing, such as peer trust, Webs of trust and fine-grained federated trust. The "Great Wall" approach is outdated, with the distinction between inside and outside becoming blurred. We need alternatives to the firewall and VPN models of protection.
But there's no need to wait. There are practical actions that can be taken immediately and inexpensively. For example, Windows XP supports an Encrypting File System that is very useful for laptops; buy the upgrade, turn it on and password-protect computers. Both Microsoft Exchange and Lotus Notes support enterprise message encryption--if IT departments would simply use it. These are just a couple of alternatives.
We've been through years of asbestos and tobacco liability suits. Will liability for IT complacency be next? Someday, some shareholder is going to lose quite a bit of money because an electronic message was "sniffed," or "spoofed." Someone's health or financial records are going to get into the wrong hands. A design will be compromised; someone will get hurt.
And at that point, network television cameras are going to be focused on a lawyer who's asking a company executive, or a government official, "Sir, were there reasonable alternatives at the time?"
Are you safe from a cyberattack? What protection do you use?
Insecure protocols
A large part of the problem is that people ignore the security options available to them because they're "too hard". Security always costs ease of use, though how much varies. Do _you_ encrypt your email? No? I didn't think so. There are free tools to do it, and low-priced commercial ones that are a bit easier to use. So the reason is probably "its too hard".
If we all used PGP or S/MIME for email, tunneled POP3, IMAP and SMTP over SSL (encrypted connections) and/or used IPSEC (encryption for all network communications), plus set _good_ passwords on PCs for boot and screensaver, the issue would be much reduced. Similarly, using HTTPS not HTTP for web access where possible would help. Oh, and DO NOT EVER USE TELNET, that's what ssh is for.
The options are all there, but nobody uses them because products encouraging them are seen as too difficult and don't sell. Users are idiots. They'll get around security to make things easier.
_this_ is the real problem.