[NTLUG:Discuss] OT? security comparsion
Leroy Tennison
leroy_tennison at prodigy.net
Thu Nov 17 04:59:32 CST 2005
Neil Aggarwal wrote:
>Terry:
>
>Using your analogy, I think it is like putting the key in an envelope,
>writing the word "Key" on the outside, and leaving it on top of the doormat.
>
>Anyone that is looking will have full access to whatever you are sending.
>
>If they are looking in the first place, they have some mischievous
>or malicious intent.
>
> Neil
>
>
>--
>Neil Aggarwal, JAMM Consulting, (214) 986-3533, www.JAMMConsulting.com
>FREE! Valuable info on how your business can reduce operating costs by
>17% or more in 6 months or less! http://newsletter.JAMMConsulting.com
>
>-----Original Message-----
>From: discuss-bounces at ntlug.org [mailto:discuss-bounces at ntlug.org] On Behalf
>Of Terry
>Sent: Tuesday, November 15, 2005 10:50 PM
>To: NTLUG Discussion List
>Subject: Re: [NTLUG:Discuss] OT? security comparsion
>
>On 11/15/05, Neil Aggarwal <neil at jammconsulting.com> wrote:
>
>
>>Terry:
>>
>>How does that add security?
>>Someone can just unzip the file.
>>
>> Neil
>>
>>
>
>It's not a high level of security by any means, but it's better than
>just straight text in the body of an email that you can see in the
>packets as they travel across the Internet.
>
>It's kind of like leaving the key under the door mat vs leaving the
>key hanging out of the door knob. Someone just walking past the
>house will see the key in the door knob but they won't see it if it's
>under the door mat.
>
>
>
>>
>>-----Original Message-----
>>From: discuss-bounces at ntlug.org [mailto:discuss-bounces at ntlug.org] On Behalf
>>Of Terry
>>Sent: Tuesday, November 15, 2005 6:08 PM
>>To: NTLUG Discussion List
>>Subject: Re: [NTLUG:Discuss] OT? security comparsion
>>
>>On 11/15/05, m m <llliiilll at hotmail.com> wrote:
>>
>>
>>>Hi All:
>>>
>>>A lot of security experts say sending important on the internet is not a
>>>good idea.
>>>It is true. But a lot of advantages make people willing to send important
>>>information over internet.
>>>Pay by credit card online is one of the example.
>>>
>>>
>>Probably the easiest measure you can take is just write to a text file
>>and then compress it and send as attached .gz or .zip file. I
>>usually use .zip
>>i.e.
>> edit file.txt
>> [my sensitive information, passwords etc.]
>> zip file.zip file.txt
>>
>>Send file.zip as attached file.
>>
>>_______________________________________________
>>https://ntlug.org/mailman/listinfo/discuss
>
>--
><><
>
Although it's somewhat academic, an issue we aren't considering is the
size of the transmission. If the zip file is more than one packet, they
had better have all the packets. If it's clear text, having anything is
having all of whatever you capture. Unless it's store-and-forward (like
email where it can reside for some length of time on one or more
devices), capturing a transmission en route is quite difficult. If you
have ever taken a trace on a busy network you have seen that it can be
100s of packets a second. You had better know what you are doing. The
real danger is at the end points where the transmission originates or
has to come back together. Out "in the middle of the 'net" packets can
take different routes to their destination (not to mention the high
volumes). Capturing an entire message there is almost impossible with
one exception: single packet messages. This is probably the big risk of
Web transactions: your response (such as an account number) can travel
in a single packet.

Other relatively simple solutions are to send whatever you are
transmitting in pieces and by different methods. Need to provide a
credit card number? Send every third digit by one of three methods:
email, fax and phone message. A second solution is what I call
obfuscating (hope I spelled it right). You embed (scatter) the real
data in the midst of irrelevant data (a credit card number in four
strings of 75 numbers each). Only you and the recipient know the scheme
for extracting the real data. Although it's like encryption in a way,
it's not encryption; there's no actual scrambling or software involved.

As has already been mentioned, the real concern may well be the
recipient and how well they take care of what you entrust to them. We
have recently had a couple of major incidents involving large financial
institutions mishandling data. One shipped a tape unencrypted. The
other issue was the result of inappropriate activity by a
sub-contractor. There is virtually no defense against a disgruntled,
dishonest or even careless employee. This is why I view all these
privacy statements as a big joke. Anybody can put policies and
procedures in place but are they followed (don't answer that question).
Anybody can establish punishments but those require being caught (and
probably proven guilty).
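
The two positions in the quoted thread (a zipped attachment does not show up as readable text in the packets; anyone can just unzip it) can be checked from a defender's side. This is an added example, not part of the original posts: a content scan looks for card numbers in an attachment's raw bytes and again after decompressing it. The function names and the sample text are constructed for illustration; 4111 1111 1111 1111 is the widely used test card number.

```python
import gzip
import io
import re
import zipfile

# 13-19 digits, optionally separated by single spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Constructed sample text; the number is a standard test value, not a real card
SAMPLE = "Card number: 4111 1111 1111 1111, exp 01/30\n"

def luhn_ok(digits):
    """Luhn checksum, used to discard digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_cards(text):
    """Return the Luhn-valid card-like numbers found in text, digits only."""
    digits = (re.sub(r"\D", "", m.group()) for m in CARD_RE.finditer(text))
    return [d for d in digits if luhn_ok(d)]

def unwrap(blob):
    """Return the text inside a .zip or .gz blob; no key or password is involved."""
    if zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return "\n".join(zf.read(n).decode("utf-8", "replace") for n in zf.namelist())
    if blob[:2] == b"\x1f\x8b":  # gzip magic bytes
        return gzip.decompress(blob).decode("utf-8", "replace")
    return blob.decode("utf-8", "replace")

def pack(text, kind):
    """Build a constructed .zip or .gz attachment in memory."""
    if kind == "gz":
        return gzip.compress(text.encode())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("file.txt", text)
    return buf.getvalue()

def scan(blob):
    """Return (hits in the raw bytes, hits after decompression)."""
    return find_cards(blob.decode("latin-1")), find_cards(unwrap(blob))

if __name__ == "__main__":
    for kind in ("zip", "gz"):
        print(kind, scan(pack(SAMPLE, kind)))
    print("plain", scan(SAMPLE.encode()))
```

Both compressed forms give no hit on the raw bytes and one hit after unwrapping, and no password or key is needed at any step.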