Security Advisor
P.J. Connolly

Cryptography tools abound, yet we rarely use them. Are they really only for crooks?

I WAS THINKING ABOUT cryptography the other day while reading about the rift between Phil Zimmermann and Network Associates over just how much of the PGP (Pretty Good Privacy) source code will be published. For crypto fans, this is the equivalent of Martin Luther nailing his Theses to the cathedral door. For the rest of us, it's just another corporate fight. But bigger questions in my head won't go away. Why haven't we taken more interest in encryption and digital signing of e-mail? More importantly, why aren't we using the tools we already have? Even I, your Security Watch guru, can't be bothered to use the crypto and signing features of my e-mail.

Although the stories contained in crypto books are ancient history in Internet time, people's squeamishness about crypto remains. When the Feds -- be they CIA, FBI, NSA, or Treasury Department -- discuss crypto, they make it sound as if anyone using it must be a child pornographer, drug smuggler, or terrorist. This attitude pervades mainstream media, despite the observation that journalists might be more interested than others in acquiring secure communication tools. I wonder if the various governmental smear campaigns against crypto are achieving their goals.

Not that these tools are hard to come by. On Windows, crypto and signing are included in the bundled Outlook Express, and more advanced features can be had for little or no cost or effort from a number of vendors. Of course, in countries other than the Land of the Free and the Home of the Braves, there are restrictions on what you can use. Even if you don't use PGP, having Netscape Navigator or Windows 2000 can be enough to get a traveler into hot water with another country's customs service. I'm planning to leave my laptop at home when I visit the West Indies next month, in part to avoid the possibility of a hassle with U.S. Customs.

It seems that few people are taught how to enable crypto, perhaps because many IT shops just don't want to deal with the backlash from users inconvenienced by the extra resources that a PC uses during encryption and decryption routines or by the problems of lost keys and unreadable messages.

In today's flood of e-mail messages, encrypted traffic sticks out like a sore thumb. If I were investigating a criminal enterprise, I'd be tempted to assume that when folks are using crypto, they must be hiding something. But this contradicts casual observations that underground organizations often prefer low-tech, but proven methods of communication. The slogan "When crypto is outlawed, only outlaws will have crypto" may ring true, but I expect that outlaws prefer to use more open channels and hide in the crowd.

Another problem with many crypto offerings is that they can leave you vulnerable to forensic-grade tools that can pull data from supposedly deleted files, including the temporary files that your e-mail application uses as a placeholder for the message before it's encrypted. It seems to me that the only way to get a truly secure solution is to write a mail application that has the encryption built in at the most fundamental level, so that even if temporary files are recovered, they may be rendered useless.

At the same time, I don't want to think about how many people are using weak passphrases -- a sequence that is hashed together with a random salt to produce the encipherment key -- which might be easy to remember, but won't stand up under a brute-force attack. It's kind of like buying the best deadbolt available, only to leave the key under a flowerpot on the front porch.
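As an added illustration (not part of the column), the following Python example shows why salting a passphrase hash does not rescue a weak passphrase: it derives a key from passphrase plus salt, then estimates how long an exhaustive search of the passphrase space would take. The PBKDF2-HMAC-SHA256 derivation, the one-million-guesses-per-second rate and the ten-year threshold are assumptions chosen for the demonstration.

```python
import hashlib
import math
import os
import string

KDF_ITERATIONS = 100_000          # assumed work factor; slows each guess an attacker makes
SYMBOLS = set(string.punctuation + " ")


def derive_key(passphrase: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Hash the passphrase together with a random salt to produce a 256-bit key.

    The salt gives two users with the same passphrase different keys and defeats
    precomputed tables, but it does not enlarge the space an attacker who has the
    salt must search: that space is still just the set of likely passphrases.
    """
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=32)


def new_salt() -> bytes:
    """Fresh random salt, as the column describes (assumed 128 bits)."""
    return os.urandom(16)


def alphabet_size(passphrase: str) -> int:
    """Size of the smallest character set the passphrase appears to be drawn from."""
    size = 0
    if any(c in string.ascii_lowercase for c in passphrase):
        size += 26
    if any(c in string.ascii_uppercase for c in passphrase):
        size += 26
    if any(c in string.digits for c in passphrase):
        size += 10
    if any(c in SYMBOLS for c in passphrase):
        size += len(SYMBOLS)
    return size


def entropy_bits(passphrase: str) -> float:
    """Generous upper bound on brute-force entropy: log2(alphabet ** length)."""
    size = alphabet_size(passphrase)
    return len(passphrase) * math.log2(size) if size else 0.0


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Exhaustive search finds the passphrase halfway through on average."""
    return 2 ** (bits - 1) / guesses_per_second


def rate_passphrase(passphrase: str, guesses_per_second: float = 1e6) -> dict:
    """Verdict: 'strong' if the expected search takes at least ten years (assumed bar)."""
    bits = entropy_bits(passphrase)
    seconds = expected_crack_seconds(bits, guesses_per_second)
    ten_years = 10 * 365.25 * 24 * 3600
    return {"bits": bits, "seconds": seconds, "verdict": "strong" if seconds >= ten_years else "weak"}
```

Note that the estimate is an upper bound: a passphrase taken from a dictionary falls far sooner than its character-class entropy suggests.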

Are there crypto success stories out there? I suspect that the kinds of shops using crypto are also the kinds of shops that don't talk about their work, but I hope some of you will write and tell me that crypto is working for your company, and how so. Until I'm convinced otherwise, I have to stick with the position that crypto is just more trouble than it's worth, and that it's likely to lull you into a false sense of security. Prove me wrong at pj_connolly@infoworld.com.


Test Center Senior Analyst P.J. Connolly once deciphered the message on the back of a cereal box.
Copyright © 2008, Reprints, Permissions, Licensing, IDG Network, Privacy Policy