[2678] in cryptography@c2.net mail archive


Re: PPTP (again)

daemon@ATHENA.MIT.EDU (Black Unicorn)
Wed May 13 10:05:27 1998

Date: Tue, 12 May 1998 23:52:28 -0500
To: pgut001@cs.auckland.ac.nz, cryptography@c2.net
From: Black Unicorn <unicorn@schloss.li>
In-Reply-To: <89503255816736@cs26.cs.auckland.ac.nz>

At 11:09 AM 5/13/98 , Peter Gutmann wrote:
>[Followups trimmed somewhat]
> 
>Black Unicorn <unicorn@schloss.li> writes:
> 
>>I've been watching trends which might suggest that a firm could be sued for 
>>failing to exercise due diligence in their information protection efforts. 
>>Shareholder derivative suits would be the most interesting from a legal point 
>>of view because the cause-effect chain doesn't need to be very strong for one 
>>such to succeed.  So, under what circumstances would Microsoft (which is 
>>exceptionally well represented from a legal standpoint, by the way) be 
>>potentially liable for a security oversight?  
> 
>I wrote a paper on encryption and e-commerce about 2 years ago 
>(http://www.cs.auckland.ac.nz/~pgut001/pubs/icommerce.pdf, rather in need of 
>update in some areas) which briefly covers this issue in the section 
>"Liabilities of Weak Encryption/Poor Security", but from the angle of having 
>stockholders sue the company directors for negligence if they use known weak 
>security and the company stock price slips due to this.  For example everyone 
>even vaguely involved in computers and security knows that US-exportable 
>crypto is no good (it's certainly had press coverage in every imaginable 
>medium),

This assumption, that this is a clear and obvious case to make in court, is
perhaps the cardinal sin of information security "gurus."  Look.  If 40 bit
crypto is your weakest link you are probably in the 99th percentile of
corporate America.  There is no case there.

Is it secure enough for my taste?  No.
Is it secure enough for a court?  Probably.
