[2684] in cryptography@c2.net mail archive


Re: PPTP (again)

daemon@ATHENA.MIT.EDU (Arnold G. Reinhold)
Wed May 13 14:42:12 1998

In-Reply-To: <199805130505.WAA08345@blacklodge.c2.net>
Date: Wed, 13 May 1998 13:23:00 -0400
To: Black Unicorn <unicorn@schloss.li>, pgut001@cs.auckland.ac.nz,
        cryptography@c2.net
From: "Arnold G. Reinhold" <reinhold@world.std.com>

At 11:52 PM -0500 5/12/98, Black Unicorn replied to Peter Gutmann as follows:
>
>This assumption, that this is a clear and obvious case to make in court, is
>perhaps the cardinal sin of information security "gurus."  Look.  If 40 bit
>crypto is your weakest link you are probably in the 99th percentile of
>corporate America.  There is no case there.
>
>Is it secure enough for my taste?  No.
>Is it secure enough for a court?  Probably.

There is an article by Laura DiDio in the May 11 Computerworld, p.6, titled
"Get lawyers, insurers to sell security plans." She cites security managers
at 25 major corporations as advising: "Enlist the aid of company lawyers
and insurance carriers who can graphically demonstrate the legal,
regulatory and financial risks of lax security." You can find the full text
at http://www.computerworld.com by searching on "lawyers insurers".

While I am no fan of the American tort system, it has forced many sectors
of the economy to take the potential views of courts into consideration
when making design decisions. On the whole this has led to better designs.
Fear of litigation has proven to be a powerful way to get engineers to do
their jobs properly and to get their managers to heed safety
recommendations.

One reason that product liability has not yet affected the computer
security industry may be the slow speed of our legal system. Look how long
it took for the tobacco litigation to come to fruition. But courts have
shown considerable understanding of technical issues in recent computer
cases.

By the way, the issue here is not 40-bit crypto, but PPTP using RC4 keys twice.

"Is it secure enough for a court?" Does your employer really want to find out?


Arnold Reinhold
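The key-reuse point made in the message above ("PPTP using RC4 keys twice"), as an added illustration that is not part of the original post: a textbook RC4, one constructed sample message per tunnel direction encrypted under the same key, and a check showing that the keystream cancels so the two ciphertexts XOR to the two plaintexts (known traffic in one direction then exposes the other). The derive_direction_key function is an assumed mitigation for the demonstration, not anything PPTP itself did.

```python
import hashlib

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key scheduling (KSA) followed by output generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt; RC4 is a stream cipher, so both are the same XOR."""
    return xor_bytes(data, rc4_keystream(key, len(data)))

def keystream_cancels(k1: bytes, k2: bytes, p1: bytes, p2: bytes) -> bool:
    """True when c1 XOR c2 == p1 XOR p2, i.e. the keystream dropped out because
    both directions were encrypted under the same RC4 key (a two-time pad)."""
    n = min(len(p1), len(p2))
    return xor_bytes(rc4(k1, p1)[:n], rc4(k2, p2)[:n]) == xor_bytes(p1[:n], p2[:n])

def derive_direction_key(master: bytes, direction: str) -> bytes:
    """Assumed mitigation (not PPTP's own): a distinct key for each direction."""
    return hashlib.sha256(master + b"|" + direction.encode()).digest()[:16]

# Constructed sample traffic for one tunnel, one message in each direction.
MASTER = b"constructed-session-key"
P_OUT = b"client->server: GET /payroll.csv"
P_IN = b"server->client: 200 OK, salary data"

if __name__ == "__main__":
    print("same key both ways, keystream cancels:",
          keystream_cancels(MASTER, MASTER, P_OUT, P_IN))  # True
    k_out = derive_direction_key(MASTER, "out")
    k_in = derive_direction_key(MASTER, "in")
    print("per-direction keys, keystream cancels:",
          keystream_cancels(k_out, k_in, P_OUT, P_IN))  # False
```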
