[2697] in cryptography@c2.net mail archive


Re: Liability and Fear Mongering.

daemon@ATHENA.MIT.EDU (Arnold G. Reinhold)
Thu May 14 12:40:27 1998

In-Reply-To: <199805140440.AA06656@world.std.com>
Date: Thu, 14 May 1998 07:29:02 -0400
To: Black Unicorn <unicorn@schloss.li>
From: "Arnold G. Reinhold" <reinhold@world.std.com>
Cc: pgut001@cs.auckland.ac.nz, cryptography@c2.net

At 11:40 PM -0500 5/13/98, Black Unicorn wrote:
>
>I would like organizations to implement strong security measures but I
>recognize that their budgets might not permit the kind of expenditure that
>is required to really get your hands around enterprise wide security and in
>that case I am suggesting strongly that assessment services, particularly
>those that leave damning memos lying all over and no budget to fix the
>failings noted therein, be avoided.  (This is especially so since we have
>identified this rock-and-a-hard-place situation as a hard-sell tactic which
>is seeing increased use, and which the article you cited demonstrates
>aptly, thanks).
>
The Computerworld article specifically addresses justifying a larger budget
for data security by quantifying potential losses. If that is a hard-sell
tactic, so be it.

>I'm also pointing out that there is an economy to the process of designing
>security solutions and that the scare tactics which involve exaggerated
>claims of massive liability, particularly by those with no degree in law,
>should be recognized for what they are.  Fluff.
>
The Internet and electronic commerce are still in their infancy, but
growing at an extraordinary rate. I would question the advice of anyone,
law degreed or not, who claims to know how liability issues will play out
in this industry. There is a middle ground between "The sky is falling!"
and "It says encryption on the box so we're ok." Not using known defective
products is a prudent place to start.

When your friend wants to establish a secure computer link between his law
firm and that insulated, attorney-client-privileged engineering lab so they
can exchange damning memos, will you advise him to use PPTP?

>Finally I note that you can do it right without shooting yourself in the
>foot later.
>
>In short:
>
>Buy what you need.
>Need what you buy.
>
Here we can finally agree.

>Was it my spelling that threw you off?  I'll try harder next time.
>
No, just the length. You might add "Authority through verbosity" to the
excellent list you posted yesterday.


Arnold Reinhold


