[3673] in cryptography@c2.net mail archive
RE: Is a serial cable as good as thin air?
daemon@ATHENA.MIT.EDU (Brown, R Ken)
Mon Nov 30 10:19:15 1998
From: "Brown, R Ken" <brownrk1@texaco.com>
To: cryptography@c2.net, "'dianelos@tecapro.com'" <dianelos@tecapro.com>
Date: Mon, 30 Nov 1998 08:54:01 -0600
> Dianelos Georgoudis[SMTP:dianelos@tecapro.com] described a security system
> and then asked:
>
> Here is the question: Is this as good as thin air?
The answer has to be "no" because you are introducing extra complexity.
There is more to go wrong.
> Can you see any way a hacker could use such a connection
> to penetrate the bank's network?
No, but that doesn't mean *they* can't :-) Presumably you are talking about
a situation where instructions posted on the web server from home users
cause changes to be made in their accounts? In which case if the web server
is compromised it could in principle be used to issue false instructions
that conform to the expected format, however they were transmitted, serial
cable or floppy disk.

If I was a bank I would be very wary of proposals like "We would write our
own transmission protocol." That seems to introduce yet more complexity,
not to mention maintenance effort and undiscovered bugs. It would seem safer
(more conservative a bank might say) to use off-the-shelf code which had
been tried and tested (& for which source code was available if you really
cared about security).