HP3000-L Archives

September 1999, Week 3

HP3000-L@RAVEN.UTC.EDU

From: Neil Harvey <[log in to unmask]>
Reply To: Neil Harvey <[log in to unmask]>
Date: Sun, 19 Sep 1999 09:53:57 +0200
Slightly off topic..

I'm reminded of an ethereal session I had with my client's auditors.

We were about to put an interactive Internet site live, and patients and
doctors would have access to detailed information about themselves and their
own medical claims and history. This information had been available for
years directly from the HP3000, via paper sent in clear text, faxes etc.

The client's auditors' objections were violent. I listened for a while, and
then asked for their indulgence, while I called the client's help desk on a
speaker phone. At the beginning of the call (after 5 minutes of being
re-assured that my call was valuable, all to the inevitable strains of
Mantovani and the Thousand Strings :)), I was "challenged" for a member
number and surname, and was then given any information I wanted, in clear
voice, to the mounting discomfort of the beanies.

After receiving gobs of sensitive information, I thanked the operator, and
suggested that the client make this information available over the internet,
to which the operator replied "we are working on it in our IT department,
and we can't wait for it to happen".

I rested my case, and the site went live.

Jens always says that if you have someone "sniffing" your network, you have
much bigger problems than can be solved via SSL, VPNs, encryption etc.

Regards

Neil
-----Original Message-----
From: Wirt Atmar [mailto:[log in to unmask]]
Sent: 18 September 1999 04:29
To: [log in to unmask]
Subject: Re: Telnet encryption


Richard rightly writes once again:

> This got me thinking, while I suppose I support the goal of simple,
> transparent secure communications, let's not panic anyone. Telephone,
> fax, cell, two-way radio, snail mail, face-to-face, etc., communications
> have been mostly in the clear for years. How many businesses encrypt
> their postal mail communications? Why don't more businesses use
> encryption now for pre-Internet communications?
>
> Eavesdropping on a telnet session is easy like wiretapping is easy, only
> it's harder as we all move to fully switched local networks. To do it,
> one must be in the right place at the right time with the right equipment.
> There may be clever hacks that copy streams of data off of Internet
> routers, just like someone can intercept business mail, but someone must
> have wanted to listen.

[snip]

> Call me naive, but for the most part, it seems to me that nobody out there
> much cares about the data passing by and encryption may often be just a
> waste of time and energy. It is the exceptions that need special
> attention, not the routine - or else, the whole business world needs to
> change habits of plain communications across the board (Internet and
> pre-Internet media).

Let me wholeheartedly agree with Richard. I've never considered security to
be that much of a problem, especially on the HP3000. It is a business
computer after all. I consider much of the security fears that people have to
be those whipped up by the people who want to sell you some sort of solution
-- and as a consequence, those fears tend to be all out of proportion to the
actual threat. As I have told a number of you, I regard much of the material
that you hear nowadays the equivalent of adult boogey-man stories, stories
best told around a campfire deep in the woods, just before bedtime.

There are only two places where wiretapping (either on a phone network or the
internet) is easy: at either the source's location or the receiver's. Once
the message gets out into the public or packet-switched network, it is
extremely difficult to find. In that regard, a university campus (or
similarly large organization populated with inquisitive, technically
competent people) is probably the only/best place for someone to observe
passwords as they pass through the local LAN segment. The passwords are there
in the clear, and observing them would then allow easy access to any part of
the local host system they wished to enter.

Nonetheless, because the HP3000 is a business computer, and because the
stories are so prevalent, for simple business reasons, some form of
encryption is probably necessary, if merely to assuage fears.

Personally, I could live without encryption, but that's another part of the
discussion on which I wouldn't mind hearing people's thoughts. I have no qualms
about putting a simple encryption/decryption routine into QCTerm. The
algorithm I proposed earlier is about as secure as you're going to get
without getting into patented (and therefore royalty-demanding) routines. And
if the keytext and keyoffset values were changed often, encrypted messages
would be generally quite secure. Moreover, whatever is done, it has to be
SIMPLE, especially at the HP3000 end. The proposed routine is that also.

But, on the other hand, I have no desire to do more work than absolutely
necessary, thus comments are appreciated.

Wirt Atmar.
