
Secure Internet-based Electronic Commerce: The View from Outside the US



I've just made a draft copy of this paper available for comment as 
http://www.cs.auckland.ac.nz/~pgut01/paper.htm; a copy of the introduction is 
given below.  The whole thing is around 170K long (40 A4 pages when printed).
If anyone has any comments to make on it, please let me know.
 
Peter.
 
Introduction
------------
 
The creation of a global electronic commerce system will provide an extremely 
powerful magnet for hackers, criminals, disgruntled employees, and hostile 
(but also "friendly") governments' intelligence agencies.  This problem is 
magnified by the nature of the Internet, which allows attackers to quickly 
disseminate technical details on performing attacks and software to exploit 
vulnerabilities.  A single skilled attacker willing to share their knowledge 
can enable hordes of dilettantes around the world to exploit a security hole 
in an operating system or application software within a matter of hours.  The 
Internet also enables an attacker to perform an attack over long distances 
with little chance of detection and even less chance of apprehension. The 
ability to carry this out more or less anonymously, at low cost, and with 
little chance of being caught, encourages attackers.
 
Because of well-publicized break-ins there has been a steadily increasing 
demand for encryption and related security measures to be included in software 
products.  Unfortunately these measures often consist either of "voodoo 
security" techniques where security is treated as a marketing checkbox only, 
or are rendered ineffective by the US government's refusal to allow 
non-Americans access to the same security measures which it allows its own 
citizens. Organisations employing such (in)security systems may make 
themselves liable for damages or losses incurred when they are compromised.  
This paper covers the issues of using weak, US government-approved security as 
well as problems with flawed security measures, examines some of the measures 
necessary to provide an adequate level of security, and then suggests several 
possible solutions.