RE: Carnivore Update - Public Does Not Care
From: Quark Physics [mailto:meuon@highertech.net] Sent: Sunday, November 26, 2000 6:43 AM
extra trouble to install it. The proof is the market penetration of PGP. Only the geeks tend to use it and SSH is only used by SA geeks. The general market DOESN'T CARE!
The following parallels what our marketing department found out (after launch, unfortunately <sigh>).
We see roughly several levels of clients:
70% - "Huh? We're secure, only I have the root password" (actual quote)
10% - Encryption is hard, how about we ZIP the file we send via FTP? (not bad, it helps...)
These guys, 80% of the market, will not pay for it either. They will not buy software packages and they will not buy services either. They don't see a problem. Can we say "myopic"?
10% - SSL encrypted XML posts.
5% - SCP (SSH) file transfer, known keys on each side + passwords.
This last 15%, are mostly self-serve and actually know that there is a problem. But, they won't purchase, they don't need to, they're self-serve. This is where most of us, on this list, fall.
5% - Hardware encryption, leased line, keys for hardware encryption and passwords delivered in separate parts by different people after identity verification. No physical connections to gateway systems. (Federal Reserve, Chase Manhattan Bank...)
The unknown tier, many of them are banks where minimum security is a regulatory thing. It's a part of doing business. I'm not sure, that if left to their own devices, that they wouldn't join the majority in their apathy.
Until real data encryption is built into the Operating Systems and all software... --mike--
As long as we have Federal Export restrictions, on encryption products, this will continue to be an optional add-on (Win2K high-encryption pack ain't that bad. But, it is an add-on, one has to use the update service to install it).
We were actually surprised that the good banks are pretty tight and without real regulations that say exactly what to do. In technology reviews, we've been asked about Van Eck sniffing, encrypting data while in RAM, and some pretty impressive other stuff. Of course the bank is the one with the money at stake. What worries me, is my experience with corporate style IT management tells me they only get that paranoid after being burned a few times. Must have been some expensive lessons. --Mike--
I think you'll find it varies from institution to institution. Even the big guys get sloppy. While sitting in the back of a cab @ a stoplight in NYC, my 802.11 wireless card lit up. I was able to browse quite a bit of a well known financial institution's network before the light changed.... And back to on-topic, AutoWeek had an interesting article (column actually) this week on Spam.