From mboxrd@z Thu Jan 1 00:00:00 1970
From: Dan Cross
Message-Id: <200109250227.WAA19696@augusta.math.psu.edu>
To: 9fans@cse.psu.edu
Subject: Re: [9fans] Plan 9 versus CORBA?
In-Reply-To: <20010925012306.16242.qmail@g.bio.cse.psu.edu>
References:
Cc:
Date: Mon, 24 Sep 2001 22:27:27 -0400
Topicbox-Message-UUID: f2e96dc0-eac9-11e9-9e20-41e7f4b1d025

In article <20010925012306.16242.qmail@g.bio.cse.psu.edu> you write:
>Link level encryption of any sort sucks, because it serves as an excuse
>to not insure proper end-to-end integrity. Easily sniffable wireless
>ethernet focuses people's attention in a beautiful way.

Unfortunately, that's just not the case, though. 802.11 encryption
was, as you say, a bandaid. I think its intention was largely to put
the barrier to entry for sniffing wireless Ethernet on par with that
required for sniffing ``normal'' Ethernet (where, obviously, you'd need
a wire or sensitive equipment to pick up latent radiated energy from a
wire). Now, the response isn't to focus on the problem, but to try and
``fix'' 802.11. A lot of people who are putting in, eg, end-to-end
crypto are doing so ``temporarily'' until the problems with the
wireless LAN are ``fixed.''

The real problem is that too many people hear a word containing the
letters ``crypto'' and automatically assume that word is equivalent to
``security.'' As we all know, and as history and the world in general
have painfully demonstrated time and time again, reliance on
cryptography alone only gives a hollow sense of false security.
Attacks on crypto are rare in comparison to attacks against, eg, the
reliability of software and the vulnerabilities inherent in code
generated by lazy programmers.

What's really needed is a holistic approach, that takes into account
the ``big picture'' of security, and which emphasizes that there is no
magic pill that one can swallow to provide blanket security, and that
true security can only be achieved through a combination of
complementary techniques.

But, good luck selling that one. :-(

	- Dan C.