Office Futures
ECW2
Issue 2, September 20, 1999
+++ Security
+++ Great Press Releases of Our Time (2)
+++ Potemkin Villages and Pipes -- More Notes from a Small Island
+++ Coming 'round the corner
+++ About eComWatch
+++ Security
It's been a busy week for security followers, as the Butler Group reports: "A crack team [boo!] of international cryptographic researchers has broken part of the security code for Internet banking transactions. The group of researchers, at the Dutch National Research Institute, rose to the challenge to break the RSA 512-bit encryption used for international protection protocol."
This laborious task took them over five months to complete and required that the group find the two prime numbers required to generate a single RSA key.
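As an added illustration (not part of the newsletter), the arithmetic behind that sentence: once the two primes behind an RSA modulus are known, the private key follows in a few lines, which is why factoring effort sets the key's real strength. The primes below are constructed toy values; trial division stands in for the months of sieving the 512-bit break needed.

```python
# Added example: why recovering the two primes of an RSA modulus breaks the key.
# Toy-sized constructed primes stand in for the 512-bit modulus in the article;
# the arithmetic is the same at any size, only the factoring cost differs.
from math import gcd, isqrt

def is_prime(x):
    """Deterministic trial-division primality check, fine for toy sizes."""
    if x < 2 or x % 2 == 0:
        return x == 2
    return all(x % k for k in range(3, isqrt(x) + 1, 2))

def make_key(p, q, e=65537):
    """Build an RSA key from two primes: public (n, e), private exponent d."""
    assert is_prime(p) and is_prime(q) and p != q
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1          # e must be invertible mod phi
    d = pow(e, -1, phi)              # private exponent
    return n, e, d

def factor_by_trial_division(n):
    """Recover (p, q) from n. Feasible only for toy moduli; for a 512-bit n
    the 1999 team needed the Number Field Sieve and months of machine time."""
    for cand in range(3, isqrt(n) + 1, 2):
        if n % cand == 0:
            return cand, n // cand
    raise ValueError("no odd factor found")

def private_exponent_from_factors(p, q, e):
    """The whole 'break': with p and q in hand, d is one modular inverse."""
    return pow(e, -1, (p - 1) * (q - 1))

def demo():
    p, q = 10007, 10009              # constructed toy primes
    n, e, d = make_key(p, q)
    message = 123456                 # constructed plaintext, must be < n
    cipher = pow(message, e, n)      # encrypt with the public key only
    p2, q2 = factor_by_trial_division(n)
    d2 = private_exponent_from_factors(p2, q2, e)
    # The recovered d equals the real one and decrypts the ciphertext.
    return d2 == d and pow(cipher, d2, n) == message
```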
The United States has decided to loosen the provisions that treat strong encryption as a munition of war and strictly limit its export. The paranoid instantly concluded either that the NSA had broken strong encryption (usually well-informed sources have maintained for some time that the US security services have broken 128-bit encryption) or that export authorization would come with the price tag of back doors built into the software. The latter looks likely to be true at any rate. There is also a new bill on its way to Congress, called the Cyberspace Electronic Security Act of 1999 (CESA). It contains these words: "The failure to provide law enforcement with the necessary ability to obtain the plaintext version of the evidence makes existing authorities useless." Key escrow, in other words. Here we go again. However, another proposal is that the prosecution may present decrypted files in evidence without divulging by whom, where or how they were decrypted.
Finally, and to add to the joy of nations, a file called nsa.key was found in the Windows operating system, leading to speculation that Microsoft was so worried that spooks would have trouble finding the key to crack local encryption that they had better signpost the door clearly.
The game of security leapfrog continues. Encryption systems which we were told a couple of years ago would take the entire computing resources of the planet for the rest of the life of the universe to crack now routinely fall to 27 kindergarten 286s networked together. The banks boldly stand up to be counted: they claim no one can compromise their security, and please don't mention phantom withdrawals from ATMs -- they don't happen. And governments proclaim the citizen's right to privacy while maintaining their own right to read your mail or eavesdrop on your phone calls.
Security is the lynchpin of confidence in e-commerce, yet the Internet was built with insecurity designed in. To make matters worse, the PC -- our standard tool for accessing it -- makes a sieve look watertight by comparison.
It is clear that for as long as Moore's Law applies, brute force methods will continue to overtake fixed security standards. This is no different from the offline world, where the tools available to the bad guys to rob our homes, steal our cars or counterfeit our money develop apace with the measures we take to prevent them.
It is interesting to reflect that, given the choice of worrying about the bad guys compromising our security, or the good guys in the person of our wise and beneficent governments, most of us in and around the IT industry probably worry more about the government. The man, and woman, in the street worries more about the security measures in industry.
-oOo-
+++ Great Press Releases of Our Time (2)
Well, we didn't have to wait long. This week it was British Telecom's turn to send in an example of the 'guess the connection' school of press release writing. Slightly less contrived than BancTec's "Julia Roberts was here" effort last week, theirs goes like this: "What do Clyde Blowers and British Airways have in common?".
One obvious answer is 'hot air' but a better one would be 'sootblowers' (see www.clydeblowers.co.uk/corp/corpboi.htm), as anyone who lives near a large airport will confirm. The right answer, though, is that they are both finalists in this year's BT eBusiness Innovation Awards. You knew that all along, of course.
Out of a sense of duty, we strolled over to the site ( www.awards.abfl.co.uk/), to see who else was in the running. First in the list is Argos, the catalogue operation, which has built an intranet to expedite matters in its supply chain. (It's now engaged on a more urgent exercise -- see No Sale, next issue).
Next is Avon & Somerset Constabulary, with a communications project aimed at crime reduction in partnership with "the community" (i.e. anyone who isn't a copper or a villain). Nearly every result it cites is, in fact, of crime detection, not reduction. For instance, there is the arrest of a man "for GBH (grievous bodily harm, for our overseas readers) on a pregnant woman". The miscreant, having done the dirty deed in Bristol, was arrested in Blackpool, fully 150 miles away, only a day and a half after his picture was sent electronically to the national media.
A good thing to have happened, clearly, but hardly innovative. Nearly ninety years have gone by since the first arrest brought about through electronic communication with "the community". It was in 1910 that wireless messages to and from the captain of a ship in mid-Atlantic led to the arrest in Quebec of that murderous medic, Dr Hawley Harvey Crippen (see www.met.police.uk/police/mps/2hq/2nh/2nh-hi02.htm). That really was a first.
Other organizations on BT's short-list include Bristol City Council (using mobile 'phones inside car park pay-and-display machines, something Reigate and Banstead Council were doing over two years ago), Dell, Digilab, ft.com, Future School, Hugur (from Iceland), UPS Europe and Waterstones. The Web site also includes descriptions of the finalists from earlier years (described, with leaden inevitability, as "classics").
We don't wish to attack the notion of industry prizes -- they can motivate and inform, as some of these do -- but too many projects in this collection are past their 'boast until' dates. They should have been weeded out at or before the semi-final stage. Our perception of the rest is not helped by many of the descriptions being badly written and pock-marked by eruptions of the egregious "it's". One expects that from hackers, techies, four-wheel drive enthusiasts and the like but not from people who are paid to write.
Also, only one project description -- that for Dell -- contains the Web address of the organization or project. Either the other entrants didn't have the gumption to include one or else the URLs were edited out. Poorly done, either way.
Bah! Humbug!
-oOo-
+++ Potemkin Villages and Pipes -- More Notes from a Small Island
Last issue we wrote of the government of Prince Edward Island's Potemkin IT village, being built around a local Oracle developer and the local telco, which is still shaking off the cobwebs of a century of monopoly.
The debate here has continued and it must reflect the situation in dozens of jurisdictions that are fighting to get a slice of the IT revolution. Part of the interest of the situation here is that we are being forced to look at successful e-commerce and try to identify the characteristics in terms simple enough to present to local bureaucrats and then contrast those with the related characteristics which form the base of their policy.
For example, a chum at the local college referred to the fact that the Internet is content driven and that much of the clever technology of the Web has been built up to circumvent inadequate infrastructure. By contrast, the government here started off with a province-wide broadband network that, for cost reasons, is inaccessible to the private sector. As most bureaucrats use it only for e-mail (and in my experience communicating with them by e-mail is almost a guarantee of no reply), it is several million dollars' worth of Potemkin village. He points to the parallel case of universities and colleges investing heavily in infrastructure but allowing content development to die on the vine of interdepartmental squabbles.
Some South Sea islanders developed cargo cults in which they would build airstrips in the hope that airplanes would magically appear and distribute Coca Cola and all the good things of civilization. Their present day equivalents may be the bureaucrats busy building pipes.
Is it fair to create a list of value pairs, one of which typifies a successful e-commerce approach, the other of which has universality as the preferred route of bureaucrats everywhere? Fair or not, it's amusing. So here's our list -- please contribute.
Can anyone instance a highly successful site that follows the values of column two, or cite any project from a bureaucratic organization that reflects a majority of the values of column one?
Clearly, it's not as black and white as portrayed here. There was a vigorous debate about the bureaucracy imposed on Amazon's support staff, for example. But modelling is always fun -- the question is whether there are now enough successful sites to begin assembling models which illuminate and guide.
-oOo-
+++ Coming 'round the corner
This isn't a technology newsletter but it would be quixotic of us to ignore the occasional advance that looks as though it would make a real difference to electronic commerce. We are often alerted to these by reading Jeffrey Harrow's Rapidly Changing Face of Computing. This is a free online technology journal that, unlike many of its kind, has an editor who uses a periscope rather than a microscope to see what's going on around him. We're fans and recommend it to you. Go to www.compaq.com/rcfoc and see why.
In the latest issue, Jeff discusses electronic paper. This is, in fact, made of plastic and contains minute elements of pigment that can be switched on and off electrically. There are two main offerings in prospect at the moment -- epaper, from Xerox, and E Ink, from an MIT spin-off of the same name. (Go to www.parc.xerox.com/dhl/projects/epaper/ and www.eink.com/, and to RcFoC, for more.)
We don't propose to discuss those details here but, instead, to consider some of the implications of its use. I can see reusable and/or erasable paper catching on, provided it is priced and marketed appropriately (a large proviso, given Xerox's history of non-exploitation of its research).
One snag, or virtue, is that one can see this material ("Virtual Palimpsest" <tm>?) occupying a legal status lower than that of email. It has neither the permanence of paper nor the traceability of email or a Web page. One could envisage the incorporation in it of some kind of digital key, so that it could be made more or less proof against forgery but that would still not stop it being erased. In other words, the document would either be completely legitimate or it would be completely false (in other words, erased and then either written over or left blank).
That opens up some interesting possibilities. There could be passwords or "Mission Impossible"-style instructions issued on it. These would be 'read once only', being erased within, say, five minutes of the encryption key being applied. The National Security Agency in America would just lurve that falling into the hands of spies, drug dealers and all the other bogeymen it purports to be fighting against (see Chris's piece on security in this issue.)
We'll be watching developments and reporting significant news. Meanwhile, if you can't wait for the products to arrive and can't afford to keep setting fire to tape recorders, you might like to have a look at 1on1. This is a new, and free, email service that lets you specify the life of any message once it has been received. After the expiration of that period, the 'autoshredder' destroys the message. There are all sorts of other security measures built in, its designers say, including a disabling of cut and paste and 2,048-bit security en route. For details and a download, go to www.1on1mail.com/index. (Note: We have not tested it or spoken to its designers, so don't construe this mention as a recommendation.)
-oOo-
+++ About eComWatch
eComWatch is edited and published by Roger Whitehead and Christopher Ogg. Copyright Roger Whitehead and Christopher Ogg, 2002. eComWatch may be circulated freely in its original format with copyright notice intact. For permission to reproduce any article,