*BSD News Article 63202


Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!bunyip.cc.uq.oz.au!munnari.OZ.AU!news.hawaii.edu!ames!usenet.kornet.nm.kr!xpat.postech.ac.kr!news.dacom.co.kr!usenet.seri.re.kr!news.cais.net!news.jsums.edu!gatech!news.mathworks.com!uunet!in2.uu.net!news.artisoft.com!not-for-mail
From: mday@Artisoft.COM (Matt Day)
Newsgroups: comp.os.linux.development.system,comp.os.linux.misc,comp.os.linux.networking,comp.unix.bsd.freebsd.misc,comp.unix.bsd.netbsd.misc,comp.unix.bsd.bsdi.misc
Subject: Re: need secure OS to entrust millions to
Date: 27 Feb 1996 16:47:17 -0700
Organization: Artisoft, Inc.
Lines: 56
Message-ID: <4h0565$eq9@coyote.Artisoft.COM>
References: <4gi6t6$3h9@lace.colorado.edu> <4gssap$4ki@news.mountain.net>
NNTP-Posting-Host: coyote.artisoft.com
Xref: euryale.cc.adfa.oz.au comp.os.linux.development.system:19032 comp.os.linux.misc:90811 comp.os.linux.networking:31203 comp.unix.bsd.freebsd.misc:15207 comp.unix.bsd.netbsd.misc:2428 comp.unix.bsd.bsdi.misc:2602

In article <4gssap$4ki@news.mountain.net> rprowel@nttc.edu (R. Prowel) writes:
>In article <4gi6t6$3h9@lace.colorado.edu>,
>   wilcoxb@cs.colorado.edu (Bryce) wrote:
>>-----BEGIN PGP SIGNED MESSAGE-----
>>
>>I'm writing documentation which advises banks on how to
>>set up an electronic banking software package on a
>>Net-connected, firewall-protected Intel box.  Some of the
>>most important banks in the world will be reading this
>>documentation very soon.  The current version of the 
>>documentation, which I inherited, advises them to run
>>FreeBSD or BSDI.  I'm considering changing this
>>recommendation to Linux.  
>
>My recommendation for your clients is DON'T!  I am a privacy and
>security advocate who has a real problem with any financial 
>transactions taking place over public networks such as the 
>InterNet.  I refuse to do business with entities who are so
>irresponsible as to move any records containing information about 
>me across public data networks.
>
>Don't be naive.  The concept of an absolutely secure network
>connected system is a pipe dream.

Of course networks can't be absolutely secure, but it's a nice goal.
Airplanes crash from time to time, despite the enormous safety and
reliability measures taken to prevent it from happening, but it doesn't
stop people from using airplanes (and heck, if your plane crashes, I'd
say you're much worse off than if some network cracker gets your Visa
card number).  So the challenge is figuring out the most secure ways to
go about providing the Internet financial services that customers are
begging for.  And in my opinion, a system can be crafted which would
provide at least the same level of reliability that you'd expect from a
commercial airline.  I'm not saying it would be an easy task, but I
don't think it's impossible either, especially for a commercial
organization.  I especially think the current level of reliability
protecting people (PIN numbers, credit card numbers, signatures,
etc...) can be matched by an Internet banking service.

To the person who asked the original question: I suggest you immerse
yourself in the large amount of literature available on network
security, computer security, and cryptography before considering giving
advice to banks.  You need to be at LEAST as smart as the network
crackers out there to protect something like an online bank against
attack.  All you have to do is read a few of the recent CERT advisories
to realize just how intelligent and clever the network crackers are.
And to most typical network crackers, online banks will be the prime
cracking target.  You may want to consider consulting with a few
network security specialists before presenting a formal proposal to
anyone, and you'll probably want to hire a team of experts to actually
bring the system online safely.  Just slapping a firewall on the
network will not be sufficient by any means.

Good luck!  I'm looking forward to banking on the 'net.

Matt Day <mday@artisoft.com>