News from PANUG/BizNix - May 15, 2003
http://panug.org - http://biznix.org

PANUG MEETING

The PANUG meeting is tonight at 6:15 pm at Novell's office near Washington Square. See the PANUG Web site for directions.

The main presentation will be on Firewall Appliances, presented by Peter Brant from SonicWall. Pete will address the following issues in his presentation:

- Recent news regarding state legislation making firewalls illegal.
- Throughput: how many users can use a specific device before you need to look at a different product/model.
- Appliances as a VPN endpoint, including a demonstration of client VPN software.
- Using firewall devices not only to connect different offices, but also to connect remote, mobile users.

SECURITY THROUGH OBSCURITY
by Ed Sawicki - Accelerated Learning Center / Tailored Computers

Today's article by Bruce Schneier on Encryption and Wiretapping (http://panug.org/14) presents a solid example of how security devices that are developed without public review are not very secure at all. Bruce's example is encrypted telephone communications and the ease with which law enforcement can tap an encrypted voice stream.

A more provocative example that Bruce did not mention, but which proves the point just as well, is the 1986 bombing of Libya by the United States. You may recall that the U.S. raid was in response to the bombing of a West Berlin discotheque that killed two U.S. soldiers. Intercepted encrypted radio messages between Tripoli and the Libyan embassy in West Berlin revealed that Libya was responsible for the bombing.

The security-through-obscurity angle in this affair had to do with Libya purchasing its encryption equipment from a Swiss firm called Crypto AG. The firm was later discovered to have links to the German intelligence community and the U.S. National Security Agency (NSA). Crypto AG embedded the decryption key in the ciphertext. Those who knew where to look could monitor the encrypted communication.
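To make the "key embedded in the ciphertext" point concrete, here is an added toy example (constructed for this newsletter, not Crypto AG's actual design or any real product's code): a stream cipher whose header field looks like a nonce on the wire but is really the session key, beside an honest version whose header is a true random nonce, and the check a reviewer with the design in hand would run against both. The function names, the 8-byte key length and the SHA-256-based keystream are all assumptions made for the illustration.

```python
import hashlib
import os

KEY_LEN = 8  # toy key/nonce length, an assumption for the illustration


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 blocks over key || nonce || counter (not a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def honest_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(KEY_LEN)  # random and independent of the key
    return nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))


def honest_decrypt(key: bytes, message: bytes) -> bytes:
    nonce, body = message[:KEY_LEN], message[KEY_LEN:]
    return _xor(body, _keystream(key, nonce, len(body)))


def backdoored_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # The header looks like a nonce on the wire, but it is the key itself.
    # Both ends interoperate perfectly, so nothing looks wrong to the users.
    return key + _xor(plaintext, _keystream(key, b"", len(plaintext)))


def backdoored_decrypt(key: bytes, message: bytes) -> bytes:
    body = message[KEY_LEN:]  # the legitimate receiver never reads the header
    return _xor(body, _keystream(key, b"", len(body)))


def eavesdrop(message: bytes) -> bytes:
    """'Knowing where to look': read the header as the key and decrypt."""
    leaked, body = message[:KEY_LEN], message[KEY_LEN:]
    return _xor(body, _keystream(leaked, b"", len(body)))


def leaks_plaintext(encrypt, key: bytes, plaintext: bytes) -> bool:
    """Reviewer's check: can a third party read the ciphertext with no key?"""
    return eavesdrop(encrypt(key, plaintext)) == plaintext
```

The check only works because the reviewer can see the design; a user of a sealed box would observe identical behaviour from both versions.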
The NSA knew where to look, and President Ronald Reagan had the proof he needed to order the attack.

Countries using the Crypto AG equipment, such as Libya and Iran, thought they had secure encrypted communications channels because the equipment came from a manufacturer in a neutral country. They didn't. There was no way for them to verify the effectiveness of the equipment because these were black boxes whose algorithms couldn't be scrutinized by cryptographers. These days, to have a secure communications channel, you'd build your own encryption boxes using free software that has already been scrutinized by an army of cryptographers.

DISCLAIMER

PANUG and BizNix welcome contributions from all members. Member contributions do not necessarily represent the official positions of PANUG or BizNix. If you don't contribute, the views of members who contribute frequently may appear to be the official position of the group(s).