
Conference 7.286::dcu

Title: DCU
Notice: 1996 BoD Election results in 1004
Moderator: CPEEDY::BRADLEY
Created: Sat Feb 07 1987
Last Modified: Fri Jun 06 1997
Last Successful Update: Fri Jun 06 1997
Number of topics: 1041
Total number of notes: 18759

424.0. "Easy Touch via term." by GIAMEM::HOVEY () Tue Jan 21 1992 14:01

    
    	Would there be any merit to having direct access to your DCU
    account info via the tube ? Inquiry info such as what is available per
    "Easy Touch" plus some additional account info such as " checking 
    account transactions " etc.. 
    	This might alleviate some workload handled by the Member Services
    Org..
    	What issues may arise ? Any more than currently using "Easy Touch"?
    
    	I'm sure this is an old issue. 
    
    
T.R  Title  User  Personal Name  Date  Lines
424.1. "" by CVG::THOMPSON (Radical Centralist) Tue Jan 21 1992 14:21, 14 lines
	This is something I'd love to see. I have a PC class system at home
	as do many DCU members. More still have terminals and modems. A
	simple dial up system could be great. I'm sure that transfers and
	balances information could be obtained much easier this way. Also
	it would make it easy for people to obtain the latest information
	on all sorts of DCU options.

	I could also see the possibility of filling in loan applications on-line
	and saving people trips and mail.

	The big issue is security. But lots of banks have been offering this
	sort of thing for years so it's a problem with solutions.

			Alfred
424.2. ".1 - sounds good" by GIAMEM::HOVEY () Tue Jan 21 1992 16:16, 9 lines
    
    	Security should be no more or less an issue with this system than
    anything else we currently use, but I'm not an IS person. 
    	Wouldn't the loan applications and approval process via the net be
    a great service ? You could look up date processed, approval date,
    etc..
        Also to be able to see what checks clear, etc. would be nice.
    
    	
424.3. "Absolutely, but for another reason..." by GIAMEM::MUMFORD (Dick Mumford, DTN 244-7809) Wed Jan 22 1992 11:04, 10 lines
    Another angle to consider is access.  I am hard-of-hearing, and using
    the EASY-TOUCH system is always an adventure for me - the only way I
    can be "sure" of what's going on is to follow the printed brochure I
    have.  Of course, verifying balances and such which requires the
    ability to hear well is hit-or-miss.
    
    I'd love to see this feature added, for this and all previously-stated
    reasons.
    
    Dick.
424.4. "" by BUNYIP::QUODLING (Woods for Pres !!!) Wed Jan 22 1992 16:01, 7 lines
    And if they were smart, they could have up-load/down-load capability
    for Quicken, MYM, MYOB, and several of the other PC home accounting
    packages...
    
    
    q
    
424.5. "" by AZTECH::WAGNER (It'sBetterToBurnOut, ThanFadeAway.) Thu Jan 23 1992 22:08, 27 lines
When members of DCU (management or whoever) were out here at CXO (Colorado 
Springs) holding the meeting on Paymate, I asked the person putting on the
meeting if it would be possible to have net access to Paymate.

	"I was wondering if we'd ever be able to access Paymate from the
	 Net. I think it would be much easier than using the phone. Then
	 instead of having to enter an id number for each account, the
	 user could just have a DECwindows interface where they clicked on
	 the account name, entered the $$ amount in a field, and clicked on
	 OK."

I thought it would be pretty slick. He replied something to the effect,

	"We will never have access to DCU [stuff] from the net. There are
	 too many people in Digital that know how to break into a system.
	 The risk of someone getting in and transferring funds, etc., is
	 too high. While something like a DECwindows interface would be
	 nice, the security risk is too high."

Now this has been a long time ago, so the conversation above is in no way
accurate, but the idea present is. He basically said no way, because of
security.

I'd LOVE to be able to have access from the Net, and a DECwindows interface. 
I think it would be really slick.

	James.
424.6. "" by STARCH::WHALEN (Vague clouds of electrons tunneling through computer circuits an) Fri Jan 24 1992 09:37, 7 lines
    re .5
    
    They must know something that Investor Services doesn't; I can sell
    stock by sending electronic mail, and that is definitely less secure
    than an interactive system that exchanges packets over the net.
    
    Rich
424.7. "re.5" by GIAMEM::HOVEY () Fri Jan 24 1992 13:10, 8 lines
    
    	I can't see why it's any more risky than using the phone. I'm sure
    with all the IS expertise in a company like DEC that there could be a 
    method of accessing data via the net. Even an "Inquiry" type account
    would suffice in some instances. 
    	Is it any more risky than ordering items over the phone using
    charge cards, etc.? As mentioned previously Banks have been doing this
    for years. I think it may even be a better method than "EASY TOUCH".
424.8. "No more risky than phone" by DESTES::ESTES (Dave Estes DTN 341-5224) Fri Jan 24 1992 14:17, 19 lines
I agree that access over the net is no more risky than via the phone. When one
accesses the Easy Touch system you must enter badge number and password. The
same thing could be done for net access with no increase in risk. In fact DCU 
would be wise to allow passwords over the net to be greater than 4 characters.

Furthermore, a major protection of our money is that even if someone breaks into 
my account, they can only 1) see how much (little!) money I have, 2) transfer 
between MY accounts (i.e. not to theirs), and 3) have a check sent to me at my
address on file with DCU.

It seems to me that if the functionality were kept at the level of seeing my
account activity (e.g. balances, deposits made, check cleared, etc) and moving
money between my accounts via the net, that no increase in risk is presented.

I think it's time for DCU to get on-line with the fact that they are here to 
serve Digital Employees! We are also available to lend our expertise (where
present) to help them do the job better.

Dave
424.9. "Enet security is a problem to me" by RGB::SEILER (Larry Seiler) Fri Jan 24 1992 15:32, 49 lines
I wouldn't use it.  The problem is that ethernet is a broadcast network,
and anyone who knows a few simple things can set their network node to
see *ALL* of the packets on their branch of the network!  So every time
you log in remotely across the network, your password goes zinging past 
a large number of nodes -- in clear text.  

I've wished for years that we could have data encryption on the ethernet,
but perhaps this isn't really that major a problem.  After all, to do
this, the cracker (not hacker) has to get privileged access to a node
on the network -- and if they can do that, there are likely other ways
as well that they could break in.  Also, few of the people who have 
privileged access as part of their jobs would ever be motivated to do
this, so it would have to be an outside job.

Now, while I'm ready to trust my fellow employees as a group not to hack
my accounts, I'm not prepared to extend that trust to my financial records.
It's one thing to trust that the DCU employees won't abuse their ability
to access my records, since financial integrity is a major factor in
getting hired and keeping your job when you work for a bank, S&L or CU (*).
But it's something quite different to trust my private data to the enet
community at large.  I don't wish to take that risk -- not even the risk
of letting crackers see my account balances or shift money around (**) -- 
so I do not currently plan to use such a service if it is offered.  I don't
even use the phone service at present, although I might start (***).

	Enjoy,
	Larry

(*)  One of the reasons that I am so very upset about the sneaky way that
the Board has been hiding things from the membership is because it shows
that we cannot trust them as a group to be rigidly honest.  It's just a
prejudice of mine, but I don't want to have anyone touching or seeing my
money who I don't absolutely trust.

(**)  Yes, I use bank machines, and yes, that data goes over various kinds
of networks, too.  The difference is that networks designed for financial
data *should* be designed to be more secure than the Enet!  And even if
they are not, the company running that network is (I think) legally liable
for the security of the network.  I don't think Digital wants to be liable
if a cracker gets into people's financial records over the Enet, nor would
I ask Digital to accept liability.

(***)  It is completely legal to "tap" a phone conversation when that
conversation is broadcast.  Lots of phone traffic is broadcast, e.g. by
microwave links or to/from satellites.  You only need a search warrant to
tap into a data cable.  And you thought the privacy of your phone calls
was protected by law?  The NSA regularly taps broadcast phone calls.
Personally, I'm not concerned about the government tapping into my
financial records -- they see most of them every April anyway.
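
The cleartext-login problem raised in reply .9, shown as an added example that is not part of the original thread: a password sent as-is can be reused by anyone who recorded it, while a single-use challenge-response exchange keeps the secret off the wire. The Server class, badge number and secret below are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample account; badge number and secret are made up.
ACCOUNTS = {"123456": b"correct horse battery"}

class Server:
    def __init__(self, accounts):
        self.accounts = accounts
        self.pending = {}  # badge -> outstanding single-use challenge

    def login_cleartext(self, badge, password):
        # Remote-login style: the secret itself crosses the wire.
        return hmac.compare_digest(self.accounts.get(badge, b""), password)

    def challenge(self, badge):
        self.pending[badge] = secrets.token_bytes(16)
        return self.pending[badge]

    def login_response(self, badge, response):
        nonce = self.pending.pop(badge, None)  # a challenge is valid once
        secret = self.accounts.get(badge)
        if nonce is None or secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def client_response(secret, nonce):
    # The client proves knowledge of the secret without sending it.
    return hmac.new(secret, nonce, hashlib.sha256).digest()

def demo():
    server, badge = Server(ACCOUNTS), "123456"
    secret = ACCOUNTS[badge]
    # 1. Cleartext login: what a listener records is the password itself,
    #    so presenting the recorded bytes later is accepted.
    recorded = secret
    ok_clear = server.login_cleartext(badge, secret)
    replay_clear = server.login_cleartext(badge, recorded)
    # 2. Challenge-response: the listener records only (nonce, response).
    nonce = server.challenge(badge)
    response = client_response(secret, nonce)
    ok_cr = server.login_response(badge, response)
    server.challenge(badge)  # the next session gets a fresh nonce
    replay_cr = server.login_response(badge, response)
    secret_on_wire = secret in nonce + response
    return ok_clear, replay_clear, ok_cr, replay_cr, secret_on_wire
```

A recorded challenge/response pair still lets a listener test password guesses offline, so this only helps with secrets much longer than the four characters mentioned in reply .8; it also does nothing to hide the account data that follows the login.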
424.10. "" by CVG::THOMPSON (Radical Centralist) Fri Jan 24 1992 15:59, 5 lines
	Access by terminal need not be access via the network. The security
	problems are much less if you are just talking about dial up access.
	Not that there aren't still concerns, just fewer.

			Alfred
424.11. "Picky legal details" by LJOHUB::BOYLAN () Fri Jan 24 1992 16:13, 30 lines
Re: .9

> (***)  It is completely legal to "tap" a phone conversation when that
> conversation is broadcast.  Lots of phone traffic is broadcast, e.g. by


If I remember the cases correctly, it is technically legal to listen
in on a wireless telephone conversation (since you can often pick it
up with a simple AM/FM radio!), although it can be illegal to act on
or otherwise make use of information obtained by this means.  ( If
you're planning a crime using a wireless telephone, "they" can listen
and use everything!)

However, it has been established that it is illegal to listen in to
a cellular telephone conversation.  Like a normal, wired telephone,
law enforcement officials must obtain a warrant to monitor cellular
telephone transmissions.

It is also illegal to monitor microwave or satellite links carrying
domestic telephone conversations without a warrant.  (Note the
important word "domestic"!!)

Larry makes an excellent point, though - the telephone company and
banks work hard to make the ATM data links moderately secure.  The
network inside Digital is not the place for data that is personal.
There are just too many holes.

Perhaps dial-in access via modem?

				- - Steve
424.12. "encryption product" by SLOAN::HOM () Fri Jan 24 1992 16:48, 6 lines
There was at one time an encryption product available from Digital.
Only the systems with the black box were able to read/understand
the info.

Gim

424.13. "" by XLIB::SCHAFER (Mark Schafer, ISV Tech. Support) Fri Jan 24 1992 18:38, 3 lines
    I bet the security folks would be uneasy knowing that Digital engineers
    (who design and build the hardware & software) would have access to
    financial systems.
424.14. "Can be secured" by CVMS::DOTEN (stay hungry) Sun Jan 26 1992 14:44, 3 lines
You can encrypt messages on the net, the part is DENSC or something like that.

-Glenn-
424.15. "" by SSBN1::YANKES () Mon Jan 27 1992 12:35, 14 lines
    
    Re: .14
    
    	DESNC, not DENSC.  It's a box that sits between your system and the
    ethernet and encrypts all data going out to the ethernet.
    
    Re: general
    
    	I agree that network security isn't there quite yet (as in products
    shipping and deployed internally) to make me feel happy having DCU
    hooked into the enet.  Without going into detail, though, the technical
    capability is not a long way off...
    
    							-craig
424.16. "True story" by BKEEPR::BREITNER () Tue Feb 11 1992 20:03, 26 lines
A few years back, a local NH financial firm contacted the NH sales office with
the idea of offering on-line services to its DEC customers using VTX and the
EASYnet. Since the concept was clone-able, we ran with it - I was the network
consultant on the opportunity.

Previous replies to the base note have hit upon all the problems actually
encountered. The clear-text packets with passwords and financial info, the
interconnect to a non-DEC entity and the concerns and power of the External
Access Committee. The unavailability of encrypting - and when you want to 
provide encrypted service to *any* *possible* terminal/device, it's still 
vastly uneconomical. Even a VT100 via LAT to a modem bank to the financial
institution has most of the problems and no good solutions to the ensuing
corporate responsibility. We got pretty inventive about how password info
would get transmitted (by separate simultaneous touchtone phone access using
a transaction number on your screen with your PIN) - and using external
DECnet gateways to prohibit all but one type of traffic - but it always boiled
down to non-business-related traffic that would give DEC a legal headache.

So it died. And I'm far enough away from it now that I can agree that it should
have.

Should home-based PC's have access via public carrier? Could banks sell/provide
a DOS-based access/encryption package? Why not? (and I can hear the MAC and
Atari owners starting up now with ME TOO cries)

Norm
424.17. "encryption can be done, but takes time" by HOTWTR::EVANS_BR () Wed Feb 12 1992 19:48, 13 lines
    re: encryption
    
       The concept of encrypting any sensitive information has been
    available for about 10+ years. The technology is in chips, but uses an
    algorithm involving 100 digit prime numbers and public/private codes.
    ACM wrote up at least one article I can recall on this particular
    topic. I know there are lots others (including the infamous DES).
    
       Seems as if the real issue is timeliness... calculating the primes
    takes about 20 minutes... (sigh) -- I would hope that has changed
    slightly in the last 5 yrs.
    
       Oh well, at least it *can* be done.
424.18. "RSN" by ULTRA::KINDEL (Bill Kindel @ LTN1) Thu Feb 13 1992 16:35, 25 lines
    Re .17:
    
>      The concept of encrypting any sensitive information has been
>   available for about 10+ years. The technology is in chips, but uses an
>   algorithm involving 100 digit prime numbers and public/private codes.
>   ACM wrote up at least one article I can recall on this particular
>   topic. I know there are lots others (including the infamous DES).
    
    Indeed, public key technology (DES is "secret key") has been around
    quite a while.  Only now is it starting to appear in security products. 
    CPU speeds have increased so dramatically in recent years that custom
    encryption chips are no longer needed to reach acceptable performance. 
    Encryption products are still export-controlled as "munitions", though.
    
>      Seems as if the real issue is timeliness... calculating the primes
>   takes about 20 minutes... (sigh) -- I would hope that has changed
>   slightly in the last 5 yrs.
    
    It has -- quite significantly.  We can expect that future public key
    authentication products will add a few seconds to login time and
    shorter periods to the establishment of authenticated client/server
    connections.  Message encryption isn't much of a burden either, now
    that the lowliest desktop system sports 1+ MIPS in processing power. 
    
    The wait is nearly over for a solution to these problems.