Question on the state of the security industry (second half not necessarily on topic)

Ed Reed ereed at novell.com
Sun Jul 4 16:46:15 EDT 2004


I recently had the same trouble with the Centers for Disease Control
(CDC) - who were calling around to follow up on infant influenza
inoculations given last fall.

Ultimately, they wanted me to provide authorization to them to receive
HIPAA protected patient records from my son's pediatrician, and I
couldn't figure out how to get them to definitively persuade me that
they were really the CDC, who I was willing to be so authorized.

Such research MAY be appropriate, and in this case, I'm a believer in
the flu shots, and am generally supportive.

But, while I could (and had to) identify myself to them (it was
a random-number dial canvass), they had no way, short of giving
me an 800 number to call (with obvious trust bootstrap problems
with that) to get past it.

Eventually, I found enough information on the CDC websites
(assuming that DNS wasn't hacked, that my ISP wasn't redirecting
my http queries to a Russian web site, and that the CDC site
hadn't been hacked) to cooperate (talked with 2 supervisors,
5 follow-up canvassers, etc.)

This is a problem that "real life" has.  This sort of problem has
been around since telephones came into existence (I didn't think
to check the caller-id on the call, presuming it would point me
to a call center located somewhere on the planet).

We cope.  And when the annoyance gets too bad, we kvetch,
pass laws, and file lawsuits.  Isn't that pretty much what's
happening, now?

Thought-control countries present separate problems (whether
that's the Patriot Act or the Chinese censorship of SMS messages).

For them, we have to rely on the Internet to route around censorship.
And facilitate alternate routes (silent ones?) when the routers are
own3d by the censors. (sorry - cross-over to another thread).

Ed

>>> Dave Howe <DaveHowe at gmx.co.uk> 7/3/2004 8:22:56 PM >>>
Joseph Ashwood wrote:
> I am continually asked about spam, and I personally treat phishing as a
> subset of it, but I have seen virtually no interest in correcting the
> problem. I have personally been told I don't even know how many times that
> phishing "is not an issue."
Well if nothing else, it is impossible for my bank to send me anything I
would believe via email now....

To take this even slightly more on-topic - does anyone here have a bank
capable of authenticating themselves to you when they ring you?
I have had four phone calls from my bank this year, all of which start
out by asking me to identify myself to them. When I point out that they
must know who I am - as they just phoned me - and that I have no way of
knowing who they are, they are completely lost (probably takes them away
from the little paper script pinned to their desk)

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to
majordomo at metzdowd.com
