Security by asking the drunk whether he's drunk
Jerry Leichter
leichter at lrw.com
Wed Dec 24 06:42:43 EST 2008
Just one minor observation:
On Dec 22, 2008, at 5:18 AM, Peter Gutmann wrote:
> This leads to a scary rule of thumb for defenders:
>
> 1. The attackers have more CPU power than any legitimate user will ever have,
> and it costs them nothing to apply it. Any defence based on resource
> consumption is in trouble.
>
> 2. The attackers have more money than any legitimate user will ever have, and
> it costs them nothing to apply it. Any defence built around financial
> outlay as a limiting factor is in trouble.
>
> Corollary: Systems that can't defend themselves against a situation where
> the financial cost of any operation (for example registering a new account)
> is effectively zero are in trouble.
This one is a bit more complicated. Attackers have access to large
amounts of money *in relatively small units*. No matter how many
credit card accounts you steal, it would be pretty much impossible to
create an actual, properly populated, physical storefront in a decent
shopping area. You can be fairly confident that a physical store is
what it appears to be.
Granted, what you're discussing is on-line fraud. My point is that
this is yet another difference between the on-line and brick-and-mortar
worlds, and one that leads us astray when we try to apply our
real-world reasonableness filters to the on-line world. There are
many inter-related elements here. Perhaps the biggest factor is
*time*: On-line frauds can be set up, draw in victims, and disappear
very quickly - only to reappear someplace else. This allows them to be
built using what is effectively the float on stolen identities - much
of which will be found and revoked by the end of a billing cycle. The
real world has much more inertia - there are many steps involved in
building out a physical storefront, they take time, and your money has
to be "good" across that entire time. Note that many real-world
frauds rely on the ability to short-cut what are normally time-consuming
procedures and disappear before the controls can kick in.
(Think of check kiting, or of the guys from what appear to be
long-established local paving companies that "pave" your driveway with
cheap oil and are gone by the next morning.)
EV certificates (unsuccessfully) attempt to bring some of this real-world
checking on line: They are expensive, and you have to pay in
one lump. They're not going to accept a bunch of credit cards. They
check your identity, which if done right takes time *and indirectly
checks that you actually have a history*. Of course, the actual
practice is different and, given the incentives in the industry -
where there is no penalty for giving out an invalid EV certificate,
and a reward for getting the job done quickly - this is all illusion.
Long-running frauds, while certainly not unknown (hello, Bernie
Madoff), are relatively rare: Every day out there is another chance
to get caught. The preferred mode of fraud will always be "get 'em
hooked, fleece 'em, get out of town - as fast as you can". Can we get
some of the advantages of this real-world fact in the on-line world?
The best example I know of is CMU's Perspectives effort: If something
"looks the same" to many observers over a period of time, it's more
likely to be trustworthy. Of course, if this kind of thing catches
on, it will be much harder for a startup to gain instant recognition.
The Internet "need for speed" isn't compatible with safety. Some
tradeoffs are inevitable.
-- Jerry
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
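A sketch of the "looks the same to many observers over a period of time" check that the message points to in Perspectives, added here as an illustration; it is not Perspectives' own code, and the notary names, fingerprints, day numbers and policy thresholds are constructed for the example. Each notary reports, for one host, the runs of days on which it saw a given key; the client compares the key it just received against those histories and asks how many notaries currently see it and for how long they have agreed.

```python
"""Multi-observer key-consistency check in the spirit of the Perspectives
idea: a key that many independent vantage points have seen, unchanged, for a
long time earns more trust than one that is new or that only some observers see.

Added example, not Perspectives' own code.  The notary names, fingerprints,
day numbers and policy thresholds below are all constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Span:
    """One continuous run of days on which a notary saw a given key for a host."""
    start: int        # first day of the run (days since an arbitrary epoch)
    end: int          # last day of the run, inclusive
    fingerprint: str  # key fingerprint the notary recorded (constructed values)


def days_seen(history, fingerprint, now):
    """Days this notary has continuously seen `fingerprint`, up to and including `now`.

    Only the span that is current at `now` counts: a key the notary saw last year
    but no longer sees says nothing about the key presented today.
    """
    for span in history:
        if span.fingerprint == fingerprint and span.start <= now <= span.end:
            return now - span.start + 1
    return 0


def assess(observed, histories, now, quorum, min_days):
    """Judge the fingerprint a client just saw against the notaries' histories.

    Returns (decision, agreeing, quorum_days):
      agreeing    - notaries currently seeing `observed`
      quorum_days - days for which at least `quorum` notaries have seen it unchanged
      decision    - "accept" if quorum_days >= min_days;
                    "warn"   if a quorum agrees but only recently (new host, or a
                             freshly rolled key) - history is thin, not wrong;
                    "reject" if fewer than `quorum` notaries see it: an unknown key,
                             or one shown only to some vantage points, which is what
                             a localised man-in-the-middle looks like from outside.
    """
    if quorum < 1:
        raise ValueError("quorum must be at least 1")
    durations = sorted((days_seen(h, observed, now) for h in histories.values()),
                       reverse=True)
    agreeing = sum(1 for d in durations if d > 0)
    if agreeing < quorum:
        return "reject", agreeing, 0
    quorum_days = durations[quorum - 1]   # the quorum-th longest unbroken run
    if quorum_days < min_days:
        return "warn", agreeing, quorum_days
    return "accept", agreeing, quorum_days


# Constructed histories for one long-running host, as three notaries would report
# them on day 400.  notary-c has just started seeing a different key.
ESTABLISHED = {
    "notary-a": [Span(0, 400, "aa:aa")],
    "notary-b": [Span(5, 400, "aa:aa")],
    "notary-c": [Span(0, 399, "aa:aa"), Span(400, 400, "bb:bb")],
}

# Constructed histories for a host that went live three days ago.
NEWCOMER = {
    "notary-a": [Span(398, 400, "dd:dd")],
    "notary-b": [Span(398, 400, "dd:dd")],
    "notary-c": [Span(399, 400, "dd:dd")],
}


if __name__ == "__main__":
    cases = [
        ("long-stable key on an established host", "aa:aa", ESTABLISHED),
        ("key that only one vantage point sees", "bb:bb", ESTABLISHED),
        ("key no notary has ever seen", "cc:cc", ESTABLISHED),
        ("three-day-old host, all notaries agree", "dd:dd", NEWCOMER),
    ]
    for label, seen, hist in cases:
        print(f"{label}: {assess(seen, hist, now=400, quorum=2, min_days=30)}")
```

The "dd:dd" case is the tradeoff the message ends on: every notary agrees, yet the host gets only a "warn", because three days of history is all it can have. The "bb:bb" case is what separates a genuine key rollover, which every notary sees at once, from a key presented on only one network path.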