[Cryptography] another security vulnerability / travesty

ianG iang at iang.org
Sat Oct 1 16:40:44 EDT 2016 

On 30/09/2016 22:35 pm, John Denker wrote:
> Simple question:  Suppose your aunt wanted to submit some medical documents
> to a clinic on the far side of town.  Short of hand-carrying the documents,
> what would you recommend?
>
> Consider the contrast:
>
> 1) In the US, most physicians will not accept email, on the grounds that
>  it provides insufficient privacy, and is therefore not HIPAA compliant.
>  I reckon that's true as far as it goes.  One could imagine using PGP
>  on top of Tor, but it's hard to imagine trusting typical patients to
>  do that that properly.
>
> 2) The odd thing is that they consider _fax_ to be HIPAA compliant.  That
>  seems quaint, like using an amulet to ward off disease.

...
If we want to reach groups that are familiar with old tools, we have to 
give them new tools that feel the same.

So, what would it take to invent a cyber-fax?

   Both - Install - click to run.

   Alice tells Bob to cyber-fax it to domain + code.

   Bob enters the document, the domain + code.  It returns a new code, 
which Bob tells to Alice.

   Alice types in the code, and out pops the document.



>  2a) Most people don't have fax machines, and even if they had the hardware
>   they wouldn't be able to use it because they rely on cell phones and don't
>   have a POTS line.  So at best they have to use somebody else's fax machine.
>
>  2b) Even when using a plain old fax machine, the idea that the signal
>   would be hard to intercept in transit is quaint, to say the least.


The reason is probably that the post leaves the hands of the postman and 
is therefore out of the security envelope, whereas the phone lines are a 
security domain that are point to point and therefore are reliably 
secure.  Wire tapping is a big crime whereas stealing someone's mail 
from the mailbox is not.


...
>  2d) One could imagine uploading forms via SSL.  I've seen examples
>   of this:
>      https://web.health.arizona.edu/cgi-bin/secure/immunform
>
>   However, I'm not sure I would trust a typical private-practice office
>   to run a secure server properly.  Furthermore I don't trust the
>   current Narrenschiff of root CAs.


Peer to peer.


> Cyber warfare has already begun, and we're losing the war.


We lost the war a decade or two back.  Now we're paying the cost.



iang

More information about the cryptography mailing list