<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Mon, Feb 22, 2016 at 4:33 PM, Tony Arcieri <span dir="ltr"><<a href="mailto:bascule@gmail.com" target="_blank">bascule@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><span class="">On Mon, Feb 22, 2016 at 3:58 PM, Jerry Leichter <span dir="ltr"><<a href="mailto:leichter@lrw.com" target="_blank">leichter@lrw.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word"><div>But for stuff actually being sold? Legislation may not prevent you from building this it, but it sure will prevent you from gaining much of a market, or making any money.</div></div></blockquote><div><br></div></span><div>Counterpoint: the iPhone </div></div></div></div></blockquote><div><br></div><div>One critical to Apple, Google and Samsung challenge is to build a device and network </div><div>sufficiently secure to establish a low risk payment platform. The future cash cow for </div><div>makers of all phones of all classes is point of sale payment</div><div><br></div><div>One flaw in most encryption tools is key management. I might have a 4k bit key</div><div>for ssh but the local private file is protected with a lesser pass phrase. Apple attempted </div><div>to defend a simply key pad code with an erase and halt feature with the cloud as</div><div>a backup. Failing a backup for weeks seems to be a flaw.... Apple could hobble </div><div>a phone that fails to backup and move data to the insecure cloud. Would that make</div><div>the DOJ happy.</div><div><br></div><div>The problem of financial transactions intertwines with the problem of secure communications.</div><div>I do not see how a transfer of $4.50 is vastly different technically than $4.5 million +....</div><div>Globally there are thousands of banks.... Source, destination, what; all need protections.<br>Other social interactions are kin.</div></div><div class="gmail_extra"> </div>So a question is what allows secure financial transactions on a global scale. The bank's</div><div class="gmail_extra">servers must have very very strong methods and tools to protect billions. Nations have </div><div class="gmail_extra">skin in the game. Failure of banks to be secure risks Trillions for nations (trust in</div><div class="gmail_extra">their financial institutions). Nations should demand more rather than less.</div><div class="gmail_extra"><br></div><div class="gmail_extra">A central key ring like Apple's is another fulcrum or chink.</div><div class="gmail_extra"><br></div><div class="gmail_extra">chroot with links allows a silent outside in attack from the main root system.<br>The outside in compromise would be invisible to the application in the chroot jail<br>Removing links demands more storage and capability based systems might</div><div class="gmail_extra">make chroot more durable.</div><div class="gmail_extra"><br></div><div class="gmail_extra">Virtual machines are turtles all the way down.<br><br>Deletion: simple deletion seems to be part of the problem. Will deletions </div><div class="gmail_extra">be mandated to fail until a remote copy is logged? </div><div class="gmail_extra"><br></div><div class="gmail_extra">Tamper evident seems a valuable feature.</div><div class="gmail_extra"><br></div><div class="gmail_extra">Challenging....<br><br></div><div class="gmail_extra">-- <br><div class="gmail_signature"><div dir="ltr"> T o m M i t c h e l l</div></div>
</div></div>