[FYI] Did Encryption Empower These Terrorists?
lynn.wheeler at firstdata.com
lynn.wheeler at firstdata.com
Mon Sep 24 12:31:39 EDT 2001
there are all sorts of shortcomings in this world. you find a "merchant"
that buys a computer, installs some webserver software and puts it up and
the web and expects that to handle everything.
there are sometimes prevalent things like that in the world; it would be
nice if people would choose a random 16-character value for every
PIN/password they need, that every PIN/password they have is different,
that every password/PIN changes at least monthly, and that every person
could easily remember one or two hundred 16-character random values that
change monthly, and no PIN/password is ever re-used.
misc. pin/password ref:
http://www.garlic.com/~lynn/2001d.html#52
security proportional to risk:
http://www.garlic.com/~lynn/aepay7.htm#netbank2
misc. information security & risk management:
http://www.garlic.com/~lynn/aepay3.htm#riskm
http:/www.garlic.com/~lynn/aepay3.htm#riskaads
misc. web refs:
http://www.garlic.com/~lynn/2001j.html#5
http://www.garlic.com/~lynn/subtopic.html#fraud
http://www.garlic.com/~lynn/subtopic.html#privacy
part of above posting ....
when we were working on the credit card transaction stuff (now frequently
referred
to as electronic commerce):
http://www.garlic.com/~lynn/aadsm5.htm#asrn2
http://www.garlic.com/~lynn/aadsm5.htm#asrn3
we tried to get various security measures specified:
* physical security for the data processing room, motion detecters, guards,
etc
* multiple layers of firewalls & packet filtering routers
* actual financial transactions performed on backroom dataprocessing
equipment away from the actual web server
* fbi background checks for all employees
* security audits
* minimum business & security certification levels.
... didn't happen, oh well.
Ben Laurie
<ben at algroup.co To: lynn.wheeler at firstdata.com
.uk> cc: jim_windle at eudoramail.com,
cryptography at wasabisystems.com, Hadmut
09/24/2001 Danisch <hadmut at danisch.de>
02:34 AM Subject: Re: [FYI] Did Encryption
Empower These Terrorists?
lynn.wheeler at firstdata.com wrote:
> The problems, of course are 1) account numbers are essentially shared
> secrets, 2) SSL only provides for protection for numbers in flight, 3)
the
> numbers at rest remain a major exploit (as per press stories regarding
> copying of account number master files at web servers) ... aka the use of
> SSL/ecryption only addressed a small portion of the problem. The web
server
> account number master file also typicall represents a risk that is
> significantly greater than what typical merchant otherwise has at risk
...
> making it difficult to support a solution where the level of
> security/protection is proportional to the risk
This is simply bad design - there should be no "account number master
file" on the web server!
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
More information about the cryptography
mailing list