[FYI] Did Encryption Empower These Terrorists?

lynn.wheeler at firstdata.com lynn.wheeler at firstdata.com
Mon Sep 24 15:52:05 EDT 2001


If it was so easy ... it wouldn't be a problem. An objective of the
original e-commerce deployments was that the account number file not be
co-located on the webserver. Since a large number of subsequent deployments
have co-located on the webserver or on some equally accessable location
would tend to indicate that it isn't as easy as it might first appear.

One might suspect that the definition of "easy" is rather relative ... and
also there may be some questions regarding what aspect of the issues does
"easy" apply to (internet easy, server easy, webserver easy, technology
easy, programming easy, business process easy, process easy, etc).

I would claim that having it become so prevalent after the initial
subsequent deployments would imply that there are at least some issues
involved that make it much more than a simple, straight-forward, brain-dead
matter (if it was trivially obvious for everybody in world, then there is
some rational that nobody would have done in such a way that creates such
security & risk issues).




                                                                                   
                         Ben Laurie                                                
                    <ben at algroup.co     To:      lynn.wheeler at firstdata.com        
                               .uk>     cc:      cryptography at wasabisystems.com,   
                                           Hadmut Danisch <hadmut at danisch.de>,     
                         09/24/2001        jim_windle at eudoramail.com               
                           01:32 PM     Subject:      Re: [FYI] Did Encryption     
                                           Empower These Terrorists?               
                                                                                   




lynn.wheeler at firstdata.com wrote:
>
> there are all sorts of shortcomings in this world. you find a "merchant"
> that buys a computer, installs some webserver software and puts it up and
> the web and expects that to handle everything.

Fine, but that was not the point you claimed to be making. You said:

> The web server
> account number master file also typicall represents a risk that is
> significantly greater than what typical merchant otherwise has at risk
...
> making it difficult to support a solution where the level of
> security/protection is proportional to the risk

but that is simply not true - it is very easy to eliminate this
particular piece of crap design.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff







---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com




More information about the cryptography mailing list