Interests of online banks and their users [was Re: Cryptogram: Palladium Only for DRM]
Adam Shostack
adam at homeport.org
Tue Sep 17 10:34:38 EDT 2002
On Mon, Sep 16, 2002 at 09:57:13PM -0500, Ted Lemon wrote:
| >Relevence to the Pd debate is that banks may in future insist on remote
| >attestation of users' software (however practically possible that is)
| >so
| >that they can attempt to dump yet more liability on their users
| >("Ladies and
| >gentlemen of the jury, Mr Doe's claim that he did not authorise this
| >transfer to a Caribbean account is obviously fraudulent as his Fritz
| >chip
| >proved to us that his system had not been compromised"...)
|
| Banks typically aren't that sophisticated. Demand for this capability
| probably will not materialize in time to save Pd, although there are
| probably people working for banks who will claim that they want it.
As soon as you start doing this, it becomes clear what a nightmare it
is for the bank to try to learn anything about its customers.
Firstly, its customers are diverse, and the breadth of information you
get is large. Second, what you learn falls into three categories
"known good," "unknown," and "known bad." Smart security people want
to say what is not explicitly ok is bad. That means most of your
customers have bad software, and lots of it. Do you deny them access?
Ask that they upgrade? Are you responsible if their upgrade breaks
things? Now, lets say you don't tell the customer with known bad
software to go away, because you value their business. Are you now
culpable in some way? After all, you *knew* that client was
comprimised...
PS: Hi Ashish! :)
--
"It is seldom that liberty of any kind is lost all at once."
-Hume
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
More information about the cryptography
mailing list