Question on the state of the security industry

Ian Grigg iang at systemics.com
Wed Jun 30 06:49:17 EDT 2004


The phishing thing has now reached the mainstream,
epidemic proportions that were feared and predicted
in this list over the last year or two.  Many of
the "solution providers" are bailing in with ill-
thought out tools, presumably in the hope of cashing
in on a buying splurge, and hoping to turn the
result into lucrative cash flows.

In other news, Verisign just bailed in with a
service offering [1].  This is quite cunning,
as they have offered the service primarily as
a spam protection service, with a nod to phishing.
In this way they have something, a toe in the
water, but they avoid the embarrassing questions
about whatever happened to the last security
solution they sold.

Meanwhile, the security field has been deathly
silent.  (I recently had someone from the security
industry authoritatively tell me phishing wasn't
a problem  ... because the local plod said he
couldn't find any!)

Here's my question - is anyone in the security
field of any sort of repute being asked about
phishing, consulted about solutions, contracted
to build?  Anything?

Or, are security professionals as a body being
totally ignored in the first major financial
attack that belongs totally to the Internet?

What I'm thinking of here is Scott's warning of
last year:

   Subject: Re: Maybe It's Snake Oil All the Way Down
   At 08:32 PM 5/31/03 -0400, Scott wrote:
   ...
   >When I drill down on the many pontifications made by computer
   >security and cryptography experts all I find is given wisdom.  Maybe
   >the reason that folks roll their own is because as far as they can see
   >that's what everyone does.  Roll your own then whip out your dick and
   >start swinging around just like the experts.

I think we have that situation.  For the first
time we are facing a real, difficult security
problem.  And the security experts have shot
their wad.

Comments?

iang


[1] Lynn Wheeler's links below if anyone is interested:
VeriSign Joins The Fight Against Online Fraud
http://www.informationweek.com/story/showArticle.jhtml;jsessionid=25FLNINV0L5DCQSNDBCCKHQ?articleID=22102218
http://www.infoworld.com/article/04/06/28/HNverisignantiphishing_1.html
http://zdnet.com.com/2100-1105_2-5250010.html
http://news.com.com/VeriSign+unveils+e-mail+protection+service/2100-7355_3-5250010.html?part=rss&tag=5250010&subj=news.7355.5


[2] sorry, the original email I couldn't
find, but here's the snippet, routed at:
http://www.mail-archive.com/cpunks@minder.net/msg01435.html

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


