"SSL stops credit card sniffing" is a correlation/causality myth

Adam Shostack adam at homeport.org
Wed Jun 1 12:09:18 EDT 2005


On Tue, May 31, 2005 at 06:43:56PM -0400, Perry E. Metzger wrote:
| 
| Ian G <iang at systemics.com> writes:
| >> Perhaps you are unaware of it because no one has chosen to make you
| >> aware of it. However, sniffing is used quite frequently in cases where
| >> information is not properly protected. I've personally dealt with
| >> several such situations.
| >
| > This leads to a big issue.  If there are no reliable reports,
| > what are we to believe in?  Are we to believe that the
| > problem doesn't exist because there is no scientific data,
| > or are we to believe those that say "I assure you it is a
| > big problem?"
| [...]
| > The only way we can overcome this issue is data.
| 
| You aren't going to get it. The companies that get victimized have a
| very strong incentive not to share incident information very
| widely. However, those of us who actually make our living in the field
| generally have a pretty strong sense of what is going wrong out there.

I believe that this is changing, and that Choicepoint is the wedge.
Organizations that are under no legal obligation to report breaches
are doing so, some quite rapidly, to avoid the PR disaster that hit
Choicepoint.

That shift may lead to a change in public perceptions from "breaches
are rare" to the reality, which is that breaches are common.  If that
shift takes place, then companies may be more willing to share data,
and that's a good thing.

[...] much deleted

| Statistics and the sort of economic analysis you speak of depends on
| assumptions like statistical independence and the ability to do
| calculations. If you have no basis for calculation and statistical
| independence doesn't hold because your actors are not random processes
| but intelligent actors, the method is worthless.
| 
| In most cases, by the way, the raw cost of attempting a cost benefit
| analysis will cost far more than just implementing a safeguard. A
| couple thou for encrypting a link or buying an SSL card is a lot
| cheaper than the consulting hours, and the output of the hours would
| be an utterly worthless analysis anyway.

So, that may be the case when you're dealing with an SSL accelerator,
but there are lots of other cases, say, implementing database security
rules, or ensuring that non-transactional lookups are logged, which
are harder to argue for, take more time and energy to implement, and
may well entail not implementing customer-visible features to get them
in on budget.

Choicepoint and Lexis Nexis, seemingly, had neither.  Nor are they
representational.   We lack good data, and while there are a few
hundred folks who have the experience, chops, and savvy to help their
customers make good decisions, there are tens of thousands of
companies, many of whom choose not to pay rates for that sort of
advice, and hire an MCSE, instead.  People who slap the label "best
practice" on log truncation.

I think that we need to promulgate the idea that Choicepoint is
creating a shift, that it will be ok to talk about breaches, with the
intent of getting better data over time.

Adam

---------------------------------------------------------------------
The Cryptography Mailing List