"SSL stops credit card sniffing" is a correlation/causality myth

Anne & Lynn Wheeler lynn at garlic.com
Thu Jun 2 14:23:13 EDT 2005


Adam Shostack wrote:
> So, that may be the case when you're dealing with an SSL accelerator,
> but there are lots of other cases, say, implementing database security
> rules, or ensuring that non-transactional lookups are logged, which
> are harder to argue for, take more time and energy to implement, and
> may well entail not implementing customer-visible features to get them
> in on budget. 
> 
> Choicepoint and Lexis Nexis seemingly, had neither.  Nor are they
> representational.   We lack good data, and while there are a few
> hundred folks who have the experience, chops, and savvy to help their
> customers make good decisions, there are tens of thousands of
> companies, many of whom choose not to pay rates for that sort of
> advice, and hire an MCSE, instead.  People who slap the label "best
> practice" on log truncation.
> 
> I think that we need to promulgate the idea that Choicepoint is
> creating a shift, that it will be ok to talk about breaches, with the
> intent of getting better data over time.

we got brought in to work on some word smithing for both the cal. state 
and the fed. digital signature legislation (we somewhat concentrated on 
the distinction between digital signature authentication and that human 
signature implies read, understands, agrees, approves, authorizes, etc 
.... which isn't present in simple authentication).

one of the industry groups that was active in the effort had done some 
extensive surveys on driving factors behind various kinds of regulatory 
and legislative actions. with regard to privacy regulatory/legislative 
actions ... the two main driving factors were 1) identity theft and 2) 
effectively institutional (gov, commercial, etc) denial of service.

---------------------------------------------------------------------
The Cryptography Mailing List