Security by asking the drunk whether he's drunk
leichter at lrw.com
Wed Dec 24 06:42:43 EST 2008
Just one minor observation:
On Dec 22, 2008, at 5:18 AM, Peter Gutmann wrote:
> This leads to a scary rule of thumb for defenders:
> 1. The attackers have more CPU power than any legitimate user will ever have,
> and it costs them nothing to apply it. Any defence based on consumption is in
> trouble.
> 2. The attackers have more money than any legitimate user will ever have, and
> it costs them nothing to apply it. Any defence built around outlay as a
> limiting factor is in trouble.
> Corollary: Systems that can't defend themselves against a
> situation where
> the financial cost of any operation (for example registering a new
> is effectively zero is in trouble.
This one is a bit more complicated. Attackers have access to large
amounts of money *in relatively small units*. No matter how many
credit card accounts you steal, it would be pretty much impossible to
create an actual, properly populated, physical storefront in a decent
shopping area. You can be fairly confident that a physical store is
what it appears to be.
Granted, what you're discussing is on-line fraud. My point is that
this is yet another difference between the on-line and brick-and-
mortar worlds, and one that leads us astray when we try to apply our
real-world reasonableness filters to the on-line world. There are
many inter-related elements here. Perhaps the biggest factor is
*time*: On-line frauds can be set up, draw in victims, and disappear
very quickly - only to reappear someplace else. This allows them to be
built using what is effectively the float on stolen identities - much
of which will be found and revoked by the end of a billing cycle. The
real world has much more inertia - there are many steps involved in
building out a physical storefront, they take time, and your money has
to be "good" across that entire time. Note that many real-world
frauds rely on the ability to short-cut what are normally time-
consuming procedures and disappear before the controls can kick in.
(Think of check kiting, or of the guys from what appear to be long-
established local paving companies that "pave" your driveway with
cheap oil and are gone by the next morning.)
EV certificates (unsuccessfully) attempt to bring some of this real-
world checking on line: They are expensive, and you have to pay in
one lump. They're not going to accept a bunch of credit cards. They
check your identity, which if done right takes time *and indirectly
checks that you actually have a history*. Of course, the actual
practice is different and, given the incentives in the industry -
where there is no penalty for giving out an invalid EV certificate,
and a reward for getting the job done quickly - this is all illusion.
Long-running frauds, while certainly not unknown (hello, Bernie
Madoff), are relatively rare: Every day out there is another chance
to get caught. The preferred mode of fraud will always be "get 'em
hooked, fleece 'em, get out of town - as fast as you can". Can we get
some of the advantages of this real-world fact in the on-line world?
The best example I know of is CMU's Perspectives effort: If something
"looks the same" to many observers over a period of time, it's more
likely to be trustworthy. Of course, if this kind of thing catches
on, it will be much harder for a startup to gain instant recognition.
The Internet "need for speed" isn't compatible with safety. Some
tradeoffs are inevitable.
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
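The Perspectives idea mentioned in the post (trust a key that "looks the same" to many independent observers over a long period) can be illustrated with a small notary-style scorer. The code below is an added example written for this archive page; it is not the Perspectives project's own code, and its observation records, notary names, host names, fingerprints, thresholds and the fixed reference date are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Reference "now" fixed so the example is deterministic (constructed value).
NOW = datetime(2008, 12, 24, 12, 0, 0)


@dataclass(frozen=True)
class Observation:
    """One notary's sighting of a key fingerprint for a host at a given time."""
    notary: str
    host: str
    fingerprint: str
    seen_at: datetime


def _days_ago(n):
    return NOW - timedelta(days=n)


# Constructed observation history from four hypothetical notaries.
# old.example   : same key seen by every notary for 400 days (long history).
# new.example   : same key seen by every notary, but only since yesterday.
# mixed.example : two notaries see one key, two see another (split view).
OBSERVATIONS = [
    *[Observation(n, "old.example", "AA:11", _days_ago(d))
      for n in ("n1", "n2", "n3", "n4") for d in (400, 200, 1)],
    *[Observation(n, "new.example", "BB:22", _days_ago(1))
      for n in ("n1", "n2", "n3", "n4")],
    Observation("n1", "mixed.example", "CC:33", _days_ago(300)),
    Observation("n2", "mixed.example", "CC:33", _days_ago(300)),
    Observation("n3", "mixed.example", "DD:44", _days_ago(1)),
    Observation("n4", "mixed.example", "DD:44", _days_ago(1)),
    Observation("n1", "mixed.example", "CC:33", _days_ago(1)),
    Observation("n2", "mixed.example", "CC:33", _days_ago(1)),
]


def key_quorum(observations, host, fingerprint, now=NOW, max_age=timedelta(days=7)):
    """Fraction of notaries whose most recent (fresh) sighting of host matches fingerprint.

    Stale sightings older than max_age are ignored so a retired notary cannot
    keep voting forever.
    """
    latest = {}
    for ob in observations:
        if ob.host != host or now - ob.seen_at > max_age:
            continue
        cur = latest.get(ob.notary)
        if cur is None or ob.seen_at > cur.seen_at:
            latest[ob.notary] = ob
    if not latest:
        return 0.0
    agree = sum(1 for ob in latest.values() if ob.fingerprint == fingerprint)
    return agree / len(latest)


def key_duration_days(observations, host, fingerprint, now=NOW):
    """Days since the fingerprint was first seen for host with no conflicting sighting since.

    Any sighting of a different key resets the continuity window: a key that
    "looks the same" only intermittently does not accumulate history.
    """
    history = sorted((ob for ob in observations if ob.host == host),
                     key=lambda ob: ob.seen_at)
    first_seen = None
    for ob in history:
        if ob.fingerprint == fingerprint:
            if first_seen is None:
                first_seen = ob.seen_at
        else:
            first_seen = None
    if first_seen is None:
        return 0.0
    return (now - first_seen).total_seconds() / 86400


def assess(observations, host, fingerprint, now=NOW,
           quorum_threshold=0.75, min_days=30):
    """Combine agreement across observers with agreement over time.

    Thresholds are illustrative. A key that is both widely agreed on and
    long-lived is "established"; wide agreement with a short history is
    "consistent-but-new" (what a fresh, possibly short-lived site looks like);
    anything else is "inconsistent" and deserves a closer look.
    """
    quorum = key_quorum(observations, host, fingerprint, now)
    days = key_duration_days(observations, host, fingerprint, now)
    if quorum >= quorum_threshold and days >= min_days:
        return "established"
    if quorum >= quorum_threshold:
        return "consistent-but-new"
    return "inconsistent"


if __name__ == "__main__":
    for host, fp in [("old.example", "AA:11"), ("new.example", "BB:22"),
                     ("mixed.example", "CC:33"), ("old.example", "ZZ:99")]:
        print(f"{host:14s} {fp}: {assess(OBSERVATIONS, host, fp)}")
```

The two signals are deliberately separate: quorum answers "do independent observers agree right now?", duration answers "has this been true for a while?". The post's point is that the second signal is the one online fraud finds hard to fake, and also the one that penalises a legitimate newcomer, which is exactly the tradeoff the last paragraph describes.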