once more, with feeling.

James A. Donald jamesd at echeque.com
Tue Sep 9 16:36:45 EDT 2008


Peter Gutmann wrote:
> Unfortunately I think the only way it (and a pile of other things as well) may
> get stamped out is through a multi-pronged approach that includes legislation,
> and specifically properly thought-out requirements rather than
> big-business-bought legislation like UCITA/UCC or easily-circumvented
> recommendations like the FFIEC ones (the banks quickly discovered that by
> redefining "two-factor auth" to mean "twice as much one-factor auth" they
> could meet the requirements without having to do anything to improve security).

The average cryptographic expert finds it tricky to set up something 
that is actually secure.  The average bureaucrat could not run a pie 
stand.  Legislation and so forth requires wise and good legislators and 
administrators, which is unlikely.

Visualize Obama, McCain, or Sarah Palin setting up your network 
security.  Then realize that whoever they appoint as Czar in charge of 
network security is likely to be less competent than they are.

> 
> I'm saying that under the influence of "Zero Day Threat" by Byron Acohido and
> Jon Swartz, which looks at some of the financial and credit-reporting industry
> practices that make identity fraud possible.  If you haven't read this
> already, go and get it now; apart from the annoyingly frequent
> context-switching between threads (one every few pages instead of the more
> usual one per chapter) it's a very scary read.  Given what it reveals about
> how the US financial/credit reporting industry works it should really be
> subtitled "We're all going to die", since there's no obvious handbrake
> mechanism present in the system to slow down identity theft - the
> rate-limiting step is the fact that the crooks simply can't use all the
> stolen identities they have, not any security measures that may be present.
> If you don't believe me, visit any of the hits from the following search:
> 
>   http://www.google.com/search?q=fullz+dumps
> 
> (that's the easiest way to demo the problem to the masses without requiring
> people to learn to read Cyrillic first :-).
> 
> Yup, we're all going to die.
> 
>> So that there becomes a directly attributable financial impact to the sites
>> that deploy in that way.
> 
> The "financial impact" point is the key word, at the moment it's cheaper and
> easier for the banks/credit reporting companies to be non-compliant/insecure
> than it is for them to be secure.  I'm not sure that the browser is the most
> effective way to hit them over this though.
> 
> Discuss :-).
> 
> Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
