[Cryptography] cost-watch - the cost of the Target breach

[Jerry Leichter]

On Dec 6, 2014, at 8:28 PM, Phillip Hallam-Baker <phill at hallambaker.com> wrote: 
> Ross points out (if I recall his comments correctly) that with chip&pin, the burden of proof moves away from the banks, which is why the banks are so hot for chip&pin.  But don't hold your breath waiting for chip&pin to produce any improvement.  I just read that the new US chip&pin system has already been hacked, and it isn't even in real service here yet!
> There is a difference between going to sea in a boat that takes on some water and going to sea in a boat with a giant hole in the bottom. Ross greatly overstates his case. 
To be fair, Anderson was heavily involved in the defense of people unfairly blamed for loses by banks who claimed their systems were "completely secure", when in fact they were horrendously insecure.  This caused real harm to real people.  So on the matter of assignment of responsibility, his views are understandable. The British banks have always been much better at fobbing responsibility off on consumers than the American banks - hardly something to be proud of.  (I don't know what the "state of play" is in the rest of the world.)

On the general matter of the way he reports on vulnerabilities, at least his published papers - my only exposure to his work - he's *at least* as responsible in describing the nature of the attacks he and his students find as other researchers I'm aware of.  Given the general response of corporations to any demonstrations of problems in their systems - denial, obfuscation, attacks on the reporters - it's understandable that not all reports remain sober and careful analyses of the true risks.
                                                        -- Jerry

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20141206/410a47b5/attachment.html>