[Cryptography] Now it's personal -- Belgian cryptographer MITM'd by GCHQ/NSA

Kevin W. Wall kevin.w.wall at gmail.com
Sun Feb 2 18:24:51 EST 2014


On Sat, Feb 1, 2014 at 8:33 PM, Phillip Hallam-Baker <hallam at gmail.com> wrote:

[snip]

> We do have a model for protecting Web sites that works pretty well called
> PCI. That is the scheme that the credit card companies developed to protect
> their assets when they are exposed online. PCI is supported by numerous
> tools and services that provide compliance checking. It isn't perfect but it
> is a known starting point.

I would challenge the "works pretty well" part of your assertion about PCI.

First of all, I've worked in assisting web applications to become
PCI DSS compliant as long as it's been around (which is almost 10 yrs).
In my opinion, as well as the opinion of most others whom I know who
are doing similar work, PCI is largely a joke. (Although it is now
*much* better than it used to be when it started.)

Oh sure, things might be much worse if PCI DSS wasn't mandatory for
merchants handling credit cards, but the truth is, it is largely not working.
Part of this has to do with the reluctance of PCI to fine merchants in
violation of DSS, but the bigger reason is that it promotes a checklist
mentality to application security and that's always going to fail. The best
that you can do is hope that it raises everyone's awareness a bit.  The
good that has come from it is not due directly from the PCI DSS itself
but rather because it has--to various degrees--provided a reason for CISOs
to allocate more funding towards security. More funding means more visibility.
Enough visibility means the other C-level execs take notice and eventually
IT *might* start allocating a bit more time and attention towards security.

However, one has only to look at all the merchant credit card breaches
to see that PCI DSS doesn't really prevent stolen credit card information.

Part of the issue is that IT organizations strive to meet the *letter* of the
"law" of PCI DSS rather than the *spirit* of the law. It's pretty much going
to be that way anytime the approach to security is some checklist mentality
rather than developing and implementing proper secure SDLC.

> What we need is PCI for social media sites and for email providers. It does
> not have to be perfect and it won't be. But it will be a start. And unlike
> the credit card companies we have a lot more ability to change our
> credentials.

Any success that PCI does have is because all the major credit card
issuers (Visa, Master Card, AmEx, Discover, and another whose name
escapes me at the moment) together decided that something could and must
be done and they were in a position to make it so. These payment card
industry providers together also had a virtual monopoly on the credit card
system so they could force the merchants using their cards to do pretty
much whatever they wanted and the PCI players had an economic incentive
for doing so and thus were able to pressure the merchants to see things
their way.

I do not see the same model working for social media sites and email
providers. Let's suppose that Google, Yahoo, Microsoft, Facebook, and
LinkedIn decided that having some sort of minimal security standards
to enforce was a good idea. Who is going to implement that? Well, it
would have to fall to those companies themselves. So they are not
seeing the same economic incentives to raise the level for the entire
industry. As long as they are better than their competitors, they win.
That's all they need to be; they don't have to be secure, they just have
to be secure enough, which means at least as good as the others so that
all their users and traffic don't beat a path to their competitors'
sites. For this industry sector, I see no benefit for them to self
regulate. This is different than PCI, where the players could come up
with some standard, lean on the merchants to implement it (with threats
of fines if they didn't) and thus spread out the implementation costs.
The secondary market for applications and/or web sites using social
media or email services is not large enough to spread out the cost
so the social media and email providers would have to assume all the
costs themselves.

Secondly, as Ian mentioned in his subsequent reply, there is a very different
threat model going on here. PCI DSS has as its threat model prevention
of information disclosure by external hackers and insider attacks.
Preventing mass surveillance is a very different matter (and one, I might
add, that is incorporated into the very business model of most of
the free social media sites and email providers, the only difference
is that the transparency--their end users agree to a TOS that consents
to such mass surveillance by the relevant company).

Now understand that I'm not saying that some standards body such as W3C
or IETF or EPIC or someone who is part of the EU Data Protection
Directive, etc. can't decide to throw their collective weight behind
things like encryption everywhere, but if they have no arm-twisting
abilities (such as imposing punitive damages for non-adherence), IMO
it's not likely to amount to much. Still, it would be nice to see them try.
*Any* step towards improved application security and user privacy is
in my book, a step in the right direction and while they are not likely
to be steps as large as we'd like to see, they still should be encouraged.
(Again, don't let the perfect become the enemy of the good.)

Well, I've rambled on enough and all of this is a bit OT from crypto,
so I'll shut up now.

Regards,
-kevin
--
Blog: http://off-the-wall-security.blogspot.com/
NSA: All your crypto bit are belong to us.