As a privacy lawyer, I thank you for the recommendation to use lawyers.
:-) But from a consumer's perspective, I wish we could point them to a
few easy ways they can verify authenticity.
From: Dr. Jeffrey Race [mailto:jrace(_at_)attglobal(_dot_)net]
Sent: Sunday, December 21, 2003 10:30 AM
To: Jeffrey Race
Cc: ietf(_at_)ietf(_dot_)org; parry(_at_)aftab(_dot_)com
Subject: Re: [Fwd: [isdf] need help from the ietf list...can someone
post this for me? or allow me to post directly?]
You must base your business plan on the fact that your problem has no
solution, technical or otherwise. Any technical means to restrict
access or identify a host can be defeated by a determined hacker, and
you can be 100% sure that your hackers are more motivated than your
Even were technical solutions to exist (which they don't), you still
face the implications of Sturgeon's Law
[<http://www.faqs.org/docs/jargon/S/Sturgeon's-Law.html>] that ninety
percent of everything is crap, including human mentality (in my
opinion a low estimate). Social engineering possibilities are
endless in this environment.
As a business you must take defensive measures against technical
failures and human gullibility. Probably start with good lawyers
and good contracts, placing all responsibility on the customers.
My (very excellent) little bank in Cambridge Massachusetts has just
written my wife that the checking account database was stolen by
a bank employee so she should inform the credit reporting agencies
of likely identity theft. You see the problem . . . .
Having some technical knowledge of how secure these systems are, I
have chosen never to use either electronic banking or an ATM card.
The losses from the regularly recurrent frauds against my few credit
cards are entirely borne by the sloppy merchants who tolerate
From: Parry Aftab <parry(_at_)aftab(_dot_)com>
Subject: [isdf] need help from the ietf list...can someone post this for
me? or allow me to post directly?
Date: 20 Dec 2003 16:50:33 -0500
We have been experiencing a huge growth in phishing (e-mails designed
trick people into providing sensitive information (credit card,
passwords, etc.) to a spoofed website masquerading as a trusted
financial institutional site.
For example, you receive an e-mail telling you that there has been a
security breach at PayPal, and you need to log into the site and
your info, by using the bogus link they provide.
Every time we announce a way to confirm that the site is what it
to be (checking the certificate, history bar, etc.) the phishers find
tech solution to improve their frauds.
Now IE has a bug that allows them to mask the real site more easily,
showing the spoofed site in the navigation bar.
Do any of the IETF members have suggestions for easy ways of
that the site you just linked to is really the site you wanted to
I am asking in my capacity of the world's largest online safety and