You must base your business plan on the fact that your problem has no
solution, technical or otherwise. Any technical means to restrict
access or identify a host can be defeated by a determined hacker, and
you can be 100% sure that your hackers are more motivated than your
employees.
Even were technical solutions to exist (which they don't), you still
face the implications of Sturgeon's Law
[<http://www.faqs.org/docs/jargon/S/Sturgeon's-Law.html>] that ninety
percent of everything is crap, including human mentality (in my
opinion a low estimate). Social engineering possibilities are
endless in this environment.
As a business you must take defensive measures against technical
failures and human gullibility. Probably start with good lawyers
and good contracts, placing all responsibility on the customers.
My (very excellent) little bank in Cambridge Massachusetts has just
written my wife that the checking account database was stolen by
a bank employee so she should inform the credit reporting agencies
of likely identity theft. You see the problem . . . .
Having some technical knowledge of how secure these systems are, I
have chosen never to use either electronic banking or an ATM card.
The losses from the regularly recurrent frauds against my few credit
cards are entirely borne by the sloppy merchants who tolerate
fraudulent usage.
Jeffrey Race
-----Forwarded Message-----
From: Parry Aftab <parry(_at_)aftab(_dot_)com>
To: isdf(_at_)isoc(_dot_)org
Subject: [isdf] need help from the ietf list...can someone post this for
me? or allow me to post directly?
Date: 20 Dec 2003 16:50:33 -0500
We have been experiencing a huge growth in phishing (e-mails designed to
trick people into providing sensitive information (credit card, account
passwords, etc.) to a spoofed website masquerading as a trusted
financial institution's site).
For example, you receive an e-mail telling you that there has been a
security breach at PayPal, and you need to log into the site and correct
your info, by using the bogus link they provide.
Every time we announce a way to confirm that the site is what it claims
to be (checking the certificate, history bar, etc.) the phishers find a
tech solution to improve their frauds.
Now IE has a bug that allows them to mask the real site more easily, by
showing the spoofed site in the navigation bar.
Do any of the IETF members have suggestions for easy ways of confirming
that the site you just linked to is really the site you wanted to
access?
I am asking in my capacity as the world's largest online safety and help
group, WiredSafety.org.
Parry Aftab
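As an added example, not part of either message above: a small Python check of the kind Parry asks for, run over constructed sample links rather than anything from the thread. It resolves each link the way a browser does (the host actually connected to is what follows any `user@` part and comes before the path), then compares that host with what the link text shows the reader and with a hypothetical allow-list of domains the user expects to reach. The `TRUSTED_DOMAINS` list, the sample links and the `192.0.2.10` address are all assumptions made for the example; the user-before-`@` and look-alike-suffix cases are generic URL tricks, not a claim about the specific IE bug the message refers to.

```python
"""Check whether an e-mail link really points at the site its text claims.

Added example (not from the original thread). Uses only the Python 3
standard library; sample links and the trusted-domain list are constructed.
"""
import ipaddress
import urllib.parse

# Hypothetical allow-list: domains the recipient actually expects to reach.
TRUSTED_DOMAINS = ("paypal.com",)


def real_host(url):
    """Host the browser will connect to, after discarding any user@ prefix."""
    parsed = urllib.parse.urlsplit(url.strip())
    return (parsed.hostname or "").lower()


def in_domain(host, domain):
    """True if host is domain itself or a real subdomain of it.

    A suffix match alone is not enough: paypal.com.example.net ends with a
    trusted-looking string but is not under paypal.com.
    """
    return host == domain or host.endswith("." + domain)


def is_ip_literal(host):
    """True if the host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(displayed, href):
    """Return the reasons a link looks suspicious (empty list = consistent)."""
    reasons = []
    parsed = urllib.parse.urlsplit(href.strip())
    target = real_host(href)

    # 1. Anything before '@' in the authority is user info, not the host, so a
    #    trusted name can be placed there while the connection goes elsewhere.
    if parsed.username is not None or "@" in parsed.netloc:
        reasons.append("userinfo before '@' hides the real host: %r" % parsed.netloc)

    # 2. A bare IP address is not where a bank sends its customers.
    if is_ip_literal(target):
        reasons.append("target host is a bare IP address: %s" % target)

    # 3. If the visible text names a site, it should be the site reached.
    shown = None
    if "://" in displayed:
        shown = real_host(displayed)
    elif "." in displayed and " " not in displayed.strip():
        shown = displayed.strip().lower().rstrip("/")
    if shown and shown != target:
        reasons.append("link text shows %s but points at %s" % (shown, target))

    # 4. Look-alike suffixes and unrelated domains fail the allow-list.
    if not any(in_domain(target, d) for d in TRUSTED_DOMAINS):
        reasons.append("host %s is outside trusted domains %s"
                       % (target, ", ".join(TRUSTED_DOMAINS)))

    # 5. Without TLS there is no certificate to check at all.
    if parsed.scheme.lower() != "https":
        reasons.append("scheme is %s, not https" % (parsed.scheme or "<none>"))
    return reasons


# Constructed sample (display text, href) pairs; the addresses are fictional.
SAMPLE_LINKS = [
    ("https://www.paypal.com/cgi-bin/webscr", "https://www.paypal.com/cgi-bin/webscr"),
    ("https://www.paypal.com/", "http://www.paypal.com@192.0.2.10/login"),
    ("click here to verify your account", "http://www.paypal.com.example.net/login"),
    ("https://www.paypal.com/", "http://www.paypal.com%01@192.0.2.10/"),
]


def scan(links=SAMPLE_LINKS):
    """Return {href: reasons} for every link that fails at least one check."""
    return {href: check_link(shown, href)
            for shown, href in links if check_link(shown, href)}


if __name__ == "__main__":
    for href, reasons in scan().items():
        print(href)
        for r in reasons:
            print("   -", r)
```

The check deliberately trusts the parsed hostname rather than the string the browser displays, which is the point of the thread: whatever the navigation bar shows, the connection goes to `urlsplit(href).hostname`. Rendering the true host next to each link, or refusing to follow links that carry user info or a bare IP, is a cheap filter an e-mail client or gateway can apply before the user ever sees a spoofed page.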