[147247] in cryptography@c2.net mail archive


Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

daemon@ATHENA.MIT.EDU (Max Kington)
Thu Sep 19 18:07:39 2013

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <r422Ps-1075i-3A51DFDC59B5484EB372BFE47B8F0DC6@Williams-MacBook-Pro.local>
Date: Thu, 19 Sep 2013 22:11:23 +0100
From: Max Kington <mkington@webhanger.com>
To: Bill Frantz <frantz@pwpconsult.com>
Cc: "Salz, Rich" <rsalz@akamai.com>, cryptography@metzdowd.com
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On 19 Sep 2013 19:11, "Bill Frantz" <frantz@pwpconsult.com> wrote:
>
> On 9/19/13 at 5:26 AM, rsalz@akamai.com (Salz, Rich) wrote:
>
>>> I know I would be a lot more comfortable with a way to check the mail
>>> against a piece of paper I received directly from my bank.
>>
>> I would say this puts you in the sub 1% of the populace.  Most people
>> want to do things online because it is much easier and "gets rid of paper."
>> Those are the systems we need to secure.  Perhaps another way to look at
>> it:  how can we make out-of-band verification simpler?
>
> Do you have any evidence to support this contention? Remember we're
> talking about money, not just social networks.
>
> I can support mine. ;-)
>
> If organizations like Consumers Union say that you should take that
> number from the bank paperwork you got when you signed up for an account,
> or signed up for online banking, or got with your monthly statement, or got
> as a special security mailing and enter it into your email client, I
> suspect a reasonable percentage of people would do it. It is, after all, a
> one-time operation.

As with other themes, though, one size does not fit all. The funny thing
being that banks are actually extremely adept at doing out-of-band paper
verification. Secure printing is born out of financial transactions,
everything from cheques to cash to PIN notification.

I think it was Phillip who said that other trust models need to be
developed. I'm not as down on the Web of Trust as others are, but I strongly
believe that there has to be an ordered set of priorities. Usability has to
be right up there as a near-peer with overall system security. Otherwise, as
we've seen, a real attack in this context is simply to dissuade people from
using it, and developers, especially of security-oriented systems, can do that
of their own accord.

If you want to get your system's users to help with out-of-band verification,
get them 'talking' to each other. Perry said that our social networks are
great for keeping spam out of our mailboxes, yet we're busy trying to cut out
the technology that's driven all of this.

Out of band for your banking might mean security printing techniques and
securing your email, phoning your friends.

>
> Cheers - Bill
>
> -----------------------------------------------------------------------
> Bill Frantz        | If the site is supported by  | Periwinkle
> (408)356-8506      | ads, you are the product.    | 16345 Englewood Ave
> www.pwpconsult.com |                              | Los Gatos, CA 95032
>
>
> _______________________________________________
> The cryptography mailing list
> cryptography@metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography
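The "number from the bank paperwork" that Bill describes is a key fingerprint checked out of band. The block below is an added example, not code from anyone on this thread: it assumes the bank prints a truncated SHA-256 fingerprint of its signing key on the paper mailing and the customer types it into the mail client once; the client then checks the key carried by each signed message against it. The key bytes, the group width and the hypothetical `matches_paper` helper are all constructed for the example, and the entry parser deliberately tolerates the spaces, dashes and mixed case a person typing from paper will produce, since a check that fails on formatting is exactly the kind of usability failure that dissuades people from using it.

```python
"""Out-of-band paper fingerprint check (added example, not from the list post).

Assumes the bank mails a grouped, upper-case, truncated SHA-256 fingerprint of
its public key on paper. The customer types it into the mail client once; the
client stores the normalised form and checks each signed message's key
against it. All key material below is constructed sample bytes.
"""
import hashlib
import hmac
import re

# Constructed sample keys (hypothetical; a real client hashes the actual
# public-key bytes taken from the message's signature block).
BANK_KEY = b"-----BEGIN PUBLIC KEY-----\nEXAMPLE-BANK-KEY-BYTES\n-----END PUBLIC KEY-----\n"
IMPOSTOR_KEY = b"-----BEGIN PUBLIC KEY-----\nEXAMPLE-PHISHER-KEY-BYTES\n-----END PUBLIC KEY-----\n"

GROUP = 4          # hex characters per printed group (assumption for readability)
GROUPS_SHOWN = 10  # 10 groups * 4 hex = 160 bits of the digest go on paper


def fingerprint(public_key: bytes) -> str:
    """Full SHA-256 fingerprint of a key as lower-case hex."""
    return hashlib.sha256(public_key).hexdigest()


def printable_fingerprint(public_key: bytes) -> str:
    """Grouped, upper-case, truncated form for the paper mailing, e.g. 'AB12 34CD ...'.

    Fixed-width upper-case groups are easier to read from paper and to type.
    160 bits is far more than an attacker could match by brute-force key search.
    """
    fp = fingerprint(public_key)[: GROUP * GROUPS_SHOWN].upper()
    return " ".join(fp[i:i + GROUP] for i in range(0, len(fp), GROUP))


def normalise_entry(typed: str) -> str:
    """Accept what a person actually types: spaces, dashes, dots, colons, any case."""
    cleaned = re.sub(r"[\s\-.:]", "", typed).lower()
    if not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError("fingerprint must contain hex digits only")
    return cleaned


def matches_paper(public_key: bytes, typed: str) -> bool:
    """Check the key from a received message against the fingerprint typed from paper."""
    expected = normalise_entry(typed)
    if len(expected) != GROUP * GROUPS_SHOWN:
        return False  # partial or over-long entry is never a match
    actual = fingerprint(public_key)[: len(expected)]
    # Constant-time compare so timing does not reveal how many characters matched.
    return hmac.compare_digest(actual.encode(), expected.encode())


if __name__ == "__main__":
    paper = printable_fingerprint(BANK_KEY)
    print("printed on the bank letter :", paper)
    print("genuine key matches        :", matches_paper(BANK_KEY, paper))
    print("messy typing still matches :", matches_paper(BANK_KEY, paper.lower().replace(" ", "-")))
    print("impostor key matches       :", matches_paper(IMPOSTOR_KEY, paper))
```

A client would store `normalise_entry(typed)` once at setup and rerun only the comparison per message; the first mismatch, rather than a missing check, is what should raise the warning to the user.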

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
