[59952] in North American Network Operators' Group
Re: User negligence?
daemon@ATHENA.MIT.EDU (Jamie Reid)
Sun Jul 27 16:18:43 2003
Date: Sun, 27 Jul 2003 16:16:30 -0400
From: "Jamie Reid" <Jamie.Reid@mbs.gov.on.ca>
To: chris@UU.NET, nanog@vo.cnchost.com
Cc: nanog@merit.edu, wb8foz@nrk.com
Errors-To: owner-nanog-outgoing@merit.edu
I wonder if this could just be solved by selling fraud insurance?
It could be another ridiculous bank surcharge or service, but would
negate the need for byzantine technology infrastructures to support it.

All that user end security devices do is put more non-repudiable
onus on the user, so that when it fails, the service provider is protected,
and the user is cryptographically guaranteed to be SOL. Biometrics
are an excellent example of this. They are a single factor authentication
technology, maybe two factor if there is a PIN, and when the database
gets compromised, nobody will believe that the user isn't responsible,
because "The System is Perfect".

Many security technologies are based upon the risk avoidance paradigm
of government/military organizations, instead of the more practical
risk management perspective of more nimble organizations. This is
partially why a lot of technologies aren't getting adopted. They are Perfect, but
a burden.

The solution that balances security and accessibility will be the one that
incorporates an acceptable loss expectancy and enables the company to leverage the
convenience of that risk. Building massive security structures does little to
decrease the actual risk; they just push it out to the edges, that is, to
customers.

The ubiquity of personal computers as general information appliances has made
them more of an interface to the economy than the tools that we are used to
using them as. Since these interfaces are as diversely designed as wallets (M$
turned our machines into wallets), we can either demand better wallet security
devices, or we can mitigate risks to their contents through insurance.

--
Jamie.Reid, CISSP, jamie.reid@mbs.gov.on.ca
Senior Security Specialist, Information Protection Centre
Corporate Security, MBS
416 327 2324
>>> "Christopher L. Morrow" <chris@UU.NET> 07/27/03 03:39pm >>>
On Sun, 27 Jul 2003, JC Dill wrote:
>
> At 07:21 AM 7/27/2003, David Lesher wrote:
>
> >Strip <http://www.zetetic.net/index.html> is your helper here.
>
> I have strip. Unfortunately, I don't always have my Palm at hand when I
> want to login to my bank, and I didn't have it at hand the *last* time,
> when I had to change the password, so the new password didn't get entered
> into strip. But that's beside the point, using strip on a pda (to help
> remember passwords) is a solution that only works for some people, in some
> circumstances. It would be much better to have a policy that just WORKED.
>
or a 10 dollar key fob that always had a code you could combine with your
'pin' for a password... why is a solution like RSA/ACE so difficult for
people to accept on a wide scale?

After all, banks charge you for checks, why not for the FOB, and make you
purchase the replacement when you lose it?

-Chris
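Chris's "fob code plus PIN" is a two-factor passcode: something you have (the tokencode the fob displays) and something you know (the PIN). The following added example is not from this thread and does not implement RSA's proprietary SecurID algorithm; it assumes the open TOTP construction of RFC 6238 with a hypothetical four-digit PIN prefix, and shows how the server side would verify such a passcode with a one-step clock-drift window and a replay guard.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret, int(unix_time) // step, digits)


class FobVerifier:
    """Server side of a hypothetical 'PIN + tokencode' login (not the SecurID algorithm)."""

    def __init__(self, pin: str, secret: bytes, step: int = 30,
                 digits: int = 6, window: int = 1) -> None:
        self.pin, self.secret = pin, secret
        self.step, self.digits, self.window = step, digits, window
        self.last_counter = -1  # highest time step already accepted (replay guard)

    def verify(self, passcode: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        counter = int(now) // self.step
        matched = None
        # Tolerate clock drift of +/- window steps; compare the whole PIN+code
        # string in constant time so a wrong PIN and a wrong code look alike.
        for delta in range(-self.window, self.window + 1):
            expected = self.pin + hotp(self.secret, counter + delta, self.digits)
            if hmac.compare_digest(expected.encode(), passcode.encode()):
                matched = counter + delta
        # A code from a time step at or before the last accepted one is a replay.
        if matched is None or matched <= self.last_counter:
            return False
        self.last_counter = matched
        return True


if __name__ == "__main__":
    # Constructed demo: the RFC 6238 SHA-1 test secret and a made-up PIN.
    v = FobVerifier("1234", b"12345678901234567890")
    print(v.verify("1234" + totp(b"12345678901234567890", 59), now=59))  # True
```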